When you upgrade a Windows 10 device protected by BitLocker to a new feature update version of Windows 10, for example from Windows 10 version 1703 to Windows 10 version 1803, BitLocker is suspended during the upgrade process.
Suspension does not mean that the entire drive gets decrypted during the process; instead, it makes the encryption key available "in the clear" so that data is "available to everyone".
Data that gets written to the disk is still encrypted. A suspended BitLocker protection on a device does not run validation checks during startup. Administrators could use the Suspend Bitlocker Powershell script in the past to suspend BitLocker protection, for example, before upgrading to a new version of Windows or upgrading device firmware.
A security researcher discovered a bypass option during upgrades to access BitLocker encrypted data.
Windows suspended BitLocker encryption automatically during feature upgrades to a new version.
Microsoft added new command line options to Windows 10 version 1803 to control BitLocker behavior during the upgrade:
The new setup options work on Windows 10 version 1803 and later, and only on devices running Windows 10 Professional or Enterprise. Other requirements are that Secure Boot needs to be enabled and that TPM is available and that only a TPM protector is being used.
Michael Niehaus reports that you can use the commands on Windows 10 version 1709 machines that get upgraded to version 1803 as well.
The default upgrade option is set to /BitLocker AlwaysSuspend on retail devices. This is no change to the behavior in the past as BitLocker will be suspended during the upgrade if you don't supply another command line parameter.
You can use /BitLocker TryKeepActive to try and keep BitLocker enabled during the upgrade. Windows 10 attempts to keep it enabled but if it does not work will suspend BitLocker to process the upgrade.
The switch /BitLocker ForceKeepActive on the other hand enforces BitLocker encryption during upgrades. The upgrade will fail if errors occur because of BitLocker being enabled.
Microsoft switched the default command to /BitLocker TryKeepActive on Windows 10 Insider Builds. It is likely that Microsoft will switch retail builds to the parameter as well in the future.
Now You: do you use BitLocker or other drive encryption software?
Related articles
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.
Interesting, thanks!
I only have my external harddrive encrypted. Automatically unlocking on my laptop enabled.
Hopefully this will never happen, but in case my harddrive gets lost or stolen, my laptop will most likely be gone as well.
I wonder if I could turn this into BitLocker “forgetting” my laptop if a day not used.
Although, it would probably be easier to figure out if/how to encrypt my OS.
That is interesting.
I do use bitlocker. everyone should encrypt their drives. OSX and Windows 10 installed on surface tablets encrypts the drive implicitly.