Suspend Bitlocker disk encryption when installing firmware- or BIOS updates, hardware drivers or Operating System updates

dynabook Knowledge Base Article
Suspend Bitlocker disk encryption when installing firmware- or BIOS updates, hardware drivers or Operating System updates

ISSUE

BitLocker Drive Encryption is an integral security feature that provides considerable protection for the operating system on your computer and data stored on the operating system volume. BitLocker ensures that data stored on a computer remains encrypted even if the computer is tampered with when the operating system is not running. This helps protect against "offline attacks", attacks made by disabling or circumventing the installed operating system, or made by physically removing the hard drive to attack the data separately.

BitLocker uses the Trusted Platform Module (TPM) to provide enhanced protection for your data and to assure early boot component integrity. This helps protect your data from theft or unauthorized viewing by encrypting the disk volumes.

When installing firmware- or BIOS updates, hardware drivers or when updating the operating system, it is recommended to suspend Bitlocker protection.

In case Bitlocker protection is not suspended before, Bitlocker protection might request a Recovery Key on next boot of the operating system. Root cause is a not validated system integrity at start up.

RESOLUTION | Short

Suspension of BitLocker encryption allow users to access encrypted data on a volume that uses BitLocker Drive Encryption. Suspension of BitLocker does not mean that BitLocker decrypts data on the volume. Instead, suspension makes key used to decrypt the data available to everyone in the clear. New data written to the disk is still encrypted.

While suspended, BitLocker does not validate system integrity at start up. You might suspend BitLocker protection for firmware upgrades or system updates.

For details about how to suspend or turn off BitLocker, please refer to the resolution detailed section below.

RESOLUTION | Detailed

HOW TO SUSPEND BITLOCKER DRIVE ENCRYPTION AND- / OR DECRYPTING THE VOLUME

The procedure is the same for all BitLocker Drive Encryption configurations on TPM-equipped computers and computers without a compatible TPM.

When you suspend BitLocker (first procedure described below), you can choose either to temporarily turn-off BitLocker (= suspend), or to decrypt the drive. Disabling BitLocker allows TPM changes and operating system upgrades. Decrypting (second procedure described below), the drive means that the volume will once again be readable, and that all the keys are discarded. Once a volume is decrypted, you must generate new keys by going through the encryption process again.

BEFORE YOU START

You must be logged on as an administrator
The drive must be encrypted (Bitlocker disc encryption active)

[ SUSPEND BITLOCKER ]
Procedure to suspend BitLocker Drive Encryption on an operating system drive

Click Start, click Control Panel, click System and Security, and then click BitLocker Drive Encryption.
Click Suspend Protection for the operating system drive.
A message is displayed, informing you that your data will not be protected while BitLocker is suspended and asking if you want to suspend BitLocker Drive Encryption. Click Yes to continue and suspend BitLocker on the drive.

By completing this procedure, you have suspended BitLocker protection on the drive by changing the decryption key to a clear key. To read data from the drive, the clear key is used to access the files. When BitLocker is suspended, TPM validation does not occur and other authentication methods, such as the use of a PIN or USB key to unlock the operating system drive, are not enforced. This allows you to make system changes such as updating the BIOS or replacing a data drive. When you are finished making changes to the computer, click Resume Protection from the BitLocker Drive Encryption Control Panel item to start using BitLocker Drive Encryption again.

[ TURN OFF BITLOCKER | DECRYPT ]
Procedure to turn off BitLocker Drive Encryption

Click Start, click Control Panel, click System and Security, and then click BitLocker Drive Encryption.
Find the drive on which you want BitLocker Drive Encryption turned off, and click Turn Off BitLocker.
A message is displayed, informing you that the drive will be decrypted and that decryption may take some time. Click Decrypt the drive to continue and turn off BitLocker on the drive.

By completing this procedure, you have decrypted the drive and removed BitLocker protection.

USING "SUSPEND-BITLOCKER" CMDLET TO SUSPEND BITLOCKER ENCRYPTION

Please see below document from Microsoft, describing the suspension of BitLocker encryption using the "Suspend-BitLocker" cmdlet:

https://docs.microsoft.com/en-us/powershell/module/bitlocker/suspend-bitlocker?view=windowsserver2019-ps

DOCUMENT DETAILS

Document ID:

Doc Type:

Security

Online Date:

2015-06-02 00:00:00

Date Modified:

2024-07-18

Category:

Software

Company:

Microsoft

Product Category:

Portables

Product Group:

Product Series:

Product:

Model Number:

Operating System:

Windows 10 - 32 Bit, Windows 10 - 64 Bit, Windows 7 - 32 Bit, Windows 7 - 64 Bit, Windows 8 - 32 Bit, Windows 8 - 64 Bit, Windows 8.1 - 32 Bit, Windows 8.1 - 64 Bit, Windows Vista 32 Bit, Windows Vista 64 Bit

Keywords:

Drive, Encryption, Firmware, Operating System, Password, Security

DISCLAIMER

Dynabook provides this information "as is" without warranty of any kind, either express or implied, including, but not limited to, the implied warranties of merchantability or fitness for a particular purpose. Dynabook shall not be responsible for the topicality, correctness, completeness or quality of the information or software provided. Dynabook is not liable for any damage caused by the use of any information or software provided, including information that is incomplete or incorrect. Any trademarks used herein belong to their respective owners.

Dynabook Europe | Support Center | About us