How to Control BitLocker During Windows 10 Upgrades
When you upgrade a Windows 10 device protected by BitLocker to a new feature update version of Windows 10, BitLocker is suspended during the upgrade process.
Suspending BitLocker does not decrypt the data on the volume. Instead, suspension makes the key used to decrypt the data available to everyone in the clear. New data written to the disk is still encrypted.
While suspended, BitLocker does not validate system integrity at startup. You might suspend BitLocker protection for firmware upgrades or system updates.
Windows suspends BitLocker protection automatically during feature upgrades to a new version.
Microsoft added new command line options to Windows 10 version 1803 to control BitLocker behavior during the upgrade:
- Setup.exe /BitLocker AlwaysSuspend – Always suspend BitLocker during the upgrade.
- Setup.exe /BitLocker TryKeepActive – Attempt the upgrade without suspending BitLocker; if the upgrade does not work, suspend BitLocker and complete the upgrade.
- Setup.exe /BitLocker ForceKeepActive – Attempt the upgrade without suspending BitLocker; if the upgrade does not work, fail the upgrade.
The new setup options work on Windows 10 version 1803 and later, and only on devices running Windows 10 Professional or Enterprise. In addition, Secure Boot must be enabled, a TPM must be available, and only a TPM protector may be in use.
The default upgrade option is set to /BitLocker AlwaysSuspend on retail devices.
You can use /BitLocker TryKeepActive to try to keep BitLocker enabled during the upgrade. Windows 10 attempts to keep it enabled, but if that does not work, it suspends BitLocker to process the upgrade.
The switch /BitLocker ForceKeepActive, on the other hand, enforces BitLocker protection during upgrades. The upgrade will fail if errors occur because BitLocker is enabled.
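The following pre-flight check is an added example, not part of the original article or any Microsoft tooling. It tests the prerequisites listed above on the local device, suggests a /BitLocker switch, and warns if the OS volume is encrypted but still suspended. The setup path D:\setup.exe is a hypothetical location, and treating a recovery password protector as compatible with "only a TPM protector" is an assumption.

```powershell
#Requires -RunAsAdministrator
# Added example: pre-flight check for the /BitLocker setup switches.
# $SetupPath is a hypothetical location of the feature-update media.
param([string]$SetupPath = 'D:\setup.exe')

function Test-KeepActivePrerequisites {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive

    # Confirm-SecureBootUEFI throws on legacy BIOS systems; treat that as "off".
    $secureBoot = try { [bool](Confirm-SecureBootUEFI) } catch { $false }

    # Assumption: a RecoveryPassword protector does not count against
    # "only a TPM protector"; TpmPin, TpmStartupKey, ExternalKey etc. do.
    $unlockTypes = @($os.KeyProtector.KeyProtectorType |
        Where-Object { $_ -ne 'RecoveryPassword' } | Sort-Object -Unique)

    [ordered]@{
        'Version 1803 or later (build >= 17134)' = [int]$cv.CurrentBuildNumber -ge 17134
        'Professional or Enterprise edition'     = $cv.EditionID -match '^(Professional|Enterprise)'
        'Secure Boot enabled'                    = $secureBoot
        'TPM available'                          = [bool](Get-Tpm).TpmPresent
        'Only a TPM protector in use'            = ($unlockTypes.Count -eq 1 -and
                                                    "$($unlockTypes[0])" -eq 'Tpm')
    }
}

$checks = Test-KeepActivePrerequisites
$checks.GetEnumerator() | ForEach-Object { '{0,-42} {1}' -f $_.Key, $_.Value }

# TryKeepActive falls back to suspending, so it is the low-risk choice when
# every prerequisite holds; otherwise stay with the AlwaysSuspend default.
$mode = if (@($checks.Values) -notcontains $false) { 'TryKeepActive' } else { 'AlwaysSuspend' }
"Suggested command: `"$SetupPath`" /BitLocker $mode"

# Run again after the upgrade: ProtectionStatus Off on a fully encrypted
# volume means BitLocker is still suspended and the key is in the clear.
$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
if ($vol.VolumeStatus -eq 'FullyEncrypted' -and $vol.ProtectionStatus -eq 'Off') {
    Write-Warning "$($vol.MountPoint) is encrypted but protection is suspended."
}
```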