{"id":2034,"date":"2018-05-08T09:24:45","date_gmt":"2018-05-08T14:24:45","guid":{"rendered":"http:\/\/www.wildow.com\/blog\/?p=2034"},"modified":"2018-05-08T09:24:45","modified_gmt":"2018-05-08T14:24:45","slug":"windows-10-control-bitlocker-during-upgrades-from-ghacks","status":"publish","type":"post","link":"http:\/\/www.wildow.com\/blog\/?p=2034","title":{"rendered":"Windows 10: control Bitlocker during upgrades from GHacks"},"content":{"rendered":"<h1 class=\"heading--large\">Windows 10: control Bitlocker during upgrades<\/h1>\n<div class=\"opacity--90 text--small ghacks-links ghacks-links--smallunderline mt--10 mb--20\">by\u00a0<a href=\"https:\/\/www.ghacks.net\/author\/martin\/\" data-wpel-link=\"internal\">Martin Brinkmann<\/a>\u00a0on May 08, 2018 in\u00a0<a href=\"https:\/\/www.ghacks.net\/category\/windows\/\" rel=\"category tag\" data-wpel-link=\"internal\">Windows<\/a>\u00a0&#8211;\u00a0<a href=\"https:\/\/www.ghacks.net\/2018\/05\/08\/windows-10-control-bitlocker-during-upgrades\/#respond\" data-wpel-link=\"internal\">No comments<\/a><\/div>\n<div class=\"user-content\">\n<p>When you upgrade a\u00a0<a href=\"https:\/\/www.ghacks.net\/2015\/11\/17\/how-to-encrypt-windows-10-hard-drives-using-bitlocker\/\" data-wpel-link=\"internal\">Windows 10 device protected by BitLocker<\/a>\u00a0to a new feature update version of Windows 10, for example from Windows 10 version 1703 to Windows 10 version 1803, BitLocker is suspended during the upgrade process.<\/p>\n<p>Suspension does not mean that the entire drive gets decrypted during the process; instead, it makes the encryption key available &#8220;in the clear&#8221; so that data is &#8220;available to everyone&#8221;.<\/p>\n<p>Data that gets written to the disk is still encrypted. A suspended BitLocker protection on a device does not run validation checks during startup. Administrators could use the\u00a0<a href=\"https:\/\/docs.microsoft.com\/en-us\/powershell\/module\/bitlocker\/suspend-bitlocker?view=win10-ps\" target=\"_blank\" rel=\"external noopener noreferrer\" data-wpel-link=\"external\">Suspend Bitlocker Powershell<\/a>\u00a0script in the past to suspend BitLocker protection, for example, before upgrading to a new version of Windows or upgrading device firmware.<\/p>\n<p>A security researcher\u00a0<a href=\"https:\/\/www.ghacks.net\/2016\/11\/30\/bitlocker-bypass-on-windows-10-through-upgrades\/\" data-wpel-link=\"internal\">discovered a bypass option during upgrades<\/a>\u00a0to access BitLocker encrypted data.<\/p>\n<h2>Windows 10: control Bitlocker during upgrades<\/h2>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-143705\" src=\"https:\/\/cdn.ghacks.net\/wp-content\/uploads\/2018\/05\/windows-10-bitlocker.png\" alt=\"windows 10 bitlocker\" width=\"960\" height=\"584\" \/><\/p>\n<p>Windows suspended BitLocker encryption automatically during feature upgrades to a new version.<\/p>\n<p>Microsoft\u00a0<a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/whats-new\/whats-new-windows-10-version-1803\" target=\"_blank\" rel=\"external noopener noreferrer\" data-wpel-link=\"external\">added<\/a>\u00a0new command line options to Windows 10 version 1803 to control BitLocker behavior during the upgrade:<\/p>\n<ul>\n<li><strong>Setup.exe \/BitLocker AlwaysSuspend<\/strong>\u00a0\u2013 Always suspend bitlocker during upgrade.<\/li>\n<li><strong>Setup.exe \/BitLocker TryKeepActive<\/strong>\u00a0\u2013 Enable upgrade without suspending bitlocker but if upgrade, does not work then suspend bitlocker and complete the upgrade.<\/li>\n<li><strong>Setup.exe \/BitLocker ForceKeepActive<\/strong>\u00a0 \u2013 Enable upgrade without suspending bitlocker, but if upgrade does not work, fail the upgrade.<\/li>\n<\/ul>\n<p>The new setup options work on Windows 10 version 1803 and later, and only on devices running Windows 10 Professional or Enterprise. Other requirements are that Secure Boot needs to be enabled and that TPM is available and that only a TPM protector is being used.<\/p>\n<p><a href=\"https:\/\/blogs.technet.microsoft.com\/mniehaus\/2018\/05\/02\/new-upgrade-to-windows-10-1803-without-suspending-bitlocker\/\" target=\"_blank\" rel=\"external noopener noreferrer\" data-wpel-link=\"external\">Michael Niehaus reports<\/a>\u00a0that you can use the commands on Windows 10 version 1709 machines that get upgraded to version 1803 as well.<\/p>\n<p>The default upgrade option is set to\u00a0<strong>\/BitLocker AlwaysSuspend<\/strong>\u00a0on retail devices. This is no change to the behavior in the past as BitLocker will be suspended during the upgrade if you don&#8217;t supply another command line parameter.<\/p>\n<p>You can use\u00a0<strong>\/BitLocker TryKeepActive<\/strong>\u00a0to try and keep BitLocker enabled during the upgrade. Windows 10 attempts to keep it enabled but if it does not work will suspend BitLocker to process the upgrade.<\/p>\n<p>The switch\u00a0<strong>\/BitLocker ForceKeepActive<\/strong>\u00a0on the other hand enforces BitLocker encryption during upgrades. The upgrade will fail if errors occur because of BitLocker being enabled.<\/p>\n<p>Microsoft switched the default command to \/BitLocker TryKeepActive on Windows 10 Insider Builds. It is likely that Microsoft will switch retail builds to the parameter as well in the future.<\/p>\n<p><strong>Now You<\/strong>: do you use BitLocker or other drive encryption software?<\/p>\n<p><strong>Related articles<\/strong><\/p>\n<ul>\n<li><a href=\"https:\/\/www.ghacks.net\/2017\/11\/09\/block-you-need-to-format-the-disk-message-in-windows\/\" data-wpel-link=\"internal\">Block &#8220;You need to format the disk&#8221; message in Windows<\/a><\/li>\n<li><a href=\"https:\/\/www.ghacks.net\/2014\/06\/08\/veracrypt-become-next-truecrypt\/\" data-wpel-link=\"internal\">Could VeraCrypt become the next TrueCrypt?<\/a><\/li>\n<li><a href=\"https:\/\/www.ghacks.net\/2013\/02\/07\/forensic-tool-to-decrypt-truecrypt-bitlocker-and-pgp-contains-and-disks-released\/\" data-wpel-link=\"internal\">Forensic tool to decrypt TrueCrypt, Bitlocker and PGP containers and disks released<\/a><\/li>\n<li><a href=\"https:\/\/www.ghacks.net\/2017\/01\/06\/microsoft-windows-10-bitlocker-is-slower-but-also-better\/\" data-wpel-link=\"internal\">Microsoft: Windows 10 Bitlocker is slower, but also better<\/a><\/li>\n<li><a href=\"https:\/\/www.ghacks.net\/2018\/04\/27\/speed-up-migration-encrypted-drives\/\" data-wpel-link=\"internal\">Speed up the migration of encrypted drives to another software<\/a><\/li>\n<\/ul>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Windows 10: control Bitlocker during upgrades by\u00a0Martin Brinkmann\u00a0on May 08, 2018 in\u00a0Windows\u00a0&#8211;\u00a0No comments When you upgrade a\u00a0Windows 10 device protected by BitLocker\u00a0to a new feature update version of Windows 10, for example from Windows 10 version 1703 to Windows 10 &#8230; <a class=\"more-link\" href=\"http:\/\/www.wildow.com\/blog\/?p=2034\">Read More &raquo;<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[52,4],"tags":[53],"class_list":["post-2034","post","type-post","status-publish","format-standard","hentry","category-bitlocker","category-windows","tag-bitlocker-win10-upgrade"],"_links":{"self":[{"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/2034","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2034"}],"version-history":[{"count":1,"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/2034\/revisions"}],"predecessor-version":[{"id":2035,"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/2034\/revisions\/2035"}],"wp:attachment":[{"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2034"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2034"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2034"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}