BitLocker Windows Update Shutdown or Reboot option behavior

BitLocker is a Windows security feature that provides encryption for entire volumes. It addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned devices. This article explains how BitLocker behaves with the Windows Update “shutdown” and “restart” options, which matters for keeping a device both protected and bootable. Please see “Copy and Paste between your device to a VM running in Hyper-V“, and How to update the BIOS on your Dell system.
Note: BitLocker is not automatically suspended for Windows Updates (including Windows quality updates and feature updates). When Windows updates are applied, BitLocker remains active, is not suspended, and therefore continues to protect your device.
Also, see “Reasons for BitLocker Recovery Prompt: Query the number of BitLocker recovery request“. See “VMware Workstation states: What are the differences between Suspend, Power Off, and Run in Background“, and how to use the Command Prompt to shut down and restart your computer.
What about 3rd Party Updates?
This is discussed in more detail in the sub-topics below. The caveat is that non-Microsoft software updates, for example BIOS/UEFI firmware updates, require BitLocker to be suspended first. Also, see this URL for more information.
If you use SCCM (now Microsoft Endpoint Configuration Manager) and would like to fix BitLocker “not suspended PIN” after a Windows Updates restart, please see this link.

To ensure Windows Updates are installed completely, use the “Update and restart” option. This ensures that BitLocker is suspended throughout the update process.
Selecting the “Install updates and shut down” option is not considered best practice: the updates may not be applied correctly, potentially leaving the PC vulnerable, because most updates require a complete system reboot (restart). Please see this link for more information.
Other areas that require you to suspend BitLocker before downloading and installing system updates and upgrades
If you have followed along this far, you already know that no user action is required for BitLocker when applying updates from Microsoft, but non-Microsoft software updates can require it. Some of these include, but are not limited to:
- Some TPM firmware updates clear the TPM outside of the Windows API. Not every TPM firmware update clears the TPM. Users don’t have to suspend BitLocker if the TPM firmware update uses the Windows API to clear the TPM, because in that case BitLocker is suspended automatically. Note: It’s recommended that users test their TPM firmware updates if they don’t want to suspend BitLocker protection.
- Manual or non-Microsoft updates to Secure Boot databases (only if BitLocker uses Secure Boot for integrity validation).
- Non-Microsoft application updates that modify the UEFI\BIOS configuration, as addressed in this article. Also, updates to UEFI\BIOS firmware, installation of additional UEFI drivers, or UEFI applications without using the Windows Update mechanism (only if BitLocker doesn’t use Secure Boot for integrity validation during updates).
Please see How to prevent a remote shutdown and restart in Windows, and How to delete an Elastic Block Store Volume on AWS.
What happens with the options “Update and Shutdown” and “Update and Restart”?
During a restart, BitLocker is automatically suspended so that the system changes can be applied. When you choose “Install updates and shut down” instead, the update process is not completed and BitLocker is never given the chance to be suspended.
If BitLocker is not suspended and a system change is detected at the next boot, BitLocker may treat the device as tampered with and trigger the BitLocker recovery prompt.
To avoid this issue, you can manually suspend BitLocker in three different ways: from Control Panel, with PowerShell, or from the Command Prompt.
Once you’re done making system changes, you can resume encryption again. Please see this link for more information.
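The PowerShell route described above, as an added example that is not part of the original article: it verifies that a recovery password protector exists before anything is touched, suspends protection on the OS volume for a single restart, and resumes (and verifies) protection afterwards. It assumes the operating system volume is C: and, as the Bonus Point below notes, must run in an elevated session. The equivalent manage-bde commands for the Command Prompt route are shown in comments.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article. Assumes the OS volume is C:
# and that at least one recovery password protector has already been created.

$OsDrive = 'C:'

function Get-BitLockerState {
    param([string]$MountPoint = $OsDrive)
    # ProtectionStatus is 'On' while protectors are active and 'Off' while suspended;
    # VolumeStatus stays 'FullyEncrypted' in both cases because the data is never decrypted.
    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
}

function Assert-RecoveryPasswordPresent {
    param([string]$MountPoint = $OsDrive)
    # Confirm a recovery password protector exists before changing protection state,
    # so an unexpected recovery prompt after the firmware update can still be answered.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) {
        throw "No recovery password protector on $MountPoint. Add and back one up before suspending."
    }
    Write-Host "Recovery password protector(s) present: $(@($rp).Count)"
}

function Suspend-BitLockerForUpdate {
    param([string]$MountPoint = $OsDrive, [int]$RebootCount = 1)
    Assert-RecoveryPasswordPresent -MountPoint $MountPoint
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne 'On') {
        Write-Warning "$MountPoint protection is already '$($vol.ProtectionStatus)'; nothing to suspend."
        return Get-BitLockerState -MountPoint $MountPoint
    }
    # -RebootCount 1 re-enables the protectors automatically after the next restart,
    # which limits the window in which the key is stored in clear text on the drive.
    # Command Prompt equivalent:  manage-bde -protectors -disable C: -RebootCount 1
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount $RebootCount | Out-Null
    Get-BitLockerState -MountPoint $MountPoint
}

function Resume-BitLockerAfterUpdate {
    param([string]$MountPoint = $OsDrive)
    # Resuming re-seals the key to the new measurements of the updated boot components.
    # Command Prompt equivalent:  manage-bde -protectors -enable C:
    Resume-BitLocker -MountPoint $MountPoint | Out-Null
    $state = Get-BitLockerState -MountPoint $MountPoint
    if ($state.ProtectionStatus -ne 'On') {
        throw "Protection on $MountPoint did not resume; inspect Get-BitLockerVolume output."
    }
    $state
}

# Typical use around a manually downloaded BIOS/UEFI update:
#   Suspend-BitLockerForUpdate      # then run the vendor's firmware installer and restart
#   Resume-BitLockerAfterUpdate     # after the restart, in case protection did not auto-resume
```

The reboot count is the important detail: a suspension without a count stays in effect until someone remembers to resume, whereas `-RebootCount 1` guarantees the protectors come back after the restart the firmware update needs anyway.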
Note: Installing BIOS updates via the DCU/WSUS does not require manual BitLocker suspension, except when downloaded manually.
Here are some related articles: How to update the BIOS on your Dell system, and Reasons for BitLocker Recovery Prompt: Query the number of BitLocker recovery request.
What happens during BitLocker Suspension?
Suspending BitLocker doesn’t decrypt the data. Instead, it makes the BitLocker key available in clear text, readable by anyone with access to the drive, while any additional data you create is still written to the drive encrypted.
Once you’re done making system changes, you can always resume encryption to keep your files protected.
Note: If BitLocker is suspended, you can resume BitLocker protection after the upgrade or update is installed. Upon resuming protection, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade or update. If these types of upgrades or updates are applied without suspending BitLocker, the computer will enter recovery mode when restarting and will require a recovery key or password to access the computer.
See this URL also for more information. If BitLocker protection isn’t suspended, the system won’t recognize the BitLocker key and you’ll be prompted to enter the recovery key the next time the system restarts.
Without the recovery key, the result is data loss or an unnecessary operating system reinstallation, and this will happen every time you restart the system.
FAQs
TPM 2.0 is not supported in Legacy and Compatibility Support Module (CSM) modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as native UEFI only. The Legacy and CSM options must be disabled.
An operating system installed on hardware in Legacy mode will stop booting when the BIOS mode is changed to UEFI.
Note: Before changing the BIOS mode, use the tool mbr2gpt.exe. This prepares the OS and the disk to support UEFI.
The system drive contains the files required to boot, decrypt, and load the operating system. BitLocker isn’t enabled on this drive. For BitLocker to work, the system drive:
- must not be encrypted;
- must be a different partition from the operating system drive;
- must be formatted with the FAT32 file system on computers that use UEFI-based firmware, or with the NTFS file system on computers that use BIOS firmware;
- should be approximately 350 MB in size, as recommended by Microsoft. After BitLocker is turned on, it should have approximately 250 MB of free space.
You will find these related articles useful: How to fix System Partition not available or large enough on Microsoft BitLocker Administration and Monitoring [Part 1], and how to create a BitLocker System Partition [Part 2].
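The two FAQ items above (the mbr2gpt preparation step before switching BIOS mode, and the system-partition requirements) are checked in this added PowerShell example, which is not from the original article. `Test-BitLockerSystemPartition` reports the firmware type, the partition style of the disk holding the system partition, and whether the system partition is separate from the OS volume, uses the file system expected for the firmware type, is not encrypted, and meets the 350 MB / 250 MB figures. `Test-Mbr2GptReady` only runs mbr2gpt in validate mode; it never converts. It assumes the OS disk is disk 0 and that the environment variable `firmware_type` is populated (Windows 8 and later).

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article. Checks the system partition against the
# requirements listed above and validates (without converting) MBR-to-GPT readiness.

function Test-BitLockerSystemPartition {
    # $env:firmware_type is 'UEFI' or 'Legacy' on Windows 8 and later.
    $firmware = $env:firmware_type
    $sys = Get-Partition | Where-Object IsSystem | Select-Object -First 1
    if (-not $sys) { throw 'No partition is flagged as the system partition.' }
    $sysVol   = $sys | Get-Volume
    $osLetter = $env:SystemDrive.TrimEnd(':')
    $osPart   = Get-Partition -DriveLetter $osLetter

    # FAT32 is expected under UEFI, NTFS under legacy BIOS.
    $expectedFs = if ($firmware -eq 'UEFI') { 'FAT32' } else { 'NTFS' }
    $sizeMB = [math]::Round($sys.Size / 1MB)
    $freeMB = [math]::Round($sysVol.SizeRemaining / 1MB)

    # The system partition normally has no drive letter; if it does, confirm it is not encrypted.
    $encrypted = $false
    if ($sys.DriveLetter) {
        $bl = Get-BitLockerVolume -MountPoint "$($sys.DriveLetter):" -ErrorAction SilentlyContinue
        if ($bl -and $bl.VolumeStatus -ne 'FullyDecrypted') { $encrypted = $true }
    }

    # Thresholds are the figures given in the article (approximately 350 MB, 250 MB free).
    [pscustomobject]@{
        FirmwareType        = $firmware
        DiskPartitionStyle  = (Get-Disk -Number $sys.DiskNumber).PartitionStyle
        SeparateFromOsDrive = -not ($sys.DiskNumber -eq $osPart.DiskNumber -and
                                    $sys.PartitionNumber -eq $osPart.PartitionNumber)
        FileSystem          = $sysVol.FileSystem
        FileSystemOk        = ($sysVol.FileSystem -eq $expectedFs)
        SizeMB              = $sizeMB
        SizeOk              = ($sizeMB -ge 350)
        FreeMB              = $freeMB
        FreeOk              = ($freeMB -ge 250)
        NotEncrypted        = -not $encrypted
    }
}

function Test-Mbr2GptReady {
    param([int]$DiskNumber = 0)   # assumption: the OS disk is disk 0
    # /validate only reports whether conversion is possible; /convert is the step that
    # rewrites the partition table. /allowFullOS lets the tool run from the full OS, not WinPE.
    & "$env:SystemRoot\System32\mbr2gpt.exe" /validate /disk:$DiskNumber /allowFullOS
    return ($LASTEXITCODE -eq 0)
}

Test-BitLockerSystemPartition | Format-List
```

Run the partition check first; only if `DiskPartitionStyle` is `MBR` and `FirmwareType` is `Legacy` does `Test-Mbr2GptReady` become relevant, and a `$false` result means the disk needs attention (for example, too many primary partitions) before the BIOS mode is changed.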
Yes, in this case, MBAM will override the necessary information and have the operating system reflect that nothing has changed with the PC, just the OS.
Bonus Point!
Administering BitLocker requires special rights: enabling, disabling, or changing the configuration of BitLocker on OS and fixed data drives requires membership of the local Administrators group. Standard users can, however, enable, disable, or change the configuration of BitLocker on removable data drives.
I hope you found this article very useful on understanding BitLocker Windows Update Shutdown or Reboot option behavior. Please feel free to leave a comment below.