0

I know that Bitlocker can automatically suspend protection on an OS drive / partition to, for example, install certain system updates.

And that sometimes the user might need to manually suspend protection on the OS drive / partition to, for example, install certain 3rd party system updates.

My question is about fixed internal non-OS drives / partitions and removable drives / partitions.

Would Bitlocker protection ever be automatically suspended on such drives / partitions by Windows for any reason?

Or is there any reason why a user would need to do this?

(This is a single user personal computer that is not managed by any organisation etc.

The motivation for this question is that I do not want Bitlocker protection to ever be suspended on my non-OS drives / partitions, and so am trying to find out if there are any circumstances in which Windows itself would decide to do this, or in which I would need to manually do this myself.)

1
  • I have no credible answer to this but I just can't see any need whatsoever for BitLocker to do that, as the whole 'suspend' feature is there to help the OS boot across upgrades (TPM-related reasons, mostly), and the non-OS drives are...not involved in that. Commented Feb 10 at 9:40

1 Answer 1

0

Automatically suspending Bitlocker without user intervention would be a major security breach. An attacker would then only need to simulate a system update situation in order to break into the computer.

The BitLocker FAQ says about system updates:

Do I have to suspend BitLocker protection to download and install system updates and upgrades?

No user action is required for BitLocker in order to apply updates from Microsoft, including Windows quality updates and feature updates. Users need to suspend BitLocker for Non-Microsoft software updates.

[...]

If BitLocker is suspended, you can resume BitLocker protection after the upgrade or update is installed. Upon resuming protection, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade or update. If these types of upgrades or updates are applied without suspending BitLocker, the computer will enter recovery mode when restarting and will require a recovery key or password to access the computer.

2
  • Yes, no user action is required for MS updates (as MS suspends Bitlocker for you if needed?) Whereas user action might be required for non-MS updates. But that quote only applies to suspension of the OS drive? What I do not know is whether pure data partitions or removable drives would ever get suspended by MS, or need to be suspended by the user?
    – TechHorse
    Commented Feb 10 at 11:15
  • Bitlocked Non-system disks are stand-alone, in that they can be moved to other computers (with the right keys). Hardware or software changes on the system disk will not invalidate their encryption keys, so these don't need to be resealed (it's more complicated if you replace the motherboard and its TPM).
    – harrymc
    Commented Feb 10 at 11:28
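As an added example (not part of the question or the answer above), a PowerShell check for the asker's concern: it lists the fixed and removable data volumes and flags any whose protection is currently suspended, assuming the built-in BitLocker module (Get-BitLockerVolume / Resume-BitLocker) and an elevated session.

```powershell
# Added example, not from the original post: audit BitLocker data volumes for
# suspended protection. Assumes an elevated PowerShell session on Windows with
# the BitLocker module available.
param(
    [switch]$Resume   # when set, re-enable protection on any suspended data volume
)

# Fixed data partitions and removable drives report VolumeType 'Data';
# the OS volume reports 'OperatingSystem'. Only data volumes are of interest here.
$dataVolumes = Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'Data' }

foreach ($vol in $dataVolumes) {
    # ProtectionStatus 'Off' on a FullyDecrypted volume just means BitLocker was
    # never turned on. 'Off' on an encrypted volume means protection is suspended:
    # the key protectors are disabled and the volume unlocks without them.
    $encrypted = $vol.VolumeStatus -ne 'FullyDecrypted'
    $suspended = $encrypted -and ($vol.ProtectionStatus -eq 'Off')

    $state = if (-not $encrypted) { 'not encrypted' }
             elseif ($suspended)  { 'SUSPENDED' }
             else                 { 'protected' }

    # Data volumes are not sealed to the TPM; their protectors are typically
    # Password, RecoveryPassword and/or ExternalKey (auto-unlock).
    $protectors = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','

    Write-Output ("{0,-4} {1,-20} {2,-8} {3,-14} protectors: {4}" -f
        $vol.MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus, $state, $protectors)

    if ($suspended -and $Resume) {
        # Resume-BitLocker re-enables the existing protectors; nothing is re-encrypted.
        Resume-BitLocker -MountPoint $vol.MountPoint | Out-Null
        Write-Output ("     -> protection resumed on {0}" -f $vol.MountPoint)
    }
}
```

Run it without `-Resume` to audit only; a data volume that shows `SUSPENDED` is one whose protectors were disabled (by Suspend-BitLocker or the Control Panel), since Windows does not do this for data volumes during its own updates.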
