Suspend or Resume BitLocker Protection for Drive in Windows 11



This tutorial will show you how to suspend (pause) or resume BitLocker protection for a drive encrypted by BitLocker or Device Encryption in Windows 10 and Windows 11.

Device Encryption is a Windows feature that enables BitLocker encryption automatically for the Operating System drive and fixed drives. When you first sign in or set up a device with a Microsoft account, or work or school account, Device Encryption is turned on and a recovery key is attached to that account. If you're using a local account, Device Encryption isn't turned on automatically. Unlike BitLocker Drive Encryption, which is available on Windows Pro, Enterprise, or Education editions, Device Encryption is available on a wider range of devices, including those running Windows Home.

BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned drives and computers. You can turn on BitLocker protection for operating system drives, fixed drives, and removable drives.

You can suspend BitLocker protection for an unlocked drive encrypted by BitLocker or Device Encryption, and resume BitLocker protection for the drive at any time.

Sometimes you may need to suspend BitLocker protection on an operating system drive to prevent certain problems and allow successful firmware and hardware updates.

Suspend keeps the data encrypted but encrypts the BitLocker volume master key with a clear key. The clear key is a cryptographic key stored unencrypted and unprotected on the disk drive. By storing this key unencrypted, the Suspend option allows for changes or upgrades to the computer without the time and cost of decrypting and re-encrypting the entire drive. After the changes are made and BitLocker is again enabled, BitLocker reseals the encryption key to the new values of the measured components that changed as part of the upgrade; the volume master key is changed, the protectors are updated to match, and the clear key is erased.

When you suspend BitLocker protection for an OS drive, it will remain unlocked and unprotected until one of the following happens: you manually resume BitLocker protection for the drive, protection automatically resumes after you restart the computer a specified number of times (RebootCount), or protection automatically resumes the next time you restart the computer.

When you suspend BitLocker protection for a fixed data drive, it will remain unlocked and unprotected until you manually resume BitLocker protection for the drive. This remains the case even after you restart the computer.

When you suspend BitLocker protection for a removable data drive, it will remain unlocked and unprotected until you manually resume BitLocker protection for the drive. This remains the case even after you restart the computer, or disconnect and reconnect the drive.


You must be signed in as an administrator to suspend and resume BitLocker protection for drives.



Contents

  • Option One: Suspend BitLocker Protection for OS Drive in Control Panel
  • Option Two: Resume BitLocker Protection for Drive in Control Panel
  • Option Three: Resume BitLocker Protection for Drive in File Explorer
  • Option Four: Suspend BitLocker Protection for Drive using manage-bde Command
  • Option Five: Resume BitLocker Protection for Drive using manage-bde Command
  • Option Six: Suspend BitLocker Protection for Drive using Suspend-BitLocker Command
  • Option Seven: Suspend BitLocker Protection for OS Drive with RebootCount using Suspend-BitLocker Command
  • Option Eight: Suspend BitLocker Protection for All Drives using Suspend-BitLocker Command
  • Option Nine: Resume BitLocker Protection for Drive using Resume-BitLocker Command
  • Option Ten: Resume BitLocker Protection for All Drives using Resume-BitLocker Command




Option One

Suspend BitLocker Protection for OS Drive in Control Panel


This option can only be used to suspend BitLocker protection for an operating system drive.


1 Open the Control Panel (icons view), and click/tap on the BitLocker Drive Encryption icon.

2 Under Operating system drive, click/tap on the Suspend protection link for the OS drive (ex: "C:") you want. (see screenshot below)

BitLocker_suspend_protection_Control_Panel-1.png

3 Click/tap on Yes to confirm. (see screenshot below)

BitLocker_suspend_protection_Control_Panel-2.png

4 BitLocker protection for this OS drive will remain suspended until you either manually resume or restart the computer.




Option Two

Resume BitLocker Protection for Drive in Control Panel


1 Open the Control Panel (icons view), and click/tap on the BitLocker Drive Encryption icon.

2 Under Operating system drive, expand the suspended drive you want, and click/tap on the Resume protection link. (see screenshot below)

BitLocker_resume_protection_Control_Panel-1.png





Option Three

Resume BitLocker Protection for Drive in File Explorer


1 Open This PC in File Explorer (Win+E). (see screenshot below)

2 Right click on the suspended drive, and click/tap on Show more options.

Step 2 is only available in Windows 11, and not for Windows 10.


3 Click/tap on Resume BitLocker protection.

BitLocker_resume_protection_File_Explorer_This-PC.png





Option Four

Suspend BitLocker Protection for Drive using manage-bde Command


1 Open Windows Terminal (Admin), and select either Windows PowerShell or Command Prompt.

2 Type the command below into Windows Terminal (Admin), press Enter. (see screenshot below)

manage-bde -protectors -disable <drive letter>:

Substitute <drive letter> in the command above with the actual drive letter of the drive for which you want to suspend BitLocker protection.

For example: manage-bde -protectors -disable D:


BitLocker_suspend_protection_manage-bde.png





Option Five

Resume BitLocker Protection for Drive using manage-bde Command


1 Open Windows Terminal (Admin), and select either Windows PowerShell or Command Prompt.

2 Type the command below into Windows Terminal (Admin), press Enter. (see screenshot below)

manage-bde -protectors -enable <drive letter>:

Substitute <drive letter> in the command above with the actual drive letter of the suspended drive for which you want to resume BitLocker protection.

For example: manage-bde -protectors -enable D:


BitLocker_resume_protection_manage-bde.png





Option Six

Suspend BitLocker Protection for Drive using Suspend-BitLocker Command


1 Open Windows Terminal (Admin), and select Windows PowerShell.

2 Type the command below into Windows Terminal (Admin), press Enter. (see screenshot below)

Suspend-BitLocker -MountPoint "<drive letter>:"

Substitute <drive letter> in the command above with the actual drive letter of the drive for which you want to suspend BitLocker protection.

For example: Suspend-BitLocker -MountPoint "D:"


Suspend-BitLocker_PowerShell.png





Option Seven

Suspend BitLocker Protection for OS Drive with RebootCount using Suspend-BitLocker Command


This option applies only to the "C:" operating system drive, and allows you to specify the number of computer restarts before BitLocker protection is automatically restored for this OS drive. You will still be able to manually resume BitLocker protection for this OS drive at any time.


1 Open Windows Terminal (Admin), and select Windows PowerShell.

2 Type the command below into Windows Terminal (Admin), press Enter. (see screenshot below)

Suspend-BitLocker -MountPoint "C:" -RebootCount <restarts #>

Substitute <restarts #> in the command above with a number from 0 to 15 for how many times to restart the computer before automatically restoring BitLocker protection for this OS drive.

Setting 0 for the RebootCount will suspend BitLocker protection for this OS drive until you manually resume BitLocker protection for this OS drive.

For example: Suspend-BitLocker -MountPoint "C:" -RebootCount 0


Suspend-BitLocker_RebootCount_PowerShell.png





Option Eight

Suspend BitLocker Protection for All Drives using Suspend-BitLocker Command


1 Open Windows Terminal (Admin), and select Windows PowerShell.

2 Copy and paste the command below into Windows Terminal (Admin), press Enter. (see screenshot below)

Get-BitLockerVolume | Suspend-BitLocker

Suspend-BitLocker_ALL_PowerShell.png





Option Nine

Resume BitLocker Protection for Drive using Resume-BitLocker Command


1 Open Windows Terminal (Admin), and select Windows PowerShell.

2 Type the command below into Windows Terminal (Admin), press Enter. (see screenshot below)

Resume-BitLocker -MountPoint "<drive letter>:"

Substitute <drive letter> in the command above with the actual drive letter of the suspended drive for which you want to resume BitLocker protection.

For example: Resume-BitLocker -MountPoint "D:"


Resume-BitLocker_PowerShell.png





Option Ten

Resume BitLocker Protection for All Drives using Resume-BitLocker Command


1 Open Windows Terminal (Admin), and select Windows PowerShell.

2 Copy and paste the command below into Windows Terminal (Admin), press Enter. (see screenshot below)

Get-BitLockerVolume | Resume-BitLocker

Resume-BitLocker_ALL_PowerShell.png



That's it,
Shawn Brink
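
Because suspended fixed and removable data drives stay suspended across restarts, it is worth checking for volumes that were never resumed. The following is an added example, not part of the original tutorial: it lists fully encrypted volumes whose protection is Off and previews resuming them. The function names Get-SuspendedBitLockerVolume and Resume-SuspendedBitLockerVolume are hypothetical; the only BitLocker cmdlets used are Get-BitLockerVolume and Resume-BitLocker from the options above.

```powershell
#Requires -RunAsAdministrator
# Added example (hypothetical function names): audit for volumes left suspended.

function Get-SuspendedBitLockerVolume {
    [CmdletBinding()]
    param()

    Get-BitLockerVolume | Where-Object {
        # Data is fully encrypted on disk, yet protection is reported Off:
        # the volume master key is readable through the clear key.
        # Locked volumes report 'Unknown' and volumes still encrypting or
        # decrypting have a different VolumeStatus, so both are skipped.
        $_.ProtectionStatus -eq 'Off' -and $_.VolumeStatus -eq 'FullyEncrypted'
    } | ForEach-Object {
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            VolumeType       = $_.VolumeType   # OperatingSystem or Data
            KeyProtectors    = ($_.KeyProtector.KeyProtectorType -join ', ')
            # Per the tutorial: only an OS drive can resume on restart, and
            # only when it was not suspended with -RebootCount 0.
            ResumesOnRestart = $(if ($_.VolumeType -eq 'OperatingSystem') {
                                     'Depends on RebootCount'
                                 } else {
                                     'Never (manual resume only)'
                                 })
        }
    }
}

function Resume-SuspendedBitLockerVolume {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    foreach ($vol in Get-SuspendedBitLockerVolume) {
        # -WhatIf / -Confirm are honoured before protection is changed.
        if ($PSCmdlet.ShouldProcess($vol.MountPoint, 'Resume BitLocker protection')) {
            Resume-BitLocker -MountPoint $vol.MountPoint |
                Select-Object MountPoint, VolumeStatus, ProtectionStatus
        }
    }
}

# Report first, then preview the change without applying it.
Get-SuspendedBitLockerVolume | Format-Table -AutoSize
Resume-SuspendedBitLockerVolume -WhatIf
```

Remove -WhatIf from the last line to actually resume protection on every volume the report lists.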


 
Minor correction - In the introduction, for "Device Encryption", it says "Device Encryption is only available for the operating system drive". I just bought a new laptop (win 11 Home) and it came with two SSDs. BOTH SSDs were encrypted. In fact, you can only enable or disable 'device' encryption, not 'drive encryption', so it applies to both drives equally. I disabled 'device encryption', and both drives were unencrypted.
 

Yes, as far as fixed drives are concerned (which the Operating System drive is), with Device Encryption it's either all or nothing. Whereas BitLocker Drive Encryption lets you turn on/off the encryption on each fixed drive individually.

Also,
Starting with Windows 11 build 25905, Microsoft have adjusted the prerequisites (removal of Modern Standby/HSTI validation and untrusted DMA ports check) for enabling device encryption so that it is automatically enabled when doing clean installs of Windows 11.
From: Turn On or Off Device Encryption in Windows 11
 
