Windows 10: Bitlocker automatically suspending after CU

Hi



I have encountered unexpected behavior with Bitlocker since cumulative update (CU) KB4100403 in June.


The machine is running Windows 10 Pro, 1803. The machine has no TPM, and Bitlocker is set up to use a password prior to logging in.


I noticed that since mid-June, Bitlocker is automatically suspended on my operating system drive during Cumulative Updates. Once the update has completed and I log in, Bitlocker is suspended and must either be manually resumed or will automatically resume once I manually restart the system. manage-bde shows the drive status as:


Volume C: [System]
[OS Volume]
Size: 59.07 GB
BitLocker Version: 2.0
Conversion Status: Fully Encrypted
Percentage Encrypted: 100.0%
Encryption Method: XTS-AES 128
Protection Status: Protection Off (1 reboots left) <-------------------
Lock Status: Unlocked
Identification Field: Unknown
Key Protectors:
Password
Numerical Password


The problem here is that Bitlocker should not be suspended unless user-initiated as this creates a security issue. Now I am aware of the following blog post relating to changes made to Bitlocker in 1803: https://blogs.technet.microsoft.com/mniehaus/2018/05/02/new-upgrade-to-windows-10-1803-without-suspending-bitlocker/. I have asked about this issue elsewhere have been pointed to this blog post, however it doesn't apply to my situation as (1) it applies only to Feature Updates, not the Cumulative Updates I am dealing with; and (2) it only applies to machines that have a TPM - mine does not.



Looking at the Bitlocker event logs, each time Bitlocker is suspended, the event shows the action initiated by the system account, and each time it correlates with a CU installed in Windows Update.



To get to the bottom of this, I have tried:

(1) To eliminate issues related to software I've installed, I tried a fresh install of 1803 English International from my original ISO, only changed the GPO to allow Bitlocker without TPM, let Bitlocker encrypt, then applied all Windows updates (including the latest CU). On reboot, Bitlocker was suspended.

(2) To eliminate issues related to my ISO, I used the media creation tool to make a new USB installer of 1803 US English. Then followed the same process as (1). On reboot, Bitlocker was suspended.

(3) To attempt to eliminate as many hardware issues as possible, I set up a VirtualBox VM (without VM extensions or tools) and installed 1803 from my original ISO. Then followed the same process as (1). On reboot, Bitlocker was suspended.


Has anyone else encountered this? Is this expected behavior since KB4100403, and if so, does anyone know why?


Thanks

:)

 

Need to turn off Bitlocker to install Windows 10

Hi,

We suggest doing the following steps again to resolve the issue. To complete the procedure, make sure that you have the following information:

• You must be able to provide administrative credentials.
• The drive must be BitLocker-protected.

To suspend BitLocker Drive Encryption on an operating system drive, please follow the steps below:

• Click Start, click Control Panel, click
  System and Security, and then click BitLocker Drive Encryption.
• Click Suspend Protection for the operating system drive.
• A message is displayed, informing you that your data will not be protected while BitLocker is suspended and asking if you want to suspend BitLocker Drive Encryption.
  
• Click Yes to continue and suspend BitLocker on the drive.

Let us know how it goes.

 

Bitlocker Key

Hi,

Thank you for posting your concern. It is good that you know the Bitlocker key to properly get into the computer. To help you turn off the Bitlocker key, you can follow the steps below:

Please make sure you are signed as the Administrator of the computer.

To suspend BitLocker Drive Encryption on an operating system drive

• 
  Click Start, click Control Panel, click
  System and Security, and then click BitLocker Drive Encryption.
  
• 
  Click Suspend Protection for the operating system drive.
  
• 
  A message is displayed, informing you that your data will not be protected while BitLocker is suspended and asking if you want to suspend BitLocker Drive Encryption. Click
  Yes to continue and suspend BitLocker on the drive.
  

To turn off BitLocker Drive Encryption

• 
  Click Start, click Control Panel, click
  System and Security, and then click BitLocker Drive Encryption.
  
• 
  Find the drive on which you want BitLocker Drive Encryption turned off, and click
  Turn Off BitLocker.
  
• 
  A message is displayed, informing you that the drive will be decrypted and that decryption may take some time. Click
  Decrypt the drive to continue and turn off BitLocker on the drive.
  

Let us know if this resolves your concern.

 

Bitlocker encryption suspended - how to restart

It possible that the BitLocker protection was accidentally suspended.

For us to provide you with appropriate resolution, please answer the questions below.

• When did the issue start? Not sure, maybe last week or so
• Were there any changes made on the device? Only a few Win updates
• Are you able to log in to your device? Yes
• Have you tried to resume encryption in the BitLocker Manager?
  The option is not available when I right mouse click or not sure where to look for it
• Can you clarify "on the reboot the TPM commands won't recognize my keyboard"?
  I do the steps to use TPM.MSC to clear out settings and reset password. I get to the reboot screen and no key works on the Surface keyboard I use