BitLocker is "Suspended" during Windows Updates. Why?

Skipper Of Odyssey 1 Reputation point
2021-04-20T11:06:05.043+00:00

In our environment we use a mixture of Windows 10 LTSB and LTSC machines.

All our assets have BitLocker enabled.

Updates are applied via SCCM (Microsoft Endpoint Configuration Manager) 2012 R2.

When Windows 10 updates apply to those assets after a Patch Tuesday update, BitLocker is suspended and the machines are shut down, as the updates normally apply while the machines are shutting down and the user goes home.

When the machine is next switched on, the BitLocker screen does not appear (BitLocker suspended) and you are immediately presented with the Windows logon screen. After another reboot the machine re-enables BitLocker, but this leaves the machine vulnerable until it is rebooted an additional time.

My questions are:

  1. Why is Microsoft suspending BitLocker for the updates to take place and not re-enabling it before the machine shuts down, which leaves our machines vulnerable?
  2. Is there a way to ensure BitLocker is enabled after the Windows update (even if it is part way through and requires a reboot after a shutdown)?

Thank you.


3 answers

  1. AllenLiu-MSFT 22,401 Reputation points Microsoft Employee
    2021-04-21T08:30:38.393+00:00

    Hi, @Skipper Of Odyssey
    Thank you for posting in Microsoft Q&A forum.
    Since you are using SCCM to deploy the Windows updates, check your client settings to see if "Suspend BitLocker PIN entry on restart" is set to "Always". If so, we may change it to "Never".

    [Screenshot: 89835-44.jpg (ConfigMgr client settings, "Suspend BitLocker PIN entry on restart")]

    By the way, for SCCM update-related issues, we may use the tag mem-cm-updates.


    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. Cheong00 3,421 Reputation points
    2021-04-21T10:00:06.493+00:00

    I remember that if any of the updates includes an update for the BIOS (only if your device is from Microsoft, say the WinPhone or Surface families) or for BitLocker itself, it will temporarily suspend BitLocker in order to export the key on the boot drive. Then on the next reboot it can update the metadata to the new version.

    If that's the case, I don't know why it won't resume automatically after booting. You may want to check Event Viewer and see if there's any hint.


  3. Jason Sandys 30,881 Reputation points Microsoft Employee
    2021-04-21T17:04:40.99+00:00

    Quality updates never suspend BitLocker, although ConfigMgr Current Branch has the ability to do this when ConfigMgr initiates a restart (for whatever reason) -- see the screenshot from @AllenLiu-MSFT (this is not present in ConfigMgr 2012). However, this won't leave BitLocker in a suspended state after the reboot has completed. Thus, there's something else going on here and, as @Cheong00 noted, the first step is to review the event log to discover the source.

    Also, as a note to the OP, ConfigMgr 2012 is only supported for managing Win 10 LTSB 2015 (and maybe 2016 LTSC -- I don't remember specifically). You really should upgrade to ConfigMgr CB soon.
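
Added worked check (not code from any of the posts above, and independent of which answer is right about the cause): a PowerShell script that detects the "suspended" state the question describes (volume fully encrypted, protectors off), resumes protection, and pulls the BitLocker Management event log that answers 2 and 3 point at. Assumptions: the OS volume is the system drive ($env:SystemDrive), the Windows 10 BitLocker module is present, the log name 'Microsoft-Windows-BitLocker/BitLocker Management' is correct for the build in use, and the script runs elevated.

```powershell
# Added example, not from the thread. Run elevated on the affected Windows 10 machine.
# Assumes the OS volume is $env:SystemDrive and the BitLocker module is available.

function Get-OsVolumeBitLockerState {
    param([string]$MountPoint = $env:SystemDrive)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    # "Suspended" is not a separate VolumeStatus: the volume stays FullyEncrypted
    # while ProtectionStatus flips to Off, because the protectors are disabled and a
    # clear key sits on disk. That is why the pre-boot PIN/TPM screen is skipped.
    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus       # FullyEncrypted / EncryptionInProgress / FullyDecrypted
        ProtectionStatus = $vol.ProtectionStatus   # On / Off
        Suspended        = ($vol.VolumeStatus -eq 'FullyEncrypted' -and $vol.ProtectionStatus -eq 'Off')
        KeyProtectors    = ($vol.KeyProtector | ForEach-Object KeyProtectorType) -join ', '
    }
}

function Resume-OsVolumeBitLocker {
    param([string]$MountPoint = $env:SystemDrive)
    $state = Get-OsVolumeBitLockerState -MountPoint $MountPoint
    if ($state.Suspended) {
        Write-Output "BitLocker is suspended on $MountPoint; resuming protection."
        Resume-BitLocker -MountPoint $MountPoint | Out-Null
        # manage-bde shows the remaining suspend reboot count ("Protection Off (N reboots left)"),
        # which Get-BitLockerVolume does not expose; useful when diagnosing who suspended it.
        manage-bde -status $MountPoint
    } else {
        Write-Output "BitLocker protection on $MountPoint is $($state.ProtectionStatus); nothing to do."
    }
}

function Get-BitLockerSuspendEvents {
    param([int]$Days = 7)
    # The log Cheong00 and Jason Sandys suggest reviewing. Filtering on message text
    # instead of hard-coding event IDs; the log name is the only assumption here.
    Get-WinEvent -LogName 'Microsoft-Windows-BitLocker/BitLocker Management' -ErrorAction SilentlyContinue |
        Where-Object { $_.TimeCreated -gt (Get-Date).AddDays(-$Days) -and $_.Message -match 'suspend|resum|protection' } |
        Select-Object TimeCreated, Id, ProviderName, Message
}

Get-OsVolumeBitLockerState | Format-List
Resume-OsVolumeBitLocker
Get-BitLockerSuspendEvents | Format-Table -AutoSize -Wrap
```

Correlate the timestamps of the suspend events with the Windows Update install and shutdown times to see which component disabled the protectors. If the goal is simply to never boot with protection off, the resume step can be wrapped into a startup script or a ConfigMgr configuration baseline remediation so it runs before a user reaches the logon screen.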