Understanding Windows 10 upgrade BitLocker state

Understanding Windows 10 upgrade BitLocker state

Q. If I perform a Windows upgrade for a machine encrypted with BitLocker is there a point when the volume is no longer protected during the upgrade?

A. When using BitLocker no manual actions are required to upgrade the OS which is a different experience when a third-party disk encryption technology is used that requires various steps to enable the upgrade to work. Behind the scenes what actually happens is the current protectors are essentially disabled since a new clear key is added to enable access to the volume even in the PE environment then once the upgrade is complete the clear key is removed and the original protectors enabled again. This means the volume is still encrypted with BitLocker however no key is required to read the volume.

What this means is that technically during the upgrade process the volumes could be accessed if you booted from a USB stick (for example) and data accessed. Therefore to maximize security keep machines in secure locations during the upgrade process. Also to help minimize possible impact you could disable the Shift+F10 key combination which normally opens a command prompt during the upgrade by following the instructions at https://support.microsoft.com/en-us/kb/929839.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.