Suspending BitLocker For Fun & Profit (and to do remote reboots)
If you have a Windows Vista/7 Ultimate or Windows 8/10 Pro system with BitLocker enabled, and the system requires a PIN/password or USB media to decrypt the drive at boot, you can't manage the system remotely if a reboot is required. However, it is possible to suspend BitLocker temporarily so that Windows starts instead of waiting for the decryption key, which keeps remote access available after the reboot. While BitLocker is suspended, the key protectors are available to the boot process, so the drive can be unlocked without intervention.
The process to suspend BitLocker is instantaneous. The drive is not decrypted or re-encrypted.
Run the BitLocker Drive Encryption tool:
If using Windows 7/2012 or later:
- Click Suspend Protection for the boot volume (C:).
- When prompted “Do you want to suspend BitLocker Drive Encryption?”, click Yes.
If using Windows Vista/2008:
- Click Turn Off BitLocker for the boot volume (C:).
- When prompted, click Disable BitLocker.
Complete the maintenance and reboot the system.
In Windows 8/2012 and later, BitLocker is automatically resumed after a reboot, so no further action is required.
For other versions of Windows, open BitLocker Drive Encryption again:
- Windows Vista: Click Turn On BitLocker.
- Windows 7: Click Resume Protection.
Suspending BitLocker can also be performed from an elevated command prompt:
manage-bde -protectors -disable c:
(NB: although the verb here is “disable”, this is just suspension; the drive is not decrypted. To remove the encryption completely, the verb is “off”.)
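The same procedure scripted for Windows 8/2012 and later, as an added example that is not part of the original post: it suspends protection for exactly one restart, confirms the state change before rebooting, and can be re-run afterwards to confirm protection came back. It uses the BitLocker module cmdlets Get-BitLockerVolume, Suspend-BitLocker and Resume-BitLocker; the script parameters -MountPoint and -VerifyOnly and the helper Get-ProtectionState are names assumed for this example.

```powershell
# Added example. Run from an elevated PowerShell session.
param(
    [string]$MountPoint = 'C:',   # boot volume, as in the steps above
    [switch]$VerifyOnly           # assumed switch: run again with this after the reboot
)

$ErrorActionPreference = 'Stop'

# Hypothetical helper: summarise the fields that matter for a suspend/resume cycle.
function Get-ProtectionState {
    param([string]$Mount)
    $vol = Get-BitLockerVolume -MountPoint $Mount
    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus       # e.g. FullyEncrypted
        ProtectionStatus = $vol.ProtectionStatus   # On = protected, Off = suspended
        Protectors       = ($vol.KeyProtector.KeyProtectorType -join ', ')
    }
}

$before = Get-ProtectionState -Mount $MountPoint

if ($VerifyOnly) {
    # Post-reboot check: protection should already be back on.
    if ($before.ProtectionStatus -ne 'On') {
        Write-Warning "BitLocker is still suspended on $MountPoint; resuming."
        Resume-BitLocker -MountPoint $MountPoint | Out-Null
    }
    Get-ProtectionState -Mount $MountPoint
    return
}

if ($before.VolumeStatus -ne 'FullyEncrypted') {
    throw "$MountPoint is $($before.VolumeStatus); expected FullyEncrypted. Aborting."
}
if ($before.ProtectionStatus -ne 'On') {
    throw "Protection on $MountPoint is already suspended."
}

# RebootCount 1: protection resumes automatically after the next restart.
# RebootCount 0 would leave it suspended until Resume-BitLocker is run.
Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null

$after = Get-ProtectionState -Mount $MountPoint
if ($after.ProtectionStatus -ne 'Off') {
    throw "Suspend did not take effect on $MountPoint."
}
$after                     # show the suspended state before rebooting
Restart-Computer -Force
```

Once the system is reachable again, running the script with -VerifyOnly reports the protection state and resumes protection if it is still off.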