Upgrading encrypted drive

How to upgrade Windows 10 when BitLocker is enabled

If you have a drive using BitLocker, and you need to upgrade to a new version of Windows 10, here's some info you need to know.

Windows 10 upgrade using BitLocker

On Windows 10, BitLocker is a security feature that encrypts the entire drive to protect your data against unauthorized access.

The drawback of using BitLocker is that it usually prevents a successful upgrade to a new version of Windows 10. To avoid this problem, the Windows 10 setup suspends the encryption and adds a decryption key in clear text so that the system can access the partition and complete the upgrade process. Once the Windows 10 upgrade is complete, the plain-text key is removed, and BitLocker is enabled again automatically.

This means that the Windows 10 upgrade process on a device using BitLocker is the same as on a device without the security feature.

The only caveat with this process is that your data is technically vulnerable during the upgrade, as anyone with the right knowledge could get access to it. So, if you’re planning to store important files on a drive, you should also consider keeping your device in a secure location.

Optional settings when using BitLocker

If you’re using USB bootable media to install a new feature update, starting with version 1803 (April 2018 Update), Windows 10 introduces some new command options to control the behavior of BitLocker.

  • Setup.exe /BitLocker AlwaysSuspend – Always suspends BitLocker during the upgrade process.
  • Setup.exe /BitLocker TryKeepActive – Enables the upgrade without suspending BitLocker, but if the upgrade doesn’t work, then BitLocker will be suspended to complete the upgrade.
  • Setup.exe /BitLocker ForceKeepActive – Enables the upgrade without suspending BitLocker, but if the upgrade doesn’t work, it will fail.

To use the above commands, you’ll need to create USB bootable media, and follow these steps:

  1. Open Start.

  2. Search for Command Prompt, right-click the top result, and select Run as administrator.

  3. Type the following command to open the media’s location and press Enter:

    D:\

  4. Type one of the following commands to change the behavior of BitLocker and press Enter:

    • Setup.exe /BitLocker AlwaysSuspend
    • Setup.exe /BitLocker TryKeepActive
    • Setup.exe /BitLocker ForceKeepActive

Once you complete the steps, Windows 10 will try to install a new feature update enforcing the option you specified.

These new settings are available on devices running Windows 10 Pro and Enterprise with Secure Boot enabled and where TPM is available.

If you don’t specify an option, Windows 10 will always suspend (not disable) BitLocker to upgrade to a new version.
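
To confirm that protection came back on after the upgrade, the following PowerShell check (an added example, not part of the original article) separates volumes that are protected, suspended, or not encrypted at all. It relies on the built-in Get-BitLockerVolume cmdlet; the helper name Get-BitLockerUpgradeState and the sample volumes are made up for illustration.

```powershell
# Added example: classify BitLocker volumes after a feature update.
# Get-BitLockerUpgradeState is a hypothetical helper name, not a built-in cmdlet.
function Get-BitLockerUpgradeState {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        $Volume
    )
    process {
        # Cast to string so both real enum values and sample strings compare alike.
        $protection = [string]$Volume.ProtectionStatus
        $status     = [string]$Volume.VolumeStatus

        # Suspended: the data is still encrypted on disk, but protection is off,
        # which is the state the upgrade leaves the drive in while it runs.
        $state = if ($protection -eq 'On') {
            'Protected'
        } elseif ($status -eq 'FullyDecrypted') {
            'NotEncrypted'
        } elseif ($status -eq 'FullyEncrypted' -and $protection -eq 'Off') {
            'Suspended'
        } else {
            "Other ($status / $protection)"   # e.g. encryption still in progress
        }

        [pscustomobject]@{
            MountPoint  = $Volume.MountPoint
            State       = $state
            NeedsAction = ($state -eq 'Suspended')
        }
    }
}

# Constructed sample volumes so the logic can be run without BitLocker present.
$sample = @(
    [pscustomobject]@{ MountPoint = 'C:'; VolumeStatus = 'FullyEncrypted'; ProtectionStatus = 'Off' }
    [pscustomobject]@{ MountPoint = 'D:'; VolumeStatus = 'FullyEncrypted'; ProtectionStatus = 'On' }
    [pscustomobject]@{ MountPoint = 'E:'; VolumeStatus = 'FullyDecrypted'; ProtectionStatus = 'Off' }
)
$sample | Get-BitLockerUpgradeState | Format-Table -AutoSize

# On a real device, from an elevated PowerShell session:
#   Get-BitLockerVolume | Get-BitLockerUpgradeState
# A volume that stays Suspended after the upgrade can be re-protected with:
#   Resume-BitLocker -MountPoint 'C:'
```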