Should I Turn off BitLocker before Upgrading OS?

Posted by @Lucas December 17, 2024 Updated By @Lucas September 4, 2024

User case: Should I turn off BitLocker before upgrading OS?

“I want to use Windows 11 instead of Windows 10 and keep all of my apps and user data. When I ran the setup, it got stuck and wouldn't move. Without fully decrypting the BitLocker private hard drive, I couldn't get it to work. Is this how an in-place change usually works? That should be done, but I'm not sure if BitLocker needs to be turned off for that.”

– User from Reddit

Does BitLocker have to be disabled for OS upgrades?

The answer to this question is YES. Besides changing the operating system, the upgrade also changes the boot partition, so it may be necessary to suspend BitLocker. Some users report that even with BitLocker suspended, the Windows 11 update assistant gave an error. The computer even generated another BitLocker key, whose code remained in the Microsoft account.

Some TPM firmware updates might clear the TPM outside of the Windows API, although not every TPM firmware update does so. If the TPM firmware update uses the Windows API to clear the TPM, BitLocker is suspended automatically, and users do not need to suspend BitLocker protection manually in such cases.

However, it is recommended that users test their TPM firmware updates if they prefer not to suspend BitLocker protection. This testing ensures that the update process will not inadvertently clear the TPM in a way that BitLocker cannot automatically handle, thereby maintaining the integrity and security of their encrypted data.

Also, there are some reasons why we suggest you turn off BitLocker before upgrading OS:

1. File Access Restrictions

  • Encryption Complexity: BitLocker encrypts the entire drive, including system and boot files. During an OS upgrade, the installer needs to read and write to these critical files. If the upgrade process cannot access these files because they are encrypted, it may fail.
  • Read/Write Permissions: Certain upgrade tasks require unrestricted access to system files, which might be restricted by BitLocker encryption.

2. System File Integrity Checks

  • Modification Detection: BitLocker ensures the integrity of the system files to prevent unauthorized changes. During an upgrade, system files are modified, and this can trigger BitLocker to block these changes to maintain security.

3. Boot Configuration Data (BCD) Issues

  • Bootloader Updates: Upgrading the OS often involves updating the bootloader. If BitLocker is enabled, any issues accessing or modifying the Boot Configuration Data (BCD) can lead to a failed boot process post-upgrade.
  • Secure Boot Interference: BitLocker integrates with Secure Boot to provide an additional layer of security. Changes to the bootloader or BCD during an upgrade might be flagged as a security issue, causing the upgrade to fail.

4. Error Recovery Complications

  • Recovery Environment: If the upgrade fails and the system needs to boot into the Windows Recovery Environment (WinRE), BitLocker encryption might complicate this process. The recovery environment might not have the necessary decryption keys to access the encrypted drive.
  • Rollback Issues: If the upgrade needs to be rolled back, BitLocker encryption can make this process more complex and error-prone.

How to turn off BitLocker before an OS upgrade?

In this part, we'll show you 3 ways to turn off BitLocker on your drive with Windows' built-in tools, followed by a third-party option.

Way 1. Turn off BitLocker encryption via Control Panel

As with suspending BitLocker, you can do this from the Control Panel. Here are the steps:

Step 1. Open Control Panel and go to "System and Security" > "BitLocker Drive Encryption".

Step 2. Click Turn off BitLocker on the drive that you want to decrypt.

Step 3. Confirm whether you want to decrypt your drive, then click “Yes” to start the process, and your drive will not be protected anymore.

Way 2. Turn off BitLocker from Command Prompt

To turn off BitLocker from the command line, you can use the "manage-bde" command in Command Prompt. The command differs slightly from the one used for suspending. Here's a step-by-step guide:

Step 1. Run command prompt as an administrator.

Step 2. If your drive is locked, you need to type the following command to unlock it:

manage-bde -unlock F: -RecoveryPassword YOUR-BITLOCKER-RECOVERY-KEY

Step 3. Then, use the following command to turn off BitLocker for a specific drive:

manage-bde -off X:

Replace X with the letter of the drive you want to decrypt (e.g., E:).

Here's an example: manage-bde -off E:

Step 4. The command will initiate the decryption process. Please note that this process may take some time, especially if you have a large drive or a significant amount of data. Wait for it to complete.

Way 3. Turn off BitLocker using PowerShell

If you prefer using PowerShell, you can use the Disable-BitLocker cmdlet. Let’s see the steps:

Step 1. Right-click on the Start button and select "Windows PowerShell (Admin)".

Step 2. Use the following PowerShell command:

Disable-BitLocker -MountPoint "X:"

Replace X with the letter of the drive you want to decrypt (e.g., E).

Step 3. Allow some time for the decryption process to finish. After completing these steps, BitLocker protection will be turned off, and the drive will be decrypted.
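
The Way 3 steps as one script, as an added example that is not part of the original article: it checks the drive's lock and encryption state and lists its recovery key ID before calling Disable-BitLocker, then polls until decryption completes. Invoke-PreUpgradeBitLocker, its parameters and the Suspend mode (which calls Suspend-BitLocker, the suspension the article refers to) are hypothetical additions.

```powershell
# Added example, not from the original article. Run from an elevated PowerShell session.
# Invoke-PreUpgradeBitLocker and its parameters are hypothetical names.
function Invoke-PreUpgradeBitLocker {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$MountPoint = $env:SystemDrive,        # e.g. "C:"
        [ValidateSet('Off', 'Suspend')][string]$Mode = 'Off',
        [int]$PollSeconds = 30
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

    # A locked drive has to be unlocked first (Way 2, Step 2).
    if ($vol.LockStatus -eq 'Locked') {
        throw "$MountPoint is locked. Unlock it with its password or recovery key first."
    }
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        return "$MountPoint is not encrypted; nothing to do."
    }

    # Show which recovery password protects the drive, so the matching
    # key can be located before protection is changed.
    $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($recovery.Count -eq 0) {
        Write-Warning "$MountPoint has no recovery password protector."
    }
    foreach ($p in $recovery) { Write-Host "Recovery key ID: $($p.KeyProtectorId)" }

    if ($Mode -eq 'Suspend') {
        # -RebootCount 0 keeps protection suspended until Resume-BitLocker is run.
        if ($PSCmdlet.ShouldProcess($MountPoint, 'Suspend BitLocker protection')) {
            Suspend-BitLocker -MountPoint $MountPoint -RebootCount 0 | Out-Null
        }
        return (Get-BitLockerVolume -MountPoint $MountPoint).ProtectionStatus
    }

    if ($PSCmdlet.ShouldProcess($MountPoint, 'Turn off BitLocker and decrypt')) {
        Disable-BitLocker -MountPoint $MountPoint | Out-Null
        do {   # Step 3: wait for decryption to finish
            Start-Sleep -Seconds $PollSeconds
            $vol = Get-BitLockerVolume -MountPoint $MountPoint
            Write-Host "$($vol.VolumeStatus): $($vol.EncryptionPercentage)% still encrypted"
            if ($vol.VolumeStatus -notin 'DecryptionInProgress', 'FullyDecrypted') {
                throw "Decryption is not progressing on ${MountPoint}: $($vol.VolumeStatus)"
            }
        } while ($vol.VolumeStatus -ne 'FullyDecrypted')
    }
    return (Get-BitLockerVolume -MountPoint $MountPoint).VolumeStatus
}

# Dry run: report what would happen to E: without changing anything.
Invoke-PreUpgradeBitLocker -MountPoint 'E:' -WhatIf
```

Drop -WhatIf to perform the change; after an upgrade done in Suspend mode, Resume-BitLocker -MountPoint restores protection.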

Way 4. Use a third-party tool to turn off BitLocker

Besides system tools, you can also use a third-party tool. AOMEI Partition Assistant Professional is a disk and drive manager for Windows users. If you run into any problems that prevent you from turning off BitLocker, the "BitLocker" function of this handy tool will solve the problem quickly. The BitLocker function can even support Windows Home users to encrypt their drives.

Step 1. Find the encrypted drive you would like to decrypt and click the option "Turn off BitLocker".

Step 2. There are 2 ways available to decrypt the drive: Use password to decrypt the drive and Use recovery key to decrypt the drive. Please select either way as per your need.

If you select "Use a password to decrypt the drive", please enter the right password and then click the "Decrypt" button.

If you select "Use a recovery key to decrypt the drive", please enter the recovery key saved in the TXT file or printed when you encrypted the drive, and then click the "Decrypt" button.

Step 3. The decryption process will then start, and it might take some time to decrypt the drive. Once the decryption process is finished, click "Completed". The drive is now decrypted.

Final lines

In all, we suggest you turn off BitLocker before upgrading the OS because if the upgrade process cannot proceed due to encryption-related access issues, it might attempt to roll back to the previous version. This rollback might fail if BitLocker interferes with restoring system files. Also, there is a risk of data loss if the upgrade process encounters critical errors related to encrypted files and cannot properly handle them. Some users might see access denied errors if the upgrade process tries to modify or replace system files that are protected by BitLocker.

As a disk manager, AOMEI Partition Assistant Professional can also help you manage your BitLocker drive. In addition, you can prepare your disk before upgrading with many practical functions, such as extending C drive space, resizing the recovery partition, converting MBR to GPT without data loss, and so on.