How to Suspend BitLocker with PowerShell

Key takeaways

  • Automated BitLocker management: The script provides a streamlined way to suspend BitLocker encryption on Windows systems, enhancing efficiency in IT management.
  • Administrative privileges required: Running the script requires Administrator privileges, ensuring secure handling of encryption settings.
  • Conditional restart options: Parameters like -Restart and -RestartIfNoEncryption offer flexibility, catering to different operational scenarios in IT environments.
  • Temporary suspension for maintenance: Ideal for system updates or hardware changes, the script suspends BitLocker protection (the volume stays encrypted; its key protectors are disabled) only until the next reboot, maintaining overall security.
  • Script vs. manual management: This PowerShell approach is more efficient and less error-prone compared to manual BitLocker suspension methods.
  • Security and compliance: Use the script judiciously within the bounds of organizational security policies to avoid potential data exposure.
  • Enhanced with IT management tools: Integration with platforms like NinjaOne can further streamline script deployment and IT security management.
  • Automated reactivation post-restart: BitLocker automatically reactivates after a system reboot, ensuring continuous data protection.

BitLocker, Microsoft’s encryption program, offers a crucial layer of security for data protection. However, in specific scenarios such as system updates or hardware modifications, suspending BitLocker temporarily becomes necessary. PowerShell scripts, like the one we’re examining today, provide an efficient solution for managing BitLocker’s state, offering convenience and control to IT professionals.

Background

The provided PowerShell script is designed to suspend BitLocker encryption on Windows systems until the next restart. This functionality is particularly valuable in managed IT environments, where large-scale software updates or changes to system configuration often require temporary suspension of encryption. For Managed Service Providers (MSPs) and IT professionals, this script streamlines the process, ensuring minimal disruption to security protocols while performing critical operations.

The script:

#Requires -Version 5.1

<#
.SYNOPSIS
    Suspends BitLocker Protection until after the next restart. Can optionally restart the computer once suspended.
.DESCRIPTION
    Suspends BitLocker Protection until after the next restart. Can optionally restart the computer once suspended.
.EXAMPLE
    (No Parameters)

    Checking for Bitlocker Volumes...
    Bitlocker Volumes found!

    Drive RecoveryPassword                                                Status
    ----- ----------------                                                ------
    C:    652795-525382-638803-450769-280214-250415-444829-276023 FullyEncrypted



    Suspending Found Volumes
    Suspended Drive C:

PARAMETER: -Restart
    Restart the computer after suspending BitLocker protection.

PARAMETER: -RestartIfNoEncryption
    Restart the computer even if no BitLocker protection was found.

.OUTPUTS
    None
.NOTES
    Minimum OS Architecture Supported: Windows 10, Server 2016
    Release Notes:
    Initial Release
By using this script, you indicate your acceptance of the following legal terms as well as our Terms of Use at https://www.ninjaone.com/terms-of-use.
    Ownership Rights: NinjaOne owns and will continue to own all right, title, and interest in and to the script (including the copyright). NinjaOne is giving you a limited license to use the script in accordance with these legal terms. 
    Use Limitation: You may only use the script for your legitimate personal or internal business purposes, and you may not share the script with another party. 
    Republication Prohibition: Under no circumstances are you permitted to re-publish the script in any script library or website belonging to or under the control of any other software provider. 
    Warranty Disclaimer: The script is provided “as is” and “as available”, without warranty of any kind. NinjaOne makes no promise or guarantee that the script will be free from defects or that it will meet your specific needs or expectations. 
    Assumption of Risk: Your use of the script is at your own risk. You acknowledge that there are certain inherent risks in using the script, and you understand and assume each of those risks. 
    Waiver and Release: You will not hold NinjaOne responsible for any adverse or unintended consequences resulting from your use of the script, and you waive any legal or equitable rights or remedies you may have against NinjaOne relating to your use of the script. 
    EULA: If you are a NinjaOne customer, your use of the script is subject to the End User License Agreement applicable to you (EULA).
#>

[CmdletBinding()]
param (
    [Parameter()]
    [Switch]$Restart = [System.Convert]::ToBoolean($env:restart),
    [Parameter()]
    [Switch]$RestartIfNoEncryption = [System.Convert]::ToBoolean($env:restartRegardlessOfBitlockerStatus)
)

begin {
    function Test-IsElevated {
        $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
        $p = New-Object System.Security.Principal.WindowsPrincipal($id)
        $p.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
    }
}
process {
    if (-not (Test-IsElevated)) {
        Write-Error -Message "Access Denied. Please run with Administrator privileges."
        exit 1
    }

    Write-Host "Checking for BitLocker Volumes..."
    $BitLockerVolumes = Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -eq "On" } | ForEach-Object {
        [PSCustomObject]@{
            Drive            = $_.MountPoint
            RecoveryPassword = $_.KeyProtector | Where-Object { $_.RecoveryPassword } | Select-Object -ExpandProperty RecoveryPassword
            Status           = $_.VolumeStatus
        }
    }

    if ($BitlockerVolumes) {
        Write-Host "BitLocker Volumes found!"
        $BitLockerVolumes | Format-Table -AutoSize | Out-String | Write-Host

        Write-Host "Suspending Found Volumes"
        $BitlockerVolumes | ForEach-Object {
            try {
                Suspend-BitLocker -MountPoint $_.Drive -RebootCount 1 -ErrorAction Stop | Out-Null
                Write-Host "Suspended Drive $($_.Drive)"
            }
            catch {
                Write-Error "Failed to suspend drive $($_.Drive)!"
                Exit 1
            }
        }
    }
    else {
        Write-Warning "No BitLocker Volumes found with protection turned on?"
        if (-not $RestartIfNoEncryption) {
            exit 1
        }
    }

    if (($Restart -or $RestartIfNoEncryption) -and ($BitLockerVolumes -or $RestartIfNoEncryption)) {
        Write-Host "Scheduling restart for 30 seconds from now."

        Start-Process cmd.exe -ArgumentList "/c shutdown.exe /r /t 30" -Wait -NoNewWindow
    }
}
end {
}
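The param block above derives its switch defaults from environment variables with [System.Convert]::ToBoolean. That method accepts only the strings "true" and "false" (a missing variable yields $false) and throws a FormatException on anything else, such as "1" or "yes", before the script body runs. The following is an added example, not part of the NinjaOne script, showing a tolerant converter that can replace those defaults; the function name ConvertTo-SwitchValue, its -Strict switch and the sample values are assumptions introduced here.

```powershell
# Added example (not part of the NinjaOne script): a tolerant replacement for the
# [System.Convert]::ToBoolean($env:...) defaults used in the param block above.
# Convert.ToBoolean(string) accepts only "true"/"false" (and $null -> $false);
# a value such as "1" or "yes" throws a FormatException before the script body runs.
# The function name ConvertTo-SwitchValue and the -Strict switch are assumptions.

function ConvertTo-SwitchValue {
    [CmdletBinding()]
    [OutputType([bool])]
    param(
        [Parameter(ValueFromPipeline)]
        [AllowNull()]
        [AllowEmptyString()]
        [string]$Value,
        # Reject unrecognised input instead of silently treating it as $false, so a
        # typo in an RMM variable cannot reboot (or skip rebooting) a fleet by accident.
        [switch]$Strict
    )
    process {
        if ([string]::IsNullOrWhiteSpace($Value)) { return $false }
        # switch is case-insensitive by default, so "True", "YES" and "On" all match.
        switch -Regex ($Value.Trim()) {
            '^(true|t|yes|y|1|on)$'  { return $true }
            '^(false|f|no|n|0|off)$' { return $false }
            default {
                if ($Strict) { throw "Unrecognised boolean value '$Value'." }
                Write-Warning "Unrecognised boolean value '$Value'; treating it as `$false."
                return $false
            }
        }
    }
}

# Usage in a param block, mirroring the original script's defaults:
#   [Switch]$Restart = (ConvertTo-SwitchValue $env:restart -Strict)

# Constructed sample values, as an RMM might set them (not real data):
$samples = @('true', 'False', '1', 'yes', $null, '', 'maybe')
foreach ($s in $samples) {
    $shown = if ($null -eq $s) { '$null' } else { "'$s'" }
    '{0,-8} -> {1}' -f $shown, (ConvertTo-SwitchValue $s)
}
```

With -Strict the conversion fails loudly at parameter binding, which is usually the right behaviour for a script whose side effect is a reboot: an operator sees the error in the RMM run log instead of a silently skipped restart.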

 


Detailed breakdown

The script begins by checking that it is running with Administrator privileges, which are required to modify BitLocker settings. It then lists every volume whose protection status is On, together with its recovery password and volume status; note that the recovery password is written to the script output, so it will appear in whatever log the RMM keeps of the run. For each of those volumes it calls Suspend-BitLocker with -RebootCount 1: the data stays encrypted, but the key protectors are disabled so the volume unlocks without TPM, PIN or password validation for the next boot only, after which protection resumes automatically.

Two key parameters, -Restart and -RestartIfNoEncryption, give users control over the computer’s behavior post-script execution. The -Restart parameter triggers a system reboot after suspending BitLocker, while -RestartIfNoEncryption ensures a restart even if no encrypted volumes are found. This flexibility is crucial for automation in larger IT infrastructures.

Potential use cases

Imagine an IT administrator in a large corporation preparing to deploy a critical software update across all company computers. Using this script, they can temporarily suspend BitLocker, apply the update, and then allow BitLocker to reactivate upon the next system restart, maintaining security while ensuring smooth update deployment.

Comparisons

Traditionally, suspending BitLocker requires manual intervention for each system or complex group policy configurations. This script simplifies the process, providing a more straightforward, script-based approach that can be integrated into automated workflows, making it a more efficient option for MSPs and IT professionals.

FAQs

  • Is it safe to suspend BitLocker using this script?
    • Yes, but ensure it’s used in a controlled environment. The script suspends protection only until the next reboot (Suspend-BitLocker is called with -RebootCount 1), after which BitLocker automatically re-enables its key protectors.
  • Can this script be used on any Windows version?
    • The script is designed for Windows 10 and Server 2016 onwards, as these versions support the necessary PowerShell commands.
  • Does the script provide feedback if BitLocker is not found?
    • Yes, it warns if no encrypted volumes are detected and acts according to the script’s parameters.

Implications

While this script is a powerful tool, its misuse can lead to security vulnerabilities. Temporarily suspending BitLocker exposes data, so it should be used judiciously and in secure environments. Always ensure that the suspension of BitLocker aligns with your organization’s security policies.

Recommendations

  • Always run the script in a secure and controlled environment.
  • Verify that all systems are correctly rebooted after the script’s execution to ensure BitLocker reactivates.
  • Incorporate this script into broader system maintenance protocols to maintain overall security integrity.
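The breakdown above explains that protection should resume on its own after the reboot, and the second recommendation asks you to verify that it did. The following is an added example, not part of the NinjaOne script, of a post-maintenance check that reports every BitLocker volume, flags encrypted volumes whose protection is still suspended, and with -Resume re-enables the protectors through Resume-BitLocker. The function name Get-BitLockerProtectionReport and the -Resume switch are assumptions introduced here; it must run elevated on the endpoint.

```powershell
#Requires -Version 5.1
# Added example, not part of the NinjaOne script. Reports every BitLocker volume
# and flags encrypted volumes whose protection is still suspended; with -Resume it
# re-enables the key protectors via Resume-BitLocker. The function name and the
# -Resume switch are assumptions introduced here. Run elevated on the endpoint.

function Get-BitLockerProtectionReport {
    [CmdletBinding()]
    param(
        # Re-enable protectors on suspended volumes instead of only reporting them.
        [switch]$Resume
    )

    foreach ($v in Get-BitLockerVolume) {
        # A FullyDecrypted volume has nothing to resume. The case that matters is an
        # encrypted volume with ProtectionStatus Off, which is what Suspend-BitLocker
        # leaves behind (the volume key is stored in the clear until protection resumes).
        $encrypted = $v.VolumeStatus -ne 'FullyDecrypted'
        $suspended = $encrypted -and ($v.ProtectionStatus -eq 'Off')
        $action    = 'None'

        if ($suspended -and $Resume) {
            try {
                Resume-BitLocker -MountPoint $v.MountPoint -ErrorAction Stop | Out-Null
                $action    = 'Resumed'
                $suspended = $false
            }
            catch {
                $action = "ResumeFailed: $($_.Exception.Message)"
            }
        }

        [PSCustomObject]@{
            Drive            = $v.MountPoint
            VolumeType       = $v.VolumeType
            VolumeStatus     = $v.VolumeStatus
            ProtectionStatus = $v.ProtectionStatus
            Suspended        = $suspended
            Action           = $action
        }
    }
}

# Report only; add -Resume to enforce. Exit non-zero when an encrypted volume is
# still unprotected so an RMM policy or monitoring condition can flag the device.
$report = Get-BitLockerProtectionReport
$report | Format-Table -AutoSize | Out-String | Write-Host

$stillSuspended = @($report | Where-Object { $_.Suspended })
if ($stillSuspended.Count -gt 0) {
    Write-Warning ("Protection still suspended on: " + ($stillSuspended.Drive -join ', '))
    exit 1
}
Write-Host "All encrypted volumes have protection enabled."
```

Deploying this as a follow-up task a few minutes after the maintenance reboot turns the recommendation into a measurable condition: a device that exits 1 has either not rebooted yet or was suspended again, and either way deserves a look before it is considered compliant.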

Final thoughts

In the context of managed IT services, tools like NinjaOne can complement scripts like this. NinjaOne offers comprehensive IT management solutions, making it easier to deploy scripts, monitor system health, and manage security across a network. Integrating PowerShell scripts into such platforms enhances efficiency, security, and control, essential for modern IT infrastructures.

Next Steps

Building an efficient and effective IT team requires a centralized solution that acts as your core service delivery tool. NinjaOne enables IT teams to monitor, manage, secure, and support all their devices, wherever they are, without the need for complex on-premises infrastructure.

Learn more about NinjaOne Remote Script Deployment, check out a live tour, or start your free trial of the NinjaOne platform.
