Windows: Reboot without entering the bitlocker key

Hi,

Do you want to reboot a Windows box whose BitLocker-encrypted system drive C: is protected by a TPM and a PIN?

It is possible to temporarily disable the PIN prompt. The drive is not decrypted, but the PIN is stored on the disk while the protector is disabled.

To suspend the protection, enter the following command:

c:\> manage-bde.exe -protectors -disable c:

This disables the protection until you enable it again:

c:\> manage-bde.exe -protectors -enable c:

If you want to suspend the protection for only one reboot, use (only available in Windows 8):

c:\> manage-bde.exe -protectors -disable c: -RebootCount 1

See the manage-bde man page for more examples.

Since Windows 8.1/Server 2012 R2 there is also a PowerShell cmdlet, Suspend-BitLocker, which does the same job as manage-bde:

PS c:\> Suspend-BitLocker -MountPoint C: -RebootCount 1 -Confirm:$false

Note: If you have encrypted additional fixed drives such as D: or E: and use the auto-unlock function, you have to suspend BitLocker on those drives before you suspend the C: drive! Otherwise you will need the recovery key to regain access.

Resume BitLocker in the reverse order: first C:, then the other fixed drives.
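The whole procedure above, including the ordering caveat for auto-unlocked data drives, as an added PowerShell example (not from the original post). It assumes the BitLocker module (Windows 8.1 / Server 2012 R2 or later) and an elevated prompt; the function names Suspend-BitLockerForReboot and Resume-BitLockerAfterReboot are my own.

```powershell
# Added example: suspend BitLocker for one reboot on auto-unlocked data volumes
# first, then on the OS volume; resume in the reverse order afterwards.

function Suspend-BitLockerForReboot {
    param([int]$RebootCount = 1)   # 0 would mean "until resumed manually"

    $volumes = Get-BitLockerVolume
    $os   = $volumes | Where-Object { $_.VolumeType -eq 'OperatingSystem' }
    $data = $volumes | Where-Object {
        $_.VolumeType -eq 'Data' -and $_.AutoUnlockEnabled -and $_.ProtectionStatus -eq 'On'
    }

    # 1. Auto-unlocked data volumes go first. Their auto-unlock key lives on the
    #    OS volume, so suspending C: first would leave them reachable only with
    #    the recovery key after the reboot.
    foreach ($v in $data) {
        Suspend-BitLocker -MountPoint $v.MountPoint -RebootCount $RebootCount -Confirm:$false | Out-Null
    }

    # 2. The OS volume last. With -RebootCount 1 protection re-arms by itself
    #    after one reboot, so the key is on disk in the clear only briefly.
    if ($os.ProtectionStatus -eq 'On') {
        Suspend-BitLocker -MountPoint $os.MountPoint -RebootCount $RebootCount -Confirm:$false | Out-Null
    }

    # Show what is currently unprotected so the operator can verify before rebooting.
    Get-BitLockerVolume | Select-Object MountPoint, VolumeType, ProtectionStatus, AutoUnlockEnabled
}

function Resume-BitLockerAfterReboot {
    $volumes = Get-BitLockerVolume
    # Reverse order: C: first, then the data volumes.
    $ordered = @($volumes | Where-Object { $_.VolumeType -eq 'OperatingSystem' }) +
               @($volumes | Where-Object { $_.VolumeType -eq 'Data' })

    foreach ($v in $ordered) {
        # Only resume volumes that are still encrypted but have protection suspended.
        if ($v.ProtectionStatus -eq 'Off' -and $v.VolumeStatus -ne 'FullyDecrypted') {
            Resume-BitLocker -MountPoint $v.MountPoint | Out-Null
        }
    }
    Get-BitLockerVolume | Select-Object MountPoint, VolumeType, ProtectionStatus
}
```

Run Suspend-BitLockerForReboot, check that the listed ProtectionStatus values are Off for the intended volumes, reboot, then run Resume-BitLockerAfterReboot and confirm everything reports On again.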

Michael
