
Script to suspend or resume BitLocker protection on Windows 10/11 devices

BitLocker Drive Encryption is a data protection feature that encrypts the entire system drive (and, optionally, fixed and removable drives) to address the threat of data theft or exposure from lost, stolen, or improperly decommissioned computers. Despite being a useful feature for Windows devices, it has a downside. When the system drive is protected with a TPM-based key protector, a Unified Extensible Firmware Interface (UEFI) or Basic Input/Output System (BIOS) update, a hardware change, or an upgrade to a new version of the operating system can change the boot measurements the TPM checks before it releases the volume key. BitLocker then treats the device as possibly tampered with and prompts for the recovery key at startup. Such recovery prompts can be avoided by suspending BitLocker protection for the duration of the change, using a batch or PowerShell script: the drive stays encrypted, but the volume key is temporarily stored in the clear so the device boots without the TPM check. Hexnode UEM allows IT admins to remotely deploy these scripts to their endpoints using the Execute Custom Script action.

Disclaimer:

The sample scripts provided below are adapted from third-party open-source sites.

Batch Script

Suspend BitLocker protection

The script uses the manage-bde command-line tool (manage-bde -protectors -disable) to suspend BitLocker protection on the system drive; the data itself is not decrypted. The -RebootCount parameter specifies how many times the computer can restart before BitLocker automatically resumes protection. Values from 0 to 15 are accepted; 0 keeps protection suspended until you resume it manually, so prefer the smallest count that covers the planned restarts.

Resume BitLocker protection

The script resumes BitLocker protection (manage-bde -protectors -enable). The system drive was never decrypted while suspended; resuming re-enables the key protectors, so the data is again inaccessible without the TPM, PIN, or recovery key. Run it only after the firmware update or hardware change has completed and the device has restarted on the new configuration.

PowerShell Script

Suspend BitLocker protection

The Suspend-BitLocker cmdlet suspends BitLocker protection (not encryption) on the BitLocker volume specified by the MountPoint parameter. Use -RebootCount to set how many times the computer can be restarted before BitLocker automatically re-enables protection. Values from 0 to 15 are allowed. If RebootCount is 0, protection remains suspended until you manually resume it with Resume-BitLocker, leaving the volume key stored in the clear for that whole period.

Resume BitLocker protection

Running the script re-enables the key protectors on the volume (Resume-BitLocker), so BitLocker protection is active again on the device. Resume only after the maintenance that required the suspension has finished; resuming before the restart that applies a firmware change would bring back the recovery key prompt the suspension was meant to avoid.
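The following script is an added example covering both the suspend and the resume steps described above (and the manage-bde equivalents from the batch section, noted in comments); it is not Hexnode's sample script. It assumes the BitLocker PowerShell module that ships with Windows 10/11, an elevated session, and that the OS volume is the mount point in $env:SystemDrive; the $Action, $MountPoint and $RebootCount parameters and their defaults are assumptions to adjust for your environment. It verifies the protection state before and after each change instead of trusting the cmdlet's return alone.

```powershell
#Requires -RunAsAdministrator
# Added example, not Hexnode's script. Run with -Action Suspend before a
# firmware/hardware change and -Action Resume after it; -Action Status reports only.
param(
    [ValidateSet('Suspend', 'Resume', 'Status')] [string]$Action = 'Status',
    [string]$MountPoint = $env:SystemDrive,           # assumption: OS volume, e.g. "C:"
    [ValidateRange(0, 15)] [int]$RebootCount = 1      # 0 = suspended until resumed manually
)

function Get-ProtectionState {
    param([string]$MountPoint)
    $v = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    # ProtectionStatus is Off both for a decrypted volume and for a suspended
    # one; VolumeStatus is what tells those two cases apart.
    [pscustomobject]@{
        MountPoint       = $v.MountPoint
        VolumeStatus     = $v.VolumeStatus        # FullyEncrypted, FullyDecrypted, ...
        ProtectionStatus = $v.ProtectionStatus    # On / Off
        Protectors       = ($v.KeyProtector.KeyProtectorType -join ',')
    }
}

function Suspend-OsDriveProtection {
    param([string]$MountPoint, [int]$RebootCount)
    $state = Get-ProtectionState -MountPoint $MountPoint
    if ($state.VolumeStatus -eq 'FullyDecrypted') {
        Write-Warning "$MountPoint is not encrypted; nothing to suspend."
        return $state
    }
    if ($state.ProtectionStatus -eq 'Off') {
        Write-Warning "$MountPoint protection is already suspended."
        return $state
    }
    # Suspending keeps the data encrypted but stores a clear key on disk, so the
    # TPM measurements are not checked at boot. Use the smallest count that covers
    # the planned restarts; 0 leaves the key exposed until Resume-BitLocker runs.
    # Batch equivalent: manage-bde -protectors -disable C: -RebootCount 1
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount $RebootCount -ErrorAction Stop | Out-Null
    $after = Get-ProtectionState -MountPoint $MountPoint
    if ($after.ProtectionStatus -ne 'Off') {
        throw "Suspend-BitLocker returned, but protection on $MountPoint is still $($after.ProtectionStatus)."
    }
    return $after
}

function Resume-OsDriveProtection {
    param([string]$MountPoint)
    $state = Get-ProtectionState -MountPoint $MountPoint
    if ($state.VolumeStatus -eq 'FullyDecrypted') {
        throw "$MountPoint is not encrypted; there is no protection to resume."
    }
    if ($state.ProtectionStatus -eq 'On') {
        Write-Output "$MountPoint protection is already on."
        return $state
    }
    # Re-enables the key protectors; the TPM protector is sealed to the boot
    # measurements in effect now, so run this only after the change has applied.
    # Batch equivalent: manage-bde -protectors -enable C:
    Resume-BitLocker -MountPoint $MountPoint -ErrorAction Stop | Out-Null
    $after = Get-ProtectionState -MountPoint $MountPoint
    if ($after.ProtectionStatus -ne 'On') {
        throw "Resume-BitLocker returned, but protection on $MountPoint is still $($after.ProtectionStatus)."
    }
    return $after
}

switch ($Action) {
    'Suspend' { Suspend-OsDriveProtection -MountPoint $MountPoint -RebootCount $RebootCount | Format-List }
    'Resume'  { Resume-OsDriveProtection  -MountPoint $MountPoint | Format-List }
    'Status'  { Get-ProtectionState       -MountPoint $MountPoint | Format-List }
}
```

If your deployment tool cannot pass script arguments, change the default of $Action to the step you are deploying and ship the suspend and resume variants as two separate scripts. Leaving the script in the Status action is a safe way to validate it on one device before a bulk run, as the notes below recommend.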

Notes:

  • It is recommended to manually validate the script's execution on a single system before running the action in bulk.
  • Hexnode will not be responsible for any damage or loss to the system arising from the behavior of the script.

  • Sample Script Repository