Bug? Feature? Power users baffled as BitLocker update switch-off continues

Microsoft claims issue confined to older kit


Three months on, users continue to report that Microsoft's BitLocker disk encryption technology turns itself off during security updates.

The problem, which has prompted much head-scratching in security circles, was raised by power user "kingcr" on Microsoft's technet forums back in June as part of an ongoing discussion.

He reported at the time that BitLocker automatically suspended itself the first time a machine logged in after a security patch was applied and following a restart of his Windows 10 machine.

A couple of factors may be at play. One contributor to the discussion claimed that feature upgrades – unlike regular cumulative updates – had always suspended BitLocker. Since the release of Windows 10 v1803 in early May it has been possible, in certain circumstances, to let BitLocker run unimpeded even when feature updates are applied. This facility only works "when TPM [Trusted Platform Module] is the only protector (no password, no USB-key, no PIN)".

The original poster told the thread his machine had been suspending BitLocker even during cumulative updates, adding that he reckoned the PC was clear of scripts that might explain the odd behaviour. "kingcr" managed to replicate the odd behaviour even after a clean install on the same machine.

Others said they had encountered the same issue.

This was a worry because "BitLocker should 'never' suspend itself without explicit interactive permission from the administrator," as one contributor put it.

The protection offered by the technology is rendered irrelevant otherwise, some argued.

The glitch isn't remotely exploitable but is still a means for hackers with physical access to a computer to snaffle encryption keys, although only around the application of security updates.

Security experts quizzed by El Reg have noticed the BitLocker suspension snafu.

Sean Sullivan, a security advisor at F-Secure, told El Reg: "Automated BIOS/firmware updates recently required my laptop's BitLocker to disable itself. Haven't heard about it doing so in any other scenario, though."

Computer forensic expert David Cowen confirmed what several power users were reporting on the thread. "Updates put the volume in clearkey mode for one reboot."

Cowen blogged about the issue from a computer forensics perspective back in July.
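The suspended, clear-key state Cowen describes can be checked for directly on a machine rather than waiting to discover it. The PowerShell script below is an added example, not code from the article, the thread or Microsoft; it assumes the built-in BitLocker module (Get-BitLockerVolume, Resume-BitLocker) in an elevated session, and treats a recovery-password protector as a backup rather than a boot-time protector when judging whether a volume is in the TPM-only configuration the article mentions.

```powershell
# Added example (not from the article): flag BitLocker volumes left suspended
# (clear-key state) after an update and report whether the protector set is
# TPM-only, the configuration the article says lets feature updates proceed
# without suspending protection.
# Assumes the built-in BitLocker module and an elevated session.
# -Resume is a switch defined by this script, not a Microsoft option.
param([switch]$Resume)

$findings = foreach ($vol in Get-BitLockerVolume) {
    # A fully encrypted volume whose protection is Off is "suspended": the
    # volume master key sits on disk in the clear until protection resumes.
    $suspended = ($vol.VolumeStatus -eq 'FullyEncrypted') -and
                 ($vol.ProtectionStatus -eq 'Off')

    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    # Assumption: RecoveryPassword is a backup protector, not a boot-time one,
    # so it does not count against "TPM is the only protector".
    $bootTime = @($types | Where-Object { $_ -ne 'RecoveryPassword' })
    $tpmOnly  = ($bootTime.Count -eq 1) -and ($bootTime[0] -eq 'Tpm')

    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeType       = $vol.VolumeType
        VolumeStatus     = $vol.VolumeStatus
        ProtectionStatus = $vol.ProtectionStatus
        Suspended        = $suspended
        Protectors       = ($types -join ',')
        TpmOnly          = $tpmOnly
    }
}

$findings | Format-Table -AutoSize

$stale = @($findings | Where-Object { $_.Suspended })
if ($stale.Count -gt 0) {
    Write-Warning ("BitLocker protection is suspended on: " +
                   (($stale | ForEach-Object { $_.MountPoint }) -join ', '))
    if ($Resume) {
        # Re-arm protection now instead of waiting for the next reboot.
        foreach ($s in $stale) {
            Resume-BitLocker -MountPoint $s.MountPoint | Out-Null
        }
        Write-Host "Protection resumed; re-run without -Resume to confirm."
    }
} else {
    Write-Host "No suspended BitLocker volumes found."
}
```

Scheduling this to run at logon, or shortly after Windows Update completes, gives an administrator a record of how often volumes sit in the clear-key state and for how long.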

BitLocker is Microsoft's full disk encryption technology and has been bundled with Windows since the days of Vista. Means and ways around the tech are of constant interest to hackers of various stripes.

So is what's happening expected behaviour or a glitch?

Microsoft said it was working on the issue.

Jeff Jones, senior director at Microsoft, said: "On older devices without a Trusted Platform Module, Bitlocker may be temporarily suspended during some updates. Protection resumes after the machine is restarted." ®
