PostMend blog

How to suspend BitLocker in Windows 11 (and turn it back on)

Before a BIOS update or a hardware change, suspending BitLocker saves you from a surprise recovery-key prompt. Here is how to do it two ways, and how to re-enable protection afterwards.

Abdullah Arif · 22 May 2026 · 5 min read

There are a handful of situations where you really do need to suspend BitLocker before you start work on a Windows machine. Flashing a BIOS or UEFI firmware update is the most common one. Others include swapping the TPM chip, making changes to the boot partition, or setting up a dual-boot configuration. In each case, the next restart can look to BitLocker like the boot chain has been tampered with — because, in a sense, it has. The drive stays locked and Windows asks for the 48-digit recovery key. If you don't have it to hand, that's a bad morning.

Suspending first takes that risk off the table. It's a two-minute job, and this guide covers both the Control Panel route and the command line so you can pick whichever suits you.

What “suspend” actually means

Suspending BitLocker does not decrypt the drive. The data on disk stays fully encrypted — the cipher hasn't changed. What changes is where the key is stored. Normally the key is sealed inside the TPM and only released after the boot chain passes a set of integrity checks. When you suspend, Windows writes a clear-text copy of the volume master key to disk so the system can boot without those checks. The moment you resume protection, that clear-text key is deleted and the TPM seal is restored.

This is quite different from turning BitLocker off entirely, which triggers a full decrypt of every sector on the drive — an operation that takes hours on a large disk. Suspend and resume takes seconds.

Method 1: the Control Panel way

This is the quickest route if you're already on the desktop. No administrator terminal required.

  1. Open Manage BitLocker

    Press Win + S, type Manage BitLocker, and press Enter. Alternatively, open Control Panel, go to System and Security, then select BitLocker Drive Encryption.
  2. Suspend protection on the OS drive

    You’ll see your drives listed with their current BitLocker status. Next to the operating-system drive (usually C:), click Suspend protection.
  3. Confirm

    A small dialogue asks whether you’re sure. Click Yes. The status line changes to show a yellow warning icon — protection is now suspended.

[Screenshot: Manage BitLocker window showing the Suspend protection link beside the C: drive]

Method 2: the command line

If you're working remotely, running a script, or just prefer the terminal, the manage-bde tool handles it cleanly. You need an elevated prompt — run Command Prompt or Terminal as administrator.

  1. Open an elevated terminal

    Press Win + X, then choose Terminal (Admin) or Command Prompt (Admin).
  2. Suspend BitLocker (auto-resumes after next restart)

    Run:
    manage-bde -protectors -disable C:
    Without any extra flags, BitLocker automatically re-enables itself after the next restart. This is the right choice if you're doing a single firmware flash and rebooting straight into Windows afterwards.
  3. Or: suspend indefinitely until you manually resume

    If you need the machine to stay suspended across multiple reboots — say, you're partitioning a drive or running a sequence of updates — add the -RebootCount 0 flag:
    manage-bde -protectors -disable C: -RebootCount 0
    A value of 0 tells Windows not to count reboots at all. Protection stays suspended until you explicitly re-enable it. Values 1 through 15 are also valid — for instance, -RebootCount 2 would let the machine restart twice before automatically resuming.

How to turn BitLocker back on

Once the firmware update, hardware swap, or whatever you were doing is finished, resume protection before the machine goes back into service.

  1. Control Panel route

    Return to Manage BitLocker (same path as above). The OS drive will now show a Resume protection link. Click it, then confirm. The yellow warning icon disappears and the TPM seal is restored.
  2. Command line route

    In an elevated terminal, run:
    manage-bde -protectors -enable C:
    That’s it. BitLocker reads the TPM state, validates the boot chain, and removes the clear-text key from disk.

Don't leave it suspended

A suspended drive is relying on a clear-text key stored on the disk itself. Anyone who gets physical access to that machine — or pulls the drive — can read the data without a password or recovery key. Always resume BitLocker protection as soon as the work is done. If you used -RebootCount 0, it will not resume on its own — you have to do it manually.
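
A way to check for drives left in this state, as an added example that is not part of the original article: it uses the Get-BitLockerVolume and Resume-BitLocker cmdlets from the Windows BitLocker PowerShell module and assumes an elevated session. The function name Get-SuspendedBitLockerVolume and its -Resume switch are hypothetical names chosen for this illustration.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article). Lists BitLocker volumes that are
# encrypted on disk but have protection suspended, and optionally resumes them.
# The function name and the -Resume switch are hypothetical, chosen for this sketch.

function Get-SuspendedBitLockerVolume {
    [CmdletBinding()]
    param(
        # When set, call Resume-BitLocker on every suspended volume that is found.
        [switch]$Resume
    )

    foreach ($vol in Get-BitLockerVolume) {
        # An unencrypted volume also reports ProtectionStatus 'Off', so require
        # VolumeStatus 'FullyEncrypted' to single out the suspended state.
        $suspended = $vol.VolumeStatus -eq 'FullyEncrypted' -and
                     $vol.ProtectionStatus -eq 'Off'
        if (-not $suspended) { continue }

        # Record which protectors exist; a missing RecoveryPassword means there is
        # no 48-digit key to fall back on if a later boot asks for one.
        $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        $hasRecovery = $types -contains 'RecoveryPassword'

        $status = 'Suspended'
        if ($Resume) {
            try {
                Resume-BitLocker -MountPoint $vol.MountPoint -ErrorAction Stop | Out-Null
                $status = 'Resumed'
            } catch {
                $status = "ResumeFailed: $($_.Exception.Message)"
            }
        }

        [pscustomobject]@{
            MountPoint          = $vol.MountPoint
            VolumeType          = $vol.VolumeType
            Status              = $status
            KeyProtectors       = $types -join ', '
            HasRecoveryPassword = $hasRecovery
        }
    }
}

# Report only:
Get-SuspendedBitLockerVolume | Format-Table -AutoSize
# Report and resume:
# Get-SuspendedBitLockerVolume -Resume
```

Any row in the report-only output is a volume that is still booting from the clear-text key; an empty result means nothing on the machine is suspended.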

If you end up locked out before getting the chance to suspend — a firmware update applied automatically overnight, for instance — you'll need your recovery key. The recovery key guide covers every place Windows might have saved it: your Microsoft account, Active Directory, an Azure AD tenant, or a printout you made at setup. And if your laptop is in for repair, it's worth knowing that PostMend suspends BitLocker as standard practice before any firmware or motherboard work — you can read more about what that involves on the services page.
