Suspend-BitLocker

Suspend Bitlocker encryption for the specified volume.

Syntax
      Suspend-BitLocker [-MountPoint] String[] [[-RebootCount] Int32]
         [-Confirm] [-WhatIf] [CommonParameters]

Key
   -MountPoint String[]
       An array of drive letters or BitLocker volume objects. This cmdlet suspends protection for the 
       volumes specified. To obtain a BitLocker volume object, use Get-BitLockerVolume.
        
   -RebootCount Int32
       The number of computer restarts before BitLocker restores protection.
       The acceptable values for this parameter are:integers from 0 to 15 (default=1).
       Specify zero to suspend protection indefinitely until you resume it with Resume-BitLocker.       

   -Confirm
       Prompt for confirmation before running the cmdlet.

   -WhatIf
       Show what would happen if the cmdlet runs. The cmdlet is not run.

Standard Aliases for Suspend-BitLocker: none, but if you want to add a short alias like spbl, set it with set-alias

The Suspend-BitLocker cmdlet suspends Bitlocker encryption, allowing users to access encrypted data on a volume that uses BitLocker Drive Encryption. This cmdlet makes the encryption key available in the clear.

Suspension of BitLocker does not mean that BitLocker decrypts data on the volume. Instead, suspension makes key used to decrypt the data available to everyone in the clear. New data written to the disk is still encrypted.

While suspended, BitLocker does not validate system integrity at start up. You might suspend BitLocker protection for firmware upgrades or system updates.

You can specify the number of times that a computer restarts before the BitLocker suspension ends by using the RebootCount parameter, or you can use Resume-BitLocker to manually resume protection. If you do not specify the -RebootCount parameter, the cmdlet uses a value of one (1), so BitLocker protection resumes after the next restart.

PreventDeviceEncryption

When a user boots the PC for the first time and goes through the out-of-the-box experience, device encryption, on initialization, will automatically encrypt the operating system drive and any fixed data drive using BitLocker.

To prevent this, during setup press Shift and F10 to open a command prompt and then run regedit.exe

Edit: HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/Bitlocker

and add a new DWORD PreventDeviceEncryption equal to True (1)

Then exit and continue with the setup, bitlocker can still be enabled manually later as needed.

An overview of BitLocker Drive Encryption.

This cmdlet was introduced in Windows PowerShell 5.0.

Examples

Suspend BitLocker protection on C: indefinitely:

PS C:\> Suspend-BitLocker -MountPoint "C:" -RebootCount 0

“The psychic task which a person can and must set for himself is not to feel secure, but to be able to tolerate insecurity” ~ Erich Fromm

Related PowerShell Cmdlets

Enable-BitLockerAutoUnlock - Enable automatic unlocking for a BitLocker volume.
Resume-Bitlocker - Resume Bitlocker encryption for the specified volume.

 
Copyright © 1999-2025 windevcluster.com
Some rights reserved