windows-itpro-docs/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-upgrading-faq.yml

### YamlMime:FAQ
metadata:
  title: BitLocker Upgrading FAQ
  description: Learn more about upgrading systems that have BitLocker enabled. Find frequently asked questions, such as, "Can I upgrade to Windows 10 with BitLocker enabled?"
  ms.prod: windows-client
  ms.technology: itpro-security
  author: frankroj
  ms.author: frankroj
  manager: aaroncz
  ms.topic: faq
  ms.date: 11/08/2022
  ms.reviewer: 
  ms.custom: bitlocker
title: BitLocker Upgrading FAQ
summary: |  

sections:
  - name: Ignored
    questions:
      - question: |
          Can I upgrade to Windows 10 with BitLocker enabled?
        answer: |
          Yes. 

      - question: |
          What is the difference between suspending and decrypting BitLocker?
        answer: |
          **Decrypt** completely removes BitLocker protection and fully decrypts the drive.
          
          **Suspend** keeps the data encrypted but encrypts the BitLocker volume master key with a clear key. The clear key is a cryptographic key stored unencrypted and unprotected on the disk drive. By storing this key unencrypted, the **Suspend** option allows for changes or upgrades to the computer without the time and cost of decrypting and re-encrypting the entire drive. After the changes are made and BitLocker is again enabled, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade, the volume master key is changed, the protectors are updated to match and the clear key is erased.
          
      - question: |
          Do I have to suspend BitLocker protection to download and install system updates and upgrades?
        answer: |
          No user action is required for BitLocker in order to apply updates from Microsoft, including [Windows quality updates and feature updates](/windows/deployment/update/waas-quick-start). 
          Users need to suspend BitLocker for Non-Microsoft software updates, such as:   
          
          -	Some TPM firmware updates if these updates clear the TPM outside of the Windows API. Not every TPM firmware update will clear the TPM. Users don't have to suspend BitLocker if the TPM firmware update uses Windows API to clear the TPM because in this case, BitLocker will be automatically suspended. It's recommended that users test their TPM firmware updates if they don't want to suspend BitLocker protection.
          -	Non-Microsoft application updates that modify the UEFI\BIOS configuration.
          -	Manual or third-party updates to secure boot databases (only if BitLocker uses Secure Boot for integrity validation).
          -	Updates to UEFI\BIOS firmware, installation of additional UEFI drivers, or UEFI applications without using the Windows update mechanism (only if BitLocker doesn't use Secure Boot for integrity validation during updates).
           -	BitLocker can be checked if it uses Secure Boot for integrity validation with the command line `manage-bde.exe -protectors -get C:`. If Secure Boot for integrity validation is being used, it will be report **Uses Secure Boot for integrity validation**.
          
          
          > [!NOTE]
          > If BitLocker has been suspended, BitLocker protection can be resumed after the upgrade or update has been installed. Upon resuming protection, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade or update. If these types of upgrades or updates are applied without suspending BitLocker, the computer will enter recovery mode when restarting and will require a recovery key or password to access the computer.