4

I have Windows 10 Professional installed and have avoided the Anniversary Update until yesterday. The computer installed the update despite my best efforts to stop it. But that is a different problem.

I have Bitlocker configured to require a key stored in the TPM, another key stored on an Apricorn Aegis secure thumb drive, and a 20 character alpha-numeric pin, to boot the OS. When the Anniversary Update needed to reboot the machine, I prepared to provide the necessary key and pin but watched as the computer continued the update process without the required key file or pin. I saw the graphics card post screen, the raid post screen, and the motherboard post screen, but no Bitlocker pin screen. How is this possible? A reboot should clear the RAM, where the encryption keys are stored. How did the Anniversary Update application know how to read the encrypted hard drive without the key file or pin?

Was a recovery key written to the boot sector or Windows boot partition in an unencrypted state? Or was Bitlocker temporarily disabled? If so, how? Decrypting a file system takes a long time, even with four SSDs running RAID 0 (930GB usable space). The setup process for the update did not take long enough for such an operation, nor was there a lengthy re-encryption process at the end.

If a recovery key was written to the boot sector/partition, how do I determine if it has been securely wiped? Bear in mind, these are solid state drives that try to even out writes to disk to make the storage medium last longer. I need the specific blocks zeroed out that stored the recovery key. I have extremely sensitive data stored on this machine, and the slightest risk of this kind of vulnerability would require the physical destruction of all four SSDs.

krwendland
  • 41
  • 3

1 Answer

3

I know you've already got an answer elsewhere.

However, just in case someone else stumbles upon your question, I'll try to provide a short explanation:

In Windows 10, the Anniversary Update (1607), as well as the other "Feature updates" (November Update [1511], Creators Update [1703], ...) are in fact major updates, in some ways similar to an upgrade from Windows 7/8 to Windows 10 (you end up with a Windows.old folder, for instance).

During these major system upgrades, Bitlocker is not disabled: the drive is not decrypted before the upgrade and then re-encrypted after the upgrade, as you correctly inferred.

Instead, Bitlocker is suspended.

The difference between suspending and decrypting is explained in the Bitlocker FAQ:

Decrypt completely removes BitLocker protection and fully decrypts the drive.

Suspend keeps the data encrypted but encrypts the BitLocker volume master key with a clear key. The clear key is a cryptographic key stored unencrypted and unprotected on the disk drive. By storing this key unencrypted, the Suspend option allows for changes or upgrades to the computer without the time and cost of decrypting and re-encrypting the entire drive. After the changes are made and BitLocker is again enabled, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade, the volume master key is changed, the protectors are updated to match and the clear key is erased.

Sébastien
  • 313
  • 2
  • 10
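As an added, defender-side illustration of the suspend/resume state described in the answer above (example code, not part of Sébastien's answer or of Microsoft's documentation), this PowerShell checks whether a BitLocker volume is currently suspended, which is exactly the state in which the clear key sits unprotected on disk, and resumes protection if so. It assumes the OS volume is mounted at C: and that the shell is elevated.

```powershell
# Added example: detect a BitLocker volume whose protection is suspended
# (VMK wrapped with an on-disk clear key) and resume protection so the VMK
# is re-keyed and the clear key erased, as the BitLocker FAQ describes.
# Assumes the OS volume is C: and that this runs in an elevated shell.
#Requires -RunAsAdministrator
param([string]$MountPoint = "C:")

$vol = Get-BitLockerVolume -MountPoint $MountPoint
$protectorTypes = ($vol.KeyProtector | Select-Object -ExpandProperty KeyProtectorType) -join ', '

Write-Host "Volume:         $($vol.MountPoint)"
Write-Host "Volume status:  $($vol.VolumeStatus)"      # e.g. FullyEncrypted
Write-Host "Protection:     $($vol.ProtectionStatus)"  # On / Off
Write-Host "Key protectors: $protectorTypes"            # e.g. TpmPinStartupKey, RecoveryPassword

# Suspended = data still encrypted, but protection reports Off because the
# VMK can be read through the clear key. This is the state a feature upgrade
# (1607, 1703, ...) leaves the drive in while it reboots without a PIN prompt.
$suspended = ($vol.VolumeStatus -eq 'FullyEncrypted') -and ($vol.ProtectionStatus -eq 'Off')

if ($suspended) {
    Write-Warning "BitLocker is SUSPENDED on $MountPoint - a clear key is stored on disk."
    # Resume-BitLocker is the cmdlet equivalent of 'manage-bde -protectors -enable'.
    # Per the FAQ quoted above, resuming changes the volume master key, updates
    # the protectors to match, and erases the clear key, so the old clear key
    # no longer unlocks anything even if its blocks survive on the SSD.
    Resume-BitLocker -MountPoint $MountPoint | Out-Null
    $after = Get-BitLockerVolume -MountPoint $MountPoint
    Write-Host "Protection after resume: $($after.ProtectionStatus)"
} elseif ($vol.ProtectionStatus -eq 'On') {
    Write-Host "Protection is on; no clear key is in use."
} else {
    Write-Host "Volume is not fully encrypted; nothing to resume."
}
```

Running this immediately after a feature update finishes confirms whether Windows already resumed protection on its own; if it still reports Off, the resume step above closes the window in which the clear key is usable.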