Hi,
We are currently looking into setting up a GPO for Windows Updates. As the feature updates require multiple reboots, every reboot will require entering the BitLocker PIN.
Is there a way to suspend BitLocker so this can happen? Not sure if it can be linked to our GPO?
Kind regards, Dan
MBAM supports network unlock/suspend, and it's possible I believe to setup network unlock without MBAM too.
https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock
MBAM would conflict with SSG though.
What about creating a new policy group for this update - TPM only? Assign it to the batches of PCs you intend to update, make sure they receive the policy, and then reboots should work a treat without a PIN?
Thanks for the info, so would the new policy be a Group Policy? How would this be achieved?
I'd keep it all "in-house" and use SSG to create the policy. Assign it to a select group, wait until your resync kicks in (or manually kick it off on the client) and you should be good.
Your policy would look a little like this -
Note your current policy will probably say TPM + PIN. I wouldn't advise changing your default policy. Create a new one - create a new group (_Windows_Update) - putting a _ at the front will ensure it remains at the top of the list to find! - and then assign the policy to this group. Move a PC into this group (or add it manually).
Hope this helps, Dan?
Thanks, that helps, so would that mean we would have to remove them once the updates have been completed?
Yes, remove the policy - and sadly that might mean a new PIN. Unless you want to try the non-SSG route, but how supported that would be would be a guess?!
How many PCs do you need to do, Dan, and how many reboots?
Some updates ARE BitLocker aware and will suspend the computer automatically. I've had no need to unlock yet and have around 3500 BitLockered laptops (not all on SSG).
Would prefer the SSG route as all our devices (250+) are on SSG, so that would make it difficult if a new PIN is required every time there is a feature update.
Most Feature updates require a couple of reboots.
I have not run into this issue with mine yet, as the Windows updates SHOULD be BL aware. Some (ironically) MS Surface updates have not been, and that's been a bit of an issue. The update should check for BL, then suspend. If a further update requires another reboot - again it should be aware and suspend for you. Have you put any devices into a test pool to check?
No not yet, so in theory I shouldn't have to create a separate policy in SSG if the Feature Updates are BL aware?
I'd also add, Dan, that 1803 onwards is 100% BL aware. Link here for more details...
https://docs.microsoft.com/en-gb/archive/blogs/mniehaus/new-upgrade-to-windows-10-1803-without-suspending-bitlocker
Note this DOES need the correct config though - like secure boot enabled?
Yes all of ours are Secure Boot enabled, but is that using Windows Bitlocker and not Bitlocker through SSG?
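As an added example (not from the thread, and not SSG or MBAM code): the "suspend for a bounded number of reboots" approach discussed above, using Windows' built-in BitLocker cmdlets. It assumes an elevated PowerShell session on the client, the BitLocker module (Windows 8.1 and later), and that the OS volume is managed by the built-in BitLocker service; it does not check whether a third-party manager such as SSG re-applies its own policy afterwards. The event-log source name is constructed.

```powershell
# Suspend BitLocker on the OS drive for exactly as many reboots as the feature
# update needs, then confirm protection came back. Bounded RebootCount (1-15)
# is used deliberately: 0 would suspend until someone remembers to resume.
function Suspend-BitLockerForUpdate {
    param(
        [string]$MountPoint = $env:SystemDrive,
        [ValidateRange(1, 15)][int]$RebootCount = 3   # constructed default
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne 'On') {
        Write-Warning "Protection already off on $MountPoint; nothing to suspend."
        return $vol
    }
    # Record the protector types so a later check can see the TPM+PIN setup is unchanged.
    $types = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '
    Write-Host "Protectors before suspend: $types"

    Suspend-BitLocker -MountPoint $MountPoint -RebootCount $RebootCount | Out-Null

    # Leave an audit trail so the suspend window is visible centrally, not just on the box.
    $source = 'BitLockerMaint'   # constructed event source name
    if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
        New-EventLog -LogName Application -Source $source
    }
    Write-EventLog -LogName Application -Source $source -EventId 1000 -EntryType Warning `
        -Message "BitLocker suspended on $MountPoint for $RebootCount reboot(s) for a feature update."
    return Get-BitLockerVolume -MountPoint $MountPoint
}

# Run this after the update has finished its reboots. Auto-resume should already have
# happened once the reboot count is exhausted; if it has not, resume explicitly.
function Confirm-BitLockerResumed {
    param([string]$MountPoint = $env:SystemDrive)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne 'On') {
        Write-Warning "Protection still off on $MountPoint after update; resuming now."
        Resume-BitLocker -MountPoint $MountPoint | Out-Null
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
    }
    Write-Host "Protection: $($vol.ProtectionStatus), volume: $($vol.VolumeStatus)"
    return $vol
}

# Typical use: before kicking off the feature update, then again after it completes.
# Suspend-BitLockerForUpdate -RebootCount 3
# Confirm-BitLockerResumed
```

On a device where a feature update turns out to be BitLocker aware (as the thread notes for 1803 onwards), the suspend is harmless, and the confirm step still catches the case where protection was not resumed.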