Suspend POA for Bitlocker

RE: Suspend POA for Bitlocker

Dan Petford — Wed, 21 Oct 2020 14:40:35 GMT

Is the auto suspend for BitLocker just on features updates? Or can it be done on normal updates?

RE: Suspend POA for Bitlocker

Dan Petford — Wed, 14 Oct 2020 09:28:31 GMT

OK thanks, sorry I got confused, so our Windows Updates are going to be rolled out via Group Policy every Tuesday which is Microsoft's "Patch Tuesday", the feature updates we are going to delay a month, so assuming they are Secure Boot enabled, and are on 1803 onwards, they should automatically suspend without and new policies added on SSG?

RE: Suspend POA for Bitlocker

MichaelMcLannahan — Wed, 14 Oct 2020 09:25:43 GMT

I'm not sure how you intend to roll out the update (and from what from to versions) but it's just an additional command/string on setup? Yes this would be Windows Bitlocker management - but its the same thing. There is no Sophos SafeGuard Bitlocker as such.

RE: Suspend POA for Bitlocker

Dan Petford — Wed, 14 Oct 2020 09:22:32 GMT

Yes all of ours are Secure Boot enabled, but is that using Windows Bitlocker and not Bitlocker through SSG?

RE: Suspend POA for Bitlocker

MichaelMcLannahan — Wed, 14 Oct 2020 09:21:39 GMT

I'd also add Dan - 1803 onwards is 100% BL aware. Link here for more details...

https://docs.microsoft.com/en-gb/archive/blogs/mniehaus/new-upgrade-to-windows-10-1803-without-suspending-bitlocker

Note this DOES need the correct config though - like secure boot enabled?

RE: Suspend POA for Bitlocker

Dan Petford — Wed, 14 Oct 2020 09:19:46 GMT

No not yet, so in theory I shouldn't have to create a separate policy in SSG if the Feature Updates are BL aware?

RE: Suspend POA for Bitlocker

MichaelMcLannahan — Wed, 14 Oct 2020 09:18:17 GMT

I have not run into this issue with mine yet, as the Window updates SHOULD be BL aware. Some (ironically) MS Surface updates have not been, and that's been a bit of an issue. The update should check for BL, then suspend. If a further update requires another reboot - again it should be aware and suspend for you. Have you put any devices into a test pool to check?

RE: Suspend POA for Bitlocker

Dan Petford — Wed, 14 Oct 2020 09:11:06 GMT

Would prefer the SSG route as all our devices (250+) are on SSG, so that would make it difficult if a new PIN is required every time there is a feature update.

Most Feature updates require a couple of reboots.

RE: Suspend POA for Bitlocker

MichaelMcLannahan — Wed, 14 Oct 2020 09:05:23 GMT

Yes, remove the policy - and sadly that might mean a new PIN. Unless you want to try the non-SSG route but how supported that would be would be a guess?!

How many PC's do you need to do Dan and how many reboots?

Some updates ARE Bitlocker aware and will suspend the computer automatically. I've had no need to unlock yet and have around 3500 Bitlockered laptops (not all on SSG)

RE: Suspend POA for Bitlocker

Dan Petford — Wed, 14 Oct 2020 09:02:07 GMT

Thanks, that helps, so would that mean we would have to remove them once the updates have been completed?

RE: Suspend POA for Bitlocker

MichaelMcLannahan — Wed, 14 Oct 2020 08:59:53 GMT

I'd keep it all "in-house" and use SSG to create the policy. Assign it to a select group, wait until your resync kicks in (or manually kick it off on the client) and you should be good.

You policy would look a little like this -

Note your current policy will probably say TPM + PIN. I wouldn't advise changing your default policy. Create a new one - create a new group (_WIndows_Update) - putting a _ at the front will ensure it remains top of the list to find! and then assign the policy to this group. Move a PC into this group (or add it manually).

Hope this helps Dan?

RE: Suspend POA for Bitlocker

Dan Petford — Wed, 14 Oct 2020 08:50:55 GMT

Thanks for the info, so would the new policy be a Group Policy? How would this be achieved?

RE: Suspend POA for Bitlocker

MichaelMcLannahan — Wed, 14 Oct 2020 08:48:36 GMT

MBAM supports network unlock/suspend, and it's possible I believe to setup network unlock without MBAM too.

https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock

MBAM would conflict with SSG though.

What about creating a new policy group for this update - TPM only? Assign it to the batches of PC's you intend to do update, make sure they receive the policy and then reboots should work a treat without a PIN?