Increase Security: Suspend BitLocker PIN entry on restart
SCCM 1610 (current branch)
Windows 10
Suspend BitLocker PIN entry on restart
Used Setting: Always
https://docs.microsoft.com/en-us/sccm/core/clients/deploy/about-client-settings
Repro Steps:
1. 06:00 AM: User is logged on to his Windows 10 client and is working
2. 07:00 AM: SCCM installs software on the Windows 10 client, which requires a reboot
3. 07:00 AM and later: User does not click "reboot now" on the SCCM restart dialogs that are shown
Note: Reboot deadline is configured to: 4 hours
Current behaviour:
a) 07:00 AM: BitLocker PIN is suspended (immediately, when the pending restart is registered)
b) 11:00 AM: Reboot is initiated by SCCM, as the deadline has passed
Desired behaviour:
a) 11:00 AM: BitLocker PIN is suspended, as the deadline has passed
b) 11:00 AM: Reboot is initiated by SCCM, as the deadline has passed
Why do we desire this change?
1. While the BitLocker PIN is suspended, the machine's security is reduced due to the absence of the PIN protector at that point in time (on purpose, as configured); the volume boots to the logon screen without any pre-boot authentication.
However, we would like to mitigate the security risk by keeping the "reduced security timeframe" as short as possible, following security best practices. In the repro above, the window is the full four hours of the deadline rather than the seconds between suspending and restarting.
2. Scenario: stolen laptop. We noticed that if the user shuts down the machine while the BitLocker PIN is suspended by SCCM, the machine stays in that suspended state "forever" (until the next OS startup completes).
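The state described in scenario 2 (an encrypted OS volume whose protectors are suspended while the machine is powered off) is visible from inside Windows, so it can be checked and, if wanted, remediated. The following PowerShell is an added example for this request; it is not code from the original post, from the ConfigMgr client, or from the ConfigMgr engineering team. It assumes the BitLocker PowerShell module (Windows 8 / Server 2012 and later), an elevated session, and that the PIN protector sits on the system drive; the function name and parameters are this example's own.

```powershell
# Added example (not part of the original post or of ConfigMgr).
# Reports whether BitLocker protection on a volume is currently suspended, i.e. the
# volume is encrypted but a clear key on disk lets it boot without the TPM+PIN
# protector being enforced. This is exactly the window the request wants shortened.
function Test-BitLockerSuspended {
    [CmdletBinding()]
    param(
        # Assumption: the OS volume carrying the TPM+PIN protector is the system drive.
        [string]$MountPoint = $env:SystemDrive,
        # Assumption: the caller chooses whether to re-enable protection on the spot.
        [switch]$Resume
    )

    # Get-BitLockerVolume is the documented cmdlet from the BitLocker module.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

    # ProtectionStatus 'Off' on a FullyEncrypted volume means the key protectors are
    # suspended (as opposed to the volume simply not being encrypted at all).
    $suspended = ($vol.VolumeStatus -eq 'FullyEncrypted') -and
                 ($vol.ProtectionStatus -eq 'Off')

    $hasPin = [bool]($vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'TpmPin' })

    $result = [pscustomobject]@{
        MountPoint       = $MountPoint
        VolumeStatus     = $vol.VolumeStatus
        ProtectionStatus = $vol.ProtectionStatus
        HasTpmPin        = $hasPin
        Suspended        = $suspended
        Resumed          = $false
    }

    if ($suspended) {
        if ($hasPin) {
            Write-Warning "$MountPoint is encrypted but its TPM+PIN protector is suspended; the machine will boot without a PIN."
        } else {
            Write-Warning "$MountPoint is encrypted but protection is suspended (no TPM+PIN protector configured)."
        }

        if ($Resume) {
            # Resume-BitLocker re-enables all key protectors and removes the clear key,
            # so the next boot requires the PIN again. Only do this when no restart that
            # relies on the suspension is still pending.
            Resume-BitLocker -MountPoint $MountPoint -ErrorAction Stop | Out-Null
            $result.Resumed = $true
        }
    }

    return $result
}

# Usage: report only, or report and fix.
Test-BitLockerSuspended
# Test-BitLockerSuspended -Resume
```

Run without `-Resume` from a scheduled task or an SCCM compliance baseline to find machines that were shut down mid-suspension; run with `-Resume` only where no ConfigMgr restart is still pending, because resuming protection before that restart brings the PIN prompt back and defeats the point of the setting. For comparison, the built-in way to suspend protection for a bounded number of boots is `Suspend-BitLocker -MountPoint C: -RebootCount 1`; whether the ConfigMgr client uses that mechanism is not stated on this page.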

3 comments
-
Anonymous commented
Just make it so the Reboot coordinator only bypasses the PIN if it does an auto reboot (forced reboot), not if the user presses the restart now button. If the user presses the button, that means they are there to type in the PIN.
-
Austin WongCarter commented
The problem with that would be if they just restart on their own, rather than letting ConfigMan restart the computer. I see the prompt to reboot, I delay it, but when I leave for the day I reboot the computer and walk out. In this scenario how would ConfigMan know to suspend the BitLocker PIN before the reboot?
-
Joel Nolan commented
David James on the ConfigMgr Engineering Team said they would work on fixing this at MMS 2017! Thanks David!