Microsoft

Microsoft Endpoint Configuration Manager Feedback

Suggestion box powered by UserVoice

How can we improve Configuration Manager?

← Ideas

Increase Security: Suspend BitLocker PIN entry on restart

SCCM 1610 (current branch)
Windows 10

Suspend BitLocker PIN entry on restart
Used Setting: Always
https://docs.microsoft.com/en-us/sccm/core/clients/deploy/about-client-settings

Repro Steps:
1. 06:00 AM: User is logged on to his Windows 10 Client and is working
2. 07:00 AM: SCCM install Software on Windows 10 Client, which requires a reboot
3. 07:00 AM and later: User does not click on "reboot now" on shown SCCM restard dialogs

Note: Reboot deadline is configered to: 4 hours

Current behaviour:
a) 07:00 AM: Bitlocker PIN is suspended
b) 11:00 AM: Reboot is initiated by SCCM, as deadline is passed

Desired behaviour:
a) 11:00 AM: Bitlocker PIN is suspended, as deadline is passed
b) 11:00 AM: Reboot is initiated by SCCM, as deadline is passed

Why do we desire this change?
1. while Bitlocker PIN is suspended the machines security is reduced due to the absence of the PIN Protector at that point of time (on purpose, as configured);
However, we would like to mitigate the security risk. By keeping the "reduced security timeframe" as short as possible to follow security best practices
2. Scenario: Stolen Laptop; We noticed that if the User does shutdown the machine, while Bitlocker PIN is suspended by SCCM - the machine will stay in that suspended state "forever" (until the next OS startup completes)

14 votes
Vote
Sign in
(thinking…)
Sign in with: Facebook Google
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close
You have left! (?) (thinking…)
Tom Saint shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

3 comments

Sign in
(thinking…)
Sign in with: Facebook Google
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • Anonymous commented  ·   ·  Flag as inappropriate

    Just make it so the Reboot coordinator only bypasses the PIN if it does a auto reboot (forced reboot), not if the user press the restart now button. If the user presses the button, that means they are there to type in the PIN.

  • Austin WongCarter commented  ·   ·  Flag as inappropriate

    The problem with that would be if they just restart on their own, rather than letting ConfigMan restart the computer. I see the prompt to reboot, I delay it, but when I leave for the day I reboot the computer and walk out. In this scenario how would ConfigMan know to suspend the BitLocker PIN before the reboot?

  • Joel Nolan commented  ·   ·  Flag as inappropriate

    David James on the ConfigMgr Engineering Team said they would work on fixing this at MMS 2017! Thanks David!

Ideas: Application Management

Categories

Feedback and Knowledge Base

(thinking…)