Microsoft

System Center Configuration Manager Feedback

How can we improve Configuration Manager?

Suspend Bitlocker before reboot

When a BIOS update is being deployed, automatically suspend Bitlocker before the reboot. If this doesn't happen, you're forced to enter the recovery key, which isn't very practical if you're doing a large rollout.
FYI this is for BIOS updates for Dell coming from SCUP 2011. Probably applies to other hardware.

53 votes
Gary W shared this idea

5 comments

  • Bryan F commented

    I'm in the same boat. Dell provides us with the updates, but we can't take advantage of them because drive encryption has become part of the baseline level of our device protection.

    Based on my testing, Gary's understanding looks to be right: the client setting doesn't suspend BitLocker entirely. And in any case, that isn't granular enough for the scenarios we need to enable. I would guess that TPM protection is the most common protection on newer devices, and we don't need to suspend protection for every reboot, just those that would affect the measured boot protections (like firmware).

    I'd like a setting in the Software Update deployment wizard that specifies that BitLocker be suspended until the next reboot -- whether initiated by SCCM, the user, or some other task. This could be useful in Application/Package deployments, too, when we need to package a driver for deployment.

    Additionally, I'd like to be able to specify power requirements. It must be connected to AC power, for example. Or the battery must be charged at least to a certain threshold. If those requirements aren't met, rather than fail, Software Center should alert the user on the action that needs to be taken before updates can proceed. The update should then sit waiting to install until those requirements are met.

  • Gary W commented

    As far as I'm aware, that only suspends the need to enter the PIN after reboot, it doesn't actually suspend Bitlocker. Unfortunately the documentation doesn't state either way.

  • Matt Wreede commented

    How is this any different than the "Suspend Bitlocker PIN entry on restart" client setting? This forces CCM-derived restarts to suspend bitlocker on restarts.
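
The behaviour requested in this thread (suspend BitLocker for exactly one reboot, and only when power requirements are met) can be approximated with a script step that runs before the firmware update. This is an added example, not code from the thread or from Configuration Manager; the 50% battery threshold, the exit codes and the decision to skip volumes without a TPM-based protector are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: pre-firmware-update step. Suspends BitLocker on the OS volume
# for a single reboot, so protection resumes by itself after the BIOS flash.
param(
    [int]$MinBatteryPercent = 50   # assumed threshold, adjust to local policy
)

# --- Power gate: AC connected, or battery at or above the threshold ---
Add-Type -AssemblyName System.Windows.Forms
$power = [System.Windows.Forms.SystemInformation]::PowerStatus
$onAc  = $power.PowerLineStatus -eq 'Online'
$pct   = $power.BatteryLifePercent          # 0..1; above 1 means "unknown"
$batteryOk = ($pct -le 1) -and (($pct * 100) -ge $MinBatteryPercent)

if (-not ($onAc -or $batteryOk)) {
    Write-Output 'Power requirement not met: connect AC power and retry.'
    exit 1   # assumed convention: non-zero tells the deployment to retry later
}

# --- BitLocker state of the OS volume ---
$mount = $env:SystemDrive
$vol   = Get-BitLockerVolume -MountPoint $mount

if ($vol.ProtectionStatus -ne 'On') {
    Write-Output "BitLocker protection is not active on $mount; nothing to suspend."
    exit 0
}

# Only TPM-based protectors (Tpm, TpmPin, TpmStartupKey, ...) are tied to
# boot measurements that a firmware change can alter.
$tpmBound = $vol.KeyProtector.KeyProtectorType | Where-Object { $_ -like 'Tpm*' }
if (-not $tpmBound) {
    Write-Output "No TPM-based protector on $mount; leaving protection enabled."
    exit 0
}

# --- Suspend for one reboot only; -RebootCount 0 would mean "until resumed" ---
Suspend-BitLocker -MountPoint $mount -RebootCount 1 -ErrorAction Stop | Out-Null

# Verify before the update is allowed to proceed.
if ((Get-BitLockerVolume -MountPoint $mount).ProtectionStatus -ne 'Off') {
    Write-Output "Suspend did not take effect on $mount; aborting."
    exit 2
}
Write-Output "BitLocker suspended on $mount until the next reboot completes."
exit 0
```

While protection is suspended the volume key is stored in the clear on disk, so the firmware update and its reboot should follow this step immediately.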