Suspend BitLocker before reboot
When a BIOS update is being deployed, automatically suspend BitLocker before the reboot. If this doesn't happen, you're forced to enter the recovery key, which isn't very practical if you're doing a large rollout.
FYI, this is for BIOS updates for Dell coming from SCUP 2011. Probably applies to other hardware.
A simple checkbox in the Deployment Wizard will be a big help to us!
Bram Vlasblom commented
Yes, this would be a very useful option. Updating BIOS is a pain ********** right now.
Bryan F commented
I'm in the same boat. Dell provides us with the updates, but we can't take advantage of them because drive encryption has become part of the baseline level of our device protection.
Based on my testing, Gary's understanding looks to be right: the client setting doesn't suspend BitLocker entirely. And in any case, that isn't granular enough for the scenarios we need to enable. I would guess that TPM protection is the most common protection on newer devices, and we don't need to suspend protection for every reboot, just those that would affect the measured boot protections (like firmware).
I'd like a setting in the Software Update deployment wizard that specifies that BitLocker be suspended until the next reboot -- whether initiated by SCCM, the user, or some other task. This could be useful in Application/Package deployments, too, when we need to package a driver for deployment.
Additionally, I'd like to be able to specify power requirements. It must be connected to AC power, for example. Or the battery must be charged at least to a certain threshold. If those requirements aren't met, rather than fail, Software Center should alert the user on the action that needs to be taken before updates can proceed. The update should then sit on waiting to install until those requirements are met.
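An added example, not part of the original thread: a PowerShell pre-step that could run before a firmware update package, suspending BitLocker for exactly one reboot and only when a TPM-based protector is present, after the power check requested above. It uses the built-in BitLocker module cmdlets; the parameter names and the 50% battery threshold are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: pre-step to run before a BIOS/firmware update package.
# $MinBatteryPercent is an assumed threshold, not a value from the thread.
param(
    [string]$MountPoint = $env:SystemDrive,
    [int]$MinBatteryPercent = 50
)

# Power check: desktops return no Win32_Battery instance and count as on AC.
$battery = Get-CimInstance -ClassName Win32_Battery -ErrorAction SilentlyContinue |
    Select-Object -First 1
if ($battery) {
    # BatteryStatus 2 = on AC; 6-9 are charging states, which also imply AC.
    $onAc = $battery.BatteryStatus -in 2, 6, 7, 8, 9
    if (-not $onAc -and $battery.EstimatedChargeRemaining -lt $MinBatteryPercent) {
        Write-Warning "Connect AC power or charge to $MinBatteryPercent% before updating."
        exit 1   # non-zero so the deployment does not continue to the flash step
    }
}

$volume = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
if ($volume.ProtectionStatus -ne 'On') {
    Write-Output "BitLocker protection is not active on $MountPoint; nothing to suspend."
    exit 0
}

# Only TPM-based protectors are bound to measured boot, so a firmware change
# only forces recovery when one of them is present.
$tpmBound = $volume.KeyProtector |
    Where-Object { "$($_.KeyProtectorType)" -like 'Tpm*' }
if (-not $tpmBound) {
    Write-Output "No TPM-based protector on $MountPoint; leaving protection enabled."
    exit 0
}

# -RebootCount 1: protection resumes automatically after the next restart,
# whoever initiates it, so the volume is not left suspended indefinitely.
Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 -ErrorAction Stop | Out-Null
$after = Get-BitLockerVolume -MountPoint $MountPoint
Write-Output "Suspended $MountPoint for one reboot (ProtectionStatus: $($after.ProtectionStatus))."
exit 0
```

Logging the script output with the deployment gives a record of which devices were suspended and when, which can be checked against devices that never rebooted.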
Gary W commented
As far as I'm aware, that only suspends the need to enter the PIN after reboot; it doesn't actually suspend BitLocker. Unfortunately, the documentation doesn't state either way.
Matt Wreede commented
How is this any different than the "Suspend BitLocker PIN entry on restart" client setting? This forces CCM-derived restarts to suspend BitLocker on restarts.