Suspending BitLocker for Updates?

  • Question

  • I ran across a Best Practice today, for BitLocker, that suggested suspending BitLocker when applying any system updates to your Windows systems. I had never thought about this and wonder if anyone has done this on their systems. We have hundreds of notebooks that we manage and don't want to get a load of phone calls some Monday from users trying to get a recovery password to get into their systems.

    We've never had problems with our notebooks so far when we've updated them, so I guess my question really is: will Microsoft tell us in any given update whether we need to worry about BitLocker or not?


    Orange County District Attorney
    Monday, August 16, 2010 9:23 PM

Answers

  • From the BitLocker team: The only thing they need to worry about, in practice, is system updates that change BCD settings. It is rare, but not impossible, and should not be system specific (i.e. a test is likely conclusive).
    Tuesday, August 17, 2010 4:51 AM
    Answerer

All replies

  • Thanks for the note on my question. Are there any Bitlocker-specific logs on a Windows 7 system that can help pinpoint what might be kicking off a Bitlocker password prompt?
    Orange County District Attorney
    Tuesday, August 17, 2010 3:47 PM
  • Windows Logs > Applications and Services Logs > Microsoft > Windows > BitLocker.

    Anything in there?

    Password prompt as in after patching?

    Wednesday, August 18, 2010 12:39 AM
    Answerer
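An added example (not from this thread or from Microsoft) that turns the two replies above into a repeatable check: it snapshots the BCD store and suspends BitLocker before an update, then after the update and reboot compares the BCD, resumes protection, and pulls recent events from every BitLocker channel under Applications and Services Logs > Microsoft > Windows. It assumes an elevated PowerShell session, that C: is the BitLocker-protected OS volume, and that manage-bde.exe and bcdedit.exe are on the PATH.

```powershell
# Added example, not from the thread. Run as Administrator on a notebook whose
# OS volume C: is BitLocker-protected (assumptions). Phase 'Before' runs before
# the update; phase 'After' runs once the update is applied and the machine rebooted.
param([ValidateSet('Before','After')][string]$Phase = 'Before')

$Volume = 'C:'
$Work   = Join-Path $env:ProgramData 'bitlocker-update-check'   # survives the reboot
New-Item -ItemType Directory -Path $Work -Force | Out-Null

if ($Phase -eq 'Before') {
    # Snapshot the BCD store so we can tell afterwards whether the update touched it.
    bcdedit /enum all | Out-File (Join-Path $Work 'bcd-before.txt')
    # Suspend protection: the volume stays encrypted, but the key protectors are
    # disabled, so a changed boot measurement cannot force a recovery prompt.
    manage-bde -protectors -disable $Volume
    if ($LASTEXITCODE -ne 0) { throw "Failed to suspend BitLocker on $Volume" }
    manage-bde -status $Volume        # expect 'Protection Status: Protection Off'
    Write-Host "Apply the update, reboot, then run this script with -Phase After."
}
else {
    bcdedit /enum all | Out-File (Join-Path $Work 'bcd-after.txt')
    $diff = Compare-Object (Get-Content (Join-Path $Work 'bcd-before.txt')) `
                           (Get-Content (Join-Path $Work 'bcd-after.txt'))
    if ($diff) {
        # The case the BitLocker team flagged: this update changes BCD settings.
        Write-Warning "BCD changed by the update; suspend BitLocker for this update fleet-wide."
        $diff | Format-Table InputObject, SideIndicator -AutoSize
    } else {
        Write-Host "BCD unchanged; this update did not alter boot configuration."
    }

    # Re-enable the key protectors; BitLocker re-seals against the current boot state.
    manage-bde -protectors -enable $Volume
    if ($LASTEXITCODE -ne 0) { throw "Failed to resume BitLocker on $Volume" }
    manage-bde -status $Volume        # expect 'Protection Status: Protection On'

    # Pull the last 24 h of events from every BitLocker channel, not only the
    # Admin and Operational logs, so nothing logged during the update is missed.
    $since = (Get-Date).AddHours(-24)
    Get-WinEvent -ListLog 'Microsoft-Windows-BitLocker*' -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordCount -gt 0 } |
        ForEach-Object {
            Get-WinEvent -FilterHashtable @{ LogName = $_.LogName; StartTime = $since } `
                         -ErrorAction SilentlyContinue
        } |
        Sort-Object TimeCreated |
        Format-Table TimeCreated, Id, LogName, Message -AutoSize -Wrap
}
```

Run it on one test notebook first, as the reply suggests; a non-empty BCD diff is the signal that the update needs suspension on the rest of the fleet.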
  • Ah, of course, I forgot. I checked both the Admin and the Operational logs and there's nothing at all in there. Maybe I need to enable diagnostic logging?
    Orange County District Attorney
    Wednesday, August 18, 2010 2:11 PM
  • One other note that may have some bearing on my issue. I checked our Group Policy for Bitlocker and found that I have enabled Bitlocker Encryption on

    • Fixed Data Drives
    • Operating System Drives
    • Removable Data Drives

    We've only encrypted the Operating System drive, C:, on our notebooks. I'm imagining our policy would allow encryption of Fixed Data Drives or Removable Drives should that be necessary, correct? Otherwise, could this policy cause any BitLocker password prompts?


    Orange County District Attorney
    Wednesday, August 18, 2010 2:34 PM
  • Can you check to see if the TPM chip got disabled in the BIOS?

    Just got a report that someone has seen that and wondering if yours is similar?

    Monday, August 23, 2010 6:22 PM
    Answerer
  • We checked the notebooks and none appear to have disabled the TPM in system BIOS. Most of our users are novices and stay away from the BIOS.
    Orange County District Attorney
    Monday, August 23, 2010 8:03 PM