Bitlocker and WSUS

  • Question

  • Hi All,

    I have been entrusted with installing WSUS onto a client's server.

    I'm just concerned as the company has implemented Bitlocker onto all machines, so I was wondering if this is going to cause issues with WSUS pushing out updates to these machines?

    Does anyone know? Or has any past experience or knowledge regarding this?

    Kind Regards,

    Jason H

    Thursday, November 9, 2017 10:22 AM

All replies

  • Bitlocker does not change anything, don't worry.

    Of course you need to be aware that for a hands-free restart after updating, the machine will need someone to put in the key, if no TPM is used for that.

    Also take a note of this: http://blog.win-fu.com/2016/11/every-windows-10-in-place-upgrade-is.html

    Thursday, November 9, 2017 10:49 AM
  • Hi Ronald,

    Thanks so much for replying.

    So just to clarify, Bitlocker won't affect WSUS pushing updates out and installing.

    If the machines don't have built-in TPM chips and we have to set Bitlocker to allow without a compatible TPM, someone will have to physically punch in the key? So if they have TPM chips, this won't be needed?

    Kind Regards,

    Jason H

    Thursday, November 9, 2017 11:09 AM
  • Bitlocker can be used with TPM+PIN or with TPM alone. TPM+PIN is the most secure way, since it uses preboot authentication. If you use TPM alone, the key is released by the TPM automatically and all that stands between the thief and the data is the Windows logon password; it will reboot automatically after update installations.

    Thursday, November 9, 2017 11:40 AM
  • All he is saying (to make it simpler) is whatever happens when you reboot now, will happen with WSUS as well, so if your machines require a PIN now to boot, they will also require it after patching and rebooting via WSUS so users may walk in and find the machines waiting for the PIN (and not completely patched and ready to use). Normally when using an enterprise type solution to patch or install software, you should be able to reboot and get right back to the OS, in case multiple reboots are required (shouldn't be required with normal monthly patching via WSUS but still worth mentioning as sometimes 5 minutes are required to complete patch installation after the OS restarts)...

    Jack

    Thursday, November 9, 2017 11:41 AM
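
To see ahead of a WSUS rollout which behaviour from the replies above a given client will show, the following added example (not part of the original thread) reads the OS volume's key protectors and reports whether a reboot will complete unattended. It assumes an elevated PowerShell session on the client with the built-in BitLocker module; the output property names are chosen for this example.

```powershell
# Added example: predict what happens at the next update reboot from the
# BitLocker key protectors on the OS volume. Run elevated on the client.
$vol   = Get-BitLockerVolume -MountPoint $env:SystemDrive
$types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

# Order matters: a recovery password or recovery key may sit next to any of
# these, so the TPM-based protectors are checked first.
$verdict =
    if ($vol.ProtectionStatus -ne 'On') {
        'Protection off or suspended: no pre-boot prompt, data not protected'
    } elseif ($types -contains 'Tpm') {
        'TPM only: reboots unattended, Windows logon is the only barrier'
    } elseif ($types -contains 'TpmPin' -or $types -contains 'TpmPinStartupKey') {
        'TPM+PIN: machine waits at pre-boot until someone enters the PIN'
    } elseif ($types -contains 'TpmStartupKey') {
        'TPM+startup key: machine waits until the USB key is present'
    } elseif ($types -contains 'Password' -or $types -contains 'ExternalKey') {
        'No TPM: someone must enter the password or insert the USB key'
    } else {
        'No boot protector recognised: check manually'
    }

[pscustomobject]@{
    Computer   = $env:COMPUTERNAME
    Volume     = $vol.MountPoint
    Protection = $vol.ProtectionStatus
    Protectors = $types -join ', '
    AtReboot   = $verdict
}
```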