Patching machines with BitLocker - how to suspend/resume BitLocker?

  • Question

  • According to MS best practices, you should suspend BitLocker prior to installing security updates and then resume it after the updates have completed.  See the very bottom of the grid on this page:

    http://technet.microsoft.com/en-us/library/dd875532(WS.10).aspx

    If you don't suspend/resume and you are using TPM with BitLocker, it is interpreted as a boot attack and the user has to enter the recovery password/key to start the computer.

    Is this an issue for anybody?  Is there a way to automatically suspend/resume BitLocker when pushing patches with SCCM?

    Thanks!
    -Karl M

    Friday, April 16, 2010 2:59 PM

Answers

  • In Win7 the script says:

    'NOTE: manage-bde.wsf has been replaced. Please use the replacement tool,
    '      manage-bde.exe, to perform BitLocker Drive Encryption management
    '      operations. This script is provided as a wrapper for backwards
    '      compatibility only.

    Looks like this should work to disable it:  manage-bde.exe -protectors -disable c:

    Still a pain to disable every time an update is sent out and then to re-enable it again, should be automatic with the updates push in SCCM.  Anyways we haven't been doing this and haven't had any BitLocker issues with updates yet, so not worried about it yet.

    Tuesday, April 20, 2010 7:57 PM
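    One way to put that manage-bde.exe call into a ConfigMgr Run Command Line step, as an added example that is not code from this thread or from Microsoft: a PowerShell wrapper that suspends protectors before the update and, in a second step, resumes them and then verifies the volume actually reports Protection On again. It assumes manage-bde.exe is on the PATH (Windows 7 or later), the script runs elevated, manage-bde output is in English, and the OS volume is C:.

```powershell
# Added example, not code from the thread or from Microsoft. Wraps manage-bde.exe
# so a ConfigMgr "Run Command Line" step can call it with -Action Suspend before
# the update and -Action Resume afterwards. Assumes: manage-bde.exe on PATH
# (Windows 7+), elevated execution, English manage-bde output, OS volume C:.
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Suspend', 'Resume')]
    [string]$Action,

    [string]$Drive = 'C:'   # assumed OS volume; adjust for the target machine
)

function Get-ProtectionStatus {
    # Read the "Protection Status" line from manage-bde -status for one volume.
    $out = & manage-bde.exe -status $Drive 2>&1
    foreach ($line in $out) {
        if ($line -match 'Protection Status:\s*(.+)$') { return $Matches[1].Trim() }
    }
    throw "Could not read BitLocker status for $Drive`n$($out -join "`n")"
}

function Invoke-ManageBde([string[]]$ManageBdeArgs) {
    # Run manage-bde with the given arguments and stop the step on failure.
    & manage-bde.exe $ManageBdeArgs | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "manage-bde.exe $ManageBdeArgs failed with exit code $LASTEXITCODE"
    }
}

switch ($Action) {
    'Suspend' {
        if ((Get-ProtectionStatus) -ne 'Protection On') {
            Write-Output "$Drive is not currently protected; nothing to suspend."
            break
        }
        # Same call the thread arrived at: protectors stay off until re-enabled.
        Invoke-ManageBde @('-protectors', '-disable', $Drive)
    }
    'Resume' {
        Invoke-ManageBde @('-protectors', '-enable', $Drive)
        # Fail the step loudly if protection did not come back, so a machine
        # never silently stays suspended after patching.
        if ((Get-ProtectionStatus) -ne 'Protection On') {
            throw "$Drive still reports protection off after resume"
        }
    }
}
Write-Output "$Drive : $(Get-ProtectionStatus)"
```

    Run it as two steps around the update install (`-Action Suspend`, then `-Action Resume`); a non-zero exit from the resume step is what you want to alert on, since that is a machine left without protection.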

  • You can consider using the manage-bde.wsf script (which ships with Vista and Windows 7) in a Run Command Line step.

    To view more detailed Help for this script, type the following command:

    cscript.exe %windir%\system32\manage-bde.wsf -h

    For more information, you can try the following link:

    Inside ConfigMgr 07 Operating System Deployment
    http://blogs.technet.com/inside_osd/archive/2008/04/08/bitlocker-support.aspx

    Hope it helps.

    Monday, April 19, 2010 7:26 AM

All replies

  • Thanks for your reply.  I'll take a look at that script.

    Can anyone at Microsoft speak to whether or not they (Microsoft) are building this logic into future Windows 7 patches? 

    If not, Windows 7 patches will need to be downloaded and scripted, then sent out as a "regular" package instead of letting Software Updates handle the download and package creation.

    Monday, April 19, 2010 1:47 PM
  • Before everyone freaks out, this guy quoted something from the link he posted that simply doesn't exist.  Here is the real quote:

    "Suspend BitLocker before making any major computer configuration changes (such as changing locales, installing a language pack, modifying the boot order, or updating the BIOS), and then resume BitLocker protection after the changes are complete."

    It says nothing about patches received from a WSUS server or Windows Update.

    Thanks.

    Friday, April 22, 2011 6:59 PM