Suspend Bitlocker for BIOS update

  • Question

  • Bit of a problem...

    Lots of Dell machines with TPMs and Bitlocker. Using SCUP to push out Dell drivers and firmware.

    BIOS update gets applied via SCCM 2012 R2 and now I've got users calling me because they're being asked for the Bitlocker recovery key (not a PIN; no PINs are enabled).

    Luckily I've not rolled this out full scale yet, but when I get over 100 machines with this issue I'm not going to be very popular.

    So the obvious question is: How can I force SCCM to suspend Bitlocker before applying the BIOS update? Seems a fairly basic thing to want to do, but I'm at a loss.

    Thanks



    Monday, July 13, 2015 8:57 PM

Answers

  • Thanks folks.

    I think I'll end up skipping them for now. Seems such an oversight on SCCM's part, especially when there's something included to not ask for the PIN after a reboot.

    Thursday, July 16, 2015 8:49 PM

All replies

  • Hi,

    One way would be to use a task sequence and use the built-in step to suspend BitLocker, then the step to install Software Updates, and then enable BitLocker again. Not ideal, as you would have to deploy the Software Updates as available to the computers so they can be installed, but it will work.

    The other option is to skip the update of BIOS using SCEP and use a script instead. Not ideal either, but again then you can control BitLocker before/after.

    Regards,
    Jörgen


    -- My System Center blog ccmexec.com -- Twitter @ccmexec

    Monday, July 13, 2015 9:15 PM
  • I thought that Software Updates (those which provoke a restart) would also pause/suspend BitLocker? (I'm sure I read that somewhere..)
    But I'm not sure that this would apply for SCUP..?

    (I'm not using BitLocker, so I don't have first-hand experience of this feature)


    Don

    Monday, July 13, 2015 9:21 PM
  • This is a problem for me as well. Anyone know if this is missing functionality, or a bug in the way things are supposed to work?
    Tuesday, September 15, 2015 5:08 PM
  • The task sequence is the best option to use. The reason this happens is that BitLocker is doing exactly what it is supposed to do: a critical component on the system has changed, causing BitLocker to say "HEY, this isn't the system I was in, so I'm not going to open up until someone verifies I can." This is different from just disabling a PIN to allow a reboot for software to continue to install. Use the task sequence: disable the protectors, update firmware, enable protectors.

    Basically see the following for common issues:

    http://blogs.technet.com/b/askcore/archive/2010/08/04/issues-resulting-in-bitlocker-recovery-mode-and-their-resolution.aspx

    James

    Wednesday, September 16, 2015 4:50 AM
  • Hey

    I disabled BitLocker in the task sequence, but still have the problem.

    Especially with the new Dell Latitude.

    /Taghi

    Tuesday, July 25, 2017 1:42 PM
  • Hi, I had the same issues. Solved with Microsoft MBAM. It will allow you to manage everything from the command line, to suspend/disable BitLocker. For example, to update the BIOS you could use: Manage-bde.exe -protectors -disable c:

    kind regards

    Tuesday, July 25, 2017 2:01 PM
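
The suspend, update, resume sequence described in the replies above, as an added PowerShell example (not code from any poster, Microsoft or Dell). The updater path, its arguments and the list of success exit codes are assumptions you supply; the BitLocker cmdlets used require Windows 8 / Server 2012 or later.

```powershell
# Added example: suspend BitLocker for exactly one reboot around a firmware update.
# $UpdaterPath, $UpdaterArgs and $SuccessCodes are hypothetical inputs; take the
# real values from your vendor's documentation for the update package.
param(
    [Parameter(Mandatory)] [string] $UpdaterPath,
    [string[]] $UpdaterArgs  = @(),
    [int[]]    $SuccessCodes = @(0),
    [string]   $MountPoint   = $env:SystemDrive
)
$ErrorActionPreference = 'Stop'

$vol       = Get-BitLockerVolume -MountPoint $MountPoint
$suspended = $false

if ($vol.ProtectionStatus -eq 'On') {
    # Refuse to continue without a recovery password protector: if the TPM
    # measurements change unexpectedly, someone must be able to look up a key.
    if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        throw "No recovery password protector on $MountPoint; not suspending."
    }
    # RebootCount 1: protection resumes automatically after the next restart,
    # so the volume is never left suspended indefinitely.
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null
    $suspended = $true
}

# Start-Process rejects an empty -ArgumentList, so only pass it when set.
$sp = @{ FilePath = $UpdaterPath; Wait = $true; PassThru = $true }
if ($UpdaterArgs.Count -gt 0) { $sp.ArgumentList = $UpdaterArgs }
$proc = Start-Process @sp

if ($SuccessCodes -notcontains $proc.ExitCode) {
    # Assumption: a non-success exit code means no firmware change was staged,
    # so it is safe to re-enable the protectors immediately.
    if ($suspended) { Resume-BitLocker -MountPoint $MountPoint | Out-Null }
    Write-Error "Updater exited with $($proc.ExitCode); BitLocker protection restored." -ErrorAction Continue
    exit $proc.ExitCode
}

# Success: leave protection suspended for the single reboot that applies the
# firmware, then confirm afterwards that ProtectionStatus is back to 'On'.
$state = (Get-BitLockerVolume -MountPoint $MountPoint).ProtectionStatus
Write-Output "Updater succeeded; $MountPoint protection is '$state' until the next restart."
exit 0
```

On Windows 7, where these cmdlets are not available, a suspension made with manage-bde stays in effect until the protectors are explicitly re-enabled.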