Hi all,
How do y’all work with and around patching when BitLocker encryption is on? Do you disable before each patch run? Bookend each baseline with disable/enable actions? Something else?
Thanks!
-Andrew
I never had to suspend BitLocker for any patching. The only time I would is if I was doing BIOS updates, and I did it as a two-part job: suspend BitLocker, and have my BIOS update check to verify that was done, then perform the update. Then I had a second action to activate BitLocker again. But for normal day-to-day patching I didn't have to suspend BitLocker. Are you having issues with patching and BitLocker?
Hmmm. Seems that BigFix patches sometimes don’t apply after rebooting. This is on Bitlocker+PIN machines. But if Bitlocker is suspended beforehand, they work.
I just turned on a BitLocker PIN on one of my machines and the patches seemed to install fine. Are you having this issue on all machines with the PIN enabled or just some? By chance, are you making sure the servicing stack is first in your baseline? If that is not first in the baseline you could have an issue where it skips the patches because the needed servicing stack is not installed first.
In our experience, we don’t suspend BitLocker for normal patches, but do suspend BitLocker and clear BIOS password and suspend security (AV) software when doing things like OS upgrade, BIOS, firmware, and driver updates. Then we follow with tasks in our baseline to turn all those items back on.
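The suspend, verify, then resume pattern the two replies above describe for BIOS and firmware updates, as an added PowerShell example that is not from any post in this thread. It assumes the built-in BitLocker module and the OS volume on the system drive; the firmware updater path is a placeholder.

```powershell
# Added example: suspend/verify/resume BitLocker around a firmware update,
# written as the three separate actions you would chain in a baseline.
# Assumes the built-in BitLocker module; the updater path is a placeholder.

$osDrive = $env:SystemDrive

# --- Action 1: suspend protection for exactly one reboot ---
# RebootCount 1 makes protection resume on its own after the next restart,
# so a skipped or failed resume action cannot leave the volume unprotected.
Suspend-BitLocker -MountPoint $osDrive -RebootCount 1 | Out-Null

# --- Action 2: verify the suspension before touching firmware ---
# Proceed only when the volume is encrypted but protection is currently off
# (that is, suspended). Any other state aborts so the update is retried later
# rather than risking a recovery-key prompt after the TPM measurements change.
$vol = Get-BitLockerVolume -MountPoint $osDrive
if ($vol.VolumeStatus -eq 'FullyEncrypted' -and $vol.ProtectionStatus -eq 'Off') {
    Write-Output "BitLocker suspended on $osDrive; running firmware update."
    # Placeholder for the vendor updater; not part of this example.
    # & 'C:\Temp\FirmwareUpdate.exe' /silent
}
elseif ($vol.ProtectionStatus -eq 'On') {
    Write-Output "BitLocker still protecting $osDrive; aborting firmware update."
    exit 1
}
else {
    Write-Output "Unexpected volume state: $($vol.VolumeStatus); aborting."
    exit 1
}

# --- Action 3: resume protection after the update/reboot and confirm it ---
Resume-BitLocker -MountPoint $osDrive | Out-Null
$after = Get-BitLockerVolume -MountPoint $osDrive
if ($after.ProtectionStatus -ne 'On') {
    Write-Output "Resume failed; protection is $($after.ProtectionStatus)."
    exit 1
}
Write-Output "BitLocker protection restored on $osDrive."
```

In a baseline, Action 2's status check doubles as the relevance for the update action, so the updater never runs against a volume whose protection is still on.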
We’ve never had any issues with BitLocker enabled volumes, which we use throughout the environment. As far as I’m aware, WUSA.exe automatically handles temporarily suspending BitLocker prior to installing the update, which then gets re-enabled after the reboot to complete the patch installation.