Bitlocker Pin and Software Patching

In the last number of years many businesses have started rolling out full disk encryption software throughout their IT environments, giving peace of mind and protection against data loss or theft, but this introduced a number of new issues for IT administrators. Later iterations of encryption products allowed "maintenance" windows to be implemented as part of policy, so PCs could have software updates installed and be rebooted to complete them.


It's the reboot aspect that causes the most issues, especially if you have a startup PIN/password. I encountered this recently in an environment I was managing. The issue was that after software updates were installed, PCs would simply stay offline because they were stuck at the BitLocker password/PIN prompt screen. Hmm, well, that's thrown a spanner in the works!

It's actually something Microsoft has documented quite well; for your convenience I've reproduced their table of update types and the BitLocker action each one needs here:

Type of update                                                      Action
Windows Anytime Upgrade                                             Decrypt
Upgrade from Windows 7 to Windows 8                                 Suspend
Non-Microsoft software updates, such as:                            Suspend
  • Computer manufacturer firmware updates
  • TPM firmware updates
  • Non-Microsoft application updates that modify boot components

What this doesn't say, however, is what to do if you have a startup PIN. In a way it actually does, but you have to read between the lines: if you suspend the BitLocker protectors on the OS drive, the startup PIN/password prompt stops appearing for as long as they are suspended. Suspending does not decrypt the drive; it stores the volume key in the clear on the disk so Windows can boot without the TPM and PIN check. That is exactly why you only want the protectors suspended for the duration of the patch reboot and not a minute longer.

You can accomplish this by running the following command, from an elevated prompt, before the reboot that follows the update installation:

manage-bde -protectors -disable c:

Remember that the protectors have to be re-enabled afterwards. On Windows 8 and later the command also accepts -RebootCount, so you can ask for the protectors to resume automatically after one reboot; on Windows 7 they stay disabled until you enable them again, so build the re-enable step into your patching process rather than relying on memory.

If you run this command on your machine you will see your hard disk icon change (the original post has two screenshots, dated 2013-01-04, showing the drive icon before and after the protectors are suspended).

A quick restart later and you're all patched up! Simples! Just check that protection is back on once the machine returns: the drive is bootable without the PIN for as long as the protectors remain suspended.
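The same suspend-before-reboot, verify-after-reboot procedure as a script, so it can be dropped into a patch tool's pre- and post-reboot steps. This is an added example and not code from the original post. It assumes a Windows 8 / Server 2012 or later host (the BitLocker PowerShell module with Suspend-BitLocker, Resume-BitLocker and Get-BitLockerVolume is not available on Windows 7, where you would use the manage-bde commands above instead) and an elevated session; the function names are my own.

```powershell
# Added example (not from the original post). Assumes Windows 8 / Server 2012+
# with the BitLocker PowerShell module, run from an elevated session.
# Function names are hypothetical.

function Suspend-OsDriveForPatching {
    param([string]$MountPoint = $env:SystemDrive)   # normally "C:"

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne 'On') {
        Write-Warning "$MountPoint protection is already '$($vol.ProtectionStatus)'; nothing to suspend."
        return $vol
    }

    # Show which protectors are present: it is the TPM+PIN (or TPM+startup key)
    # protector that turns an unattended reboot into a stuck PIN prompt.
    $types = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '
    Write-Host "Protectors on ${MountPoint}: $types"

    # RebootCount 1: protectors resume automatically after the next reboot, which
    # bounds the window in which the disk boots without the PIN.
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null
    Get-BitLockerVolume -MountPoint $MountPoint
}

function Confirm-OsDriveProtected {
    param([string]$MountPoint = $env:SystemDrive)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -eq 'On') {
        Write-Host "$MountPoint protection is On (volume status: $($vol.VolumeStatus))."
        return $true
    }

    # Still suspended after the patch reboot (e.g. the update forced a second
    # reboot, or RebootCount was 0): put the protectors back rather than leaving
    # the drive bootable without the PIN.
    Write-Warning "$MountPoint is still suspended after reboot; resuming protection."
    Resume-BitLocker -MountPoint $MountPoint | Out-Null
    return ((Get-BitLockerVolume -MountPoint $MountPoint).ProtectionStatus -eq 'On')
}

# Pre-reboot step of the patch job:
#   Suspend-OsDriveForPatching
#   Restart-Computer -Force
# Post-reboot step (scheduled task or the patch tool's "after restart" action):
#   if (-not (Confirm-OsDriveProtected)) { throw "BitLocker protection could not be resumed" }
```

Running the confirm step as a hard check, rather than trusting the reboot count, matters because some updates (firmware in particular) chain more than one restart; the post-reboot step is what guarantees the PIN prompt is back before the machine is handed to a user.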