Windows 11 Bitlocker and HP BIOS/UEFI Firmware Updates via Windows Update
Posted by americanconstitution@reddit | sysadmin | 28 comments
I'm in the process of deploying Bitlocker via Intune, but can't find a solid answer to this question. If you deploy Bitlocker via Intune, will Windows Updates still try to deliver HP BIOS/UEFI firmware updates?
If it does still deliver updates, this could cause the computer to prompt for the Bitlocker 48-digit recovery key (when the BIOS/UEFI is updated), which would cause a massive amount of calls to our service desk. How are you handling this potential problem? (e.g. Using Intune/GPO to disable driver updates via Windows Update)
Stephen-IT@reddit
I've just encountered this. After finding about 80 HP ProDesk 400 G6 all asking for the bitlocker recovery key, even after putting in the key you'll still get asked to provide the recovery key.
After a bit of a panic, it looks like you just need to enable the 3 2023 certificate items in the BIOS.
Once enabled, it seems to boot fine. I've got one PC still asking for the recovery key, but on the 10 or 15 I've done so far this has sorted it, reboots and all.
Stephen-IT@reddit
Also found this which explains how to fix this issue.
https://liam-robinson.co.uk/enabling-2023-secure-boot-certificate-authority-uefica2023-on-hp-prodesk-400-g6-devices/
cratesofmilk@reddit
My last job was an HP shop and in my experience, BIOS/UEFI updates will download in the background but won’t actually install until we manually suspend bitlocker and reboot.
It was actually a pretty effective troubleshooting step for our service desk to suspend bitlocker and restart while troubleshooting pesky driver issues. There was usually an update available since they weren’t installing on their own, and it had a good success rate of fixing the issue.
Obviously there can be other factors and results may vary, but that is my experience.
dpf81nz@reddit
In my experience, yes, they are deployed (assuming you have your policies configured to), but Windows suspends bitlocker prior to the reboot to avoid that, and then resumes it after the update.
bfodder@reddit
This is accurate and makes OP's concerns a non-issue.
pcbrad@reddit
In my experience it does not always do this. Have had half a fleet of 60-odd laptops for a customer all require recovery, while the other half were fine.
Stonewalled9999@reddit
Lenovos were famous for this a few years back. They seem to have fixed it. Dell too - in fact the Windows Update for Dell BIOS now works better than the Command Update.
itskdog@reddit
I think that happens if the laptop isn't plugged in when Windows reboots, so the UEFI holds the update for when it's safe to do so, by which time BDE has been resumed.
dpf81nz@reddit
Ah ok, I have about 100 or so and haven't seen it in the few years I've used Intune, thankfully.
Xzenor@reddit
Can confirm
Ill-Detective-7454@reddit
Yes, this exact scenario happened to a test machine of mine. My users that need to encrypt data use a data partition or vhdx with bitlocker, but no bitlocker on the system partition.
Smith6612@reddit
BIOS updates can still be delivered. Most capsule updates will temporarily suspend BitLocker to install the BIOS update, then re-enable it on the next boot-up. Even running the updates manually within Windows, you'll find that the installers are smart enough to check for BitLocker and advise you that BitLocker will be temporarily suspended.
These can trip BitLocker, but it rarely happens in my experience so long as the update is delivered and installed within Windows.
mangeek@reddit
Before we deployed (via SCCM & GPO many years ago) there was a lot of concern about BIOS updates throwing BitLocker into recovery, but we haven't actually had that happen in anything but corner cases.
If you have the option with your hardware, you might want to deploy the vendor's software to manage drivers and firmware updates, and scripts to trigger it silently on a schedule. I'm talking about tools like Dell Command Update (or whatever they call it).
HotTakes4HotCakes@reddit
Problem with Dell Command Update is I can't figure out how to get the most recent version of it to deploy through Intune properly.
FlickKnocker@reddit
Are you trying to pull from a direct link to dell.com? That always crapped out with 403 Forbidden eventually/sometimes/often, so we just store the exe as a package ourselves.
Michal_F@reddit
I would recommend having a good pilot group for testing updates; issues can be on some specific models, a combination of update + BIOS version + specific model or application. But HP + Microsoft deploy these BIOS updates to normal users that have Bitlocker enabled as well.
Just my recommendation: if you are just at the stage of deploying Bitlocker, update all your HW first to avoid any compatibility issues with an old BIOS, but it depends mostly on how old your HW is :)
BrechtMo@reddit
If a driver or BIOS update goes well, no bitlocker recovery will be triggered. The installation process takes care of that for you.
Avas_Accumulator@reddit
The fact is that all and any Secure Boot/BIOS updates may trigger the code. You can allow users to see "My Devices" and from there grab the bitlocker key, which could help.
We've had it going through WUpdate for ages without many problems. I think they work closely with MS to ensure fewer interruptions.
We also use the HP script tools to remediate BIOSes that are out of date - even with a good setup you need to track that BIOSes are actually rolled out across the fleet and deal with PCs that are not up to date - I even found a PC that should have been in order that had a 1500-day-old BIOS on it.
Get-HPBIOSUpdates -Flash -Bitlocker Suspend -Force -Yes -Password $BiosPassword -ErrorAction Stop
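A pre-flight wrapper around that command, as an added example (not from the thread or from HP): before flashing, it confirms the OS volume has a recovery password protector and escrows it, so that if the update does trip BitLocker the key is in the portal rather than generating a service-desk call. It assumes HP's Client Management Script Library (HPCMSL) is installed, the device is Entra-joined (for BackupToAAD-BitLockerKeyProtector), and $BiosPassword is already set as in the comment above.

```powershell
# Added example: escrow-then-flash pre-flight for HP BIOS updates on a BitLocker-protected device.
# Assumptions: HPCMSL module present, Entra-joined device, $BiosPassword already defined.
$ErrorActionPreference = 'Stop'
$osDrive = $env:SystemDrive

$vol = Get-BitLockerVolume -MountPoint $osDrive

if ($vol.ProtectionStatus -eq 'On') {
    # A recovery password protector must exist; a TPM-only volume has nothing to hand the user.
    $rp = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $rp) {
        throw "No recovery password protector on $osDrive; add one before touching firmware."
    }

    # Escrow every recovery password to Entra ID so it shows up under "My Devices" / Intune.
    foreach ($p in $rp) {
        BackupToAAD-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $p.KeyProtectorId
    }
    Write-Host "Recovery password(s) escrowed for $osDrive."
} else {
    Write-Host "BitLocker protection is not On for $osDrive (status: $($vol.ProtectionStatus))."
}

# Record the starting BIOS version so the change can be audited afterwards.
$before = Get-HPBIOSVersion
Write-Host "Installed BIOS version: $before"

# Only flash when HP reports a newer BIOS; -Bitlocker Suspend lets the tool suspend
# protection for the reboot so the TPM re-seals against the new measurements.
if (Get-HPBIOSUpdates -Check) {
    Get-HPBIOSUpdates -Flash -Bitlocker Suspend -Force -Yes -Password $BiosPassword
} else {
    Write-Host 'BIOS is already current; nothing to flash.'
}
```

After the post-update reboot, `Get-BitLockerVolume` should show ProtectionStatus back to On; if it stays Off, `Resume-BitLocker -MountPoint $env:SystemDrive` re-arms it.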
GinormousHippo458@reddit
Yikes. All that weird trust and supply (surveillance) chain stuff is all integrated in normie computer land now, eh? 😬 Holy shit.
If only the masses had coherent thought, Linux and open source adoption would be booming.
HappyVlane@reddit
I think you're in the wrong subreddit.
TerrorToadx@reddit
🤓.
sniff122@reddit
Windows Update should suspend bitlocker beforehand, which I've had fairly decent luck with for the most part.
thatguyyoudontget@reddit
I second this.
cbtboss@reddit
Generally speaking Windows Update will suspend the bitlocker service without issue, but we do occasionally have a handful that fail this step for whatever reason. (1 to 2 out of a fleet of 300+ in a month or so)
Repulsive_Bank_9046@reddit
You can turn off driver updates in Intune
americanconstitution@reddit (OP)
While I can turn off the driver updates in Intune or Group Policy, I'm reaching out to see if other sysadmins/desktop admins have experienced issues with these BIOS/UEFI firmware updates, causing Bitlocker to prompt for the recovery key.
Repulsive_Bank_9046@reddit
We haven't run into that issue. Currently manage a 25k fleet of Windows machines.
americanconstitution@reddit (OP)
Thanks very much for the response. I'll continue letting Windows Updates deliver the firmware updates :)