I've been watching the AMA Secure Boot videos and wanted to confirm something that was said. It seemed like they were saying that BitLocker would not need to be suspended while updating the certificates using the AvailableUpdates registry key entry.
This is correct. Even when BitLocker is sealed against TPM's PCR 7, it will be automatically resealed so that no BitLocker recovery key is required.
That is the theory (which matches practice in >99% of the cases). Firmware bugs have proven that it may fail in some cases (just like BitLocker TPM unlock sometimes fails for completely unrelated firmware reasons).
Some cautious people suspend BitLocker nevertheless, especially when they are doing the updates remotely. It's a trade-off, whether the risk of having your data at risk for a short moment outweighs the risk of having to (find a way to) enter your recovery key.
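
A pre-flight check for the trade-off discussed above, as an added example that is not from the thread participants or from Microsoft: it confirms a recovery password protector exists before the certificate update and, only if asked, suspends BitLocker for a single reboot. It assumes the OS volume is `C:`, an elevated Windows PowerShell session, and the `HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot` location for the AvailableUpdates value; the parameter names are hypothetical.

```powershell
# Added example: read-only checks, plus an optional one-reboot suspend.
param(
    [string]$MountPoint = 'C:',        # assumed OS volume
    [switch]$SuspendForOneReboot       # the cautious option from the thread
)

# Secure Boot state; the cmdlet throws on non-UEFI firmware, so report that as $null.
try   { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop }
catch { $secureBoot = $null }

# Which key protectors exist on the volume?
$vol   = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
$types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
$hasTpm      = @($types -like 'Tpm*').Count -gt 0
$hasRecovery = $types -contains 'RecoveryPassword'

# Current AvailableUpdates value (read only; this script never writes it).
$sbKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
$pending = (Get-ItemProperty -Path $sbKey -Name AvailableUpdates `
            -ErrorAction SilentlyContinue).AvailableUpdates

[pscustomobject]@{
    SecureBootEnabled = $secureBoot
    ProtectionStatus  = $vol.ProtectionStatus
    TpmProtector      = $hasTpm
    RecoveryPassword  = $hasRecovery
    AvailableUpdates  = if ($null -ne $pending) { '0x{0:X}' -f $pending } else { 'not set' }
}

# If resealing fails after the update, the recovery password is the way back in.
if (-not $hasRecovery) {
    Write-Warning "No RecoveryPassword protector on $MountPoint. Add and escrow one before updating."
    return
}

if ($SuspendForOneReboot -and $vol.ProtectionStatus -eq 'On') {
    # The volume key is exposed in the clear until the next reboot completes;
    # protection resumes automatically after that reboot.
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null
    Write-Output "BitLocker suspended on $MountPoint for one reboot."
}
```

Run it without `-SuspendForOneReboot` to keep protection on and rely on the automatic reseal; either way, confirm the recovery password is retrievable from wherever it is escrowed before touching a remote machine.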