Are you guys aware if there are plans to allow the OS to automatically suspend BitLocker protection when a firmware update comes down via Windows Update on devices where Secure Boot is enabled but PCR 7 binding is not possible?
Firmware updates coming from WU are currently being prevented from installing when BitLocker protection is on and the PCRs are set to 0, 2, 4, 11 (generally devices with Secure Boot turned off). The main concern is a subset of devices that leverage OROMs and cannot bind PCR 7 when Secure Boot is enabled and BitLocker is enabled. This causes an SB-enabled device to have the 0, 2, 4, 11 PCRs, preventing them from receiving important firmware updates with the updated Default DB 2023 certs. Depending on the client base to suspend BitLocker protection periodically is not a viable solution, and doing it automatically via a remediation script would be a security concern.
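The following PowerShell is an added example for inventorying the situation the post describes; it is not code from the original post or from Microsoft. It reports each BitLocker OS volume's TPM PCR validation profile alongside the Secure Boot state, so the "Secure Boot on but bound to 0, 2, 4, 11 instead of 7, 11" devices can be found before a firmware update is pushed. Suspension is deliberately opt-in (the -Suspend switch) with a bounded reboot count, since the post itself flags unattended suspension as a security concern. Assumptions: the in-box cmdlets Confirm-SecureBootUEFI, Get-BitLockerVolume and Suspend-BitLocker, and the layout of `manage-bde -protectors -get` output, where the PCR list follows the "PCR Validation Profile:" line; the sample output used to exercise the parser is constructed, with a zeroed protector GUID.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original post. Run elevated on a UEFI Windows 10/11 client.

function Get-PcrProfileFromManageBde {
    # Parses the TPM protector's "PCR Validation Profile:" from captured
    # `manage-bde -protectors -get <drive>` output. manage-bde prints the PCR
    # list on the following line (assumption about its layout), so both the
    # same-line and next-line forms are handled. Returns $null if no TPM protector.
    param([Parameter(Mandatory)][string[]]$Lines)
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        if ($Lines[$i] -match 'PCR Validation Profile:\s*(.*)$') {
            $rest = $Matches[1].Trim()
            if (-not $rest -and ($i + 1) -lt $Lines.Count) { $rest = $Lines[$i + 1].Trim() }
            return [int[]]@($rest -split '\s*,\s*' | Where-Object { $_ -match '^\d+$' })
        }
    }
    return $null
}

function Get-BitLockerPcrBindingReport {
    # Emits one object per OS volume: Secure Boot state, PCR profile, whether the
    # TPM protector is bound to PCR 7, and what (if anything) was done.
    param(
        [switch]$Suspend,          # only suspend when an operator explicitly asks
        [int]$RebootCount = 1      # protection resumes automatically after this many restarts
    )
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }  # throws on non-UEFI

    foreach ($vol in (Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' })) {
        $tpmProtector = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' }
        $pcrs = $null
        if ($tpmProtector) {
            $raw = & manage-bde.exe -protectors -get $vol.MountPoint 2>&1 | ForEach-Object { "$_" }
            $pcrs = Get-PcrProfileFromManageBde -Lines ([string[]]$raw)
        }
        $boundToPcr7 = ($null -ne $pcrs) -and ($pcrs -contains 7)
        # The case from the post: Secure Boot on, protection on, but the legacy
        # 0,2,4,11 profile is in use, so a WU firmware capsule will be held back.
        $atRisk = $secureBoot -and ($vol.ProtectionStatus -eq 'On') -and $tpmProtector -and -not $boundToPcr7

        $action = 'None'
        if ($atRisk) {
            $action = 'NeedsAttention'
            if ($Suspend) {
                Suspend-BitLocker -MountPoint $vol.MountPoint -RebootCount $RebootCount | Out-Null
                $action = "Suspended(RebootCount=$RebootCount)"
            }
        }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            ProtectionStatus = $vol.ProtectionStatus
            SecureBoot       = $secureBoot
            PcrProfile       = if ($pcrs) { $pcrs -join ',' } else { '(no TPM protector)' }
            BoundToPcr7      = $boundToPcr7
            Action           = $action
        }
    }
}

# Constructed sample of manage-bde output (not captured from a real device) to
# exercise the parser offline; expect 0,2,4,11 here.
$sampleManageBde = @(
    'Volume C: [OSDisk]',
    'All Key Protectors',
    '',
    '    TPM:',
    '      ID: {00000000-0000-0000-0000-000000000000}',
    '      PCR Validation Profile:',
    '        0, 2, 4, 11',
    '',
    '    Numerical Password:',
    '      ID: {00000000-0000-0000-0000-000000000001}'
)
$parsed = Get-PcrProfileFromManageBde -Lines $sampleManageBde
"Parsed sample profile: $($parsed -join ',') (bound to PCR 7: $($parsed -contains 7))"

# Live report; add -Suspend -RebootCount 1 only inside a controlled update window.
Get-BitLockerPcrBindingReport | Format-Table -AutoSize
```

Two caveats a practitioner would want: Suspend-BitLocker with -RebootCount leaves the volume master key in the clear on disk until that many restarts have completed, so the window should be as short as the firmware update flow allows, and the report only tells you which profile is in use, not why; a device showing 0, 2, 4, 11 with Secure Boot on is exactly the OROM case the post describes, and changing the profile needs a firmware or configuration fix, not a script.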