Event banner
Event details
With Windows Update for Business driver update management, we can now update device firmware. We consider this as a sensitive operation. For example, we have BitLocker configured with PIN code for startup, and also a risk is to have the recovery code asked to the user because the firmware update changed something in the TPM config. So question is when firmware is installed, is BitLocker suspended (once) or how is this handled ?
- EricMoe
Microsoft
Johan, check out https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/faq#do-i-have-to-suspend-bitlocker-protection-to-download-and-install-system-updates-and-upgrades- Specifically, when applying updates to UEFI\BIOS firmware through Windows Update, Windows handles suspending Bitlocker to apply the update. The description of Bitlocker suspension is covered earlier in the FAQ at https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/faq#what-is-the-difference-between-suspending-and-decrypting-bitlocker- Suspend keeps the data encrypted but encrypts the BitLocker volume master key with a clear key. The clear key is a cryptographic key stored unencrypted and unprotected on the disk drive. By storing this key unencrypted, the Suspend option allows for changes or upgrades to the computer without the time and cost of decrypting and re-encrypting the entire drive. After the changes are made and BitLocker is again enabled, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade, the volume master key is changed, the protectors are updated to match and the clear key is erased.
