Feature Updates, BitLocker, and 3rd Party Management Tools


So for the last couple of weeks, I have been battling deploying the Creators Update (1703) to several machines using the Windows Servicing component of ConfigMgr. What would occur is the update would download and execute as expected. After about 15 minutes of it doing its job in the background (compat checks, setting up the SafeOS, NewOS, DISMing drivers, staging boot images, etc.) it suspends BitLocker before triggering a reboot. This is right at the end of the pre-reboot phase. If no user is logged in, the machine reboots immediately and the update process continues.


Now let's assume a user is logged in. Maybe they are working, or maybe they just left it locked before they went home. The ConfigMgr client will prompt for a reboot (as expected), then provide a 120-minute delay. This is where we hit a snag. Since we are using a 3rd party tool to manage BitLocker, the policy will refresh and re-enable BitLocker before the device reboots. This causes the machine to boot to the "Choose a Keyboard Language" screen. Once you choose your language and select continue, it boots back into (in this case) 1607. Good job on the recovery piece MS, but now what? Since there are limited options for configuration on the Servicing side within ConfigMgr, we are left to completely disable our 3rd party policy during the time it takes machines to update. We have reached out to our vendor, but I'm sure they haven't run into this as it is a new process. I'm also sure they won't have a solution.


With that being said, are there others out there experiencing the same thing? We are submitting a feature request with MS to add a BitLocker check at reboot execution, but we will see where that goes.

Signed, Misery looking for company.
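The "BitLocker check at reboot execution" the post asks ConfigMgr for, written out as an added PowerShell example that is not the author's, Microsoft's, or the vendor's code. It assumes it runs elevated on the client immediately before the servicing reboot is issued; the function names are hypothetical, the cmdlets are the built-in BitLocker module's.

```powershell
# Added example: re-check the OS volume right before the feature-update reboot.
# Setup suspends BitLocker earlier in the pre-reboot phase; if a management
# agent's policy refresh re-enabled protection in the meantime, the TPM will
# reject the changed boot path and the device lands in recovery and rolls back.
# Assumes: elevated PowerShell, Windows 10 client with the BitLocker module.

function Test-BitLockerSuspendedForReboot {
    [CmdletBinding()]
    param([string]$MountPoint = $env:SystemDrive)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    # Nothing to do on a volume that was never encrypted.
    if ($vol.VolumeStatus -eq 'FullyDecrypted') { return $true }
    # On an encrypted volume, ProtectionStatus 'Off' means protectors are suspended.
    return ($vol.ProtectionStatus -eq 'Off')
}

function Invoke-GuardedServicingReboot {
    [CmdletBinding()]
    param(
        [string]$MountPoint = $env:SystemDrive,
        # 0 = stay suspended until explicitly resumed; a feature update reboots
        # more than once, so a single-reboot suspension is not enough.
        [int]$RebootCount = 0
    )

    if (-not (Test-BitLockerSuspendedForReboot -MountPoint $MountPoint)) {
        Write-Warning "BitLocker protection is On for $MountPoint; suspending before reboot."
        Suspend-BitLocker -MountPoint $MountPoint -RebootCount $RebootCount | Out-Null

        # Fail closed: a reboot with protection on is exactly the recovery-screen case.
        if (-not (Test-BitLockerSuspendedForReboot -MountPoint $MountPoint)) {
            throw "Could not suspend BitLocker on $MountPoint; refusing to reboot."
        }
    }

    Restart-Computer -Force
}

# Usage: call this in place of the plain restart once Setup's pre-reboot phase is done.
# Invoke-GuardedServicingReboot
```

Because the suspension is indefinite, pair it with a post-upgrade step that runs `Resume-BitLocker -MountPoint $env:SystemDrive` (or a policy re-evaluation) and confirms `ProtectionStatus` is back to `On`, otherwise the volume key stays exposed on disk after the update completes.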


1 Reply

No responses?  Was hoping Michael Niehaus would have some insight on this one. :)