This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(118.4, 71%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDP%3C/text%3E%3C/svg%3E)
Various users across our clients have been getting bitlocker recovery screens after doing windows updates to their devices. It appears that the updates also include a type of firmware update. We have also tested and were able to replicate this in house.
I have been looking into the matter but it doesn't appear to be clear as to whether this is intended. Does Windows update know to suspend bitlocker when applying firmware changes?
All our clients use Dell devices on the latest features update of Windows 10, all of which have TPM chips.
This causes a lot of disruption as we have to get these users to power cycle their devices to reset hardware and get logged back on. If that fails, provide them with the bitlocker key to get them logged on.
This appears to have started this year when Microsoft added the feature to allow windows to update drivers.
As we have so a large quantity of users, it is not practical to go around and manually suspend bitlocker, nor is it acceptable to allow users or have ourselves hold back updates as this impacts security and compliance for them and starts causing problems with device compliancy in Intune.
Do we have an idea of what can be causing this? Is windows meant to suspend bitlocker and that isn't happening?
Why is windows doing firmware upgrades that will force bitlocker recovery to prompt when it can't suspend bitlocker?
This is becoming a growing a problem and we need to get to the bottom of this. I am sorry if there is similar threads to this problem, but the ones I found either didn't have a response, had a solution that did not work with our requirements or wasn't within the same scope.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(240, 2%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMM%3C/text%3E%3C/svg%3E)
Le me try to broaden your vision on this.
Bitlocker is not meant to be end-user (non-admin) administered.
Giving a recovery key to a non-admin is a security no-go since it allows the user to do anything with the device (decrypt, manipulate, harvest credentials,...)
So surely, you will want to prevent this firmware update to happen without bitlocker being suspended in the first place, I agree.
But windows update must not decide for itself "now is the time to suspend bitlocker" - this must remain the choice of the admin.
So your best bet is to introduce patch management software (like WSUS) and govern which updates arrive at your clients yourself.
Thank you for the response,
I do agree as well, users should not have any administrative access especially to Bitlocker management.
I also have considered the problems with Windows Updates doing bitlocker suspension (e.g. pending updates leaving computer in a suspended state for long periods of time).
The main problem is that Intune provides the configuration option to allow Windows Updates to Install drivers.
Intune is commonly used for Enterprise tenants. So why have the feature available, if it puts devices into bitlocker recovery?
Its frustrating to have a feature that on the surface, provides a tidy solution that would be productive and cost effective for a business. but instead causes bitlocker Recovery, making it counter productive.
I presume the resolution we look at is turning that feature off and go back to ensuring that BIOS updates are managed manually using patch management software to monitor when these are available? which is a step back.
Driver updates in general do NOT trigger Bitlocker recovery. Firmware ("Bios-") updates do! Don't deploy these.
Absolutely agreed, the problem is that the intune configuration profile for windows update allows you to enable "Allow driver updates via Windows Updates"
This installs BIOS and other firmware update that require bitlocker to suspend.
So the real question is why have this option with enterprise/business licencing if it causes these problems. I will take this back to our team however as it would appear that a third party patch management software will have to be the solution to ensure we can prevent these type of changes from being applied.
Its a real pain as we could really do with a way of managing BIOS upgrades that can be automated without administrative involvement and still prevent users from having admin access.
Guess its something that is restricted by the technology in place :/
Hi,
Just checking in to see if the information provided was helpful.
If the reply helped you, please remember to accept as answer.
If no, please reply and tell us the current situation in order to provide further help.
@David Price
Hi,
From the official article:
https://learn.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq
Users need to suspend BitLocker for Non-Microsoft software updates, such as:
Computer manufacturer firmware updates
TPM firmware updates
Non-Microsoft application updates that modify boot components
If these types of upgrades or updates are applied without suspending BitLocker, your computer will enter recovery mode when restarting and will require a recovery key or password to access the computer.
Hope above information can help you.
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hi @Jenny Feng
Thank you for the response, I understand that users can do this. However not every user is computer literate nor will they know which updates coming through windows updates is the one they need to suspend bitlocker for.
Do we know why Windows Update is pushing out BIOS and firmware updates without suspending bitlocker for the user and/or prompting the user to tell them they need to suspend (not helpful still as non of them are admins for security purposes).
Suspending bitlocker for all these users would mean we have to monitor windows update too and the remote support for which would be an incredible amount of work.
It seems to be an oversight for the "Receive Updates for other Microsoft products when you update windows" option.
Is there not a form of work around or solution that Microsoft are working on?
Would it be best to turn off this feature and just use a third party patch management software?
Hi,
I agree with you that it is better to prompt the user to tell them they need to suspend.
So far, however, there is no such option to trigger this
I think what we can do is manage the updates for the users.