I'm in the process of rolling out the Windows Secure Boot certificate update across my organization using Intune. After deploying a test policy to a small group, I noticed a few Dell devices with outdated BIOS versions asking for the BitLocker recovery key after the update. We use Dell Command Update (DCU) for managing firmware updates, but users can ignore its notifications. Plus, we have a BIOS admin password set on our Dell machines, which blocks firmware updates unless the password is provided.

I'm looking for advice on the following:

1) How can I update BIOS/firmware on Dell devices without triggering BitLocker recovery?
2) Can I enable Secure Boot remotely on devices where it's disabled?
3) Some devices show Secure Boot status as 'Unknown' in Intune. How can I ensure this status is reported correctly?

Any tips or real-world experiences would be great!
3 Answers
In my experience managing around 500 Dell laptops, losing a few devices to BitLocker recovery was pretty common. I've seen it happen more often on Dell systems compared to others. However, I use Lenovo Commercial Vantage for updates with my fleet of 350 Lenovo machines, and I've managed to avoid any BitLocker issues since we started a year ago. It might be worth considering which devices you're using and how you manage updates.
You could consider suspending BitLocker protection before applying the firmware updates. This should help prevent recovery key prompts after the updates are done.
To avoid BitLocker recovery prompts, you might want to script the DCU command line to store the BIOS password in the registry of each device first. This way, you can execute the BIOS installation commands without triggering any issues. Check out Dell's documentation for more info on the DCU CLI commands for guidance.
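Putting the two previous answers together (suspend BitLocker first, then hand the BIOS admin password to DCU and run the BIOS update from the command line), here is an added example script that is not part of the original thread or of Dell's own tooling. It assumes dcu-cli.exe is installed in one of Dell's default paths, that it runs elevated (for instance as an Intune PowerShell script or Win32 app running as SYSTEM), and that the BIOS password arrives through the $BiosPassword parameter from a secure source. The dcu-cli switches and exit codes used are the ones documented in the DCU CLI reference; newer DCU releases also accept -encryptedPassword/-encryptionKey in place of -biosPassword, so verify the switches against the version you deploy.

```powershell
# Added example, not code from the thread or from Dell.
# Suspend BitLocker, store the BIOS admin password in Dell Command | Update,
# then apply BIOS/firmware updates silently and report what happened.
param(
    [Parameter(Mandatory)][string]$BiosPassword,          # assumed: supplied by your deployment tool
    [string]$OsDrive = $env:SystemDrive,
    [switch]$RebootNow
)

# Locate dcu-cli.exe (64-bit and 32-bit default install paths).
$DcuCli = @(
    "$env:ProgramFiles\Dell\CommandUpdate\dcu-cli.exe",
    "${env:ProgramFiles(x86)}\Dell\CommandUpdate\dcu-cli.exe"
) | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $DcuCli) { throw "dcu-cli.exe not found; install Dell Command | Update first." }

# 1. Suspend BitLocker for exactly one reboot. The firmware flash changes the
#    TPM measurements the OS-drive key is sealed to; while suspended the first
#    boot after the flash does not prompt for recovery, and protection resumes
#    automatically after that boot even if nothing else in this script runs.
$vol = Get-BitLockerVolume -MountPoint $OsDrive
if ($vol.ProtectionStatus -eq 'On') {
    Suspend-BitLocker -MountPoint $OsDrive -RebootCount 1 | Out-Null
    Write-Host "BitLocker suspended on $OsDrive for one reboot."
} else {
    Write-Host "BitLocker protection already off on $OsDrive; nothing to suspend."
}

# 2. Give DCU the BIOS admin password so it can unlock the firmware. DCU keeps
#    the value in its own (encrypted) configuration; it is not passed per update.
& $DcuCli /configure -biosPassword="$BiosPassword" -silent
if ($LASTEXITCODE -ne 0) { throw "dcu-cli /configure failed with exit code $LASTEXITCODE" }

# 3. Apply only BIOS and firmware updates, silently, without letting DCU reboot
#    on its own. -autoSuspendBitLocker=enable makes DCU suspend BitLocker as well,
#    which covers the case where step 1 was skipped on a device.
$log = Join-Path $env:ProgramData 'Dell\dcu-bios-update.log'
& $DcuCli /applyUpdates -updateType=bios,firmware -autoSuspendBitLocker=enable `
    -reboot=disable -silent -outputLog="$log"
$rc = $LASTEXITCODE

# Exit codes per the DCU CLI reference (verify for your version):
# 0 = success, 1 = reboot required, 500 = no applicable updates found.
switch ($rc) {
    0   { Write-Host "BIOS/firmware update applied (see $log)." }
    1   { Write-Host "BIOS/firmware update staged; a reboot is required to flash it." }
    500 { Write-Host "No BIOS/firmware updates applicable for this model." }
    default { throw "dcu-cli /applyUpdates failed with exit code $rc (see $log)" }
}

# 4. Report the state Intune will later want to see: Secure Boot and BitLocker.
#    Confirm-SecureBootUEFI throws on legacy-BIOS machines, hence the try/catch.
$secureBoot = try { if (Confirm-SecureBootUEFI) { 'Enabled' } else { 'Disabled' } }
              catch { 'Unsupported (legacy BIOS or query failed)' }
Write-Host "Secure Boot: $secureBoot"
Write-Host "BitLocker protection on ${OsDrive}: $((Get-BitLockerVolume -MountPoint $OsDrive).ProtectionStatus)"

if ($RebootNow -and $rc -eq 1) { Restart-Computer -Force }
```

Run it once per device before pushing the Secure Boot certificate policy; with -RebootCount 1 the window in which the drive is unprotected is a single boot, which is the trade-off you accept instead of escrowing and entering recovery keys by hand. If the Secure Boot line reports "Disabled" or "Unsupported", that device needs Secure Boot turned on in firmware (a separate step this script does not perform) before Intune can report its status as anything other than Unknown.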

That's pretty rough! I've always wondered if this is just a Dell issue. I haven't faced any BitLocker problems with my Lenovo machines, which makes me think there could be a difference in how these systems handle firmware updates.