I'm currently setting up BitLocker through Intune and I'm uncertain about something. When deploying BitLocker this way, will Windows Update still deliver HP BIOS/UEFI firmware updates? I'm concerned that if these updates are applied, the computer may prompt for the 48-digit BitLocker recovery key after a BIOS/UEFI update, which could result in numerous calls to our service desk. How are others managing this potential issue? For example, are you using Intune or Group Policy to disable driver updates through Windows Update?
4 Answers
You can actually turn off driver updates directly in Intune if that helps. Just a heads up though, while it’s possible to disable these updates, I’m curious if anyone else has run into issues with BIOS/UEFI updates triggering recovery prompts for BitLocker.
Overall, Windows Update should suspend BitLocker without issues. In my experience, it works well most of the time, but occasionally you'll find one or two updates that fail to perform this step out of a fleet of hundreds.
Before our deployment with SCCM and Group Policy, we worried about firmware updates triggering BitLocker recovery mode, but we've only encountered a few rare cases where that happened. If your hardware supports it, consider using the manufacturer's tools for managing driver and firmware updates silently on a schedule, like Dell Command Update.
From what I've seen, Windows Updates will indeed push those BIOS/UEFI updates if your policies allow it. However, Windows typically suspends BitLocker before rebooting, which helps avoid any recovery key prompts. After the update is completed, BitLocker should resume normally.
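The answers above all rest on the same mechanism: BitLocker is suspended before the firmware-updating reboot and resumed afterwards, and the rare service-desk calls come from the cases where the resume step is skipped. The following PowerShell is an added example, not code from this thread or from HP, Dell or Microsoft, showing how an administrator can apply that suspend-for-one-reboot pattern around an out-of-band BIOS/UEFI update and verify the resume. It assumes it runs elevated, that the OS volume is `C:`, and that the built-in BitLocker module is available; the Intune PolicyManager registry path in the last function is an assumption and only the Group Policy path is certain.

```powershell
# Added example (not from the thread): suspend BitLocker for exactly one reboot around
# a BIOS/UEFI update, then confirm protection came back. Assumes elevated session, OS
# volume C:, and the built-in BitLocker module (Get/Suspend/Resume-BitLocker).

$OsDrive = 'C:'

function Get-BitLockerState {
    $vol = Get-BitLockerVolume -MountPoint $OsDrive
    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        ProtectionStatus = $vol.ProtectionStatus   # On, or Off when suspended / not enabled
        VolumeStatus     = $vol.VolumeStatus
        KeyProtectors    = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
    }
}

function Invoke-PreFirmwareSuspend {
    # -RebootCount 1 is the important part: protection resumes automatically after one
    # restart, so a forgotten resume does not leave the disk permanently unprotected.
    $state = Get-BitLockerState
    if ($state.ProtectionStatus -ne 'On') {
        Write-Warning "BitLocker on $OsDrive is already $($state.ProtectionStatus); nothing to suspend."
        return $state
    }
    Suspend-BitLocker -MountPoint $OsDrive -RebootCount 1 | Out-Null
    Get-BitLockerState
}

function Test-PostFirmwareResume {
    # Run after the firmware update and reboot. ProtectionStatus still Off means the
    # automatic resume did not happen (the occasional failure the answers describe);
    # resume explicitly so the device does not stay unprotected.
    $state = Get-BitLockerState
    if ($state.ProtectionStatus -ne 'On') {
        Write-Warning "BitLocker did not resume on its own; resuming now."
        Resume-BitLocker -MountPoint $OsDrive | Out-Null
        $state = Get-BitLockerState
    }
    $state
}

function Get-WuDriverPolicy {
    # Reports whether drivers (and therefore firmware packages) are excluded from
    # Windows Update. The GPO path is the documented "Do not include drivers with
    # Windows Updates" setting; the PolicyManager path is an assumed location for the
    # Intune CSP Update/ExcludeWUDriversInQualityUpdate.
    $paths = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate',
        'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'   # assumed
    )
    foreach ($p in $paths) {
        $v = (Get-ItemProperty -Path $p -Name ExcludeWUDriversInQualityUpdate -ErrorAction SilentlyContinue).ExcludeWUDriversInQualityUpdate
        if ($v -eq 1) { return "Drivers excluded from Windows Update (set at $p)" }
    }
    'Drivers delivered via Windows Update (default)'
}

# Usage:
#   Invoke-PreFirmwareSuspend      # before launching the BIOS/UEFI update
#   ... apply firmware update and reboot ...
#   Test-PostFirmwareResume        # after the reboot, e.g. from a scheduled task
#   Get-WuDriverPolicy             # to confirm which policy state the fleet is in
```

The pre-step is only needed for firmware updates you push outside Windows Update (vendor tools, a scheduled task); Windows Update performs the equivalent suspend itself. The post-step is the part worth running fleet-wide, because a volume left with protection Off is the silent counterpart of the recovery-key prompt.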