I'm managing around 1,600 devices in a constrained environment where we only use WSUS for updates, and we have no budget for additional tools like SCCM or Intune. I've noticed that many of our systems run outdated BIOS or UEFI firmware. With recent Windows updates that affect Secure Boot and the UEFI trust chain, like DB and DBX updates, I'm worried about possible mismatches between OS updates and the firmware's state. My main questions are:
- If Windows updates change the UEFI trust chain but the firmware is outdated, can this trigger BitLocker recovery because of changes in PCR measurements?
- Is there a risk of making machines unbootable if the firmware does not support these updates properly?
- How tolerant is BitLocker to these changes in practice, especially with TPM and Secure Boot measurements drifting?
- Are there any recorded cases where outdated firmware with the new Windows updates caused boot failures or required manual fixes?
Since we don't manage firmware centrally, I want to gauge the real risk before I approve the updates in WSUS. Any insights, specifically from those who've dealt with Secure Boot DBX rollouts or similar issues on a large scale, would be super helpful. Thanks!
5 Answers
From my experience, when Windows updates anything that might affect BitLocker, it usually suspends BitLocker or adds a 'grace unlock' to avoid triggering it. But be cautious! If your firmware gets changed without the system knowing—that’s when you could see BitLocker getting tripped.
I've noticed that some lower-end Mini PCs can become unbootable after certain Secure Boot updates, but most hardware just updates fine. Keeping BIOS updated is generally your best bet to reduce issues.
I hear you. My biggest concern is that a large chunk of our devices are remote, and we've seen them go into BitLocker recovery after regular updates. A lot of Dells are prone to this. It can really mess with our workflow.
Just to add, while most devices should handle things alright, always be proactive. Keep your systems as up to date as possible and monitor closely for any issues. Experience shows that being prepared for the worst is key.
I've gone through a lot of info about Secure Boot changes, so here's a quick rundown:
- Yes, the Secure Boot updates are aware of BitLocker, which should keep you from having to worry too much.
- However, bugs are a reality; not all firmware works well with these updates. Some models might end up tripping BitLocker recovery.
- This is likely why Microsoft is rolling them out in stages. They’re using telemetry to monitor how updates are performing, but it’s unclear how they’re tracking BitLocker failures.
For your devices, thoroughly test your updates, especially if they’re on VMs. For physical endpoints, keep an eye on event logs for any failures.
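As an added example (not code from any answer in this thread), here is a pre-approval inventory check that could be pushed to the fleet as a startup script before releasing the DB/DBX update in WSUS: it records firmware version, Secure Boot state and a DBX fingerprint, reports which TPM PCRs the BitLocker key is sealed to, escrows the recovery password, and pulls recent Secure Boot servicing events. It assumes an elevated PowerShell session on a UEFI Windows 10/11 client with the OS volume on C:, and the `Microsoft-Windows-TPM-WMI` provider name and AD escrow step are taken from standard Windows components, not from this thread.

```powershell
# Constructed example for the fleet described above; not code from any answer in this thread.
# Assumptions: elevated PowerShell on Windows 10/11, UEFI boot, OS volume on C:.
$report = [ordered]@{ Host = $env:COMPUTERNAME }

# Firmware identity, the one thing WSUS cannot update, so record it for triage of failures.
$bios = Get-CimInstance Win32_BIOS
$report.Model       = (Get-CimInstance Win32_ComputerSystem).Model
$report.BiosVersion = $bios.SMBIOSBIOSVersion
$report.BiosDate    = $bios.ReleaseDate

# Secure Boot state and a fingerprint of the current DBX. Identical hashes across the fleet
# after the update show the firmware really applied the new revocation list.
try { $report.SecureBoot = Confirm-SecureBootUEFI } catch { $report.SecureBoot = 'Unsupported/LegacyBIOS' }
try {
    $dbx = (Get-SecureBootUEFI -Name dbx).Bytes
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $report.DbxBytes  = $dbx.Length
    $report.DbxSha256 = ($sha.ComputeHash($dbx) | ForEach-Object { $_.ToString('x2') }) -join ''
} catch { $report.DbxSha256 = 'unreadable' }

# BitLocker: protection state, protectors, and the TPM PCR profile the OS key is sealed to.
$blv     = Get-BitLockerVolume -MountPoint 'C:'
$tpmProt = $blv.KeyProtector | Where-Object KeyProtectorType -like 'Tpm*' | Select-Object -First 1
$recProt = @($blv.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
$report.Protection          = $blv.ProtectionStatus
$report.HasRecoveryPassword = $recProt.Count -gt 0
if ($tpmProt) {
    $vol = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftVolumeEncryption `
               -ClassName Win32_EncryptableVolume -Filter "DriveLetter='C:'"
    $pcr = (Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectorPlatformValidationProfile `
               -Arguments @{ VolumeKeyProtectorID = $tpmProt.KeyProtectorId }).PlatformValidationProfile
    $report.PcrProfile = $pcr -join ','
    # PCR 7 holds the Secure Boot policy (db/dbx); Windows reseals it around its own DB/DBX updates.
    # PCR 0 holds the firmware code, so a profile containing 0 enters recovery after any BIOS flash
    # unless BitLocker is suspended first (Suspend-BitLocker -MountPoint C: -RebootCount 1).
    $report.FirmwareFlashRisk = if ($pcr -contains 0) { 'High' } else { 'Low' }
}

# Escrow the recovery password to AD so "have the keys on hand" holds before the update ships.
# Needs a domain-joined machine with the BitLocker recovery schema; it is skipped silently otherwise.
foreach ($p in $recProt) {
    Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $p.KeyProtectorId -ErrorAction SilentlyContinue | Out-Null
}

# Recent Secure Boot servicing events from the TPM-WMI provider, for the "watch the event logs" step.
$evt = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI';
                                        StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue
$report.RecentTpmWmiEvents = ($evt | Select-Object -First 5 | ForEach-Object { "$($_.Id):$($_.LevelDisplayName)" }) -join '; '

[pscustomobject]$report | Format-List
```

Collecting this output centrally (for example, redirected to a share keyed by hostname) gives you a per-model list of which machines still bind to PCR 0 and which lack an escrowed recovery password before the update is approved.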
You're right to be concerned about the interplay between firmware, Secure Boot, and BitLocker—especially with older devices. DBX updates can change the measured boot values, which could prompt BitLocker recovery if the TPM PCR values change. It’s less common to have outright unbootable systems, but it can happen if the firmware can't handle new revocation lists. Ultimately, BitLocker tends to be resilient, but it really depends on the consistency of your hardware. It might be a good idea to test updates on older machines before rolling them out widely.
Got it! Most of my systems are from Dell and Lenovo, only a few years old. My worry is with those that have older BIOS versions and might conflict with the new certificates. Any advice?

For sure, and if you have a mix of hardware, it can really be hit or miss. Just always have those recovery keys on hand, just in case.