Has anyone found a way to have the K1000 server/agent suspend BitLocker when applying Dell Updates through the K1000?  As an enterprise security policy, we are required to have BitLocker enabled on all endpoints.

In our testing, it seems like deploying BIOS updates via Dell Updates in the K1000 triggers BitLocker protections.  This would be easily mitigated if there was a way to temporarily suspend BitLocker while the update is installed.

Unfortunately, I cannot find a way to invoke the Dell Updates from the command line, where I would write a script to suspend BitLocker and then run the Dell Updates (think manually invoking runkbot 4 0).

I could write a manual script or MI to deploy each BIOS update, but this becomes immediately unscalable and unsustainable.  It also defeats the whole point of the Dell Updates and having the K1000 manage them.

I've even considered creating a whole bunch of smart labels: one that would detect the need for updates, which would trigger a script to run suspending BitLocker, then another label that would recognize BitLocker's suspension and apply the BIOS update.  Unfortunately, this leaves room for error where a machine could have BitLocker suspended for prolonged periods of time, potentially resulting in the system having a vulnerable posture.

Has anyone else found a way around this that provides some level of automation?

Thanks.
Comments

  • You can push PowerShell scripts via the K1000 agent, I am sure there must be a way to suspend BitLocker via PowerShell.

    Then trigger your Updates Job.

    Finally send another script to enable BitLocker.

    See:
    http://www.isumsoft.com/windows-10/enable-suspend-or-resume-bitlocker-protect-for-drive.html

    Method 2 uses CMD
    Method 3 uses PS
    • I considered this, but found a problem: if I do this, then how do I call the "Dell Update" functionality built into the K1000 to kick off immediately after I suspend BitLocker?
      • Dell Updates are a separate module, and they can't touch BitLocker without help.

        Maybe use GPO if possible (we don't use BitLocker here) to disable that and then time a Dell Updates schedule?
  • Coordinating the two operations is the problem. I can't just suspend BitLocker and then hope that the Dell Updates go through. They need to be in serial so that BitLocker doesn't get disabled for longer than necessary.
  • Do you have a specified window for when updates will be pushed to machines? If so, then you can schedule your scripts to run to suspend Bitlocker and then enable it again around those timeframes. Your Dell Update schedule would run during the window.

    You can also vote for this request on the UserVoice:
    https://kace.uservoice.com/forums/82699-sma-k1000/suggestions/31775392-patching-needs-a-workflow-builder-with-scripts-no
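The suspend / update / resume sequence the comments above describe, with the open-ended-suspension risk the question raises handled, as an added example. This is not code from the original thread, from Dell, or from Quest/KACE, and it does not start the Dell Updates job itself (the thread establishes there is no supported command-line entry point for it), so the coupling between the two is still by schedule, as the last comment suggests. It assumes Windows 10 with the BitLocker PowerShell module, that the K1000 agent runs it as SYSTEM from a Script step, and that three K1000 schedules call it: `-Action Suspend` shortly before the Dell Updates schedule, `-Action Resume` after it, and `-Action Watchdog` hourly as a backstop. The state-file path, the 4-hour cap and the exit codes are illustrative choices, not anything from the page.

```powershell
<#
  Added example, not code from the original thread, from Dell, or from Quest/KACE.
  Assumptions: Windows 10 with the BitLocker PowerShell module; run as SYSTEM by the
  K1000 agent from a Script step. Three K1000 schedules call it:
    -Action Suspend   shortly before the Dell Updates schedule
    -Action Resume    after the Dell Updates schedule
    -Action Watchdog  hourly, as a backstop
  The state-file path, the 4-hour cap and the exit codes are illustrative choices.
#>
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Suspend', 'Resume', 'Watchdog')]
    [string]$Action,

    [string]$MountPoint = $env:SystemDrive,

    # Windows re-arms the protectors on its own after this many reboots. 0 is
    # deliberately not allowed: 0 means "until someone runs Resume", which is the
    # open-ended window the question is worried about.
    [ValidateRange(1, 15)]
    [int]$RebootCount = 1,

    [int]$MaxSuspendHours = 4,

    [string]$StateFile = "$env:ProgramData\BitLockerMaintenance\suspended.txt"
)

$ErrorActionPreference = 'Stop'

function Write-Log([string]$Message) {
    # The K1000 captures stdout of the script step, so this lands in the run log.
    Write-Output ("{0:u} {1}" -f (Get-Date), $Message)
}

function Get-OsVolume {
    Get-BitLockerVolume -MountPoint $MountPoint
}

function Resume-IfSuspended {
    # "Suspended" is: still encrypted, but protection reported Off.
    $vol = Get-OsVolume
    if ($vol.ProtectionStatus -ne 'On' -and $vol.VolumeStatus -ne 'FullyDecrypted') {
        Resume-BitLocker -MountPoint $MountPoint | Out-Null
    }
    Remove-Item -Path $StateFile -ErrorAction SilentlyContinue
    return (Get-OsVolume).ProtectionStatus
}

switch ($Action) {

    'Suspend' {
        $vol = Get-OsVolume
        if ($vol.VolumeStatus -eq 'FullyDecrypted') {
            Write-Log "$MountPoint is not encrypted at all; this is a policy gap, not something to suspend."
            exit 2
        }
        if ($vol.ProtectionStatus -eq 'Off') {
            Write-Log "$MountPoint protection is already off; leaving it alone."
            exit 0
        }
        # Suspending keeps the volume encrypted but stores the volume master key under a
        # clear key, so the firmware flash and its reboot do not fail the TPM PCR check
        # and drop the machine into recovery. Because of -RebootCount the protectors come
        # back after the reboot even if the Resume schedule never fires, and the TPM
        # then seals to the post-flash PCR values.
        Suspend-BitLocker -MountPoint $MountPoint -RebootCount $RebootCount | Out-Null
        New-Item -ItemType Directory -Force -Path (Split-Path -Parent $StateFile) | Out-Null
        (Get-Date).ToString('o') | Set-Content -Path $StateFile
        Write-Log "Suspended BitLocker on $MountPoint for $RebootCount reboot(s)."
        exit 0
    }

    'Resume' {
        $status = Resume-IfSuspended
        if ($status -ne 'On') {
            Write-Log "Protection on $MountPoint is still $status after resume; needs attention."
            exit 1
        }
        Write-Log "BitLocker protection on $MountPoint is on."
        exit 0
    }

    'Watchdog' {
        # Backstop for the failure mode in the question: Suspend ran, but the update or
        # the Resume step never did. Acts only past the cap, so an update still inside
        # its window is not interrupted.
        if (-not (Test-Path -Path $StateFile)) { exit 0 }
        $since = [datetime]::Parse((Get-Content -Path $StateFile -Raw).Trim())
        $age   = (Get-Date) - $since
        if ($age.TotalHours -lt $MaxSuspendHours) {
            Write-Log ("Suspended for {0:N1} h, under the {1} h cap." -f $age.TotalHours, $MaxSuspendHours)
            exit 0
        }
        Write-Log ("Suspended for {0:N1} h, over the {1} h cap; forcing resume." -f $age.TotalHours, $MaxSuspendHours)
        $status = Resume-IfSuspended
        Write-Log "Protection on $MountPoint is now $status."
        exit 3   # non-zero on purpose, so the K1000 flags the machine for follow-up
    }
}
```

The two things that make this safer than a bare suspend-then-hope are the bounded `-RebootCount` (a BIOS update that completes and reboots re-arms protection without any further script running) and the watchdog, which turns "suspended indefinitely because the update never came" into "suspended for at most the cap, then flagged". Suspend and resume also show up in the Microsoft-Windows-BitLocker/BitLocker Management operational log, which is worth forwarding to the SIEM so that a suspension with no matching resume is visible outside the K1000.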

Answers

There are no answers at this time.