K1000 Security -> Dell Updates & bitlocker

Has anyone found a way to have the K1000 server/agent suspend Bitlocker when applying Dell Updates through the K1000?  As an enterprise security policy, we are required to have Bitlocker enabled on all endpoints.

In our testing, it seems like deploying BIOS updates via Dell Updates in the K1000 triggers Bitlocker protections.  This would be easily mitigated if there was a way to temporarily suspend Bitlocker while the update is installed.

Unfortunately, I cannot find a way to invoke the Dell Updates from the command line, where I would write a script to suspend Bitlocker and then run the Dell Updates (think manually invoking runkbot 4 0).

I could write a manual script or MI to deploy each BIOS update, but this becomes immediately unscalable and unsustainable.  It also defeats the whole point of the Dell Updates and having the K1000 manage them.

I've even considered creating a whole bunch of smart labels - One that would detect the need for updates, which would trigger a script to run suspending Bitlocker.  Then having another label that would recognize Bitlocker's suspension and apply the BIOS update.  Unfortunately, this leaves room for error where a machine could have bitlocker suspended for prolonged periods of time, potentially resulting in the system having a vulnerable posture.

Has anyone else found a way around this that provides some level of automation?

Thanks.

3 Comments
  • You can push PowerShell scripts via the K1000 agent; I am sure there must be a way to suspend BitLocker via PowerShell.

    Then trigger your Updates Job.

    Finally, send another script to enable BitLocker.

    See:
    http://www.isumsoft.com/windows-10/enable-suspend-or-resume-bitlocker-protect-for-drive.html

    Method 2 uses CMD
    Method 3 uses PS - Channeler 6 years ago
    • I considered this, but found a problem. If I do this, then how do I call the "dell update" functionality built into the K1000 to kick off immediately after I suspend bitlocker? - dstarrisom 6 years ago
      • Dell Updates are a separate module, and they can't touch BitLocker without help.

        Maybe use GPO if possible (we don't use bitlocker here), to disable that and then time a Dell Updates schedule? - Channeler 6 years ago
  • Coordinating the two operations is the problem. I can't just suspend bitlocker and then hope that the Dell Updates go through. They need to be in serial so that bitlocker doesn't get disabled for longer than necessary. - dstarrisom 6 years ago
  • Do you have a specified window for when updates will be pushed to machines? If so, then you can schedule your scripts to run to suspend Bitlocker and then enable it again around those timeframes. Your Dell Update schedule would run during the window.

    You can also vote for this request on the UserVoice:
    https://kace.uservoice.com/forums/82699-sma-k1000/suggestions/31775392-patching-needs-a-workflow-builder-with-scripts-no - chucksteel 6 years ago
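
The concern raised in this thread, that a suspend script and a separately scheduled update job can leave BitLocker off for too long, can be bounded on the endpoint itself. The following is an added example, not code from any poster or from the K1000 product: it suspends protection for one reboot only and pairs that with a watchdog that forces a resume if the window is exceeded. The marker path, function names and 4-hour limit are assumptions, and it does not solve triggering the Dell Updates job itself.

```powershell
# Added example. Marker path, function names and the 4-hour limit are assumptions.
#Requires -RunAsAdministrator
param([ValidateSet('Suspend', 'Watchdog')][string]$Mode = 'Watchdog')

$Marker          = Join-Path $env:ProgramData 'BitLockerMaint\suspended.txt'  # hypothetical path
$MaxSuspendHours = 4                                                          # assumed window

function Suspend-ForFirmwareUpdate {
    param([string]$MountPoint = $env:SystemDrive)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne 'On') { return 'NotProtected' }
    # -RebootCount 1: Windows re-arms protection by itself after the next restart,
    # which is the restart the BIOS flash needs anyway.
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null
    New-Item -ItemType Directory -Path (Split-Path $Marker) -Force | Out-Null
    Set-Content -Path $Marker -Value $MountPoint   # file mtime records when we suspended
    return 'Suspended'
}

function Resume-IfOverdue {
    if (-not (Test-Path $Marker)) { return 'NoMarker' }
    $mount = (Get-Content $Marker -TotalCount 1).Trim()
    $vol   = Get-BitLockerVolume -MountPoint $mount
    if ($vol.ProtectionStatus -eq 'On') {
        # The post-update reboot (or an admin) already restored protection.
        Remove-Item $Marker
        return 'AlreadyResumed'
    }
    $age = (Get-Date).ToUniversalTime() - (Get-Item $Marker).LastWriteTimeUtc
    if ($age.TotalHours -lt $MaxSuspendHours) { return 'WithinWindow' }
    # No update and no reboot happened inside the window: stop waiting and re-arm.
    Resume-BitLocker -MountPoint $mount | Out-Null
    Remove-Item $Marker
    return 'ForcedResume'
}

if ($Mode -eq 'Suspend') { Suspend-ForFirmwareUpdate } else { Resume-IfOverdue }
```

Run it with `-Mode Suspend` shortly before the update schedule and with `-Mode Watchdog` on a recurring schedule, so a machine that never receives the update or never reboots is re-protected once the limit passes.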
