Systems Management Question
K1000 Security -> Dell Updates & bitlocker
12/27/2017 1912 views
Has anyone found a way to have the K1000 server/agent suspend Bitlocker when applying Dell Updates through the K1000? As an enterprise security policy, we are required to have Bitlocker enabled on all endpoints.
In our testing, it seems like deploying BIOS updates via Dell Updates in the K1000 triggers Bitlocker protections. This would be easily mitigated if there was a way to temporarily suspend Bitlocker while the update is installed.
Unfortunately, I cannot find a way to invoke the Dell Updates from the command line where I would write a script to suspend Bitlocker and then run the Dell Updates (think manually invoking runkbot 4 0).
I could write a manual script or MI to deploy each BIOS update, but this becomes immediately unscalable and unsustainable. It also defeats the whole point of the Dell Updates and having the K1000 manage them.
I've even considered creating a whole bunch of smart labels - One that would detect the need for updates, which would trigger a script to run suspending Bitlocker. Then having another label that would recognize Bitlocker's suspension and apply the BIOS update. Unfortunately, this leaves room for error where a machine could have bitlocker suspended for prolonged periods of time, potentially resulting in the system having a vulnerable posture.
Has anyone else found a way around this that provides some level of automation?
Be the first to answer this question