/build/static/layout/Breadcrumb_cap_w.png

How can I suspend Bitlocker before Dell Updates

Hi IT Ninjas,

I wonder if anyone could give me any advice on the best way to solve a problem.  So we are deploying lots of computers which I want encrypting.  The PC's are managed via Kace 1000 v9.

So while I have Bitlocker Group Policy/Sophos Central to handle encrypting the devices I want a way to disable the encyrption during Dell Updates for items such as BIOS updates.  At present the updates to BIOS are all controlled via the Securty -> Dell Updates schedules.  I have a scripts to Suspend-Bitlocker, but I cant tie the two together.  So Ideally I would want - Suspend Bitlocker -> Update BIOS -> Resume Bitlocker.

Task Chains wont allow me to select the Dell Update schedules just the Patch Management Schedules.  

I suppose I could write a Script to deploy the Dell BIOS update via script but then I will end up with multiple scripts per model/BIOS version. 

I'm sure I'm not the only one who wants to do this, how was everyone else done it?


0 Comments   [ + ] Show comments

Answers (1)

Posted by: jct134 1 year ago
Senior Purple Belt
0

We had issues with a few things with the Kace dell patching section...

1. you have to have the newest Dell Agent installed in order to detect other updates needed (run detect for just agent, deploy, reboot)

2. then detect for updates (Bios etc..) however it did NOT detect until AFTER the device was inventoried UGH! so Force inventory, then detect

3. Detect for updates AGAIN.

4. Deploy updates, if you use bitlocker (like we do) it does NOT always allow bios to update, and on many devices prompts for the bitlocker password ugh!

3 another force inventory and new detect to show that the update was successfully installed...


Seems like way too much crap to go through just to get a Bios update (in our situation anyways)


So instead, what I do is this...


I download the newest bios for our devices (in our case the desktops are 5080, 5090 & 3000 Optiplex's)

I zip those up into bios.zip with 3 folders 1 for each model (and can add as many models as you need into seperate folders..)

I then attach that as a dependencies to a script that runs powershell that does the following...

1.Creates folder where I want the install files stored

2. unzips the zip file to that location

3. detects what model the computer is and sets the $biosFile path to the install file based on the model

4. checks if bitlocker is enabled, and if so suspends bitlocker

5. Installs the bios with /s /f (Silent and Force) and waits for the process to finish (with lines "$biosProcess = Start-Process -FilePath $BiosFile -ArgumentList "/s /f" -PassThru" AND $BiosProcess.WaitForExit()"

6. then after the bios install file finishes, the script checks to see if any user is currently logged in (in case someone just logged in while bios was updating) if no user, computer reboots.. If user is logged in

then I trigger the KUserAlert.exe (which you can use to pop up the same kace message boxes & customize what you want it to say...

1st I pop up a message that just says "IT updated your system, and it needs to be rebooted..." is auto closes in 1 minute, or if they click OK,

2nd I pop up another message that says "COMPUTER WILL REBOOT IN ABOUT 5 MINUTES..." again it auto closes in 1 minute or if they click OK

3rd I pop up 1 last message that says "REBOOTING... in 5 minutes, or as soon as you click OK.  If you have any questions, put in an IT ticket.  Thank you  DO NOT interrupt the reboot process the computer can become unusable" now that message auto closes in 5 minutes, or if they click OK

then the computer is forced to reboot...


So far I have had great success with this, I am also in the process of creating a similar script for our HP devices.. so about 2300 devices in all...

 
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ