Nick4
Level 7
Message 1 of 7

Windows Updates trigger PBA

In our environment we disable PBA on Win10 clients; however, some Windows updates trigger an occurrence. Is there a way to prevent this from happening at all?

1 Solution

Accepted Solutions
Reliable Contributor ninov_n
Message 2 of 7

Re: Windows Updates trigger PBA

Hello,

You can set a temporary bypass of the PBA after updates take place so you can make sure they do not activate it (probably it happens because of update/patch activities related to MBR or some boot loaders):

Enable or disable temporary automatic booting

In case above information was useful or answered your question, please select "Accept as Solution" in my reply, or give a Kudo. Thanks!
Nino


6 Replies
mlajoie
Level 10
Message 3 of 7

Re: Windows Updates trigger PBA

We use EpeTemporaryAutoboot.exe. There are still times when a user still gets PBA even though temporary autoboot was performed.

There are other occasions, though, that we have users get PBA (this has randomly happened with winver 1809 upgrade, for instance) BUT they cannot use their smartcard/PIN at PBA -- it has defaulted to a password. The default password does not work -- only a challenge/response.

We do have in the policy to use TPM, if available. Not sure if this has any effect on the reboot.
Reliable Contributor ninov_n
Message 4 of 7

Re: Windows Updates trigger PBA

Hi,

TPM would affect the automatic booting only if you select the last option and a system is missing a TPM:

[Image: MDE Log On Tab]

Otherwise you can consider scheduling a time frame for automatic booting so PBA does not interfere with any restarts during it.

In case above information was useful or answered your question, please select "Accept as Solution" in my reply, or give a Kudo. Thanks!
Nino
mlajoie
Level 10
Message 5 of 7

Re: Windows Updates trigger PBA

Thanks for the reply.  Greatly appreciated.

We can't set the policy to automatic booting.

We only use temporary autoboots during a patch or update. During the patch or update, sometimes a machine will not bypass PBA and will, in fact, stop at PBA. While this isn't that big of a deal, the bigger deal is that it is not using the ePO policy that we use for smart card authentication at PBA -- it is, in fact, asking for a password.

Reliable Contributor ninov_n
Message 6 of 7

Re: Windows Updates trigger PBA

In such cases, I would suggest you try rebuilding the PBFS by decrypting/encrypting or performing Emergency Boot. In case you switched or turned on the smart card authentication at a later point, the PBFS needs to be recreated. There are multiple scenarios where policy setting changes do not take effect immediately and require a PBFS rebuild.

In case above information was useful or answered your question, please select "Accept as Solution" in my reply, or give a Kudo. Thanks!
Nino
McAfee Employee jsubbura
Message 7 of 7

Re: Windows Updates trigger PBA

Hi @Nick4 / @mlajoie 

Thank you for writing in here.

NOTE: When TPM is enabled in the MDE policy with autoboot, any software update that changes the boot path, like a Microsoft update to the UEFI bootloader, will result in pre-boot being displayed since the boot path has changed, and therefore the disk encryption key cannot be unsealed.

That is the reason you see the PBA screen during the Windows updates. The same has been documented in the guide below:

https://docs.mcafee.com/bundle/drive-encryption-7.2.0-product-guide-epolicy-orchestrator/page/GUID-2...

Was my reply helpful?
If you find this post useful, Please give it a Kudos! Also, Please don't forget to select "Accept as a solution" if this reply resolves your query!

Thank you.

Regards,
Jithendran S
McAfee Employee
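
The behaviour described in the last reply (a changed boot path stops the TPM from unsealing the disk key, so pre-boot is displayed), shown as an added example that is not part of the original thread and is not McAfee's code. It is a simplified Python model of TPM-style PCR measurement and sealing; the component names, the key and the `SealedKey` class are constructed for illustration.

```python
import hashlib
import hmac

PCR_INIT = bytes(32)  # a SHA-256 PCR is all zeros after reset


def extend(pcr, component):
    """TPM-style extend: new PCR = SHA-256(old PCR || SHA-256(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot_path(components):
    """Fold every boot component, in boot order, into one PCR value."""
    pcr = PCR_INIT
    for blob in components:
        pcr = extend(pcr, blob)
    return pcr


class SealedKey:
    """Toy model of a sealed secret: released only if the PCR matches."""

    def __init__(self, key, pcr_at_seal):
        self._key = key
        self._policy = pcr_at_seal  # PCR value recorded when sealing

    def unseal(self, current_pcr):
        if hmac.compare_digest(self._policy, current_pcr):
            return self._key
        return None  # boot path changed: the key stays sealed


def boot(sealed_key, components):
    """Return which path a boot takes for the given measured components."""
    key = sealed_key.unseal(measure_boot_path(components))
    return "autoboot" if key is not None else "pre-boot authentication"


# Constructed sample data standing in for firmware and bootloader images.
FIRMWARE = b"constructed-firmware-image"
LOADER_OLD = b"constructed-uefi-bootloader-v1"
LOADER_NEW = b"constructed-uefi-bootloader-v2"  # replaced by an OS update
DISK_KEY = b"constructed-disk-key"

sealed = SealedKey(DISK_KEY, measure_boot_path([FIRMWARE, LOADER_OLD]))

if __name__ == "__main__":
    print(boot(sealed, [FIRMWARE, LOADER_OLD]))
    print(boot(sealed, [FIRMWARE, LOADER_NEW]))
```

In this model the key unseals again only after it is re-sealed against the new measurement, which is why a boot that follows a bootloader update stops at pre-boot.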