Suspended preboot login comes back after Windows updates
A little background - we've had issues in the past with username/password sync between pre-boot encryption auth and AD. So we've been forced to set our encryption policy to bypass pre-boot auth indefinitely. Also, our workstations are shut down every night for this particular computer lab, but the servers stay up 24/7. It's a 2016 server environment with Windows 10 workstations.
Everything works fine until Windows updates time. This lab is not connected to the internet, so I have an internal WSUS running and I manually import updates into the lab, bring up the workstations, have them check in to the local WSUS, install updates, reboot, check back into WSUS to confirm completion, and then finally shut them down until they are next used by either myself or an end user. However, the next day when the systems are booted up, they prompt for preboot authentication even though the policy they've been using all month is set to bypass it.
Here's the weird part. Right after I'm done with the updates, I've tried to recreate the problem by doing one more reboot and doing a full shutdown of the workstations. They all come right back up to Windows without prompting... so I thought I was fine. Maybe it didn't do it this time... next morning though: boom, preboot screen. I even preemptively did a wake with "force policy update" checked, and still the next morning: preboot screen.
So finally that morning, I use my credentials through the preboot (which works most of the time, but in some cases I've had to use the recovery options in ePO). Then in ePO I initiate a wake up and check the box to force policy update. After that completes I usually reboot to verify, and sure enough everything boots fine and continues to boot fine until the next month of Windows updates, when this process happens again.
So my question is: is there something about the changes being made via Windows updates which is causing encryption to lose its applied policy? And why does it take a day AFTER applying updates for this to happen? Sometimes mid-month these systems will go a week without being turned on, but still boot fine bypassing preboot.
It's not about the machine restart; it is actually because of your machine's Windows updates. While performing Windows updates, Windows makes changes to the TPM measurements on that machine, if a TPM is available on that machine.
And if you have the TPM Autoboot option enabled in the McAfee Drive Encryption policy in this scenario, McAfee Drive Encryption is designed to show the McAfee Drive Encryption PBA screen as an additional level of security.
Make sure you uncheck TPM Autoboot and have only the Autoboot option if you do not want to see the McAfee Drive Encryption PBA screen after Windows updates.
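An added example, not from this thread or from McAfee: a PowerShell snapshot of the inputs that Windows measured boot records in the TPM, so an admin can confirm after a WSUS cycle that the boot chain the TPM sees has changed (the condition the reply above describes). The baseline file location and the choice of files to hash are assumptions; run it elevated.

```powershell
# Added example, not part of the thread. Snapshot the boot inputs that measured boot
# records into the TPM and compare them with a baseline taken before the update cycle.
# Assumptions: baseline path below, and winload/winresume as the measured binaries.
# Run as Administrator: Confirm-SecureBootUEFI and Get-Tpm require elevation.

$BaselinePath = "$env:ProgramData\measured-boot-baseline.json"   # assumed location

function Get-MeasuredBootSnapshot {
    # Boot binaries that cumulative updates replace and that are measured at boot
    $files = @("$env:SystemRoot\System32\winload.efi",
               "$env:SystemRoot\System32\winresume.efi")
    $hashes = @{}
    foreach ($f in $files) {
        if (Test-Path $f) { $hashes[$f] = (Get-FileHash -Algorithm SHA256 $f).Hash }
    }
    $bios = Get-CimInstance Win32_BIOS
    $tpm  = Get-Tpm
    # Confirm-SecureBootUEFI throws on legacy BIOS systems; record $null there
    $secureBoot = try { Confirm-SecureBootUEFI } catch { $null }
    [pscustomobject]@{
        Timestamp        = (Get-Date).ToString('o')
        BiosVersion      = $bios.SMBIOSBIOSVersion
        SecureBoot       = $secureBoot
        TpmPresent       = $tpm.TpmPresent
        TpmReady         = $tpm.TpmReady
        # Windows writes one TCG event log per boot here; a new file appears per reboot
        MeasuredBootLogs = (Get-ChildItem "$env:SystemRoot\Logs\MeasuredBoot" -ErrorAction SilentlyContinue).Count
        FileHashes       = $hashes
    }
}

function Save-MeasuredBootBaseline {
    Get-MeasuredBootSnapshot | ConvertTo-Json -Depth 4 | Set-Content -Path $BaselinePath
}

function Compare-MeasuredBootBaseline {
    # Returns the names of measured inputs that differ from the saved baseline
    $base = Get-Content $BaselinePath -Raw | ConvertFrom-Json
    $now  = Get-MeasuredBootSnapshot
    $changed = @()
    foreach ($k in 'BiosVersion','SecureBoot','TpmPresent','TpmReady') {
        if ("$($base.$k)" -ne "$($now.$k)") { $changed += $k }
    }
    foreach ($f in $now.FileHashes.Keys) {
        if ($base.FileHashes.$f -ne $now.FileHashes[$f]) { $changed += $f }
    }
    return $changed
}
```

Run Save-MeasuredBootBaseline before importing the month's updates and Compare-MeasuredBootBaseline after the post-update reboot; any entry it returns is a measured input that changed, which is what makes a TPM Autoboot policy fall back to the PBA screen.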