Suspended preboot login comes back after Windows updates
A little background: we've had issues in the past with username/password sync between pre-boot encryption auth and AD, so we've been forced to set our encryption policy to bypass pre-boot auth indefinitely. Also, the workstations in this particular computer lab are shut down every night, but the servers stay up 24/7. It's a Server 2016 environment with Windows 10 workstations.
Everything works fine until Windows Update time. This lab is not connected to the internet, so I have an internal WSUS running and I manually import updates into the lab, bring up the workstations, have them check in to the local WSUS, install updates, reboot, check back into WSUS to confirm completion, and then finally shut them down until they are next used by either myself or an end user. However, the next day when the systems are booted up, they prompt for preboot authentication even though the policy they've been using all month is set to bypass it.
Here's the weird part. Right after I'm done with the updates, I've tried to recreate the problem by doing one more reboot and a full shutdown of the workstations. They all come right back up to Windows without prompting, so I thought I was fine; maybe it didn't do it this time. Next morning, though: boom, preboot screen. I even preemptively did a wake-up with "force policy update" checked, and still, the next morning, preboot screen.
So finally, that morning, I use my credentials through the preboot (which works most of the time, but in some cases I've had to use the recovery options in ePO). Then in ePO I initiate a wake-up and check the box to force a policy update. After that completes I usually reboot to verify, and sure enough everything boots fine and continues to boot fine until the next month of Windows updates, when this process happens again.
So my question is: is there something about the changes being made via Windows updates which is causing encryption to lose its applied policy? And why does it take a day AFTER applying updates for this to happen? Sometimes mid-month these systems will go a week without being turned on, but still boot fine, bypassing preboot.
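One way to narrow down the "why a day later?" part is to build an OS-side timeline on a single affected workstation and compare it with a workstation that stayed clean. The script below is an added example, not code from the original post and not McAfee Drive Encryption or ePO tooling: it reads Windows Update Agent history through the `Microsoft.Update.Session` COM object, boot/shutdown and Windows Update client events from the event logs, and the well-known pending-reboot registry locations. It does not read Drive Encryption state, since the post names no tooling for that. The `$Days` window, the label names, and the output layout are assumptions made for this example.

```powershell
# Added diagnostic example (not from the original post, not McAfee/ePO tooling).
# Lines up OS-side events on one lab workstation so the boot at which the
# preboot prompt reappeared can be compared with what Windows Update did at
# the previous shutdown and boot. Run in an elevated PowerShell session.
# The $Days window and output layout are assumptions made for this example.

param(
    [int]$Days = 3   # assumption: covers the update day and the next morning
)

$since    = (Get-Date).AddDays(-$Days)
$timeline = New-Object System.Collections.Generic.List[object]

# 1. Windows Update Agent history (COM API available on Windows 10).
#    ResultCode: 1 = in progress, 2 = succeeded, 3 = succeeded with errors,
#    4 = failed, 5 = aborted
$resultNames = @{ 1 = 'InProgress'; 2 = 'Succeeded'; 3 = 'SucceededWithErrors'; 4 = 'Failed'; 5 = 'Aborted' }
$searcher = (New-Object -ComObject 'Microsoft.Update.Session').CreateUpdateSearcher()
$count    = $searcher.GetTotalHistoryCount()
if ($count -gt 0) {
    foreach ($entry in $searcher.QueryHistory(0, $count)) {
        if ($entry.Date -lt $since) { continue }
        $timeline.Add([pscustomobject]@{
            Time   = $entry.Date
            Source = 'WUA history'
            Event  = $resultNames[[int]$entry.ResultCode]
            Detail = $entry.Title
        })
    }
}

# 2. Boot and shutdown markers from the System log.
#    6005 = event log service started (boot), 6006 = event log service stopped
#    (clean shutdown), 1074 = shutdown/restart requested by a user or process,
#    41 = system rebooted without a clean shutdown
$bootIds = @{ 6005 = 'Boot'; 6006 = 'Shutdown'; 1074 = 'ShutdownRequested'; 41 = 'UncleanRestart' }
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 6005, 6006, 1074, 41; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $timeline.Add([pscustomobject]@{
            Time   = $_.TimeCreated
            Source = 'System log'
            Event  = $bootIds[$_.Id]
            Detail = ($_.Message -split "`r?`n")[0]
        })
    }

# 3. Windows Update client install events:
#    43 = installation started, 19 = installation succeeded, 20 = installation failed
$wuIds = @{ 43 = 'InstallStarted'; 19 = 'InstallSucceeded'; 20 = 'InstallFailed' }
Get-WinEvent -FilterHashtable @{ ProviderName = 'Microsoft-Windows-WindowsUpdateClient'; Id = 43, 19, 20; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $timeline.Add([pscustomobject]@{
            Time   = $_.TimeCreated
            Source = 'WU client log'
            Event  = $wuIds[$_.Id]
            Detail = ($_.Message -split "`r?`n")[0]
        })
    }

# 4. Pending-reboot indicators as of right now. If any is still true after the
#    verification reboot, the next boot still has servicing work to finish.
$pending = [ordered]@{
    'CBS RebootPending'           = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    'WU RebootRequired'           = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    'PendingFileRenameOperations' = $null -ne (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -Name PendingFileRenameOperations -ErrorAction SilentlyContinue)
}

$timeline | Sort-Object Time | Format-Table Time, Source, Event, Detail -AutoSize
''
'Pending-reboot indicators now:'
foreach ($kv in $pending.GetEnumerator()) { '{0,-30} {1}' -f $kv.Key, $kv.Value }
```

Run it on the morning the preboot prompt comes back, before doing the ePO wake-up with forced policy update, and save the output. What to look for is anything stamped between the last Shutdown entry of update day and the first Boot the next morning (install events that finished on the shutdown or boot path), and any pending-reboot flag that is still true even though the verification reboot already happened. Running the same script on a workstation that did not prompt gives the baseline to compare against.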