We have set up MNE 4.0 to manage BitLocker on Microsoft Surface tablets that don't support MDE, and we configured the policy for TPM automatically unlocking at reboot.
We also have some other systems that use MDE 7.1.3 with TPM auto unlock and Out of Band unlock.
This is working OK for now, but I have heard that certain patches and updates may break the TPM pairing and cause prompts for BitLocker recovery or MDE PBA even though they are configured to use TPM to unlock.
We need a way to prevent this from happening.
I looked through the MNE 4.0 Product Guide and I saw a mention of "maintenance mode" and using scripts. It describes what you can do, but I didn't see a detailed step-by-step guide example on everything you need to do to make this actually work. Can you use ePO to manage activating the scripts? If so, how?
If possible, we would like to be able to have these PBA bypasses automated on a recurring schedule that matches the dates Windows Updates are scheduled to be installed each month.
We have installation deadlines to install Windows Updates by a certain date and time every month. Some users will install updates manually before the due date and some users will not. If not manually installed before the deadline, the updates will automatically install when the deadline is reached or the next time the computer is turned on if it was powered off at the time of the deadline. So this means not every computer will get the updates at the exact time they are scheduled for automatic installation.
Is there some way to handle suppressing BitLocker recovery prompts that will handle this?
If a system with MDE supports both TPM unlock and Out of Band unlock and both policies are enabled, will AMT Out of Band unlock work as a failover to let the system boot if TPM unlocking was broken by a system update?
Is there something that can be done prior to installing a system update that will prevent that system update or patch from breaking the MNE and MDE TPM unlocks in the first place?
One can "suspend" encryption on a system encrypted with EEPC/DE using the steps/tools located here: McAfee KnowledgeBase - How to upgrade a Windows operating system with Drive Encryption installed
I have not seen a similar thing for MNE, but that does not mean it doesn't exist. In fact, I bet Microsoft itself would support this, and have instructions for it, since it really is BitLocker itself that is doing the encrypting, and nothing on McAfee's part. A quick Google search revealed this: Felipe Binotto's Blog: Refreshing a BitLocker Enabled computer
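The BitLocker side of the "suspend before the update" approach described in the reply above, as an added example that is not code from the original thread, from McAfee or from Microsoft: it disables the protectors for exactly one reboot, and only when a Windows Update restart is actually pending, so it can run on a recurring schedule (Task Scheduler or an ePO-distributed task, both assumptions here) and will act on a given machine whenever that machine reaches its deadline. It assumes an elevated session on a Windows build that ships the BitLocker PowerShell module; the function names and the registry paths used as "reboot pending" indicators are choices made for this example.

```powershell
# Added example, not from the original thread, McAfee or Microsoft.
# Suspend BitLocker for exactly one reboot when a Windows Update restart is pending,
# so that a firmware/boot-measurement change during the update does not leave the
# TPM unable to unseal the key and push the user into the recovery prompt.
# Assumes: elevated session; Windows 8.1 / Server 2012 R2 or later (BitLocker module).

function Test-PendingUpdateReboot {
    # Well-known keys Windows creates while an update is waiting for a restart
    # (chosen for this example; add others your environment relies on).
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    )
    foreach ($k in $keys) { if (Test-Path $k) { return $true } }
    return $false
}

function Suspend-BitLockerForUpdate {
    param([string]$MountPoint = $env:SystemDrive, [int]$RebootCount = 1)

    $vol    = Get-BitLockerVolume -MountPoint $MountPoint
    $hasTpm = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' }

    if (-not $hasTpm) {
        Write-Output "No TPM-based protector on $MountPoint; nothing to suspend."
        return $false
    }
    if ($vol.ProtectionStatus -ne 'On') {
        Write-Output "Protection already off on $MountPoint (suspended or decrypting)."
        return $false
    }
    if (-not (Test-PendingUpdateReboot)) {
        Write-Output "No update restart pending on this machine; leaving protection on."
        return $false
    }

    # -RebootCount limits the exposure: BitLocker re-enables the protectors by itself
    # after that many restarts even if this script never runs again. The volume stays
    # fully encrypted the whole time; only the key protectors are disabled.
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount $RebootCount | Out-Null
    Write-Output "Suspended BitLocker on $MountPoint for $RebootCount reboot(s)."
    return $true
}

Suspend-BitLockerForUpdate
```

On MNE-managed systems, check whether the agent re-enforces the protectors on its own schedule before the restart happens; that is the gap the "maintenance mode" section of the product guide mentioned in the question is meant to cover. Confirm the suspended state with `manage-bde -status` (it reports "Protection Off" with the remaining reboot count) before trusting the task in production.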