How can you temporarily suspend (not disable and decrypt) Bitlocker via Management of Native Encryption so we can update BIOS, firmware, certain Windows updates etc. on large numbers of PCs without triggering Bitlocker recovery prompts on the next reboot?
I don't see this option in the policy settings in ePO and we would need to be able to do this for either a fixed time period or a number of reboots.
There is an option in MDE to auto login for a scheduled time period, but I don't see any similar setting for MNE.
As part of the MNE package there is the maintenance mode executable.
You can run it on a client to set an amount of restarts where BitLocker will not prompt for a PIN and/or check boot measurements with the TPM.
You can package it as part of the BIOS update.
You can see page 41-42 on the product guide for additional details.
So, this maintenance mode cannot be turned on and off directly from ePO policies?
What methods are available to automate running the executable to enable and disable maintenance mode on multiple systems remotely?
This isn't part of the standard policy options for MNE.
From ePO you can try creating a client tasks with EEDK and deploy this to clients.
other options can be to script it with PSexec/Powershell or use a configuration management tool to deploy and run to clients (BigFix/SCCM).
The way I would do it is:
Create a package that contains the maintenance executable and the BIOS package.
Run the maintenance mode verify that BitLocker is in suspended mode.
Install the BIOS upgrade.
Clear maintenance mode.
We can put the executable on the systems during the OS deployment or maybe push the files to the hard drives via group policy preferences.
Getting the executable on the system isn't the main problem.
I still don't understand how we can actually run the executable to put the systems in maintenance mode on some type of managed schedule. We would like be be able to set systems to have maintenance mode enabled during specific time period (such as tomorrow between 4 am and 8 am) and then revert back to the normal mode automatically after the time period has expired.
I don't think that this can be done with the out of the box MNE configurations and polices, you'll have to use additional tools to achieve that.
How about deploying the tool and during the deployment creating a scheduled task that will run it in the required time?
Since you can enable Bitlocker with MNE, what prevents MNE from managing suspending Bitlocker?
Why not add this feaure instead of expecting MNE users to deal with the difficult to mananage executable files?