MJ5150

Rebooting when BitLocker is enabled

Our standard deployment is a single physical server at the customer site with a Hyper-V VM as the DC. Both servers are Microsoft Windows, a mixture of 2008, 2012, and 2016.

BitLocker is enabled on the C drive of the Hyper-V VM.

Each month we install Microsoft Windows updates, then get a ticket in CWM that it was successful and time for a reboot. Currently I am having to log in to the physical server, reboot the VM, then enter the BitLocker key to get it back online. It seems like there is a more efficient way to do this, perhaps by automation.

Are there others out there with a similar situation that have found a way to automate the reboots even with BitLocker enabled?

Any suggestions on a more efficient way to do these reboots that will include less human involvement? I've seen some people mention a script that suspends BitLocker, then enables it after a reboot. I haven't seen a script for CWA to do this though.

-Mike


To elaborate on Gav's recommendation: you want to add the suspend and resume BitLocker commands as a pre- and post-patch reboot script if you are not using vTPM.

This is also handy to have for situations when you have new clients with BitLocker enabled but no TPM on workstations and want to automate patching.


The command from @Gavsto was inserted into our reboot script as the first step before Reboot Computer. It works perfectly to suspend BitLocker once during that reboot.

Thank you @Gavsto for your assist there.

This piece of the script is resolved, now getting the lock desktop command to work after AutoLogin runs is our latest challenge.

-Mike


The PS command only suspends it once. We tested by rebooting the server manually right after, and the BL prompt came back up.

I think it may be the end of the PS command, -RebootCount 1, that tells it to suspend for only one reboot.

-Mike

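The behaviour Mike describes (BitLocker suspended for exactly one reboot, then the recovery prompt returns) is what `-RebootCount 1` asks for: the protectors are re-armed automatically after that many boots. The script below is an added example, not code from the thread or from ConnectWise Automate. It assumes the BitLocker PowerShell module (Windows Server 2012 and later), an elevated session, and a `C:` mount point; the `-Phase` parameter and function names are this example's own. The post-reboot check matters from a security standpoint: while suspended, the volume is readable without the recovery key, so the window should be the one patch reboot and protection should be confirmed `On` afterwards rather than assumed.

```powershell
# Added example (not from the thread): pre/post patch-reboot steps for a
# BitLocker-protected volume on a VM with no vTPM.
# Assumptions: BitLocker module present, running elevated, C: is the volume.
param(
    [Parameter(Mandatory)][ValidateSet('Pre', 'Post')][string]$Phase,
    [string]$MountPoint = 'C:',
    [int]$RebootCount   = 1      # 1 = protectors re-arm automatically after the next boot
)

function Suspend-ForPatchReboot {
    param([string]$MountPoint, [int]$RebootCount)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne 'On') {
        Write-Output "BitLocker protection is already $($vol.ProtectionStatus) on $MountPoint; nothing to suspend."
        return
    }
    # -RebootCount 1 is why a second manual reboot brings the key prompt back:
    # BitLocker re-enables the protectors after one boot. Keep it at 1 so the
    # unprotected window is limited to the patch reboot itself.
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount $RebootCount | Out-Null
    Write-Output "BitLocker suspended on $MountPoint for $RebootCount reboot(s)."
}

function Confirm-ProtectionResumed {
    param([string]$MountPoint)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -eq 'On') {
        Write-Output "BitLocker protection is back on for $MountPoint."
        return $true
    }
    # The automatic re-arm did not happen (or the count was 0); resume explicitly.
    Resume-BitLocker -MountPoint $MountPoint | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    Write-Output "Resumed explicitly; ProtectionStatus is now $($vol.ProtectionStatus)."
    return ($vol.ProtectionStatus -eq 'On')
}

switch ($Phase) {
    'Pre' {
        # First step of the reboot script, before the Reboot Computer step.
        Suspend-ForPatchReboot -MountPoint $MountPoint -RebootCount $RebootCount
        Restart-Computer -Force
    }
    'Post' {
        # Run once the VM is back; a non-zero exit lets the RMM flag the ticket.
        if (-not (Confirm-ProtectionResumed -MountPoint $MountPoint)) { exit 1 }
    }
}
```

Run it as `.\PatchReboot.ps1 -Phase Pre` in the pre-reboot step and `.\PatchReboot.ps1 -Phase Post` in the post-reboot step. `Get-BitLockerVolume` is the check to alert on: if `ProtectionStatus` is still `Off` after the reboot, the volume is sitting unprotected and the ticket should not be closed.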
On 11/8/2018 at 11:13 AM, MJ5150 said:

now getting the lock desktop command to work after AutoLogin runs is our latest challenge

RunDll32.exe user32.dll,LockWorkStation

Can run as a task at login, for instance.

Edited by SteveYates

On 11/14/2018 at 1:31 PM, SteveYates said:

RunDll32.exe user32.dll,LockWorkStation

Can run as a task at login, for instance.

Can that be configured in the script, or are you referring to setting that up via AD?

-Mike

19 hours ago, MJ5150 said:

Can that be configured in the script, or are you referring to setting that up via AD?

(re: "RunDll32.exe user32.dll,LockWorkStation")

If you run that at user login (or any other time) it will lock the screen. The handful of times we've had to enable an automatic login, we create a Scheduled Task to run that at user login. It can also be added to the Run key in the registry, I would think. Creating a shortcut in the Startup folder would work, but holding Shift I suspect would bypass that (not sure if that bypasses the Run key also).

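To answer Mike's question of whether the lock can be set up from the script rather than through AD: the scheduled task Steve describes can be created with the ScheduledTasks module, so an RMM script can do it at deployment time. The following is an added example, not code from the thread or from ConnectWise Automate. It assumes Windows 8 / Server 2012 or later, an elevated session, and that the AutoLogin account name is passed in; the task name, the ten-second delay and the function names are this example's own choices. The task is registered for that user's interactive logon, because `LockWorkStation` only has an effect from an interactive desktop session.

```powershell
# Added example (not from the thread): register a logon task that locks the
# desktop immediately after AutoLogin completes, then verify it exists.
# Assumptions: ScheduledTasks module (Win8/2012+), elevated session.
param(
    [Parameter(Mandatory)][string]$AutoLogonUser,      # e.g. 'DOMAIN\svc-console' (assumed)
    [string]$TaskName = 'LockDesktopAfterAutoLogin'     # name is this example's choice
)

function Register-LockAtLogonTask {
    param([string]$User, [string]$TaskName)
    # The command from the thread: user32.dll,LockWorkStation via rundll32.
    $action = New-ScheduledTaskAction -Execute 'rundll32.exe' `
                                      -Argument 'user32.dll,LockWorkStation'
    # Fire only when this specific account logs on; a short delay gives the
    # shell time to come up so the lock call lands on a real desktop session.
    $trigger = New-ScheduledTaskTrigger -AtLogOn -User $User
    $trigger.Delay = 'PT10S'
    # Run in the user's own interactive session; a SYSTEM or non-interactive
    # principal cannot lock a desktop it is not attached to.
    $principal = New-ScheduledTaskPrincipal -UserId $User -LogonType Interactive
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
                           -Principal $principal -Force | Out-Null
}

function Test-LockAtLogonTask {
    param([string]$TaskName)
    $task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
    if (-not $task) { return $false }
    # Confirm the registered action is still the lock command and has not been altered.
    $act = $task.Actions | Select-Object -First 1
    return ($act.Execute -match 'rundll32' -and $act.Arguments -match 'LockWorkStation')
}

Register-LockAtLogonTask -User $AutoLogonUser -TaskName $TaskName
if (Test-LockAtLogonTask -TaskName $TaskName) {
    Write-Output "Task '$TaskName' registered for logon of $AutoLogonUser."
} else {
    Write-Output "Task '$TaskName' is missing or altered."
    exit 1
}
```

Unlike a Startup-folder shortcut, a logon-triggered scheduled task is not something a user can skip with a modifier key at sign-in, which is the reason Steve gives for preferring it. `Test-LockAtLogonTask` is worth running from a periodic monitor on AutoLogin hosts: an account that signs in automatically and then sits unlocked is the exact condition this task exists to prevent, so its absence should raise a ticket.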
