From f316504f37755bdcc43aaad9ffe53f2f7746b931 Mon Sep 17 00:00:00 2001 From: Rafal Sosnowski <51166236+rafals2@users.noreply.github.com> Date: Fri, 26 Feb 2021 14:57:02 -0800 Subject: [PATCH 1/6] Update bitlocker-upgrading-faq.md --- .../bitlocker/bitlocker-upgrading-faq.md | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md b/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md index a856063b96..d52e930a69 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md +++ b/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md 
@@ -32,14 +32,17 @@ Yes. **Suspend** keeps the data encrypted but encrypts the BitLocker volume master key with a clear key. The clear key is a cryptographic key stored unencrypted and unprotected on the disk drive. By storing this key unencrypted, the **Suspend** option allows for changes or upgrades to the computer without the time and cost of decrypting and re-encrypting the entire drive. After the changes are made and BitLocker is again enabled, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade, the volume master key is changed, the protectors are updated to match and the clear key is erased. -## Do I have to decrypt my BitLocker-protected drive to download and install system updates and upgrades? +## Do I have to suspend BitLocker protection to download and install system updates and upgrades? No user action is required for BitLocker in order to apply updates from Microsoft, including [Windows quality updates and feature updates](https://technet.microsoft.com/itpro/windows/manage/waas-quick-start). Users need to suspend BitLocker for Non-Microsoft software updates, such as: -- Computer manufacturer firmware updates -- TPM firmware updates -- Non-Microsoft application updates that modify boot components +- Some TPM firmware updates if these update clears TPM outside of Windows API. Not every TPM firmware update will clear the TPM and this happens if known vulnerability has been discovered in the TPM firmware. User doesn’t have suspend BitLocker if TPM firmware update uses Windows API to clear TPM because in this case BitLocker will be automatically suspended. We recommend users testing their TPM firmware updates if they don’t want to suspend BitLocker protection. 
+- Non-Microsoft application updates that modify UEFI\BIOS configuration +- Manual or 3rd party updates to secure boot databases (only If BitLocker uses Secure Boot for Integrity validation) +- Updates to UEFI\BIOS firmware, installation of additional UEFI drivers or UEFI applications without using Windows Update mechanism (only If BitLocker does not use Secure Boot for Integrity validation and you update) + - You can check if BitLocker uses Secure Boot for integrity validation with manage-bde -protectors -get C: (and see if "Uses Secure Boot for integrity validation" is reported) + > [!NOTE] > If you have suspended BitLocker, you can resume BitLocker protection after you have installed the upgrade or update. Upon resuming protection, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade or update. If these types of upgrades or updates are applied without suspending BitLocker, your computer will enter recovery mode when restarting and will require a recovery key or password to access the computer. From 45f6df76a66215daeab29f083ad7718ff8919c98 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 11 Mar 2021 11:53:30 -0800 Subject: [PATCH 2/6] Update windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../information-protection/bitlocker/bitlocker-upgrading-faq.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md b/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md index d52e930a69..b96edcaede 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md +++ b/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md 
@@ -37,7 +37,7 @@ Yes. No user action is required for BitLocker in order to apply updates from Microsoft, including [Windows quality updates and feature updates](https://technet.microsoft.com/itpro/windows/manage/waas-quick-start). Users need to suspend BitLocker for Non-Microsoft software updates, such as: -- Some TPM firmware updates if these update clears TPM outside of Windows API. Not every TPM firmware update will clear the TPM and this happens if known vulnerability has been discovered in the TPM firmware. User doesn’t have suspend BitLocker if TPM firmware update uses Windows API to clear TPM because in this case BitLocker will be automatically suspended. We recommend users testing their TPM firmware updates if they don’t want to suspend BitLocker protection. +- Some TPM firmware updates if these updates clear the TPM outside of the Windows API. Not every TPM firmware update will clear the TPM and this happens if a known vulnerability has been discovered in the TPM firmware. Users don’t have to suspend BitLocker if the TPM firmware update uses Windows API to clear the TPM because in this case, BitLocker will be automatically suspended. We recommend users testing their TPM firmware updates if they don’t want to suspend BitLocker protection. - Non-Microsoft application updates that modify UEFI\BIOS configuration - Manual or 3rd party updates to secure boot databases (only If BitLocker uses Secure Boot for Integrity validation) - Updates to UEFI\BIOS firmware, installation of additional UEFI drivers or UEFI applications without using Windows Update mechanism (only If BitLocker does not use Secure Boot for Integrity validation and you update) From d2c33ae322ad32414be08568e4b36063f0d668a2 Mon Sep 17 00:00:00 2001 
From: Daniel Simpson Date: Thu, 11 Mar 2021 11:53:36 -0800 Subject: [PATCH 3/6] Update windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../information-protection/bitlocker/bitlocker-upgrading-faq.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md b/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md index b96edcaede..f2ec6bb94e 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md +++ b/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md 
@@ -38,7 +38,7 @@ No user action is required for BitLocker in order to apply updates from Microsof Users need to suspend BitLocker for Non-Microsoft software updates, such as: - Some TPM firmware updates if these updates clear the TPM outside of the Windows API. Not every TPM firmware update will clear the TPM and this happens if a known vulnerability has been discovered in the TPM firmware. Users don’t have to suspend BitLocker if the TPM firmware update uses Windows API to clear the TPM because in this case, BitLocker will be automatically suspended. We recommend users testing their TPM firmware updates if they don’t want to suspend BitLocker protection. -- Non-Microsoft application updates that modify UEFI\BIOS configuration +- Non-Microsoft application updates that modify the UEFI\BIOS configuration. - Manual or 3rd party updates to secure boot databases (only If BitLocker uses Secure Boot for Integrity validation) - Updates to UEFI\BIOS firmware, installation of additional UEFI drivers or UEFI applications without using Windows Update mechanism (only If BitLocker does not use Secure Boot for Integrity validation and you update) - You can check if BitLocker uses Secure Boot for integrity validation with manage-bde -protectors -get C: (and see if "Uses Secure Boot for integrity validation" is reported) From b84d50d305603bb3566afdb062493fb7159a370a Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 11 Mar 2021 11:53:42 -0800 Subject: [PATCH 4/6] Update windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../information-protection/bitlocker/bitlocker-upgrading-faq.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md b/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md index f2ec6bb94e..a7cf3027aa 100644 
--- a/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md +++ b/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md @@ -39,7 +39,7 @@ Users need to suspend BitLocker for Non-Microsoft software updates, such as: - Some TPM firmware updates if these updates clear the TPM outside of the Windows API. Not every TPM firmware update will clear the TPM and this happens if a known vulnerability has been discovered in the TPM firmware. Users don’t have to suspend BitLocker if the TPM firmware update uses Windows API to clear the TPM because in this case, BitLocker will be automatically suspended. We recommend users testing their TPM firmware updates if they don’t want to suspend BitLocker protection. - Non-Microsoft application updates that modify the UEFI\BIOS configuration. -- Manual or 3rd party updates to secure boot databases (only If BitLocker uses Secure Boot for Integrity validation) +- Manual or third-party updates to secure boot databases (only if BitLocker uses Secure Boot for integrity validation). - Updates to UEFI\BIOS firmware, installation of additional UEFI drivers or UEFI applications without using Windows Update mechanism (only If BitLocker does not use Secure Boot for Integrity validation and you update) - You can check if BitLocker uses Secure Boot for integrity validation with manage-bde -protectors -get C: (and see if "Uses Secure Boot for integrity validation" is reported) From abd555c87cd09f31c1ba816209e244b84b01ba8c Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 11 Mar 2021 11:53:48 -0800 Subject: [PATCH 5/6] Update windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../information-protection/bitlocker/bitlocker-upgrading-faq.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md b/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md index a7cf3027aa..5a8d6bf039 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md +++ b/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md @@ -40,7 +40,7 @@ Users need to suspend BitLocker for Non-Microsoft software updates, such as: - Some TPM firmware updates if these updates clear the TPM outside of the Windows API. Not every TPM firmware update will clear the TPM and this happens if a known vulnerability has been discovered in the TPM firmware. Users don’t have to suspend BitLocker if the TPM firmware update uses Windows API to clear the TPM because in this case, BitLocker will be automatically suspended. We recommend users testing their TPM firmware updates if they don’t want to suspend BitLocker protection. - Non-Microsoft application updates that modify the UEFI\BIOS configuration. - Manual or third-party updates to secure boot databases (only if BitLocker uses Secure Boot for integrity validation). -- Updates to UEFI\BIOS firmware, installation of additional UEFI drivers or UEFI applications without using Windows Update mechanism (only If BitLocker does not use Secure Boot for Integrity validation and you update) +- Updates to UEFI\BIOS firmware, installation of additional UEFI drivers, or UEFI applications without using the Windows update mechanism (only if you update and BitLocker does not use Secure Boot for integrity validation). - You can check if BitLocker uses Secure Boot for integrity validation with manage-bde -protectors -get C: (and see if "Uses Secure Boot for integrity validation" is reported) From fcbc9b85ae8e2afa2016f1020cdef52dfe3dec57 Mon Sep 17 00:00:00 2001 
From: Daniel Simpson Date: Thu, 11 Mar 2021 11:53:53 -0800 Subject: [PATCH 6/6] Update windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../information-protection/bitlocker/bitlocker-upgrading-faq.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md b/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md index 5a8d6bf039..8f6a80ac58 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md +++ b/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md @@ -41,7 +41,7 @@ Users need to suspend BitLocker for Non-Microsoft software updates, such as: - Non-Microsoft application updates that modify the UEFI\BIOS configuration. - Manual or third-party updates to secure boot databases (only if BitLocker uses Secure Boot for integrity validation). - Updates to UEFI\BIOS firmware, installation of additional UEFI drivers, or UEFI applications without using the Windows update mechanism (only if you update and BitLocker does not use Secure Boot for integrity validation). - - You can check if BitLocker uses Secure Boot for integrity validation with manage-bde -protectors -get C: (and see if "Uses Secure Boot for integrity validation" is reported) + - You can check if BitLocker uses Secure Boot for integrity validation with manage-bde -protectors -get C: (and see if "Uses Secure Boot for integrity validation" is reported). > [!NOTE]
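Review bot: In [PATCH 1/6], the qualifier on the new firmware bullet, "(only If BitLocker does not use Secure Boot for Integrity validation and you update)", is an unfinished clause: "and you update" has no object, so the condition cannot be parsed. Suggest "(only if BitLocker does not use Secure Boot for integrity validation)", since "without using Windows Update mechanism" in the same bullet already states the how. Two further points in this hunk: the nested check bullet applies to both Secure Boot-qualified bullets, not only the one it is indented under, so it reads better as a sentence after the list with the command in code formatting, `manage-bde -protectors -get C:`; and the removed bullet "Non-Microsoft application updates that modify boot components" gets no replacement for the case where BitLocker does not use Secure Boot for integrity validation (the new bullet only covers UEFI\BIOS configuration), so either keep it with that qualifier or fold it into the UEFI drivers and applications bullet.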
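Review bot: In [PATCH 2/6], "We recommend users testing their TPM firmware updates" is still ungrammatical and does not say what the test is for; suggest "We recommend that users test a TPM firmware update on a device whose recovery key is at hand, to confirm whether it clears the TPM, before deploying it without suspending BitLocker", which ties the recommendation to the recovery-mode consequence stated in the note below the list. In the same sentence, "uses Windows API" should be "uses the Windows API" to match "outside of the Windows API" earlier in the bullet, and "this happens if a known vulnerability has been discovered" should be "this typically happens when a known vulnerability has been discovered", since "if" restates the condition rather than explaining when a clear occurs.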
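Review bot: In [PATCH 3/6], adding a terminal period to this one bullet leaves the list with mixed punctuation, since the bullets above and below it in the hunk still have none; punctuate every item of the list in a single commit instead of one bullet per patch, which is what PATCH 4/6 through 6/6 end up doing anyway.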
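Review bot: In [PATCH 4/6], "secure boot databases" should be "Secure Boot databases" to match the capitalization of "Secure Boot" later in the same line; the hunk uses the capitalized product name everywhere else, and the lowercase form reads as a generic term rather than the UEFI feature the qualifier refers to.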
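Review bot: In [PATCH 5/6], the rewritten qualifier "(only if you update and BitLocker does not use Secure Boot for integrity validation)" still carries the dangling "if you update", which only restates the bullet's subject; drop it to "(only if BitLocker does not use Secure Boot for integrity validation)". The added serial comma also changes the meaning: "installation of additional UEFI drivers, or UEFI applications" now lists UEFI applications as a third, separate item instead of something that is installed; suggest "Updates to UEFI\BIOS firmware, or installation of additional UEFI drivers or applications, without using Windows Update". Finally, "Windows update mechanism" lowercases the product name; keep "Windows Update".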
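Review bot: In [PATCH 6/6], since this line is being touched anyway, put the command and the output string in code formatting, `manage-bde -protectors -get C:` and `Uses Secure Boot for integrity validation`, so readers can tell what to type from what to look for; and state that `C:` stands for the BitLocker-protected OS drive letter and should be replaced with the volume being checked, otherwise the check reads as if it only ever applies to C:.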