The context:
My environment uses Bitlocker to protect the data on our laptops. If any changes are made to the boot process while Bitlocker is active, then a key must be entered before the drive can be decrypted and booted. We don't want our users to ever encounter this prompt for a key, but we would like to update the BIOS on their laptops. The solution is to temporarily suspend Bitlocker before a BIOS update is applied and then resume after the machine has rebooted. Suspending/resuming bitlocker is a simple command that can be called within packageboot. I have tested this part, and can verify that the suspend/resume (disable/enable) get run successfully if I wrap them in Preexecution and Postexecution blocks in the xml file.
The problem comes into play when the update requires a reboot. The post-execution in Packageboot never gets called. In my tests I have used the following:
Touch.exe - a simple program that takes 1 parameter and creates it if it doesn't exist, overwriting it if it does.
Exit3010.exe - returns a 3010 exit code, which indicates a success, but with a required reboot.
manage-bde - a Microsoft program that manages the Bitlocker state. -protectors -disable c: turns off monitoring, -protectors -enable c: turns them back on.
packageboot.xml:
<?xml version="1.0" encoding="utf-8"?>
<packageboot version="1.0.0.0" id="dd53b76e-babc-410f-8901-426d0989f5f1">
  <instructions>
    <preexecution>
      <programs>
        <program type="exe" typeaction="runandwait" name="manage-bde.exe" pathtype="simplepath" path="%SYSTEM%" successcode="0" failureaction="stop" enabled="true">-protectors -disable c:</program>
        <program type="exe" typeaction="runandwait" name="touch.exe" successcode="0" failureaction="stop" enabled="true">c:\data\reboot.flag</program>
      </programs>
    </preexecution>
    <execution>
      <programs>
        <program type="exe" typeaction="runandwait" name="exit3010.exe" successcode="0" failureaction="continue" enabled="true"></program>
      </programs>
    </execution>
    <postexecution>
      <programs>
        <program type="exe" typeaction="runandwait" name="touch.exe" successcode="0" failureaction="stop" enabled="true">c:\data\hit-post-exec.flag</program>
        <program type="exe" typeaction="runandwait" name="manage-bde.exe" pathtype="simplepath" path="%SYSTEM%" successcode="0" failureaction="stop" enabled="true">-protectors -enable c:</program>
        <program type="exe" typeaction="runandwait" name="touch.exe" successcode="0" failureaction="stop" enabled="true">c:\data\end-post-exec.flag</program>
      </programs>
    </postexecution>
  </instructions>
</packageboot>
When I deliver this via WSUS, I get all the touched flag files before a reboot happens. This means Bitlocker gets turned off, but turned back on before a reboot occurs. Is there any way to tell Packageboot to run the post-execution steps after a reboot?
If not, my plan is to create another update that triggers on the updated BIOS version and turns Bitlocker back on, but this seems kludgey and would tell users they have another update to install after they've already rebooted. I'd like to avoid that.
Does anyone see a more elegant solution?
Message was edited by: Robert Miller - formatted a bit for readability
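The following is an added example, not code from the original post or from the PackageBoot/WSUS project. It shows the usual way around the "post-execution never runs after a reboot" problem: instead of resuming protectors from the package, suspend them in a way that Windows itself undoes after the next boot. On Windows 8 / Server 2012 and later this is the -RebootCount option (Suspend-BitLocker cmdlet, or manage-bde -protectors -disable -RebootCount); on Windows 7, where manage-bde has no such option, the script falls back to a one-shot SYSTEM task that re-enables protectors at startup and deletes itself. The script assumes it runs elevated (as PackageBoot does under SYSTEM); the task name ResumeBitLocker and the file name suspend-bitlocker.ps1 mentioned below are constructed for this example.

```powershell
# Added example (not from the original post). Assumes an elevated context and
# Windows 8+ for Suspend-BitLocker/-RebootCount; older hosts take the task path.
param(
    [string]$Drive = 'C:',
    [int]$RebootCount = 1,        # raise this if the firmware updater reboots more than once
    [string]$TaskName = 'ResumeBitLocker'   # constructed name for the one-shot fallback task
)

function Get-ProtectionStatus {
    # Returns 'On' or 'Off' for the volume's protectors. Prefers the cmdlet because
    # manage-bde's text output is localized; falls back to parsing it on older hosts.
    param([string]$Drive)
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        return [string](Get-BitLockerVolume -MountPoint $Drive).ProtectionStatus
    }
    $text = (& manage-bde.exe -status $Drive | Out-String)
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -status ${Drive} failed with exit code $LASTEXITCODE" }
    if ($text -match 'Protection Status:\s*Protection (On|Off)') { return $Matches[1] }
    throw "Could not parse protection status for ${Drive}"
}

function Suspend-ProtectorsForReboot {
    # Suspends protectors so the firmware update's reboot does not trigger the
    # recovery prompt, and arranges for them to come back without a second package.
    param([string]$Drive, [int]$RebootCount, [string]$TaskName)
    if ((Get-ProtectionStatus $Drive) -ne 'On') {
        return 'already-off'    # nothing to suspend, so do not schedule a resume we did not cause
    }
    if (Get-Command Suspend-BitLocker -ErrorAction SilentlyContinue) {
        # Windows resumes protection on its own after $RebootCount restarts.
        Suspend-BitLocker -MountPoint $Drive -RebootCount $RebootCount | Out-Null
        return 'suspended-with-rebootcount'
    }
    # Windows 7 path: disable now, then register a SYSTEM task that runs at startup,
    # re-enables the protectors and removes itself.
    & manage-bde.exe -protectors -disable $Drive | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -protectors -disable ${Drive} failed with exit code $LASTEXITCODE" }
    $action = "cmd /c manage-bde -protectors -enable $Drive & schtasks /Delete /TN $TaskName /F"
    & schtasks.exe /Create /TN $TaskName /SC ONSTART /RU SYSTEM /TR $action /F | Out-Null
    if ($LASTEXITCODE -ne 0) {
        # Never leave the volume unprotected with no scheduled way back: re-enable and fail loudly.
        & manage-bde.exe -protectors -enable $Drive | Out-Null
        throw "schtasks could not register $TaskName; protectors re-enabled on ${Drive}"
    }
    return 'suspended-with-startup-task'
}

function Test-ProtectionResumed {
    # Post-reboot check for a compliance script: protectors are back on and the
    # one-shot task, if one was created, is gone.
    param([string]$Drive, [string]$TaskName)
    & schtasks.exe /Query /TN $TaskName 2>$null | Out-Null
    $taskGone = ($LASTEXITCODE -ne 0)
    return ((Get-ProtectionStatus $Drive) -eq 'On') -and $taskGone
}

$result = Suspend-ProtectorsForReboot -Drive $Drive -RebootCount $RebootCount -TaskName $TaskName
Write-Output "BitLocker on ${Drive}: $result"
```

With this in place the package needs only a preexecution step (for example `powershell.exe -ExecutionPolicy Bypass -File suspend-bitlocker.ps1`) and no postexecution enable, so nothing depends on PackageBoot surviving the reboot. Two caveats a practitioner should keep in mind: -RebootCount counts restarts, so a firmware updater that reboots twice needs a count of 2 or protection resumes while the TPM measurements are still about to change; and the suspend itself leaves the volume's key in the clear on disk until the resume happens, which is why the script refuses to continue when the fallback task cannot be registered and why Test-ProtectionResumed is worth running from your compliance reporting after the update.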