Device Compliance, BitLocker, and BIOS Updates
Greetings,
Background: Financial services org with 900-1000 Windows devices under management in Intune. Userbase is made up of advisor teams, each determining their own schedule and travel plans. Management wants to restrict access exclusively to company issued devices which I'm planning on doing through Conditional Access and the "Require device to be marked as compliant" control.
The self-test and IT team test has gone well, but the most common non-compliant scenario appears to be BitLocker suspending when a BIOS update is pending. Before I roll this out to the triple digits I'm trying to see if I'm misunderstanding something.
Question: When requiring device compliance how are you managing BIOS updates and mitigating users being locked out when those updates require suspension of BitLocker?
- Are you using the "Require encryption of data storage on device" or the "Require BitLocker" control in your compliance policies? Both?
- Are you making use of grace periods and email notifications?
- Are you using WUfB/Autopatch, vendor tools, and/or remediation scripts to schedule/distribute BIOS updates?
- If using WUfB/Autopatch, which update behavior are you using? (notify, install, install and restart, etc.)
Additional details: We're mostly Dell, and our non-Dell devices are getting phased out. I know I can use DCU with ADMX or scripting to manage the application of BIOS updates independently of WUfB, but again I'm not sure I've figured out a way to have it nudge the user to update without locking out the user hours or even days before the reboot deadline.
Any help or insight is appreciated.