BIOS update through HPIA and BitLocker management
We are in the process of setting a recurrent execution of HP Image Assistant on our devices. We are still evaluating the execution mechanism (be it a scheduled task or a recurrent advertisement through SCCM); in any case, since most devices are turned off at night, we expect to run HPIA at any moment of the day -- but to prevent service interruption, we will not enforce a device restart until a user initiates it from Windows or during a maintenance window at night, whichever comes first.
Problem is, our devices are BitLockered -- there is an Intune policy ensuring that our drives are and stay encrypted. The HP BIOS softpaqs do suspend BitLocker protection when run from HPIA; but we started to observe that on some devices, protection got resumed before the device was restarted, resulting in a user having to enter a recovery key to confirm the changes. We tracked down that protection resumes after a random delay once a BIOS update has been staged, and that a "BitLocker MDM policy Refresh" scheduled task is responsible for this resume.
We got in touch with Microsoft, and they replied that this is expected behavior. If a policy is set to ensure that drives are encrypted, and BitLocker is found in a suspended state during a compliance evaluation, then the "BitLocker MDM policy Refresh" task will resume BitLocker protection.
Which brings this question: how do you manage BIOS updates on active devices (i.e. not during imaging)? Do you enforce a restart immediately after the BIOS update has been staged? How do you manage that on devices that are offline/unreachable during maintenance windows?
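One way to close the window described above is a guard script that runs immediately before the restart (from the restart prompt or the maintenance-window task) and re-suspends BitLocker for exactly one reboot if the MDM policy refresh has resumed it while a BIOS update is still staged. This is an added example, not code from the original post or from HP/Microsoft; it assumes the deployment step that stages the BIOS update also records the pre-update BIOS version in the hypothetical marker file `$MarkerPath`, and that the flash completes within a single Windows reboot.

```powershell
# Added example: pre-restart BitLocker guard for a staged HP BIOS update.
# Assumption (hypothetical): the staging step wrote the pre-update value of
# (Get-CimInstance Win32_BIOS).SMBIOSBIOSVersion to this marker file.
$MarkerPath = 'C:\ProgramData\BiosUpdate\pending-bios.txt'
$Volume     = 'C:'

function Test-BiosUpdatePending {
    # A staged update is still pending while the running firmware version
    # equals the version recorded at staging time.
    if (-not (Test-Path $MarkerPath)) { return $false }
    $staged  = (Get-Content $MarkerPath -Raw).Trim()
    $current = (Get-CimInstance Win32_BIOS).SMBIOSBIOSVersion
    return ($staged -eq $current)
}

function Get-MdmRefreshLastRun {
    # Last run of the task the post identifies as resuming protection.
    $task = Get-ScheduledTask -TaskName 'BitLocker MDM policy Refresh' -ErrorAction SilentlyContinue
    if ($task) { return ($task | Get-ScheduledTaskInfo).LastRunTime }
    return 'unknown'
}

if (-not (Test-Path $MarkerPath)) {
    Write-Output 'No staged BIOS update recorded; nothing to do.'
}
elseif (-not (Test-BiosUpdatePending)) {
    # Firmware version changed: the update was applied on a previous boot,
    # so the marker is stale and can be cleared.
    Remove-Item $MarkerPath -Force
    Write-Output 'BIOS update already applied; marker cleared.'
}
else {
    $bde = Get-BitLockerVolume -MountPoint $Volume
    if ($bde.ProtectionStatus -eq 'On') {
        Write-Output ("Protection on {0} is On (MDM refresh last ran {1}); suspending for one reboot." -f $Volume, (Get-MdmRefreshLastRun))
        # RebootCount 1: protection comes back by itself after the flash boot,
        # so the volume is not left suspended indefinitely. If the MDM refresh
        # fires again before the restart actually happens, protection is
        # resumed once more, which is why this runs right before the restart.
        Suspend-BitLocker -MountPoint $Volume -RebootCount 1 | Out-Null
    }
    else {
        Write-Output "Protection on $Volume is already suspended; safe to restart."
    }
}
```

Run it elevated as the last step before `Restart-Computer`; a `ProtectionStatus` of `On` here with the marker present is exactly the state that would have produced the recovery-key prompt.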