topic Re: Turn on Bitlocker? in Cortex XDR Discussions

Turn on Bitlocker?

pkawula — Mon, 27 Apr 2020 19:07:58 GMT

We are in the process of rolling out Cortex XDR to our organization. I saw the new BItlocker status screen/policies.

I'm struggling to understand if I can enable Bitlocker with this policy, or if this is just a way to ensure the devices are complaint with the way we want Bitlocker configured? We were previously using our AV company's encryption product so we will be switching to Bitlocker, so I wasn't sure if I can enable it through Cortex or if I need to use Intune or GPO.

Thanks

Re: Turn on Bitlocker?

dfalcon — Mon, 27 Apr 2020 19:15:51 GMT

Hi there-

Yes, you can enable this through Cortex XDR. You could also use GPO - Either method will work.

Re: Turn on Bitlocker?

pkawula — Mon, 27 Apr 2020 19:18:35 GMT

Hmmm, That is what I thought, but even with the policy set to encrypt the disk, bitlocker still reports it is off.

TPM is enabled.

Is there any thing else I need to do to get Cortex to turn on Bitlocker?

Re: Turn on Bitlocker?

dfalcon — Mon, 27 Apr 2020 19:46:40 GMT

Hi @pkawula -

Before digging deeper, just want to confirm that you have gone through the steps on page 156 of the admin guide (linked below) and that all pre-requisites have been met.

Admin Guide - https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/cortex/cortex-xdr/cortex-xdr-pro-admin/cortex-xdr-pro-admin.pdf

Re: Turn on Bitlocker?

pkawula — Mon, 27 Apr 2020 20:18:38 GMT

@dfalcon

WIndows 10 1909

TPM enabled.

It is an AD connected endpoint. But the ADDS role is not installed there on the endpoint directly. I've never heard of ADDS being run on a workstation...

Re: Turn on Bitlocker?

dfalcon — Wed, 29 Apr 2020 15:18:26 GMT

Hi @pkawula-

I have not tried to enable this yet. I will try to get access to a lab to verify; however, it is my understanding that this is needed to allow the agent to access the encryption recovery key backup. Please give me through the end of the week to secure an environment to test.

Re: Turn on Bitlocker?

dfalcon — Mon, 04 May 2020 14:43:44 GMT

Hi @pkawula-

I spoke with the Product Manager responsible for the Bitlocker feature this morning. The prerequisite list is accurate and anything listed must be set up / enabled before taking advantage of the feature. The PM also recommended that two profiles (as well as two policy rules) be created to use this feature. The first one is an encrypt profile to encrypt the drive(s). The second profile should be a decrypt profile to decrypt the drives. If you need to decrypt an encrypted drive, you would then add that machine to a policy with decrypt profile.

In the policy list (under extensions), you would place the decrypt policy above the encrypt policy since the rule set is a top-down match.

Re: Turn on Bitlocker?

pkawula — Mon, 04 May 2020 14:50:58 GMT

Thanks @dfalcon

I will likely just manage Bitlocker with Intune then and just use Cortex as a monitoring dashboard. I am not sure why Cortex needs that feature turned on when GPO and/or Intune can manage Bitlocker without it. Seems odd. Maybe I am missing something? Or maybe just because it is a third party software. Not a huge deal as we weren't expecting to control encryption from Cortex when we purchased anyway.

If I just wanted to test, I am assuming adding the RSAT ADDS and Lightweight Directory Tools feature in Win10 1909 will fulfill the requirements?

Re: Turn on Bitlocker?

Retired Member — Thu, 21 May 2020 14:56:50 GMT

@pkawula that is what we do. We implement Bitlocker via GPO and monitor through the Cortex XDR console. Using the Cortex XDR console alerted us to the fact that we were only using 128-bit encryption. We have since used GPO to enable 256-bit encryption going forward. Prior to Cortex XDR we had no visibility into this.

Re: Turn on Bitlocker?

Rocky-25 — Fri, 05 Jan 2024 09:35:30 GMT

Hi Everyone

Is the ADDS role on the endpoints still a requirement? It's not listed in the pre-requisites (anymore?):

Disk Encryption • Cortex XDR Pro Administrator Guide • Reader • Palo Alto Networks documentation portal

Thanks & Best Regards