Bitlocker recovery keys not present

L1 Bithead

Hello,

I wanted to check if someone can shed some light on this issue I had.


During a Cortex XDR PoC, the end user activated the Disk Encryption policy on a couple of workstations without confirming the prerequisites, so these workstations encrypted the HDD (C:) and after the first reboot started asking for the BitLocker recovery key.


Now, the issue is that the key is not present in Active Directory and the user said that he got no other prompt to save the key on the endpoint. My question is: if XDR activated the BitLocker policy and it was not able to save the recovery key, should it encrypt anyway? I now have a couple of workstations that have their disks encrypted and no way to roll back or unlock them.


Thanks in advance for any tips/help/comments.

L4 Transporter

Hi @Bruno_Alipio -


There are several pre-reqs that must be checked off before enabling an encryption policy. They can be found here: https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-prevent-admin/endpoint-security/harde...


Since you are having issues with decryption, it is best to contact Support for assistance.


David Falcon
Solutions Architect, Cortex
Palo Alto Networks®
L1 Bithead

Hi @dfalcon, thanks for the feedback. I opened a case with Support but unfortunately they were not able to help. I'm just trying to figure out the standard behavior if the prerequisites are not met. If the BitLocker process can't save the recovery keys to AD, should it present a GUI to the user asking for USB/print/local file? Is there any way that the XDR agent is enabling BitLocker and asking for a silent process?
L1 Bithead

Hi Dfalcon,


Is there a tool or some log which can show what prerequisites are not met? I have some PCs I think are compliant, but the Disk Encryption Visibility portal doesn't share my opinion, and I don't know what the problem is.
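Both questions in this thread (whether a recovery key was escrowed before the disk was encrypted, and which prerequisites a given PC fails) can be answered locally on the endpoint with the BitLocker cmdlets that ship with Windows. The script below is an added example written for this thread; it is not part of the Cortex XDR agent, not Palo Alto Networks' code, and it does not know the agent's own prerequisite list, so it checks the generic BitLocker requirements for AD DS key escrow: a ready TPM, UEFI Secure Boot, domain membership, a RecoveryPassword protector on the volume, and a successful backup of that protector to AD DS. The Cortex docs link in the reply above is the authoritative prerequisite list. The event IDs 845/846 are what I expect the BitLocker Management log to record for a successful/failed AD backup; verify them against your own log before relying on the filter.

```powershell
# Added example: BitLocker readiness and key-escrow check for the OS volume.
# Not from the thread or from Palo Alto Networks. Run in an elevated session
# on the endpoint before (or after) an encryption policy is pushed.
#Requires -RunAsAdministrator
param([string]$MountPoint = 'C:')

$report = [ordered]@{}

# 1. Hardware prerequisites: a ready TPM and UEFI Secure Boot.
$tpm = Get-Tpm
$report['TpmPresent'] = $tpm.TpmPresent
$report['TpmReady']   = $tpm.TpmReady
try {
    $report['SecureBoot'] = Confirm-SecureBootUEFI
} catch {
    # Confirm-SecureBootUEFI throws on legacy BIOS firmware; treat as not met.
    $report['SecureBoot'] = $false
}

# 2. Domain membership: escrow to AD DS is impossible on a workgroup machine.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$report['DomainJoined'] = $cs.PartOfDomain
$report['Domain']       = $cs.Domain

# 3. Volume state and the key protectors currently attached to it.
#    A volume with only a Tpm protector and no RecoveryPassword protector is
#    exactly the situation described in the thread: nothing to escrow.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$report['VolumeStatus']     = $vol.VolumeStatus
$report['ProtectionStatus'] = $vol.ProtectionStatus
$report['EncryptionPct']    = $vol.EncryptionPercentage
$report['Protectors']       = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '
$recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
$report['RecoveryPasswordProtectors'] = $recovery.Count

# 4. Escrow: push every RecoveryPassword protector to AD DS. This succeeds only
#    when the machine is domain joined and the "Store BitLocker recovery
#    information in AD DS" policy permits it. The 48-digit password itself is
#    deliberately not written to the console.
$escrowFailed  = $false
$escrowResults = @()
foreach ($p in $recovery) {
    try {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint `
            -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null
        $escrowResults += "$($p.KeyProtectorId): backed up to AD DS"
    } catch {
        $escrowFailed = $true
        $escrowResults += "$($p.KeyProtectorId): FAILED - $($_.Exception.Message)"
    }
}
$report['EscrowResults'] = $escrowResults -join '; '

# 5. Verdict: the volume should only be considered safely encrypted once a
#    recovery password exists AND its escrow succeeded.
$report['ReadyForPolicy'] = $tpm.TpmReady -and $cs.PartOfDomain -and
                            ($recovery.Count -gt 0) -and (-not $escrowFailed)

# 6. What the BitLocker Management log recorded about escrow in the last week.
#    845 = AD DS backup succeeded, 846 = backup failed (assumed IDs; verify).
$events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
        StartTime = (Get-Date).AddDays(-7)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -in 845, 846 } |
    Select-Object TimeCreated, Id, Message

[pscustomobject]$report | Format-List
$events | Format-Table -AutoSize -Wrap
```

If the report shows RecoveryPasswordProtectors = 0 on a volume that is already encrypting, you can add one with Add-BitLockerKeyProtector -MountPoint C: -RecoveryPasswordProtector and rerun the script so that the new protector is escrowed; do that while the machine still boots, because once it is stuck at the recovery prompt there is no local session to run it from.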
