Turn on Bitlocker?

L1 Bithead

We are in the process of rolling out Cortex XDR to our organization. I saw the new Bitlocker status screen/policies.

I'm struggling to understand if I can enable Bitlocker with this policy, or if this is just a way to ensure the devices are compliant with the way we want Bitlocker configured? We were previously using our AV company's encryption product so we will be switching to Bitlocker, so I wasn't sure if I can enable it through Cortex or if I need to use Intune or GPO.

 

Thanks

L4 Transporter

Hi there-

 

Yes, you can enable this through Cortex XDR. You could also use GPO - Either method will work.


David Falcon 
MDR Systems Engineer, Cortex
Palo Alto Networks®

L1 Bithead

Hmmm, that is what I thought, but even with the policy set to encrypt the disk, Bitlocker still reports it is off.

TPM is enabled.

Is there anything else I need to do to get Cortex to turn on Bitlocker?

L4 Transporter

Hi @pkawula -

 

Before digging deeper, just want to confirm that you have gone through the steps on page 156 of the admin guide (linked below) and that all pre-requisites have been met.   

 

Admin Guide - https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/cortex/cortex-xdr/cor... 


David Falcon 
MDR Systems Engineer, Cortex
Palo Alto Networks®

L1 Bithead

@dfalcon

Windows 10 1909

TPM enabled.

It is an AD connected endpoint. But the ADDS role is not installed there on the endpoint directly. I've never heard of ADDS being run on a workstation...

L4 Transporter

Hi @pkawula-

 

I have not tried to enable this yet.  I will try to get access to a lab to verify; however, it is my understanding that this is needed to allow the agent to access the encryption recovery key backup.  Please give me through the end of the week to secure an environment to test. 


David Falcon 
MDR Systems Engineer, Cortex
Palo Alto Networks®

L4 Transporter

Hi @pkawula-

 

I spoke with the Product Manager responsible for the Bitlocker feature this morning. The prerequisite list is accurate and anything listed must be set up / enabled before taking advantage of the feature. The PM also recommended that two profiles (as well as two policy rules) be created to use this feature. The first one is an encrypt profile to encrypt the drive(s). The second profile should be a decrypt profile to decrypt the drives. If you need to decrypt an encrypted drive, you would then add that machine to a policy with the decrypt profile.


In the policy list (under extensions), you would place the decrypt policy above the encrypt policy since the rule set is a top-down match.

 


David Falcon 
MDR Systems Engineer, Cortex
Palo Alto Networks®

L1 Bithead

Thanks @dfalcon 

I will likely just manage Bitlocker with Intune then and just use Cortex as a monitoring dashboard. I am not sure why Cortex needs that feature turned on when GPO and/or Intune can manage Bitlocker without it. Seems odd. Maybe I am missing something? Or maybe just because it is a third party software. Not a huge deal as we weren't expecting to control encryption from Cortex when we purchased anyway.

If I just wanted to test, I am assuming adding the RSAT ADDS and Lightweight Directory Tools feature in Win10 1909 will fulfill the requirements?

L2 Linker

@pkawula that is what we do. We implement Bitlocker via GPO and monitor through the Cortex XDR console. Using the Cortex XDR console alerted us to the fact that we were only using 128-bit encryption. We have since used GPO to enable 256-bit encryption going forward. Prior to Cortex XDR we had no visibility into this.
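
Added example, not part of any post in this thread: a local PowerShell audit that surfaces the two conditions discussed above, a volume that still reports Bitlocker as off even though the TPM is enabled, and a volume encrypted with a 128-bit method. `Get-Tpm` and `Get-BitLockerVolume` are built-in Windows cmdlets; the list of methods to flag and the `Finding` labels are assumptions made for this example.

```powershell
# Added example: run in an elevated PowerShell session on the endpoint.
# The $weakMethods list and the Finding text are this example's own choices.

$weakMethods = @('Aes128', 'XtsAes128', 'Aes128Diffuser')   # 128-bit methods to flag

# TPM state: "enabled in firmware" is not the same as ready for use by Bitlocker.
$tpm = Get-Tpm
[pscustomobject]@{
    TpmPresent = $tpm.TpmPresent
    TpmReady   = $tpm.TpmReady
} | Format-List

# One row per volume, with a finding that separates "never encrypted",
# "encrypted but protection off/suspended" and "encrypted with a 128-bit method".
$report = foreach ($vol in Get-BitLockerVolume) {
    $method     = [string]$vol.EncryptionMethod
    $protectors = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','

    $finding = if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        'Not encrypted'
    } elseif ($vol.VolumeStatus -ne 'FullyEncrypted') {
        "In transition ($($vol.VolumeStatus), $($vol.EncryptionPercentage)%)"
    } elseif ($vol.ProtectionStatus -ne 'On') {
        'Encrypted, protection off or suspended'
    } elseif ($method -in $weakMethods) {
        '128-bit method in use'
    } else {
        'OK'
    }

    [pscustomobject]@{
        MountPoint = $vol.MountPoint
        VolumeType = $vol.VolumeType
        Status     = $vol.VolumeStatus
        Protection = $vol.ProtectionStatus
        Method     = $method
        Protectors = $protectors
        Finding    = $finding
    }
}

$report | Format-Table -AutoSize

# Non-zero exit code when any volume needs attention, so the script can be
# used from a scheduled task or a management tool's compliance check.
if ($report | Where-Object { $_.Finding -ne 'OK' }) { exit 1 } else { exit 0 }
```

Changing the encryption method in GPO or Intune affects only volumes encrypted after the change, so a volume flagged as 128-bit stays that way until it is decrypted and encrypted again.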
