We are in the process of rolling out Cortex XDR to our organization. I saw the new BitLocker status screen/policies.
I'm struggling to understand if I can enable BitLocker with this policy, or if this is just a way to ensure the devices are compliant with the way we want BitLocker configured. We were previously using our AV company's encryption product, so we will be switching to BitLocker, and I wasn't sure if I can enable it through Cortex or if I need to use Intune or GPO.
Yes, you can enable this through Cortex XDR. You could also use GPO; either method will work.
Hmmm, that is what I thought, but even with the policy set to encrypt the disk, BitLocker still reports it is off.
TPM is enabled.
Is there anything else I need to do to get Cortex to turn on BitLocker?
Hi @pkawula -
Before digging deeper, I just want to confirm that you have gone through the steps on page 156 of the admin guide (linked below) and that all prerequisites have been met.
Windows 10 1909
It is an AD connected endpoint. But the ADDS role is not installed there on the endpoint directly. I've never heard of ADDS being run on a workstation...
I have not tried to enable this yet. I will try to get access to a lab to verify; however, it is my understanding that this is needed to allow the agent to access the encryption recovery key backup. Please give me through the end of the week to secure an environment to test.
I spoke with the Product Manager responsible for the BitLocker feature this morning. The prerequisite list is accurate, and anything listed must be set up / enabled before taking advantage of the feature. The PM also recommended that two profiles (as well as two policy rules) be created to use this feature. The first one is an encrypt profile to encrypt the drive(s). The second profile should be a decrypt profile to decrypt the drives. If you need to decrypt an encrypted drive, you would then add that machine to a policy with the decrypt profile.
In the policy list (under extensions), you would place the decrypt policy above the encrypt policy since the rule set is a top-down match.
I will likely just manage BitLocker with Intune then and just use Cortex as a monitoring dashboard. I am not sure why Cortex needs that feature turned on when GPO and/or Intune can manage BitLocker without it. Seems odd. Maybe I am missing something? Or maybe it is just because it is third-party software. Not a huge deal, as we weren't expecting to control encryption from Cortex when we purchased anyway.
If I just wanted to test, I am assuming adding the RSAT ADDS and Lightweight Directory Tools feature in Win10 1909 will fulfill the requirements?
@pkawula that is what we do. We implement BitLocker via GPO and monitor through the Cortex XDR console. Using the Cortex XDR console alerted us to the fact that we were only using 128-bit encryption. We have since used GPO to enable 256-bit encryption going forward. Prior to Cortex XDR we had no visibility into this.
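As an added example (not code from the thread or from Palo Alto Networks), the following PowerShell audit reproduces on a single endpoint the kind of check the console surfaced above: it flags OS volumes that report protection off, volumes encrypted with anything other than XTS-AES 256, volumes without a recovery password protector, and a missing or unready TPM. It assumes the built-in BitLocker and TrustedPlatformModule modules (Get-BitLockerVolume, Get-Tpm) and an elevated prompt; the function name and the XtsAes256 baseline are my choices.

```powershell
# Added example, not from the original thread. Audits local BitLocker state against
# a baseline: OS drive protected, XTS-AES 256, recovery password escrowable, TPM ready.
# Requires the BitLocker and TrustedPlatformModule modules; run elevated.
function Get-BitLockerBaselineReport {
    param(
        # Desired cipher; XtsAes256 is the 256-bit setting the thread switched to via GPO.
        [string]$RequiredMethod = 'XtsAes256'
    )
    $tpm = Get-Tpm
    foreach ($vol in Get-BitLockerVolume) {
        $hasRecoveryPassword = [bool]($vol.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
        $findings = @()

        if ($vol.VolumeType -eq 'OperatingSystem' -and $vol.ProtectionStatus -ne 'On') {
            $findings += 'Protection is off on the OS volume'
        }
        # Policy changes to the cipher only apply to new encryptions; an already
        # encrypted volume keeps its method until it is decrypted and re-encrypted.
        if ($vol.VolumeStatus -ne 'FullyDecrypted' -and $vol.EncryptionMethod -ne $RequiredMethod) {
            $findings += "Encryption method is $($vol.EncryptionMethod), expected $RequiredMethod"
        }
        if ($vol.ProtectionStatus -eq 'On' -and -not $hasRecoveryPassword) {
            $findings += 'No recovery password protector; nothing to escrow to AD/Intune'
        }
        if ($vol.VolumeType -eq 'OperatingSystem' -and -not ($tpm.TpmPresent -and $tpm.TpmReady)) {
            $findings += 'TPM not present or not ready; policy-driven enablement will not proceed'
        }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            ProtectionStatus = $vol.ProtectionStatus
            EncryptionMethod = $vol.EncryptionMethod
            Compliant        = ($findings.Count -eq 0)
            Findings         = ($findings -join '; ')
        }
    }
}

Get-BitLockerBaselineReport | Format-Table -AutoSize
```

Running this on a machine where the Cortex XDR policy reports BitLocker as off gives a local reason (no TPM ready, no protectors, or a drive still on Aes128) to compare against the console's view.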