04-27-2020 12:07 PM
We are in the process of rolling out Cortex XDR to our organization. I saw the new Bitlocker status screen/policies.
I'm struggling to understand if I can enable Bitlocker with this policy, or if this is just a way to ensure the devices are compliant with the way we want Bitlocker configured? We were previously using our AV company's encryption product so we will be switching to Bitlocker, so I wasn't sure if I can enable it through Cortex or if I need to use Intune or GPO.
04-27-2020 12:18 PM
Hmmm, that is what I thought, but even with the policy set to encrypt the disk, Bitlocker still reports it is off.
TPM is enabled.
Is there anything else I need to do to get Cortex to turn on Bitlocker?
04-27-2020 12:46 PM
Hi @pkawula -
Before digging deeper, just want to confirm that you have gone through the steps on page 156 of the admin guide (linked below) and that all pre-requisites have been met.
Admin Guide - https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/cortex/cortex-xdr/cor...
04-27-2020 01:04 PM - edited 04-27-2020 01:18 PM
04-29-2020 08:18 AM
I have not tried to enable this yet. I will try to get access to a lab to verify; however, it is my understanding that this is needed to allow the agent to access the encryption recovery key backup. Please give me through the end of the week to secure an environment to test.
05-04-2020 07:43 AM
I spoke with the Product Manager responsible for the Bitlocker feature this morning. The prerequisite list is accurate and anything listed must be set up / enabled before taking advantage of the feature. The PM also recommended that two profiles (as well as two policy rules) be created to use this feature. The first one is an encrypt profile to encrypt the drive(s). The second profile should be a decrypt profile to decrypt the drives. If you need to decrypt an encrypted drive, you would then add that machine to a policy with decrypt profile.
In the policy list (under extensions), you would place the decrypt policy above the encrypt policy since the rule set is a top-down match.
05-04-2020 07:50 AM
I will likely just manage Bitlocker with Intune then and just use Cortex as a monitoring dashboard. I am not sure why Cortex needs that feature turned on when GPO and/or Intune can manage Bitlocker without it. Seems odd. Maybe I am missing something? Or maybe just because it is a third party software. Not a huge deal as we weren't expecting to control encryption from Cortex when we purchased anyway.
If I just wanted to test, I am assuming adding the RSAT ADDS and Lightweight Directory Tools feature in Win10 1909 will fulfill the requirements?
05-21-2020 07:56 AM
@pkawula that is what we do. We implement Bitlocker via GPO and monitor through the Cortex XDR console. Using the Cortex XDR console alerted us to the fact that we were only using 128-bit encryption. We have since used GPO to enable 256-bit encryption going forward. Prior to Cortex XDR we had no visibility into this.
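For readers who manage Bitlocker through GPO or Intune and want the same 128-bit versus 256-bit check locally, the following is an added example, not part of the thread and not vendor code. The function name `Test-BitLockerBaseline` is hypothetical, and the baseline it enforces (protection on, fully encrypted, a 256-bit method, a recovery-password protector) is an assumption to adjust to your own policy.

```powershell
# Added example: evaluate BitLocker volume objects against an assumed baseline.
# Accepts the output of Get-BitLockerVolume or objects with the same properties.
function Test-BitLockerBaseline {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        $Volume,
        # Assumed baseline: only 256-bit encryption methods are acceptable.
        [string[]]$AllowedMethods = @('Aes256', 'XtsAes256')
    )
    process {
        $issues = @()
        # Enum values are converted to strings so sample objects work as well.
        $protectors = @($Volume.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        if ("$($Volume.ProtectionStatus)" -ne 'On') {
            $issues += 'protection is off'
        }
        if ("$($Volume.VolumeStatus)" -ne 'FullyEncrypted') {
            $issues += "volume status is $($Volume.VolumeStatus)"
        }
        if ("$($Volume.EncryptionMethod)" -notin $AllowedMethods) {
            $issues += "encryption method is $($Volume.EncryptionMethod)"
        }
        if ('RecoveryPassword' -notin $protectors) {
            $issues += 'no recovery password protector'
        }
        [pscustomobject]@{
            MountPoint = $Volume.MountPoint
            Compliant  = ($issues.Count -eq 0)
            Issues     = ($issues -join '; ')
        }
    }
}

# Constructed sample data (not taken from any real endpoint).
$tpm = [pscustomobject]@{ KeyProtectorType = 'Tpm' }
$rec = [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' }
$sample = @(
    [pscustomobject]@{ MountPoint = 'C:'; ProtectionStatus = 'On'; VolumeStatus = 'FullyEncrypted'
                       EncryptionMethod = 'XtsAes128'; KeyProtector = @($tpm, $rec) }
    [pscustomobject]@{ MountPoint = 'D:'; ProtectionStatus = 'Off'; VolumeStatus = 'FullyDecrypted'
                       EncryptionMethod = 'None'; KeyProtector = @() }
    [pscustomobject]@{ MountPoint = 'E:'; ProtectionStatus = 'On'; VolumeStatus = 'FullyEncrypted'
                       EncryptionMethod = 'XtsAes256'; KeyProtector = @($rec) }
)
$sample | Test-BitLockerBaseline | Format-Table -AutoSize

# On a real endpoint, from an elevated PowerShell session:
# Get-BitLockerVolume | Test-BitLockerBaseline
```

In the constructed sample, `C:` is flagged only for its 128-bit method, which is the condition described in the post above; `D:` fails every check and `E:` passes.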