Suspend-Bitlocker Command does not work when Cortex XDR Disk Encryption is Enabled
Symptom
When running Suspend-Bitlocker, the endpoint attempts to begin decryption and then immediately re-encrypts the drive. The drive never finishes decrypting and is always re-encrypted.
Environment
Cortex XDR Windows Agent
Cause
The reason Suspend-Bitlocker does not work as intended is that the command does not change any of the Cortex XDR policies that control device encryption. Cortex XDR maintains encryption on your Windows endpoints by ensuring that devices stay in compliance with your desired encryption state. If encryption is enabled in the Cortex XDR policy, then Cortex XDR monitors the encryption status of your system and enforces encryption whenever it is out of compliance. You can see in the logs below that the agent detects that the BitLocker settings have changed and attempts to bring the endpoint back into compliance:
2025/02/20T14:53:09.374-04:00 <Information> U46067-L [5848:6332 ] {trapsd:Main} Starting Disk Encryption Management Service
2025/02/20T14:53:09.374-04:00 <Information> U46067-L [5848:6332 ] {trapsd:DiskEncryptionManager} Disk encryption management settings changed: enforcement enabled=true, periodic reports enabled=true, enforcement interval=5 min, periodics interval=60 min, recovery key interval=60 min
When the command Suspend-Bitlocker is run, it takes the endpoint out of compliance with the encryption state that is set in the Cortex XDR policy. Once Cortex XDR detects that the endpoint is out of compliance, it attempts to re-encrypt the device per the policy assigned to it.
This is why the BitLocker suspend command does not change the encryption status of the endpoint for more than a few minutes before Cortex XDR enforces the encryption policy again.
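To observe this enforcement cycle on a managed endpoint, the following PowerShell script (an added example, not from this article or from Palo Alto Networks) suspends protection on one volume with the BitLocker module's cmdlets and polls Get-BitLockerVolume until protection comes back on. The mount point, watch window and poll interval are assumed parameters; it requires an elevated session.

```powershell
# Added example, not part of the KB article: watch how long a BitLocker
# suspension survives where an agent such as Cortex XDR enforces encryption.
# Assumes the BitLocker PowerShell module and local administrator rights.
param(
    [string]$MountPoint = 'C:',
    [int]$WatchMinutes = 10,   # longer than the 5 min enforcement interval seen in the log
    [int]$PollSeconds = 30
)

$vol = Get-BitLockerVolume -MountPoint $MountPoint
Write-Host ("Before: ProtectionStatus={0} VolumeStatus={1} Encrypted={2}%" -f
    $vol.ProtectionStatus, $vol.VolumeStatus, $vol.EncryptionPercentage)

if ($vol.ProtectionStatus -ne 'On') {
    Write-Host "BitLocker protection is not On for $MountPoint; nothing to suspend."
    return
}

# -RebootCount 0 keeps the suspension in place until Resume-BitLocker is run,
# so a return to 'On' inside the watch window is caused by something else.
Suspend-BitLocker -MountPoint $MountPoint -RebootCount 0 | Out-Null
$start = Get-Date
Write-Host "Suspended at $start; watching for $WatchMinutes minutes..."

while (((Get-Date) - $start).TotalMinutes -lt $WatchMinutes) {
    Start-Sleep -Seconds $PollSeconds
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $elapsed = [int]((Get-Date) - $start).TotalSeconds
    Write-Host ("{0,5}s ProtectionStatus={1} VolumeStatus={2} Encrypted={3}%" -f
        $elapsed, $vol.ProtectionStatus, $vol.VolumeStatus, $vol.EncryptionPercentage)
    if ($vol.ProtectionStatus -eq 'On') {
        Write-Host "Protection re-enabled after $elapsed s: an enforcement agent put the volume back in compliance."
        return
    }
}
Write-Host "Protection stayed suspended for $WatchMinutes minutes: no enforcement observed."
```

On an endpoint with the Cortex XDR disk encryption policy enabled, the poll should report ProtectionStatus returning to On within the enforcement interval; on an unmanaged endpoint it stays Off for the whole window.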
Resolution
In order for the command Suspend-Bitlocker to work, Cortex XDR must not be managing encryption for that endpoint, which means the Cortex XDR profile applied to it must not enforce disk encryption. Cortex XDR is working as intended in this instance, as it is keeping your device in compliance with the encryption status that has been set for it in your Cortex XDR profile.
Additional Information
https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Documentation/Disk-encryption