BitLocker Decrypting/Drive decrypted after enabling Cortex XDR Disk Encryption
Created On 03/01/23 07:37 AM - Last Modified 04/22/24 07:03 AM
Symptom
- A Windows endpoint Operating system drive is already encrypted with BitLocker Drive Encryption.
- When Cortex XDR/XSIAM Disk Encryption is enabled, BitLocker decrypts the drive, and the drive then remains decrypted.
- From the Cortex XDR/XSIAM console Endpoints → Disk Encryption Visibility table, the affected endpoint’s Encryption Status shows “Not Compliant”.
Environment
- Cortex XDR
- Cortex XSIAM
- Windows Endpoint
- Disk Encryption
Cause
- When the endpoint Operating System Drive is already encrypted but not compliant with Cortex XDR/XSIAM Disk Encryption, the Cortex XDR agent decrypts the drive and encrypts it again. This is by design.
When the drive is compliant, running "manage-bde -protectors -get c:" should show two key protectors: one for the TPM and one for a password (recovery key), which should be backed up in Active Directory.
The key protector IDs must match the ones added by the Cortex XDR agent; otherwise the endpoint is considered non-compliant.
- After the decryption, the drive remains decrypted because the Cortex XDR/XSIAM disk encryption failed.
- The requirements for the Cortex XDR disk encryption are not met.
Example errors logged during Cortex XDR/XSIAM Disk Encryption when the endpoint is not joined to the domain:
2023/05/24T10:58:19.299+08:00 <Error> <Hostname> [5692:4336 ] {trapsd:DiskEncryption:DiskEncryptionManager:} Failed to get rootDSE object from AD (0x8007054b)
2023/05/24T10:58:19.299+08:00 <Error> <Hostname> [5692:4336 ] {trapsd:DiskEncryption:DiskEncryptionManager:} Failed to verify active directory connection pre-backup (Protector id {7F9A6465-C240-4D93-BFFB-47329A445630})
2023/05/24T10:58:19.311+08:00 <Error> <Hostname> [5692:4336 ] {trapsd:DiskEncryption:DiskEncryptionManager:} Failed to add key protectors for volume 'C:' (0x8007054b)
2023/05/24T10:58:19.327+08:00 <Error> <Hostname> [5692:4336 ] {trapsd:DiskEncryption:DiskEncryptionManager:} Failed to enforce policy on volume 'C:' (0x8007054b)
2023/05/24T10:58:19.358+08:00 <Error> <Hostname> [5692:4336 ] {trapsd:DiskEncryption:DiskEncryptionManager:} Failed to execute on volume 'C:' (0x8007054b), reporting an error
2023/05/24T10:58:19.358+08:00 <Info> <Hostname> [5692:4336 ] {trapsd:DiskEncryptionManager:DiskEncryptionManager:} Disk encryption enforcement status received from low-level: { "volumes": [ { "drive": "C:", "type": "os", "state": "decrypted", "method": "none", "protection": "unprotected", "encryption_mode": "none", "error": { "code": 2147943755, "text": "The specified domain either does not exist or could not be contacted." } } ] }
Resolution
1. Make sure the endpoint meets all the requirements for Cortex XDR/XSIAM Disk Encryption.
2. Check the Cortex XDR agent trapsd.log to verify the disk encryption error. Retrieve Support Logs from the endpoint and extract them. The extracted archive contains a _CRYPTO-INFO file, which holds the encrypted password needed to open the logs (see Retrieve Support File Password).
3. Extract the agent tech support file and check the ..logs_*_encrypted\logs\trapsd.log
4. A tool like Notepad++ can be used to filter the logs. Search for “Disk encryption enforcement status” in trapsd.log.
5. Below are some of the errors reported by Cortex XDR/XSIAM disk encryption and the recommended action for each:
a. The specified domain either does not exist or could not be contacted
- Join the endpoint to the domain
b. Access is denied
c. The parameter is incorrect
- Make sure the GPO enforces the same encryption method as the Cortex XDR/XSIAM Disk Encryption method
d. A compatible Trusted Platform Module (TPM) Security Device cannot be found on this computer
- Make sure TPM is enabled
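As an added example (not part of this article or of the Cortex XDR agent), the following Python script automates steps 2 to 5 above: it pulls the "Disk encryption enforcement status" JSON out of trapsd.log, decodes the 0x8007xxxx HRESULT into its Win32 error number, maps the error text to the recommendations listed in step 5, and collects the protector IDs the agent logged so they can be compared with the output of "manage-bde -protectors -get c:". The sample log is a constructed excerpt built from the entries quoted in the Cause section.

```python
import json
import re

# Constructed sample: the trapsd.log entries quoted in this article, one entry per line.
SAMPLE_TRAPSD_LOG = """\
2023/05/24T10:58:19.299+08:00 <Error> <Hostname> [5692:4336 ] {trapsd:DiskEncryption:DiskEncryptionManager:} Failed to get rootDSE object from AD (0x8007054b)
2023/05/24T10:58:19.299+08:00 <Error> <Hostname> [5692:4336 ] {trapsd:DiskEncryption:DiskEncryptionManager:} Failed to verify active directory connection pre-backup (Protector id {7F9A6465-C240-4D93-BFFB-47329A445630})
2023/05/24T10:58:19.311+08:00 <Error> <Hostname> [5692:4336 ] {trapsd:DiskEncryption:DiskEncryptionManager:} Failed to add key protectors for volume 'C:' (0x8007054b)
2023/05/24T10:58:19.358+08:00 <Info> <Hostname> [5692:4336 ] {trapsd:DiskEncryptionManager:DiskEncryptionManager:} Disk encryption enforcement status received from low-level: { "volumes": [ { "drive": "C:", "type": "os", "state": "decrypted", "method": "none", "protection": "unprotected", "encryption_mode": "none", "error": { "code": 2147943755, "text": "The specified domain either does not exist or could not be contacted." } } ] }
"""

# Error text -> recommended action, as listed in step 5 of the Resolution.
# "Access is denied" is listed there without a recommendation, so it maps to None.
REMEDIATION = {
    "The specified domain either does not exist or could not be contacted": "Join the endpoint to the domain",
    "Access is denied": None,
    "The parameter is incorrect": "Make sure the GPO enforces the same encryption method as the Cortex XDR/XSIAM Disk Encryption method",
    "A compatible Trusted Platform Module (TPM) Security Device cannot be found on this computer": "Make sure TPM is enabled",
}

STATUS_MARKER = "Disk encryption enforcement status received from low-level:"
PROTECTOR_RE = re.compile(r"Protector id \{([0-9A-Fa-f-]+)\}")


def hresult_to_win32(code):
    """HRESULTs with facility 7 (FACILITY_WIN32, 0x8007xxxx) wrap a Win32 error in the low 16 bits."""
    if (code >> 16) & 0x7FF == 7:
        return code & 0xFFFF          # e.g. 0x8007054B -> 1355 (ERROR_NO_SUCH_DOMAIN)
    return None


def protector_ids(log_text):
    """Protector GUIDs the agent mentions; compare them with manage-bde -protectors -get c: output."""
    return PROTECTOR_RE.findall(log_text)


def triage_trapsd_log(log_text):
    """One finding per volume in an enforcement-status entry that carries a non-zero error code."""
    findings = []
    for line in log_text.splitlines():
        if STATUS_MARKER not in line:
            continue
        status = json.loads(line.split(STATUS_MARKER, 1)[1])   # JSON follows the marker
        for vol in status.get("volumes", []):
            err = vol.get("error") or {}
            if not err.get("code"):
                continue
            text = err.get("text", "").rstrip(".")
            findings.append({
                "drive": vol.get("drive"), "state": vol.get("state"),
                "hresult": "0x%08X" % err["code"], "win32": hresult_to_win32(err["code"]),
                "text": text, "remediation": REMEDIATION.get(text),
            })
    return findings
```

Run it against the trapsd.log extracted in step 3 to get the failing drive, the decoded error, and the matching recommendation without searching the file by hand.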
Additional Information
- Cortex XDR : How to configure the Group Policy for the Disk Encryption feature
- How to Verify the Status of Disk Encryption by XDR Agent for Windows