Is it possible to stop computers which aren't Bitlocker encrypted logging in?
Is it possible to somehow (startup script?) stop any unencrypted computers from being able to connect to the domain?
Environment: Windows Active directory, 1000-ish computers, mostly bitlocker encrypted, about 50/50 on win 7 or 10 enterprise.
Solution 1:
AFAIK it's not possible to automatically check this during AD domain join. However, it's possible to enable Bitlocker using GPO as soon as the computer has joined the domain. If every computer has these settings and no other than Domain Computers can access the resources, the outcome will be the same.
First you should have Turn on TPM Backup to AD Domain Services Enabled
from Computer Configuration \ Policies \ Administrative Templates \ System \ Trusted Platform Module Service.
Then, under Computer Configuration \ Policies \ Administrative Templates \ Windows Components \ Bitlocker Drive Encryption you can find all the other related settings:
-
Provide Unique Identifiers for your organization:
Enabled
- \ Fixed Data Drive \
-
Configure use of passwords for fixed data drives:
Enabled
-
Choose how BitLocker-protected fixed drives...:
Enabled
-
Configure use of passwords for fixed data drives:
- \ Operating System Drive \
-
Require additional authentication at startup:
Enabled
; configure as required -
Configure minimum PIN length for startup:
Enabled
-
Choose how BitLocker-protected fixed drives...:
Enabled
-
Require additional authentication at startup:
- \ Removable Data Drives \
-
Control use of BitLocker on removable drives:
Enabled
-
Configure use of passwords for removable data drives:
Enabled
-
Choose how BitLocker-protected fixed drives...:
Enabled
-
Control use of BitLocker on removable drives:
Be sure to fill in the details and modify this example as required in your environment. Enable this GPO for the OU having the computers to be forced to use BitLocker. (And please first test your configuration with a small set of test computers. A small mistake in these settings can cause real pain as all the data will get encrypted.)
Solution 2:
While it's probably not exactly what you're asking for, I believe the official answer to this question is MBAM - Microsoft Bitlocker Administration and Monitoring. MBAM comes with (among other things) a bunch of Group Policy settings, and some of those settings allow you to enforce Bitlocker use on any domain-joined device. But of course this means that the domain-joined device has to join and authenticate to the domain first before downloading Group Policy, at which time the Bitlocker status of the device is unknown... but a startup or logon script would be no different in that regard.