Is it possible to stop computers that aren't BitLocker encrypted from logging in?

Is it possible to somehow (startup script?) stop any unencrypted computers from being able to connect to the domain?

Environment: Windows Active Directory, 1000-ish computers, mostly BitLocker encrypted, about 50/50 on Windows 7 or 10 Enterprise.


Solution 1:

AFAIK it's not possible to automatically check this during AD domain join. However, it's possible to enable BitLocker using GPO as soon as the computer has joined the domain. If every computer has these settings and only Domain Computers can access the resources, the outcome will be the same.

First you should have "Turn on TPM Backup to AD Domain Services" set to Enabled under Computer Configuration \ Policies \ Administrative Templates \ System \ Trusted Platform Module Service.

Then, under Computer Configuration \ Policies \ Administrative Templates \ Windows Components \ BitLocker Drive Encryption you can find all the other related settings:

  • Provide Unique Identifiers for your organization: Enabled
  • \ Fixed Data Drive \
    • Configure use of passwords for fixed data drives: Enabled
    • Choose how BitLocker-protected fixed drives...: Enabled
  • \ Operating System Drive \
    • Require additional authentication at startup: Enabled; configure as required
    • Configure minimum PIN length for startup: Enabled
    • Choose how BitLocker-protected fixed drives...: Enabled
  • \ Removable Data Drives \
    • Control use of BitLocker on removable drives: Enabled
    • Configure use of passwords for removable data drives: Enabled
    • Choose how BitLocker-protected fixed drives...: Enabled

Be sure to fill in the details and modify this example as required in your environment. Link this GPO to the OU containing the computers that must use BitLocker. (And please test your configuration first with a small set of test computers. A small mistake in these settings can cause real pain, as all the data will get encrypted.)

Solution 2:

While it's probably not exactly what you're asking for, I believe the official answer to this question is MBAM (Microsoft BitLocker Administration and Monitoring). MBAM comes with (among other things) a bunch of Group Policy settings, and some of those settings allow you to enforce BitLocker use on any domain-joined device. But of course this means that the domain-joined device has to join and authenticate to the domain first before downloading Group Policy, at which time the BitLocker status of the device is unknown... but a startup or logon script would be no different in that regard.
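Both answers note that a startup script cannot block the machine before it authenticates, but it can still report which machines are unencrypted so they can be chased down. The following GPO startup script is an added example written for this thread, not code from either answer; it reads the OS drive's BitLocker state through the Win32_EncryptableVolume WMI class (present on both Windows 7 and 10, unlike the BitLocker PowerShell module) and records the result locally and on an assumed central share (the share path and event source name are placeholders).

```powershell
# Runs as SYSTEM from a GPO computer startup script.
$ns      = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
$osDrive = $env:SystemDrive   # e.g. "C:"

$vol = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume -ErrorAction SilentlyContinue |
       Where-Object { $_.DriveLetter -eq $osDrive }

if ($null -eq $vol) {
    # BitLocker feature absent or the WMI provider is unavailable: treat as non-compliant.
    $state = 'NoBitLockerVolume'
} else {
    # ProtectionStatus: 0 = off, 1 = on, 2 = unknown
    $prot = $vol.GetProtectionStatus().ProtectionStatus
    # ConversionStatus: 0 = fully decrypted, 1 = fully encrypted,
    #                   2 = encryption in progress, 3 = decryption in progress
    $conv = $vol.GetConversionStatus().ConversionStatus
    if     ($prot -eq 1 -and $conv -eq 1) { $state = 'Compliant' }
    elseif ($conv -eq 2)                  { $state = 'EncryptionInProgress' }
    else                                  { $state = 'NonCompliant' }
}

$record = '{0},{1},{2}' -f (Get-Date -Format s), $env:COMPUTERNAME, $state

# Write an Application event so a SIEM agent or Windows Event Forwarding can collect it.
# The event source is a placeholder name and is registered on first run.
$source = 'BitLockerCompliance'
if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
    New-EventLog -LogName Application -Source $source
}
$type = if ($state -eq 'Compliant') { 'Information' } else { 'Warning' }
Write-EventLog -LogName Application -Source $source -EventId 4001 -EntryType $type -Message $record

# Also append to a central CSV on a file share (placeholder path). Because the script
# runs as the machine account, the share must grant Domain Computers write access.
$share = '\\FILESERVER\BitLockerReports$\status.csv'
try { Add-Content -Path $share -Value $record -ErrorAction Stop } catch { }
```

Filtering the CSV or the forwarded events for anything other than Compliant gives the list of machines that the GPO in Solution 1 has not yet encrypted.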