Home / server / Questions / 873019
In Process
Digital Lightcraft
Asked: 2017-09-12 03:17:15 +0800 CST

Is it possible to stop computers which aren't Bitlocker encrypted logging in?

  • 772

Is it possible to somehow (startup script?) stop any unencrypted computers from being able to connect to the domain?

Environment: Windows Active directory, 1000-ish computers, mostly bitlocker encrypted, about 50/50 on win 7 or 10 enterprise.

bitlocker

3 Answers

  1. AFAIK it's not possible to automatically check this during AD domain join. However, it's possible to enable Bitlocker using GPO as soon as the computer has joined the domain. If every computer has these settings and no other than Domain Computers can access the resources, the outcome will be the same.

    First you should have Turn on TPM Backup to AD Domain Services Enabled from Computer Configuration \ Policies \ Administrative Templates \ System \ Trusted Platform Module Service.

    Then, under Computer Configuration \ Policies \ Administrative Templates \ Windows Components \ Bitlocker Drive Encryption you can find all the other related settings:

    • Provide Unique Identifiers for your organization: Enabled
    • \ Fixed Data Drive \
      • Configure use of passwords for fixed data drives: Enabled
      • Choose how BitLocker-protected fixed drives...: Enabled
    • \ Operating System Drive \
      • Require additional authentication at startup: Enabled; configure as required
      • Configure minimum PIN length for startup: Enabled
      • Choose how BitLocker-protected fixed drives...: Enabled
    • \ Removable Data Drives \
      • Control use of BitLocker on removable drives: Enabled
      • Configure use of passwords for removable data drives: Enabled
      • Choose how BitLocker-protected fixed drives...: Enabled

    Be sure to fill in the details and modify this example as required in your environment. Enable this GPO for the OU having the computers to be forced to use BitLocker. (And please first test your configuration with a small set of test computers. A small mistake in these settings can cause real pain as all the data will get encrypted.)

    • 9

  2. While it's probably not exactly what you're asking for, I believe the official answer to this question is MBAM - Microsoft Bitlocker Administration and Monitoring. MBAM comes with (among other things) a bunch of Group Policy settings, and some of those settings allow you to enforce Bitlocker use on any domain-joined device. But of course this means that the domain-joined device has to join and authenticate to the domain first before downloading Group Policy, at which time the Bitlocker status of the device is unknown... but a startup or logon script would be no different in that regard.

    • 6

  3. There aren't many good options. Anything that runs in the context of the user logon most likely would not have permissions to check BitLocker status. A computer startup script such as below may be of some use: 

    REM Exclude domain controllers. This command may be repeated to check for "3" to exclude member servers.
wmic os get producttype | FIND /I "2"
IF %ERRORLEVEL%==0 GOTO :EOF
manage-bde -status | FIND /I "Protection On"
IF %ERRORLEVEL%==0 GOTO :EOF
REM Not protected
SHUTDOWN /S /F /T 120 /C "Shutting down due to computer does not have BitLocker protection enabled."

    The amount of time could be adjusted, and after logging on, it is possible for an administrator to cancel with the shutdown /a command.

    If you prefer to not shut down, you could use the SETX command to set a system environment variable in a computer startup script that could be checked during user logon: 

    SETX BDE 1 /M
wmic os get producttype | FIND /I "2"
IF %ERRORLEVEL%==0 GOTO :EOF
manage-bde -status | FIND /I "Protection On"
IF %ERRORLEVEL%==0 GOTO :EOF
REM Not protected
SETX BDE 0 /M

    And the user logon script:

    IF %BDE%==0 logoff.exe
    • 4