Is it possible to somehow (startup script?) stop any unencrypted computers from being able to connect to the domain?
Environment: Windows Active Directory, 1000-ish computers, mostly BitLocker encrypted, about 50/50 on Win 7 or 10 Enterprise.
Windows 10, Server 2012 R2 domain
I'm confused about the options for recovering a BitLocker encrypted drive offline.
Let's say I'm encrypting the HDDs of domain computers with BitLocker using TPM (not storing the keys on USB/floppy drives) and backing up the keys to AD, and the keys are available to me.
Can I pull an HDD from one of these TPM BitLocker encrypted computers, then attach it to another computer as an external drive (with a USB to SATA cable or whatever), then recover the BitLocker key from AD for that drive and use it to decrypt it and read the data?
Somehow, a user's machine couldn't read the BitLocker password off of the TPM chip, and I had to enter the recovery key (stored in AD) to get in. No big deal, but once in the machine, I tried to suspend BitLocker per the recovery documentation, and got an error message about the TPM not being initialized. I knew the TPM was on and activated in the BIOS, but Windows still made me reinitialize the TPM chip, and in the process it created a new TPM owner password.
I found that odd because it prompted me to save this password or print it (there wasn't an option not to), but it made no reference to a recovery password, nor did it back this password up to AD.
After the user took her laptop and left, I started thinking: if the TPM password changes, does the recovery password change also? If so, that new recovery password will need to be uploaded to AD, but MS' documentation doesn't make that clear, and it doesn't back up the new recovery key (if one exists) to AD automatically when the group policy says it must, and from a network standpoint AD is accessible.
I will soon be purchasing a number of laptops running Windows 7 for our mobile staff. Due to the nature of our business I will need drive encryption. Windows BitLocker seems the obvious choice, but it looks like I need to purchase either Windows 7 Enterprise or Ultimate editions to get it. Can anyone offer suggestions on the best course of action:
a) Use BitLocker, bite the bullet and pay to upgrade to Enterprise/Ultimate
b) Pay for another 3rd party drive encryption product that is cheaper (suggestions appreciated)
c) Use a free drive encryption product such as TrueCrypt
Ideally I am also interested in 'real world' experience from people who are using drive encryption software and any pitfalls to look out for.
Many thanks in advance...
UPDATE
Decided to go with TrueCrypt for the following reasons:
a) The product has a good track record
b) I am not managing a large quantity of laptops, so integration with Active Directory, management consoles, etc. is not a huge benefit
c) Although eks did make a good point about Evil Maid (EM) attacks, our data is not that desirable to consider it a major factor
d) The cost (free) is a big plus but not the primary motivator
The next problem I face is that imaging (Acronis/Ghost/..) encrypted drives will not work unless I perform sector-by-sector imaging. That means an 80 GB encrypted partition creates an 80 GB image file :(
I am running Windows 7 RTM and have both physical drives BitLockered. Because my machine has a TPM it will boot all very nicely when I turn it on. But my employers would prefer if I was challenged for a password at boot time.
I have found this article: http://4sysops.com/archives/review-windows-7-bitlocker/ that tells me which group policy flags to set to get BitLocker to challenge for a PIN at startup.
What I can't find is how to set this PIN, given the system is already encrypted?
I have also come across http://technet.microsoft.com/en-us/library/dd875532%28WS.10%29.aspx and am curious to know which of these recommendations it is safe to apply to an already encrypted system?