Is it possible to somehow (startup script?) stop any unencrypted computers from being able to connect to the domain?
Environment:
Windows Active directory, 1000-ish computers, mostly bitlocker encrypted, about 50/50 on win 7 or 10 enterprise.
bitlocker, login-script
Best Answer
AFAIK it's not possible to automatically check this during AD domain join. However, it's possible to enable BitLocker using GPO as soon as the computer has joined the domain. If every computer has these settings and nothing other than Domain Computers can access the resources, the outcome will be the same.
First you should have Turn on TPM Backup to AD Domain Services set to Enabled, from Computer Configuration \ Policies \ Administrative Templates \ System \ Trusted Platform Module Service. Then, under Computer Configuration \ Policies \ Administrative Templates \ Windows Components \ BitLocker Drive Encryption you can find all the other related settings:
Enabled
Enabled
Enabled
Enabled; configure as required
Enabled
Enabled
Enabled
Enabled
Enabled
Be sure to fill in the details and modify this example as required in your environment. Enable this GPO for the OU having the computers to be forced to use BitLocker. (And please first test your configuration with a small set of test computers. A small mistake in these settings can cause real pain as all the data will get encrypted.)
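The answer above covers enforcement through GPO; the question also asked about a startup script. The following is an added example, not part of the original question or answer: a computer startup script (deployable via Computer Configuration \ Policies \ Windows Settings \ Scripts (Startup/Shutdown)) that checks whether the OS volume is actually BitLocker-protected and records the result in the Application event log. It uses the Win32_EncryptableVolume WMI class rather than Get-BitLockerVolume so the same script runs on both Windows 7 and Windows 10 (the BitLocker PowerShell module does not exist on Windows 7). The event source name and event IDs are arbitrary choices for this example.

```powershell
# Added example (not from the original answer). Run as a GPO computer startup
# script, which executes as SYSTEM before any user logs on.
# Assumed values: the event source name and event IDs 1000/1001 are arbitrary.

$source  = 'BitLockerStartupCheck'   # assumed event source name for this example
$osDrive = $env:SystemDrive          # normally "C:"

# Register the event source once so Write-EventLog can use it.
if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
    New-EventLog -LogName Application -Source $source
}

function Get-OsVolumeBitLockerState {
    param([string]$Drive)

    # The BitLocker WMI provider lives in this namespace. On editions without
    # BitLocker the class is absent, so a missing object is treated as "not protected".
    $vol = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
                         -Class Win32_EncryptableVolume `
                         -Filter "DriveLetter = '$Drive'" -ErrorAction SilentlyContinue
    if ($vol -eq $null) {
        return @{ Protected = $false; Detail = 'BitLocker WMI provider not available' }
    }

    # GetProtectionStatus: ProtectionStatus 0 = off, 1 = on, 2 = unknown
    $prot = $vol.GetProtectionStatus()
    # GetConversionStatus: ConversionStatus 0 = fully decrypted, 1 = fully encrypted,
    # 2 = encryption in progress, 3 = decryption in progress, 4/5 = paused
    $conv = $vol.GetConversionStatus()

    # Only count the volume as protected when protectors are active AND the
    # conversion has finished; a half-encrypted disk is not a protected disk.
    $protected = ($prot.ProtectionStatus -eq 1) -and ($conv.ConversionStatus -eq 1)
    $detail = "ProtectionStatus=$($prot.ProtectionStatus) ConversionStatus=$($conv.ConversionStatus) EncryptionPercentage=$($conv.EncryptionPercentage)"
    return @{ Protected = $protected; Detail = $detail }
}

$state = Get-OsVolumeBitLockerState -Drive $osDrive

if ($state.Protected) {
    Write-EventLog -LogName Application -Source $source -EventId 1000 -EntryType Information `
        -Message "BitLocker check passed for $osDrive on $env:COMPUTERNAME. $($state.Detail)"
    exit 0
}
else {
    Write-EventLog -LogName Application -Source $source -EventId 1001 -EntryType Warning `
        -Message "BitLocker check FAILED for $osDrive on $env:COMPUTERNAME. $($state.Detail)"
    exit 1
}
```

This is a reporting control, not an access control: as the answer says, nothing here stops an unencrypted machine from authenticating to the domain. What it gives you is a consistent Warning event (ID 1001 in this example) on every unencrypted computer at boot, which can be collected with Windows Event Forwarding or a SIEM and used to find the machines the GPO has not yet caught, or to move them into a restricted OU by hand. Test it on a few machines first, as with the GPO itself.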