7

Is it possible to somehow (startup script?) stop any unencrypted computers from being able to connect to the domain?

Environment: Windows Active Directory, 1000-ish computers, mostly BitLocker encrypted, about 50/50 on Windows 7 or 10 Enterprise.

  • Prevent the computer from logging on or prevent users from logging on to the computers? – Greg Askew Sep 11 '17 at 12:41
  • Either really, probably best at computer level. – Digital Lightcraft Sep 11 '17 at 12:42
  • There isn't, in general, a solution to the problem "is this untrusted hardware running this trusted software?", which is what it sounds like you're asking for. If it *were* possible, it would revolutionize several fields; e.g. Internet voting would be trivial and computer games would no longer have cheaters. – Daniel Wagner Sep 11 '17 at 16:53
  • @DanielWagner In practical IT security you often aren't looking for a 100% malicious-user-proof way of doing something, just one that will stop a "regular person". So if there was a way to do this, and a user had to modify Windows to bypass it, that is much much better than nothing. – user253751 Sep 12 '17 at 05:43

3 Answers

9

AFAIK it's not possible to automatically check this during AD domain join. However, it's possible to enable BitLocker using GPO as soon as the computer has joined the domain. If every computer has these settings and nothing other than Domain Computers can access the resources, the outcome will be the same.

First you should have Turn on TPM Backup to AD Domain Services Enabled from Computer Configuration \ Policies \ Administrative Templates \ System \ Trusted Platform Module Service.

Then, under Computer Configuration \ Policies \ Administrative Templates \ Windows Components \ Bitlocker Drive Encryption you can find all the other related settings:

  • Provide Unique Identifiers for your organization: Enabled
  • \ Fixed Data Drive \
    • Configure use of passwords for fixed data drives: Enabled
    • Choose how BitLocker-protected fixed drives...: Enabled
  • \ Operating System Drive \
    • Require additional authentication at startup: Enabled; configure as required
    • Configure minimum PIN length for startup: Enabled
    • Choose how BitLocker-protected fixed drives...: Enabled
  • \ Removable Data Drives \
    • Control use of BitLocker on removable drives: Enabled
    • Configure use of passwords for removable data drives: Enabled
    • Choose how BitLocker-protected fixed drives...: Enabled

Be sure to fill in the details and modify this example as required in your environment. Enable this GPO for the OU having the computers to be forced to use BitLocker. (And please first test your configuration with a small set of test computers. A small mistake in these settings can cause real pain as all the data will get encrypted.)

Esa Jokinen
  • TPM backup should not be used. In fact, it is no longer a valid policy beginning with Windows 10 1607/Windows Server 2016. This is because it most likely could never be used when needed, but could be used in an offline attack to retrieve the startup key. More information: https://blogs.technet.microsoft.com/dubaisec/2017/02/28/tpm-owner-password/ – Greg Askew Sep 11 '17 at 14:16
  • Seems like the OP could do this for all members in the domain, i.e. the `Domain Users` group, then have a secondary group, e.g. `Compliant Domain Users`, that users can then join once their GP is updated such that they have prereqs like BitLocker established. Would a scheme like that be viable? – Nat Sep 12 '17 at 05:19
  • IIRC this is kind of what Measured Boot is aiming for but I'm not sure it's available at log-on. – Ginnungagap Sep 12 '17 at 06:20
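A server-side way to implement the "compliant group" idea raised in the comments, as an added example that is not part of the answer or the comments: once the "Choose how BitLocker-protected ... drives can be recovered" policy above is set to back recovery information up to AD DS, each backed-up recovery password becomes an msFVE-RecoveryInformation object directly under the computer account, and a scheduled script on a management host can keep a group in sync with that. The group name, the OU path and the presence of the RSAT ActiveDirectory module are assumptions; the group must already exist.

```powershell
# Added example: maintain a "BitLocker-Compliant Computers" group from the
# msFVE-RecoveryInformation objects that AD DS recovery backup creates.
# Assumed names: the group and the OU below are placeholders for your environment.
Import-Module ActiveDirectory

$GroupName  = 'BitLocker-Compliant Computers'        # assumed, must exist already
$SearchBase = 'OU=Workstations,DC=example,DC=com'     # assumed placeholder OU

function Test-HasRecoveryInfo {
    param([Microsoft.ActiveDirectory.Management.ADComputer]$Computer)
    # Recovery passwords are stored as child objects of the computer account,
    # so a one-level search under its DN is enough. This is the recovery
    # password object, not the ms-TPM-OwnerInformation attribute discussed above.
    $keys = Get-ADObject -SearchBase $Computer.DistinguishedName -SearchScope OneLevel `
        -Filter 'objectClass -eq "msFVE-RecoveryInformation"' -ErrorAction SilentlyContinue
    return ($null -ne $keys)
}

# Current members, compared by DN so renamed accounts are still matched.
$members = Get-ADGroupMember -Identity $GroupName |
    Select-Object -ExpandProperty DistinguishedName

# Workstations only; servers are handled separately, as in the startup-script answer.
$computers = Get-ADComputer -Filter 'OperatingSystem -notlike "*Server*"' `
    -SearchBase $SearchBase -Properties OperatingSystem

foreach ($c in $computers) {
    $compliant = Test-HasRecoveryInfo -Computer $c
    $isMember  = $members -contains $c.DistinguishedName

    if ($compliant -and -not $isMember) {
        Add-ADGroupMember -Identity $GroupName -Members $c
        Write-Output "ADD    $($c.Name)"
    }
    elseif (-not $compliant -and $isMember) {
        # Drop computers whose recovery object disappeared (e.g. account re-created).
        Remove-ADGroupMember -Identity $GroupName -Members $c -Confirm:$false
        Write-Output "REMOVE $($c.Name)"
    }
}
```

Resource ACLs can then be scoped to that group instead of Domain Computers. The caveat is that a recovery object proves a key was backed up at some point, not that protection is on right now: a drive that was decrypted afterwards leaves the old object behind, so pair this with a client-side check of the live status (manage-bde, or MBAM as the next answer suggests) rather than treating the group as proof of encryption.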
6

While it's probably not exactly what you're asking for, I believe the official answer to this question is MBAM - Microsoft Bitlocker Administration and Monitoring. MBAM comes with (among other things) a bunch of Group Policy settings, and some of those settings allow you to enforce Bitlocker use on any domain-joined device. But of course this means that the domain-joined device has to join and authenticate to the domain first before downloading Group Policy, at which time the Bitlocker status of the device is unknown... but a startup or logon script would be no different in that regard.

Ryan Ries
4

There aren't many good options. Anything that runs in the context of the user logon most likely would not have permissions to check BitLocker status. A computer startup script such as below may be of some use:

REM Exclude domain controllers (Win32_OperatingSystem ProductType: 1 = workstation, 2 = domain controller, 3 = member server).
REM This command may be repeated to check for "3" to exclude member servers.
wmic os get producttype | FIND /I "2"
IF %ERRORLEVEL%==0 GOTO :EOF
REM manage-bde -status lists every volume, so FIND succeeds if any volume reports "Protection On".
REM Use manage-bde -status %SystemDrive% to check only the OS drive.
manage-bde -status | FIND /I "Protection On"
IF %ERRORLEVEL%==0 GOTO :EOF
REM Not protected: schedule a forced shutdown with a 120-second grace period.
SHUTDOWN /S /F /T 120 /C "Shutting down due to computer does not have BitLocker protection enabled."

The amount of time could be adjusted, and after logging on, it is possible for an administrator to cancel with the shutdown /a command.

If you prefer to not shut down, you could use the SETX command to set a system environment variable in a computer startup script that could be checked during user logon:

REM Default to "protected"; overwritten below if the check fails. /M writes the system (machine) variable.
SETX BDE 1 /M
REM Exclude domain controllers (ProductType 2).
wmic os get producttype | FIND /I "2"
IF %ERRORLEVEL%==0 GOTO :EOF
manage-bde -status | FIND /I "Protection On"
IF %ERRORLEVEL%==0 GOTO :EOF
REM Not protected: flag it for the logon script. SETX does not change the current process, but a later logon session sees the new value.
SETX BDE 0 /M

And the user logon script:

REM Quote both sides so the IF still parses when BDE has not been set yet; the unquoted form is a syntax error in that case.
IF "%BDE%"=="0" logoff.exe

Greg Askew
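The same startup-script approach in PowerShell, as an added example that is not the answer's own script: it scopes the check to the OS drive, reads the status through the BitLocker module where it exists and falls back to parsing manage-bde on Windows 7 (which has no BitLocker module), and then both publishes the result for the logon script and schedules the shutdown. The variable name BDE and the 120-second grace period are taken from the answer; the log file path is an assumption.

```powershell
# Added example: BitLocker compliance check for a computer startup script.
# Assumptions: runs as SYSTEM at startup; manage-bde output is in English
# (the batch version above has the same dependency); the log path is a placeholder.
$LogPath = "$env:ProgramData\bitlocker-startup-check.log"   # assumed location

function Get-OsProductType {
    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = member server
    return [int](Get-CimInstance -ClassName Win32_OperatingSystem).ProductType
}

function Test-OsDriveProtected {
    # $true only when the OS volume is fully encrypted AND its protectors are active.
    # A fully encrypted volume with protectors suspended reports "Protection Off"
    # and is deliberately treated as non-compliant.
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
        return ($vol.ProtectionStatus -eq 'On' -and $vol.VolumeStatus -eq 'FullyEncrypted')
    }
    # Windows 7: no BitLocker module, so parse manage-bde for the OS drive only.
    $status = & manage-bde.exe -status $env:SystemDrive 2>&1
    return [bool]($status | Select-String -Pattern 'Protection Status:\s+Protection On' -Quiet)
}

# Skip domain controllers and member servers, as the batch script does for type 2.
if ((Get-OsProductType) -ne 1) { return }

try {
    $protected = Test-OsDriveProtected
}
catch {
    # Unknown state (cmdlet or manage-bde failed): do not assume compliance.
    Add-Content -Path $LogPath -Value "$(Get-Date -Format s) check failed: $_"
    $protected = $false
}

# Machine-wide variable for the logon script, equivalent to SETX BDE <value> /M.
$flag = if ($protected) { '1' } else { '0' }
[Environment]::SetEnvironmentVariable('BDE', $flag, 'Machine')
Add-Content -Path $LogPath -Value "$(Get-Date -Format s) $env:SystemDrive protected=$protected"

if (-not $protected) {
    # Same action as the answer's SHUTDOWN line; an administrator can still cancel
    # within the grace period with 'shutdown /a'.
    Start-Process -FilePath shutdown.exe -NoNewWindow `
        -ArgumentList '/s /f /t 120 /c "BitLocker protection is not enabled on the OS drive."'
}
```

The fallback matters in this environment: without it, every Windows 7 machine would fail the Get-BitLockerVolume call and be shut down regardless of its real status. As with the batch version, a user with local administrator rights can stop the script from running or clear the variable, so this raises the bar for ordinary users rather than proving the disk is encrypted.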