Just wondering how many people are doing preboot authentication, or setting systems up to autologon past preboot? We use preboot authentication, but I have heard of many people doing the other. I can see how using autologon preboot authentication would eliminate a lot of procedural steps in setting up IDs, passwords, etc. Just wanting to hear some other Encryption Administrators' opinions on this.
We use pre-boot authentication, especially since without it you are always loading the encryption keys. It is kind of like writing the combination on the outside of the safe, or using motion sensors to open the vault for any passer-by, which is a bad idea for any security system.
We sync our user list from LDAP (or you can use Active Directory), use a custom script similar to the AutoDomain template they provide, and provide a mechanism for adding additional users on a machine later if necessary.
I'm very serious when I suggest that you not have machines always auto-login past pre-boot. It would put you in a poor defensive position if you ever had to explain your encryption process in court. It also removes accountability, in that anyone with physical access can boot the OS. Once the machine is stolen, you have lost the physical control aspect.
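The directory-driven user sync described in the reply above, as an added example rather than the poster's AutoDomain-style script: the group membership is constructed LDIF, the machine's pre-boot user list is modelled as a plain set of account names, and a per-machine exception list is the assumed "add users later" mechanism, so a sync never silently strips locally added users while still removing people who left the group.

```python
"""Reconcile a machine's pre-boot user list with an LDAP/AD group.

Added illustration, not the poster's script. Directory members plus the
machine's own exception list form the desired set; anyone else currently
enrolled loses pre-boot access on the next sync.
"""
import re

# Constructed LDIF for the directory group that grants pre-boot access.
GROUP_LDIF = """\
dn: cn=preboot-laptops,ou=groups,dc=example,dc=com
cn: preboot-laptops
member: uid=alice,ou=people,dc=example,dc=com
member: uid=bob,ou=people,dc=example,dc=com
member: uid=carol,ou=people,dc=example,dc=com
"""

# First RDN of each member DN (uid= for LDAP, cn= for typical AD exports).
RDN_RE = re.compile(r"^member:\s*(?:uid|cn)=([^,]+),", re.IGNORECASE)


def members_from_ldif(ldif: str) -> set[str]:
    """Extract account names from the 'member' attributes of one group entry."""
    names = set()
    for line in ldif.splitlines():
        m = RDN_RE.match(line)
        if m:
            names.add(m.group(1).strip().lower())
    return names


def reconcile(current: set[str], directory: set[str], local_extra: set[str]):
    """Return (to_add, to_remove, desired) for one machine's pre-boot list.

    local_extra is the machine-specific exception list: users added by hand
    after enrollment that must survive every directory sync.
    """
    desired = directory | local_extra
    to_add = sorted(desired - current)
    to_remove = sorted(current - desired)
    return to_add, to_remove, desired


if __name__ == "__main__":
    # Constructed laptop state: 'dave' left the group, 'fieldtech' was added locally.
    current = {"alice", "bob", "dave", "fieldtech"}
    add, remove, _ = reconcile(current, members_from_ldif(GROUP_LDIF), {"fieldtech"})
    print("add:", add, "remove:", remove)  # add: ['carol'] remove: ['dave']
```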