Setting up BitLocker on laptops without a TPM and saving the password in Active Directory

I have laptops with Windows 7 Enterprise installed, and these laptops don't have TPM modules. Our management is concerned about the security of the data on the laptops if they are stolen or lost and has asked me to encrypt the laptop drives.

Is it possible to set up BitLocker on Windows 7 Enterprise laptops without using a TPM? I would like to set a password for the encryption.
Whenever the laptop boots, I would like the laptop to prompt for the password, and when the user keys in the password, it must get into Windows.

Also, I would like to save the password (keys) to Active Directory. In case the user forgets the password, we must be able to recover it for them.

Please can a step-by-step tutorial be posted? Thanks in advance.

Cliff Galiher commented:
No.  To explain that answer, since you asked, apparently we need to look at what bitlocker is and what it does.

Bitlocker's sole purpose is to prevent someone from putting a hard drive into another machine and reading the data.  That's it.  

To accomplish that, data has to be encrypted.  But computers (no computer, anywhere) can boot from an encrypted drive.  So windows creates a *small* boot partition that is unencrypted.  This is true *EVEN WITH A TPM!*  That boot partition is responsible for retrieving the decryption key, loading it into memory, and loading the OS from the encrypted partition using that key.  You can encrypt data drives as well, but the basic premise is the same...the decryption key is stored somewhere, used to decrypt data so the OS can access it...etc.

There are only a few reasonable places to store a decryption key.

1) Store it in a TPM.  This is protected space, and if someone pulls the hard drive, they can't get to the decryption key.  TPM specs basically protect against tampering as well, making this *very* difficult to get to.  The UNENCRYPTED boot partition uses legitimate methods to get the decryption key from the TPM so this can be transparent...or can optionally be protected with a PIN or similar.  Recovery keys *can* be stored in AD so that if a motherboard fails, the drive can be pulled and manually decrypted.

2) Store it on a USB key.  Same basic idea as above.  If someone pulls a hard drive, they don't have the decryption key.  That's on a USB stick that hopefully the user keeps on them.  Data can't be decrypted by a bad actor.  A recovery key can be stored in AD to manually decrypt the drive.

3) Store the decryption key on the unencrypted boot partition itself.  If someone pulls the hard drive, they have access to the decryption key (remember the boot partition *MUST* be unencrypted for any computer to boot from it.)  That basically negates the purpose of bitlocker in the first place, so storing a decryption key here would be pointless...thus is not an option.

That's really it.  Bitlockering a drive without using a USB key or a TPM would make bitlocker itself rather useless since the encrypted data could be decrypted by anybody anyways...making it a senseless performance hit.
"I would like the save the password (Keys) to Active Directory"

Can you clarify this statement?  You mean a way to reset password just as we do with AD account?
Cliff Galiher commented:
Bitlocker on windows 7 without a TPM requires the use of a USB key to store startup keys.  If the keys were stored on the hard drive itself, that'd utterly defeat the purpose of bitlocker.

lianne143 (Author) commented:
I mean once BitLocker is set up on the laptop, the recovery keys are saved in AD.

We have 60 laptops that need to be encrypted. It will be difficult to set up USB sticks for each laptop, and staff would have to carry the USB with their laptops; if they misplace the USB or lose the laptop bag (with laptop and USB), the data can fall into the wrong hands.

Is there any other way we can set this up with Windows 7 without the startup keys on USB?
Not sure if this helps, but you can have a discussion about not using BitLocker and maybe using a program like VeraCrypt, which works quite well. You won't need to use a USB key. When the machine boots it will ask for a password.
Lianne, you asked the same some days ago and you selected my comments as answers.

You can use a password. First, you set the policy that allows BitLocker without TPM, as you already did (indicated in your previous question).
Then you set up the policy I linked in my last comment, which will back up keys to AD.
Then you open an elevated command prompt and run

manage-bde -on c: -rp -pw -s

That's it.
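
One way to do the AD-escrow part of the procedure above, as an added example that is not code from this thread: a PowerShell script that finds the recovery (numerical) password protector that `-rp` creates and pushes it to the computer's Active Directory object with manage-bde's `-adbackup` switch, then shows the volume status. It assumes a domain-joined laptop, the AD backup policy McKnife refers to, and an elevated PowerShell session; the function name is made up for the example.

```powershell
# Added example, not from the thread. Escrow the BitLocker recovery password
# of a volume to the computer object in Active Directory and confirm status.
# Assumes: domain-joined machine, "Store BitLocker recovery information in
# Active Directory Domain Services" policy applied, elevated session.
param([string]$Volume = "C:")

# Hypothetical helper name; wraps manage-bde because Windows 7 has no
# Backup-BitLockerKeyProtector cmdlet.
function Get-RecoveryProtectorIds {
    param([string]$Volume)
    # List only recovery-password protectors, not the boot password/startup key.
    $lines = & manage-bde -protectors -get $Volume -type RecoveryPassword
    $ids = @()
    foreach ($line in $lines) {
        # Protector IDs print as "ID: {GUID}"; capture the braced GUID.
        if ($line -match 'ID:\s*(\{[0-9A-Fa-f-]+\})') { $ids += $Matches[1] }
    }
    return $ids
}

# @() guards against PowerShell 2.0 unrolling an empty result to $null.
$ids = @(Get-RecoveryProtectorIds -Volume $Volume)
if ($ids.Count -eq 0) {
    Write-Error "No recovery password protector on $Volume; add one first with: manage-bde -protectors -add $Volume -rp"
    exit 1
}

foreach ($id in $ids) {
    # -adbackup writes the recovery password to an msFVE-RecoveryInformation
    # object under the computer account; it fails if policy or domain link is missing.
    & manage-bde -protectors -adbackup $Volume -id $id
    if ($LASTEXITCODE -ne 0) {
        Write-Error "AD backup of protector $id failed (exit code $LASTEXITCODE)"
        exit $LASTEXITCODE
    }
    Write-Output "Backed up recovery protector $id for $Volume to Active Directory"
}

# Confirm the volume reports Protection On rather than still encrypting.
& manage-bde -status $Volume
```

After it runs, the recovery password can be read from the computer object with the BitLocker Recovery Password Viewer in Active Directory Users and Computers, which is what lets the help desk recover a laptop whose user has forgotten the boot password.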
Lianne, could you explain what you concluded after reading these suggestions? I would be glad to hear, because they could be seen as contradictory and all were answers to you.
lianne143 (Author) commented:
Hi McKnife

Our laptops are Windows 7 Enterprise without TPM. I understand that with the current configuration of our laptops, if I set up BitLocker on them, I need to issue USB sticks with the password on them to all the staff to boot up the laptops.
We are going to disable USB sticks on the laptops on our network.
In case we don't disable USB and give out a USB stick (with the password) to boot the laptop, we can't expect every staff member to carry the USB stick at all times, and also if they lose the stick with the laptop bag, the data is stolen?

I installed VeraCrypt on a laptop; it encrypts the hard drive and also asks to create a recovery CD during the setup, and the instructions say to keep the CD safe in case any data needs to be recovered from the laptop hard disk. So I am planning to create the recovery disc for all the laptops and keep the discs in a safe location.

Now, after installing VeraCrypt on the laptop, when the laptop boots it asks for a password on the DOS screen. Once this is keyed in, the laptop boots to Windows and stays at the Ctrl+Alt+Del screen for the domain user credentials.
Why would you need VeraCrypt? You were shown how to use a password with BitLocker on Windows 7, without needing anything else.
I had a feeling that you still had not understood that, and you confirmed that.