Setting up BitLocker on laptops without TPM and saving the password in Active Directory

I have laptops with Windows 7 Enterprise installed, and they don't have TPM modules. Our management is concerned about the security of the data on the laptops if they are stolen or lost and has asked me to encrypt the laptop drives.

Is it possible to set up BitLocker on Windows 7 Enterprise laptops without using TPM? I would like to set a password for the encryption.
Whenever the laptop boots, I would like the laptop to prompt for the password, and when the user keys in the password, it must get into Windows.

Also, I would like to save the password (keys) to Active Directory. In case the user forgets the password, we must be able to recover it for them.

Please can a step-by-step tutorial be posted? Thanks in advance.

"I would like the save the password (Keys) to Active Directory"

Can you clarify this statement? Do you mean a way to reset the password, just as we do with an AD account?
Cliff Galiher commented:
BitLocker on Windows 7 without a TPM requires the use of a USB key to store startup keys. If the keys were stored on the hard drive itself, that'd utterly defeat the purpose of BitLocker.
lianne143 (Author) commented:
I mean once BitLocker is set up on the laptop, the recovery keys are saved in AD.

We have 60 laptops that need to be encrypted. It will be difficult to set up USB sticks for each laptop, and staff would have to carry the USB with their laptops; if they misplace the USB or lose the laptop bag (with laptop and USB), the data can fall into the wrong hands.

Is there any other way we can set this up with Windows 7 without the startup keys on USB?

Cliff Galiher commented:
No. To explain that answer, since you asked, apparently we need to look at what BitLocker is and what it does.

BitLocker's sole purpose is to prevent someone from putting a hard drive into another machine and reading the data. That's it.

To accomplish that, data has to be encrypted. But computers can't boot from an encrypted drive (no computer, anywhere, can). So Windows creates a *small* boot partition that is unencrypted. This is true *EVEN WITH A TPM!* That boot partition is responsible for retrieving the decryption key, loading it into memory, and loading the OS from the encrypted partition using that key. You can encrypt data drives as well, but the basic premise is the same...the decryption key is stored somewhere, used to decrypt data so the OS can access it...etc.

There are only a few reasonable places to store a decryption key.

1) Store it in a TPM. This is protected space, and if someone pulls the hard drive, they can't get to the decryption key. TPM specs basically protect against tampering as well, making this *very* difficult to get to. The UNENCRYPTED boot partition uses legitimate methods to get the decryption key from the TPM, so this can be transparent...or can optionally be protected with a PIN or similar. Recovery keys *can* be stored in AD so that if a motherboard fails, the drive can be pulled and manually decrypted.

2) Store it on a USB key. Same basic idea as above. If someone pulls a hard drive, they don't have the decryption key. That's on a USB stick that hopefully the user keeps on them. Data can't be decrypted by a bad actor. A recovery key can be stored in AD to manually decrypt the drive.

3) Store the decryption key on the unencrypted boot partition itself. If someone pulls the hard drive, they have access to the decryption key (remember the boot partition *MUST* be unencrypted for any computer to boot from it). That basically negates the purpose of BitLocker in the first place, so storing a decryption key here would be pointless...thus it is not an option.

That's really it. BitLockering a drive without using a USB key or a TPM would make BitLocker itself rather useless, since the encrypted data could be decrypted by anybody anyway...making it a senseless performance hit.

Not sure if this helps, but you can have a discussion about not using BitLocker and maybe using a program like VeraCrypt, which works quite well. You won't need to use a USB key. When the machine boots it will ask for a password.

Lianne, you asked the same thing some days ago, and you selected my comments as answers.

You can use a password. First, you set the policy that allows BitLocker without TPM, as you already did (indicated in your previous question).
Then you set up the policy I linked in my last comment, which will back up the keys to AD.
Then you open an elevated command prompt and run
manage-bde -on c: -rp -pw -s


That's it.
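The procedure above (allow BitLocker without a TPM, point recovery information at AD DS, then turn BitLocker on from an elevated prompt) leaves the AD escrow to the policy. The script below is an added example, not McKnife's command or anything from the thread: it wraps the same manage-bde.exe tool, adds the recovery password protector explicitly, pushes that protector to AD with -adbackup so the step fails loudly if the computer object cannot be written, adds the boot-time protector, and only then starts encryption. The drive letters `$OsDrive` and `$StartupKeyDrive`, the use of a USB startup key (Cliff's option 2) rather than the `-pw` password protector from McKnife's one-liner, and the parsing of the English "Numerical Password:" / "ID:" lines from `manage-bde -protectors -get` are assumptions made for this example.

```powershell
# Added example (not from the thread): enable BitLocker on a non-TPM Windows 7
# Enterprise OS drive and escrow the recovery password in AD DS, stopping hard
# if the AD backup does not succeed. Run from an elevated PowerShell prompt on a
# domain-joined laptop after the two policies from the thread are in place
# (BitLocker without a compatible TPM; save recovery information to AD DS).
param(
    [string]$OsDrive = 'C:',           # assumption: OS volume to protect
    # Removable drive that will hold the startup key (Cliff's option 2). McKnife's
    # comment uses a password protector (-pw) instead; the AD escrow steps below
    # are the same either way.
    [string]$StartupKeyDrive = 'E:\'   # assumption: USB stick for the startup key
)

function Invoke-ManageBde {
    # Thin wrapper around manage-bde.exe that turns a non-zero exit code into a
    # terminating error, so a failed step cannot be silently skipped.
    param([string[]]$Arguments)
    $output = & manage-bde.exe @Arguments 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) {
        throw "manage-bde $($Arguments -join ' ') failed (exit $LASTEXITCODE):`n$output"
    }
    return $output
}

function Get-RecoveryPasswordId {
    # Parses 'manage-bde -protectors -get' output (English locale assumed), which
    # lists each protector as a type line ("Numerical Password:") followed by an
    # "ID: {GUID}" line. Only the ID is extracted; the 48-digit key is never echoed.
    param([string]$ProtectorListing)
    $m = [regex]::Match($ProtectorListing, 'Numerical Password:\s*ID:\s*(\{[0-9A-Fa-f-]+\})')
    if (-not $m.Success) { throw "No numerical (recovery) password protector found on $OsDrive" }
    return $m.Groups[1].Value
}

# 1. Add the 48-digit recovery password: what the help desk reads back to a user
#    who is locked out, and what must end up in AD.
Invoke-ManageBde @('-protectors', '-add', $OsDrive, '-RecoveryPassword') | Out-Null

# 2. Push that specific protector to AD DS now instead of trusting the policy to
#    do it later. -adbackup fails if the computer object cannot be written, which
#    is exactly the failure you want to see before the disk is encrypted.
$id = Get-RecoveryPasswordId (Invoke-ManageBde @('-protectors', '-get', $OsDrive))
Invoke-ManageBde @('-protectors', '-adbackup', $OsDrive, '-id', $id) | Out-Null
Write-Host "Recovery password protector $id backed up to AD for $OsDrive"

# 3. Add the protector that actually unlocks the drive at boot: a startup key
#    written to the removable drive.
Invoke-ManageBde @('-protectors', '-add', $OsDrive, '-StartupKey', $StartupKeyDrive) | Out-Null

# 4. Start encryption. -SkipHardwareTest (the -s in the thread's command) skips
#    the reboot self-test; leave it out on the first pilot laptop so the boot
#    path with the startup key is verified before rolling out to 60 machines.
Invoke-ManageBde @('-on', $OsDrive, '-SkipHardwareTest') | Out-Null

# 5. Show the result; "Key Protectors" should list Numerical Password and
#    External Key, and "Conversion Status" should show encryption in progress.
Invoke-ManageBde @('-status', $OsDrive)
```

Two caveats worth knowing before running this on the pilot laptop: -adbackup needs domain controllers whose schema carries the BitLocker recovery objects (Windows Server 2008 or later, or a schema that has been extended for them), and the regex in Get-RecoveryPasswordId matches the English manage-bde output, so on a localized Windows the type and ID labels need adjusting.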

Lianne, could you explain what you concluded after reading these suggestions? I would be glad to hear, because they could be seen as contradictory, and all were answers to you.
lianne143 (Author) commented:
Hi McKnife

Our laptops are Windows 7 Enterprise without TPM. I understand that with the current configuration of our laptops, if I set up BitLocker, I need to issue USB sticks with the password on them to all the staff to boot up the laptops.
We are going to disable USB sticks on the laptops on our network.
If we don't disable USB and give out a USB stick (with the password) to boot the laptop, we can't expect every staff member to carry the USB stick at all times, and also, if they lose the stick with the laptop bag, the data is stolen?

I installed VeraCrypt on a laptop; it encrypts the hard drive and also asks to create a recovery CD during setup, and the instructions say to keep the CD safe in case any data needs to be recovered from the laptop hard disk. So I am planning to create the recovery disc for all the laptops and keep the discs in a safe location.

Now, after installing VeraCrypt on the laptop, when the laptop boots it asks for a password on the DOS screen. Once this is keyed in, the laptop boots to Windows and stays at the Ctrl+Alt+Del screen for the domain user credentials.

Why would you need VeraCrypt? You were shown how to use a password with BitLocker on Windows 7, without needing anything else.
I had a feeling that you still had not understood that, and you have confirmed it.