Store TPM recovery information in Active Directory Domain Services

Applies To: Windows Server 2008

Active Directory Domain Services (AD DS) can be used to store Trusted Platform Module (TPM) recovery information.

There is only one TPM owner password per computer; therefore, the hash of the TPM owner password is stored as an attribute of the computer object in AD DS. The attribute has the common name (cn) of ms-TPM-OwnerInformation.

Active Directory Requirements

To store TPM information in Active Directory Domain Services, all domain controllers must run Windows Server 2003 with Service Pack 1 (SP1) or later. If all domain controllers run Windows Server 2003, you must also install the schema extensions.
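The following audit script is an added example, not part of the original page or of Microsoft's tooling. It checks the two things this page states: that every domain controller meets the Windows Server 2003 SP1 baseline and that the ms-TPM-OwnerInformation schema attribute exists, and then reports which computer objects have that attribute populated (without printing the stored hash). It assumes the ActiveDirectory PowerShell module (RSAT) is installed and that it runs with rights to read the attribute, which is marked confidential in the schema.

```powershell
# Added audit script (hypothetical; not from the page). Assumes RSAT's
# ActiveDirectory module and an account allowed to read confidential attributes.
Import-Module ActiveDirectory

# 1. Domain controller baseline: Windows Server 2003 with SP1, or later.
#    The page gives the requirement; the string match below is an assumption
#    about how the OS and service pack are reported on the DC objects.
$dcs = Get-ADDomainController -Filter * |
    Select-Object Name, OperatingSystem, OperatingSystemServicePack
$belowBaseline = $dcs | Where-Object {
    $_.OperatingSystem -like '*2000*' -or
    ($_.OperatingSystem -like '*2003*' -and -not $_.OperatingSystemServicePack)
}
if ($belowBaseline) {
    Write-Warning "Domain controllers below the Windows Server 2003 SP1 baseline:"
    $belowBaseline | Format-Table -AutoSize
} else {
    Write-Output "All $($dcs.Count) domain controllers meet the OS baseline."
}

# 2. Schema extension: the attribute has the common name ms-TPM-OwnerInformation.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$tpmAttr  = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(cn=ms-TPM-OwnerInformation)'
if (-not $tpmAttr) {
    Write-Warning "Schema attribute ms-TPM-OwnerInformation not found; install the schema extensions."
    return
}
Write-Output "Schema attribute present: $($tpmAttr.DistinguishedName)"

# 3. Coverage: which computer objects already carry a TPM owner password hash?
#    The LDAP display name of the attribute is msTPM-OwnerInformation.
#    Only presence is reported; the hash value itself is never written out.
$computers = Get-ADComputer -Filter * -Properties 'msTPM-OwnerInformation'
$withTpm   = $computers | Where-Object { $_.'msTPM-OwnerInformation' }
Write-Output ("{0} of {1} computer objects have TPM owner information stored." -f
    @($withTpm).Count, @($computers).Count)
$computers | Where-Object { -not $_.'msTPM-OwnerInformation' } |
    Select-Object Name, DistinguishedName |
    Format-Table -AutoSize
```

If the attribute shows as empty for every computer even though backup is enabled, check that the account running the script can read confidential attributes before concluding that nothing was backed up.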

Step-by-Step Instructions

For step-by-step instructions for configuring Active Directory Domain Services and Group Policy to support the storage of recovery and owner information, see Guide to Using Active Directory Domain Services with Windows BitLocker™ Drive Encryption and TPM Services on the Microsoft Web site (

Additional references