Store TPM Recovery Information in Active Directory Domain Services
Applies To: Windows 7, Windows Server 2008 R2
Active Directory Domain Services (AD DS) can be used to store Trusted Platform Module (TPM) recovery information.
There is only one TPM owner password per computer; therefore, the hash of the TPM owner password is stored as an attribute of the computer object in AD DS. The attribute has the common name (CN) of ms-TPM-OwnerInformation.
Active Directory requirements
To store TPM information in AD DS, all domain controllers must be running Windows Server 2003 with Service Pack 1 or later. You also need to install schema extensions if all domain controllers are running Windows Server 2003.
Step-by-step instructions
For step-by-step instructions for configuring AD DS and Group Policy to support the storage of recovery and owner information, see BitLocker Drive Encryption Configuration Guide: Backing Up BitLocker and TPM Recovery Information to Active Directory (https://go.microsoft.com/fwlink/?LinkId=140308).
Additional references
Windows BitLocker Drive Encryption Step-by-Step Guide (https://go.microsoft.com/fwlink/?LinkId=140225)
Windows Trusted Platform Module Step-by-Step Guide (https://go.microsoft.com/fwlink?linkid=139769)