Store TPM Recovery Information in Active Directory Domain Services

Applies To: Windows 7, Windows Server 2008 R2

Active Directory Domain Services (AD DS) can be used to store Trusted Platform Module (TPM) recovery information.

There is only one TPM owner password per computer; therefore, the hash of the TPM owner password is stored as an attribute of the computer object in AD DS. The attribute has the common name (CN) of ms-TPM-OwnerInformation.

Active Directory requirements

To store TPM information in AD DS, all domain controllers must be running Windows Server 2003 with Service Pack 1 or later. You also need to install schema extensions if all domain controllers are running Windows Server 2003.

Step-by-step instructions

For step-by-step instructions for configuring AD DS and Group Policy to support the storage of recovery and owner information, see BitLocker Drive Encryption Configuration Guide: Backing Up BitLocker and TPM Recovery Information to Active Directory (

Additional references