how to configure Active Directory to store BitLocker and TPM recovery information (Part I)

Store recovery passwords for a BitLocker protected volume permit autorized users to recover BitLockerit if it's protected by this technology. This grants of course, that the encrypted information who belongs to the company always can be accesed by at least someone which may be autorized.

Storing the TPM information of a computer is very useful because for example, if the owner of the computer is sacked and you wish  to get access to the content of his hard disk, which is protected with BitLocker.

To be able to store this kind of information in Active Directory, you need Windows Server 2003 with SP1 domain controllers, at least, or Windows Server 2008.


In addition to the above regarding the operating system, the schema must be extended, adding the corresponding extensions for BitLocker. Without this, if BitLocker is enabled before preparing the schema, any kind of recover information will be saved in Active Directory. The name of the BitLocker recovery object adds a GUID and information of date and time with a length of 63 characters:

The common name (cn) for the BitLocker recovery object is ms-FVE-RecoveryInformation. Each of this objects contains the following attributes:

  • ms-FVE-RecoveryPassword.

  • ms-FVE-RecoveryGuid.

  • ms-FVE-VolumeGrid.

  • ms-FVE-KeyPackage.

  • GUID added to the global catalog in order to simplify forest-wide searches (isMemberOfPartialAttributeSet).

  • A bit to confidential use for the GUID attributes (bit 128 of searchFlags).

  • Size of each attribute restricted to minimize the replication times in case of a flood attack to the Active Directory database (rangeUpper).

  • Descriptions of attributes updated for clarity (adminDescription).

  • additional bit defined setted to store values when creates copies of objects ( bit 16 of searchFlags).

  • An addition bit defined to create indexes per-container of GUID attributes (bit 2 of searchFlags).

Store of recovery information of TPM in Active Directory

Only one TPM recovery password exists per computer. When TPM initializes or the password is changed, a backup of the hash of the TPM ownership password is maded, as an attribute of the computer object.

The cn of this attribute is ms-TPM-OwnerInformation.

In the next part we will see the required steps to make the configuration of Active Directory in order to be able to use BitLocker and TPM. Also, I will continue with the Authotitative Restore in Active Directory post.

More information:

Configuring Active Directory to Back up Windows BitLocker Drive Encryption and Trusted Platform Module Recovery Information (document that I'm using to write this article) .



Comments (0)

Skip to main content