Active Directory Domain Services (AD DS) can be used to store Trusted Platform Module (TPM) recovery information.
A computer has exactly one TPM owner password, so the value is stored as a single attribute of the computer object in AD DS rather than as a separate child object. The attribute has the common name (CN) ms-TPM-OwnerInformation, and what it holds is a hash of the TPM owner password, not the password itself.
Active Directory requirements
To store TPM information in AD DS, all domain controllers must be running Windows Server 2003 with Service Pack 1 or later. If every domain controller is running Windows Server 2003 (that is, no Windows Server 2008 domain controller has brought in the newer schema, which already defines the attribute), you must also install the schema extensions that add ms-TPM-OwnerInformation.
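The following PowerShell script is an added example, not code from the original page or from the BitLocker configuration guide. It checks the two requirements above (domain controller operating system level and the presence of ms-TPM-OwnerInformation in the schema) and then inspects what the domain holds for one computer. It assumes the ActiveDirectory module (RSAT) is installed, that the account running it can read the schema partition and the target computer object, and that the computer is identified by its sAMAccountName; the parameter name $ComputerName is this example's own.

```powershell
# Added example, not from the original page. Verifies the AD DS prerequisites for
# TPM owner-information backup and inspects the stored value for one computer.
# Assumptions: ActiveDirectory module (RSAT) present; caller can read the schema
# naming context and the target computer object.
param(
    [Parameter(Mandatory = $true)]
    [string]$ComputerName          # sAMAccountName of the computer, without the trailing $
)

Import-Module ActiveDirectory
$schemaNC = (Get-ADRootDSE).schemaNamingContext

# 1. Every domain controller must run Windows Server 2003 SP1 or later.
Write-Host 'Domain controllers (all must be Windows Server 2003 SP1 or later):'
Get-ADDomainController -Filter * |
    Format-Table HostName, OperatingSystem, OperatingSystemServicePack -AutoSize

# 2. The schema must define ms-TPM-OwnerInformation. The Windows Server 2008 schema
#    includes it; a forest whose schema was never raised past Windows Server 2003
#    needs the schema extension installed first.
$attr = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(&(objectClass=attributeSchema)(cn=ms-TPM-OwnerInformation))' `
    -Properties lDAPDisplayName, searchFlags, schemaIDGUID
if (-not $attr) {
    throw 'ms-TPM-OwnerInformation is not in the schema: install the schema extensions.'
}
$ldapName = $attr.lDAPDisplayName
$attrGuid = [guid]$attr.schemaIDGUID

# searchFlags bit 0x80 marks an attribute confidential: only principals holding the
# Control Access right (or full control) on the object can read its value. Report
# it rather than assume it, because the flag can be changed by schema admins.
$confidential = ($attr.searchFlags -band 0x80) -ne 0
Write-Host "Attribute $ldapName is present; confidential = $confidential"

# 3. Read the backed-up value. It is a hash of the owner password, not the
#    password, so an empty result means no backup has happened for this computer.
$comp   = Get-ADComputer -Identity $ComputerName -Properties $ldapName
$stored = $comp.$ldapName
if ($stored) { Write-Host "Stored owner information: $stored" }
else         { Write-Host 'No TPM owner information stored for this computer.' }

# 4. The computer itself must be allowed to write the attribute (the configuration
#    guide's Add-TPMSelfWriteACE.vbs grants SELF that right). List every ACE that
#    grants WriteProperty on exactly this attribute so unexpected grants stand out.
$acl = Get-Acl -Path "AD:\$($comp.DistinguishedName)"
$acl.Access |
    Where-Object { $_.ObjectType -eq $attrGuid -and
                   $_.ActiveDirectoryRights -match 'WriteProperty' } |
    Format-Table IdentityReference, AccessControlType, IsInherited -AutoSize
```

Run it from an administrative workstation as `.\Check-TpmOwnerBackup.ps1 -ComputerName WORKSTATION01` (file name assumed). Step 4 is the check worth repeating after any delegation change: any identity other than SELF and the expected administrative groups appearing with write access to this attribute can overwrite the backed-up owner information and should be explained. To confirm on the client that the stored string really is derived from the owner password, the TPM WMI class Win32_Tpm (namespace root\cimv2\Security\MicrosoftTpm) exposes ConvertToOwnerAuth, which turns a password into the owner authorization value; that this value is the same string the domain stores is an assumption to verify in your environment, not a statement the page makes.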
Step-by-step instructions
For step-by-step instructions for configuring AD DS and Group Policy to support the storage of recovery and owner information, see BitLocker Drive Encryption Configuration Guide: Backing Up BitLocker and TPM Recovery Information to Active Directory.
Additional references
- Windows BitLocker Drive Encryption Step-by-Step Guide (https://go.microsoft.com/fwlink/?LinkId=140225)
- Windows Trusted Platform Module Step-by-Step Guide (https://go.microsoft.com/fwlink?linkid=139769)