BitLocker Drive Encryption Configuration Guide: Backing Up BitLocker and TPM Recovery Information to Active Directory
Updated: June 21, 2008
Overview

This document describes how to configure Active Directory to back up recovery information for Windows BitLocker Drive Encryption (BitLocker) and the Trusted Platform Module (TPM). Recovery information includes the recovery password for each BitLocker-enabled volume, the TPM owner password, and the information required to identify which computers and volumes the recovery information applies to. Optionally, you can also save a package containing the actual keys used to encrypt the data, together with the recovery password required to access those keys.

Note: Active Directory is known as Active Directory Domain Services (AD DS) in Windows Server 2008.

Backing up recovery passwords for a BitLocker-protected disk volume allows administrators to recover the volume if it is locked. This ensures that encrypted data belonging to the enterprise can always be accessed by authorized users.

Backing up the TPM owner information for a computer allows administrators to configure the TPM security hardware on that computer locally or remotely. For example, an administrator might want to reset the TPM to factory defaults when decommissioning or repurposing computers.

Important: You can save recovery information in Active Directory if your domain controllers are running Windows Server 2003 with Service Pack 1 (SP1), Windows Server 2003 R2, or Windows Server 2008. You cannot save recovery information in Active Directory if a domain controller is running a version of Windows Server earlier than Windows Server 2003 with SP1.

If you are running Windows Server 2008, follow the same process described for Windows Server 2003 with SP1 or later, with one exception: you do not need to update the schema as described later in this document. However, you must still run the Add-TPMSelfWriteACE.vbs script in order to back up the TPM owner information in a domain upgraded from Windows Server 2003 to Windows Server 2008.

Important: Perform these steps in a test or pre-production environment before rolling them out to production.
Required files

The following sample scripts and LDF file, available from Microsoft, are required to configure Active Directory for backing up recovery information:

- Add-TPMSelfWriteACE.vbs
- BitLockerTPMSchemaExtension.ldf
- List-ACEs.vbs
- Get-TPMOwnerInfo.vbs
- Get-BitLockerRecoveryInfo.vbs

To download the files, see http://go.microsoft.com/fwlink/?LinkId=78953. The contents of these files and other useful information are included in the following appendices:

- Appendix A: Checking BitLocker and TPM Schema Objects
- Appendix B: Sample Ldifde output
- Appendix C: Default Permissions for a Computer Object
- Appendix D: BitLockerTPMSchemaExtension.ldf File Contents
- Appendix E: Add-TPMSelfWriteACE.vbs File Contents
- Appendix F: Sample Test Scripts

Note: If you tested a pre-release or beta version of Windows Vista and configured your Active Directory installation with earlier versions of the scripts or schema extensions, you must ensure that you use the final, released versions of these files. In addition, if you added access control entries (ACEs) with an earlier version of the scripts, you must remove the previously added BitLocker-related ACEs before proceeding; List-ACEs.vbs lists the BitLocker- and TPM-related ACEs currently in place.
Background

This section describes how BitLocker and TPM recovery information is backed up in Active Directory.

By default, no recovery information is backed up. Administrators can configure Group Policy settings to enable backup of BitLocker or TPM recovery information. Before configuring these settings, a domain administrator must ensure that the Active Directory schema has been extended with the necessary storage locations and that access permissions have been granted to perform the backup.

You should also configure Active Directory before configuring BitLocker on client computers. If BitLocker is enabled first, recovery information for those computers will not be added to Active Directory. For more information, see the Questions and Answers section later in this document.

Storage of BitLocker recovery information in Active Directory

Backed-up BitLocker recovery information is stored in a child object of the Computer object. That is, the Computer object is the container for a BitLocker recovery object.

Each BitLocker recovery object holds one recovery password and its associated recovery information. More than one BitLocker recovery object can exist under each Computer object, because a BitLocker-enabled volume can have more than one recovery password, and a computer can have more than one BitLocker-enabled volume.

The name of the BitLocker recovery object incorporates a globally unique identifier (GUID) and the object's creation date and time, for a fixed length of 63 characters. The form is:

<Object Creation Date and Time><Recovery GUID>

For example:

2005-09-30T17:08:23-08:00{063EA4E1-220C-4293-BA01-4754620A96E7}

The schema class of the BitLocker recovery object is ms-FVE-RecoveryInformation (LDAP display name msFVE-RecoveryInformation). Each ms-FVE-RecoveryInformation object has the following attributes:

ms-FVE-RecoveryPassword
    Contains the 48-digit recovery password used to recover a BitLocker-encrypted disk volume. Users enter this password to unlock a volume when BitLocker enters recovery mode.

ms-FVE-RecoveryGuid
    Contains the GUID associated with a BitLocker recovery password. In BitLocker's recovery mode, this GUID is displayed to the user so that the correct recovery password can be located to unlock the volume. This GUID is also included in the name of the recovery object.

ms-FVE-VolumeGuid
    Contains the GUID associated with a BitLocker-supported disk volume. While the GUID stored in ms-FVE-RecoveryGuid is unique for each recovery password, this volume identifier is unique for each BitLocker-encrypted volume; all recovery objects for the same volume share it.

ms-FVE-KeyPackage
    Contains a volume's BitLocker encryption key, secured by the corresponding recovery password. With this key package and the recovery password (stored in ms-FVE-RecoveryPassword), you can decrypt portions of a BitLocker-protected volume if the disk is corrupted. Each key package will work only for a volume that has the corresponding volume identifier (stored in ms-FVE-VolumeGuid). You must use a specialized tool to make use of this key package.
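The following Python script is an added example; it is not one of the guide's sample scripts (which are VBScript) and does not touch a directory. It parses the 63-character recovery object name, finds the object whose GUID matches the recovery key ID that the BitLocker recovery screen shows, builds the LDAP filter an administrator would run under the Computer object, and checks that a 48-digit recovery password read back from the ms-FVE-RecoveryPassword attribute is well formed. The second object name and the passwords in it are constructed test data, and the check-digit rule it applies (each 6-digit group is 11 times a 16-bit value, so it is divisible by 11 and below 720896) is a property of BitLocker recovery passwords that the guide itself does not state.

```python
"""Work with msFVE-RecoveryInformation objects as the guide describes them.

Added example, not part of the Microsoft guide or its sample scripts.
The first object name is the guide's own example; the second name and
both passwords are constructed test data.
"""
import re
from datetime import datetime

NAME_LENGTH = 63  # <creation time with UTC offset, 25 chars><{GUID}, 38 chars>
_NAME_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[+-]\d{2}:\d{2})"
    r"\{(?P<guid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}$"
)

SAMPLE_NAMES = [
    "2005-09-30T17:08:23-08:00{063EA4E1-220C-4293-BA01-4754620A96E7}",  # from the guide
    "2008-06-21T09:15:00+02:00{1B2C3D4E-5F60-4718-9A0B-C1D2E3F4A5B6}",  # constructed
]
GOOD_PASSWORD = "135795-720885-000011-099990-597531-220000-000077-366663"  # constructed
TYPO_PASSWORD = "135796-720885-000011-099990-597531-220000-000077-366663"  # group 1 off by one


def parse_recovery_object_name(cn):
    """Return (creation datetime, upper-case GUID without braces) for a
    recovery object name, or raise ValueError if it is not the fixed form."""
    if len(cn) != NAME_LENGTH:
        raise ValueError("expected %d characters, got %d" % (NAME_LENGTH, len(cn)))
    m = _NAME_RE.match(cn)
    if not m:
        raise ValueError("not a <timestamp><GUID> name: %r" % cn)
    # %z accepts the +HH:MM form on Python 3.7 and later
    created = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S%z")
    return created, m.group("guid").upper()


def find_recovery_objects(names, key_id):
    """Names whose GUID starts with key_id (the ID the recovery screen shows;
    users often read back only its first block, so a prefix is accepted)."""
    wanted = key_id.strip("{}").upper()
    hits = []
    for cn in names:
        try:
            _, guid = parse_recovery_object_name(cn)
        except ValueError:
            continue  # some other child object, not a recovery object
        if guid.startswith(wanted):
            hits.append(cn)
    return hits


def ldap_filter_for_key_id(key_id):
    """Filter to run with one-level scope under the Computer object. Matching
    the cn tail avoids encoding msFVE-RecoveryGuid as an octet string."""
    wanted = key_id.strip("{}").upper()
    if not re.fullmatch(r"[0-9A-F-]{1,36}", wanted):
        raise ValueError("key ID must be hex digits and dashes")
    return "(&(objectClass=msFVE-RecoveryInformation)(cn=*{%s*))" % wanted


def check_recovery_password(password):
    """Problems with a 48-digit recovery password's format; [] means OK."""
    groups = password.replace(" ", "").split("-")
    if len(groups) != 8:
        return ["expected 8 groups of 6 digits, got %d groups" % len(groups)]
    problems = []
    for i, g in enumerate(groups, 1):
        if not (len(g) == 6 and g.isdigit()):
            problems.append("group %d is not 6 digits" % i)
            continue
        value = int(g)
        if value % 11:
            problems.append("group %d fails the divisible-by-11 check" % i)
        if value >= 11 * 65536:
            problems.append("group %d is out of range" % i)
    return problems


if __name__ == "__main__":
    for cn in SAMPLE_NAMES:
        created, guid = parse_recovery_object_name(cn)
        print(created.isoformat(), guid)
    print(find_recovery_objects(SAMPLE_NAMES, "063EA4E1"))
    print(ldap_filter_for_key_id("063EA4E1"))
    print(check_recovery_password(GOOD_PASSWORD) or "password is well formed")
    print(check_recovery_password(TYPO_PASSWORD))
```

The password check catches the most common help-desk failure, a mistyped digit, before anyone tries the password on the recovery screen; it says nothing about whether the password belongs to the volume, which only the volume GUID and key ID can tell you.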
If you tested BitLocker and Windows Vista prior to release, note the following changes that were made to the attributes of the recovery object since pre-release or beta versions of Windows Vista:

- GUIDs added to the global catalog to facilitate forest-wide searches (isMemberOfPartialAttributeSet).
- Use of the confidential bit for the GUID attributes (bit 128 of searchFlags) removed, so that the identifiers can be searched; the attributes that hold secrets remain confidential.
- Size of each attribute restricted (rangeUpper), to limit replication slowdowns if an attacker floods the Active Directory database with oversized values.
- Attribute descriptions updated for clarity (adminDescription).
- Additional bit set so that attribute values are preserved when copies of objects are made (bit 16 of searchFlags).
- Additional bit set to create a per-container index for the GUID attributes (bit 2 of searchFlags).

For more details about attribute syntax, see the schema extension file in Appendix D: BitLockerTPMSchemaExtension.ldf File Contents.

Storage of TPM recovery information in Active Directory

There is only one TPM owner password per computer. When the TPM is initialized or when this password is changed, a hash of the TPM owner password is backed up as an attribute of the Computer object itself, not as a child object.

The schema attribute is ms-TPM-OwnerInformation (LDAP display name msTPM-OwnerInformation).
Configuring Active Directory

Complete the following tasks to configure Active Directory to back up BitLocker and TPM recovery information.

Check general prerequisites

Check the following prerequisites:

- All domain controllers accessible by BitLocker-capable clients are running Windows Server 2003 with SP1 or later. On each domain controller, click Start, right-click My Computer, click Properties, and then look at the General tab.

  Important: If the General tab lists Windows Server 2003 but no service pack information, you need to upgrade. For more information about upgrading to Windows Server 2003 with SP1, see http://go.microsoft.com/fwlink/?LinkID=43106.

  Important: The use of domain controllers running Windows 2000 Server or Windows Server 2003 without SP1 to back up BitLocker or TPM recovery information has not been tested and is not supported. Furthermore, these earlier operating systems lack the Active Directory confidential-attribute feature used to protect access to BitLocker and TPM recovery information. The confidential flag is available in Windows Server 2003 with SP1 and later. With this feature, only domain administrators and appropriate delegates have Read access to attributes marked confidential: reading such an attribute requires the CONTROL_ACCESS right on the object in addition to the ordinary Read Property right, and domain administrators hold that right by default. The BitLocker and TPM schema extension marks selected attributes as confidential by setting bit 128 of the searchFlags property. For more information about this flag, see "How the Active Directory Schema Works" at http://go.microsoft.com/fwlink/?LinkID=38556. BitLocker does not impose any requirements on domain or forest functional levels. However, domain controllers running operating systems earlier than Windows Server 2003 with SP1 should be removed from mixed-functional-level environments (or upgraded), because those domain controllers do not enforce the confidential flag and the backed-up BitLocker and TPM information is not protected on them.

- You have either Enterprise Admin or Schema Admin privileges in the target forest, or you are using an account that has been granted appropriate permissions to extend the schema for the target forest.

- You have obtained the following files:
  - BitLockerTPMSchemaExtension.ldf
  - Add-TPMSelfWriteACE.vbs
Extend the schema

The following procedure extends the schema so that recovery information can be saved in Active Directory.

If you have installed a domain controller running Windows Server 2008 Beta 3 or later, doing so has already applied the required schema extensions, and you do not need to complete this procedure.

If you have installed a domain controller running Windows Server 2008 Beta 2, you must upgrade the schema to sch39 or later, or complete the following procedure.

To extend the Active Directory schema with BitLocker and TPM attributes

1. Log on with a domain account in the Schema Admins group. This account must be used to extend the schema. By default, the built-in Administrator account in the forest root domain is a member of the Schema Admins group. For more information, see the section "Granting access rights to make schema changes" in "How the Active Directory Schema Works" (http://go.microsoft.com/fwlink/?LinkID=79649).

2. Check that your Windows Server installation allows schema updates. In Windows Server 2003, Active Directory schema updates are enabled by default. For more information, including the steps required to enable schema updates, see article 285172 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=79644).

3. Check that you have access to the domain controller that holds the schema operations master role in the Active Directory forest. Schema updates can only be performed at the schema operations master.

4. Review BitLockerTPMSchemaExtension.ldf, the LDIF file containing the schema extension. For background information about the changes made by the schema extension, see Background earlier in this document. For reference information about schema extensions, see "How the Active Directory Schema Works" (http://go.microsoft.com/fwlink/?LinkId=79649).

5. Use the Ldifde command-line tool to extend the schema on the domain controller that serves as the schema operations master. For example, to import the schema extension in a forest whose root domain is nttest.microsoft.com, log on as a user in the Schema Admins group, and then type the following at a command prompt, as one line (the trailing period "." is part of the command):

   ldifde -i -v -f BitLockerTPMSchemaExtension.ldf -c "DC=X" "DC=nttest,DC=microsoft,DC=com" -k -j .

   The -c option replaces every occurrence of the placeholder DC=X in the LDF file with the distinguished name that follows it. Because the schema partition (CN=Schema,CN=Configuration,...) hangs off the forest root domain, that distinguished name must be the DN of the forest root domain, not of a child domain, even when the child domain is the one that will contain the BitLocker-enabled computers. The use of -k suppresses "Object Already Exists" errors if parts of the schema already exist. The use of -j . saves an extended log file to the current working directory.

For more information about Ldifde parameters, see article 237677 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=79650). Sample output from running this command is included in Appendix B: Sample Ldifde output later in this document.
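As an added example that is not part of this guide or of Microsoft's files, the Python script below does offline what a practitioner would want to see before running step 5: it performs the same DC=X substitution that ldifde -c performs, lists the schema DNs the import will create, decodes each attribute's searchFlags (the confidential bit and the index and copy bits listed under Background), and checks that the secret-bearing attributes are confidential. The LDIF in it is a constructed, abbreviated stand-in for BitLockerTPMSchemaExtension.ldf: the entry DNs and LDAP display names follow the guide, but the syntax OIDs, rangeUpper and searchFlags values are illustrative rather than the real file's values.

```python
"""Preview 'ldifde -i -c "DC=X" "<forest root DN>"' and decode searchFlags.

Added example, not Microsoft's code. SAMPLE_LDIF is a constructed stand-in
for BitLockerTPMSchemaExtension.ldf; its OIDs and flag values are
illustrative. The forest root DN is required because CN=Schema hangs off
CN=Configuration in the forest root naming context.
"""
import re

SEARCH_FLAG_BITS = {
    1: "fATTINDEX (indexed)",
    2: "fPDNTATTINDEX (per-container index)",
    4: "fANR (ambiguous name resolution)",
    8: "fPRESERVEONDELETE (kept on tombstones)",
    16: "fCOPY (copied when an object is duplicated)",
    32: "fTUPLEINDEX (tuple index)",
    64: "fSUBTREEATTINDEX (subtree index)",
    128: "fCONFIDENTIAL (reading needs CONTROL_ACCESS, not just Read Property)",
}
# Attributes that hold secrets and must carry the confidential bit.
SECRET_ATTRIBUTES = {"msFVE-RecoveryPassword", "msFVE-KeyPackage", "msTPM-OwnerInformation"}

SAMPLE_LDIF = """\
dn: CN=ms-FVE-RecoveryPassword,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
lDAPDisplayName: msFVE-RecoveryPassword
attributeSyntax: 2.5.5.12
oMSyntax: 64
rangeUpper: 256
searchFlags: 152

dn: CN=ms-FVE-RecoveryGuid,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
lDAPDisplayName: msFVE-RecoveryGuid
attributeSyntax: 2.5.5.10
oMSyntax: 4
rangeUpper: 16
isMemberOfPartialAttributeSet: TRUE
searchFlags: 27

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
"""


def substitute_dn(text, from_dn, to_dn):
    """What ldifde -c does: rewrite every occurrence of from_dn as to_dn.
    DNs compare case-insensitively, so the match here is too."""
    return re.sub(re.escape(from_dn), lambda _: to_dn, text, flags=re.IGNORECASE)


def parse_ldif(text):
    """Minimal LDIF reader: a list of entries mapping attribute -> values.
    Folded lines (leading space) are joined; '-' and comment lines skipped."""
    entries, current, last_key = [], {}, None
    for raw in text.splitlines() + [""]:
        if raw == "":
            if current:
                entries.append(current)
            current, last_key = {}, None
        elif raw.startswith(" ") and last_key is not None:
            current[last_key][-1] += raw[1:]
        elif raw == "-" or raw.startswith("#"):
            continue
        else:
            key, _, value = raw.partition(":")
            last_key = key.strip()
            current.setdefault(last_key, []).append(value.strip())
    return entries


def decode_search_flags(value):
    value = int(value)
    names = [name for bit, name in sorted(SEARCH_FLAG_BITS.items()) if value & bit]
    unknown = value & ~sum(SEARCH_FLAG_BITS)
    if unknown:
        names.append("unknown bits 0x%x" % unknown)
    return names


def preview_schema_import(ldif_text, forest_root_dn):
    """Per attributeSchema entry: the DN the import creates, LDAP display name,
    decoded searchFlags, size limit and global catalog membership."""
    report = []
    for e in parse_ldif(substitute_dn(ldif_text, "DC=X", forest_root_dn)):
        if "attributeSchema" not in e.get("objectClass", []):
            continue
        flags = int(e.get("searchFlags", ["0"])[0])
        report.append({
            "dn": e["dn"][0],
            "ldapDisplayName": e["lDAPDisplayName"][0],
            "confidential": bool(flags & 128),
            "searchFlags": decode_search_flags(flags),
            "rangeUpper": int(e["rangeUpper"][0]) if "rangeUpper" in e else None,
            "inGlobalCatalog": e.get("isMemberOfPartialAttributeSet", ["FALSE"])[0].upper() == "TRUE",
        })
    return report


def missing_confidential(report):
    """Secret-bearing attributes in the report that lack the confidential bit."""
    return [r["ldapDisplayName"] for r in report
            if r["ldapDisplayName"] in SECRET_ATTRIBUTES and not r["confidential"]]


if __name__ == "__main__":
    rep = preview_schema_import(SAMPLE_LDIF, "DC=nttest,DC=microsoft,DC=com")
    for r in rep:
        print(r["dn"], r["searchFlags"], "rangeUpper=%s" % r["rangeUpper"])
    print("secrets without confidential bit:", missing_confidential(rep) or "none")
```

Run against the real LDF, the preview shows the exact DNs ldifde will try to add, which makes a wrong -c argument visible before the import fails halfway through, and missing_confidential gives a quick answer to the question the Background section raises: whether the attributes that hold passwords and key material actually carry bit 128.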
Set the required permissions for backing up TPM owner information

The following procedure adds an access control entry (ACE) so that backing up TPM recovery information is possible.

A Windows Vista client can back up BitLocker recovery information under the Computer object's default permissions. However, a Windows Vista client cannot back up TPM owner information unless this additional ACE is added, because that backup writes an attribute of the Computer object itself rather than creating a child object.

Appendix C: Default Permissions for a Computer Object, later in this document, describes the default Active Directory permissions on the Computer class object that contains the BitLocker recovery information class and the TPM owner information attribute.

To add an ACE to allow TPM recovery information to be backed up

1. Review Add-TPMSelfWriteACE.vbs, the sample script containing the permission extension.

2. Type the following at a command prompt, and then press ENTER:

   cscript Add-TPMSelfWriteACE.vbs

This script adds a single ACE to the top-level domain object. The ACE is an inheritable permission that allows SELF (the computer itself) to write the ms-TPM-OwnerInformation attribute of Computer objects in the domain; it grants no other right and applies to no other class.

For additional reference information, see "Using Scripts to Manage Active Directory Security" (http://go.microsoft.com/fwlink/?LinkId=79652).

The sample script operates under the following assumptions:

- You have domain administrator privileges to set permissions on the top-level domain object.

- Your target domain is the same as the domain of the user account running the script. For example, running the script as TESTDOMAIN\admin will extend permissions for TESTDOMAIN. You might need to modify the sample script if you want to set permissions for multiple domains but do not have domain administrator accounts for each of those domains. Find the variable strPathToDomain in the script and modify it for your target domain, for example:

  "LDAP://DC=testdomain,DC=nttest,DC=microsoft,DC=com"

- Your domain is configured so that permissions inherit from the top-level domain object to the targeted Computer objects. The permission will not take effect on a Computer object if any container above it in the hierarchy blocks inheritance of permissions from its parent. By default, Active Directory propagates inherited permissions. If you are not sure whether your configuration differs from this default, you can continue with the setup steps to set the permission and then verify the result as described later in this document, or click the Effective Permissions button while viewing the properties of a Computer object to check that SELF can write the msTPM-OwnerInformation attribute.
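The ACE that List-ACEs.vbs prints later in this document (in the sample test) is a row of numbers, and it is easy to accept a wrong one. The Python script below is an added example, not one of the guide's sample scripts: it parses that output, translates the numeric fields using the ADSI ADS_ACETYPE_ENUM, ADS_ACEFLAG_ENUM, ADS_FLAGTYPE_ENUM and ADS_RIGHTS_ENUM constants, and reports every way an ACE differs from the one Add-TPMSelfWriteACE.vbs is supposed to create (wrong trustee, more rights than Write Property, not scoped to the ms-TPM-OwnerInformation attribute, not limited to Computer objects, or not inheritable). The ObjectType GUID is taken from the guide's sample output; the InheritedObjectType GUID is the schemaIDGUID of the Computer class. The script assumes, as the sample output shows, that List-ACEs.vbs prints AceFlags first for each ACE.

```python
"""Decode the ACE that List-ACEs.vbs prints and check it is the expected one:
SELF may write ms-TPM-OwnerInformation, inherited by Computer objects only.

Added example, not one of the guide's sample scripts. Numeric values are
the ADSI enumerations; SAMPLE_OUTPUT is the guide's own expected output.
"""
import re

ACE_TYPES = {0: "ACCESS_ALLOWED", 1: "ACCESS_DENIED", 2: "SYSTEM_AUDIT",
             5: "ACCESS_ALLOWED_OBJECT", 6: "ACCESS_DENIED_OBJECT",
             7: "SYSTEM_AUDIT_OBJECT"}
ACE_FLAGS = {0x02: "INHERIT_ACE", 0x04: "NO_PROPAGATE_INHERIT_ACE",
             0x08: "INHERIT_ONLY_ACE", 0x10: "INHERITED_ACE",
             0x40: "SUCCESSFUL_ACCESS", 0x80: "FAILED_ACCESS"}
OBJECT_FLAGS = {0x1: "OBJECT_TYPE_PRESENT", 0x2: "INHERITED_OBJECT_TYPE_PRESENT"}
RIGHTS = {0x1: "DS_CREATE_CHILD", 0x2: "DS_DELETE_CHILD", 0x4: "ACTRL_DS_LIST",
          0x8: "DS_SELF", 0x10: "DS_READ_PROP", 0x20: "DS_WRITE_PROP",
          0x40: "DS_DELETE_TREE", 0x80: "DS_LIST_OBJECT",
          0x100: "DS_CONTROL_ACCESS", 0x10000: "DELETE", 0x20000: "READ_CONTROL",
          0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
          0x10000000: "GENERIC_ALL", 0x20000000: "GENERIC_EXECUTE",
          0x40000000: "GENERIC_WRITE", 0x80000000: "GENERIC_READ"}

TPM_OWNER_INFO_GUID = "{AA4E1A6D-550D-4E05-8C35-4AFCB917A9FE}"  # as printed by List-ACEs.vbs
COMPUTER_CLASS_GUID = "{BF967A86-0DE6-11D0-A285-00AA003049E2}"  # schemaIDGUID of Computer

# The output the guide shows for a correctly configured domain.
SAMPLE_OUTPUT = """\
Accessing
> AceFlags: 10
> AceType: 5
> Flags: 3
> AccessMask: 32
> ObjectType: {AA4E1A6D-550D-4E05-8C35-4AFCB917A9FE}
> InheritedObjectType: {BF967A86-0DE6-11D0-A285-00AA003049E2}
> Trustee: NT AUTHORITY\\SELF
1 ACE(s) found in DC=nttest,DC=microsoft,DC=com related to BitLocker and TPM
"""


def _bits(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_list_aces_output(text):
    """Collect the '> Key: value' lines into one dict per ACE. The script
    prints AceFlags first for each ACE, so that line starts a new record."""
    aces, cur = [], None
    for line in text.splitlines():
        m = re.match(r"^>\s*(\w+):\s*(.*?)\s*$", line)
        if not m:
            continue
        key, val = m.groups()
        if key == "AceFlags":
            cur = {}
            aces.append(cur)
        if cur is not None:
            cur[key] = val
    return aces


def decode_ace(ace):
    """Translate the numeric fields (decimal, as the script prints them)."""
    t = int(ace["AceType"])
    return {
        "type": ACE_TYPES.get(t, "unknown(%d)" % t),
        "inheritance": _bits(int(ace["AceFlags"]), ACE_FLAGS),
        "objectFlags": _bits(int(ace["Flags"]), OBJECT_FLAGS),
        "rights": _bits(int(ace["AccessMask"]), RIGHTS),
        "objectType": ace.get("ObjectType", "").upper(),
        "inheritedObjectType": ace.get("InheritedObjectType", "").upper(),
        "trustee": ace.get("Trustee", ""),
    }


def check_tpm_self_write_ace(ace):
    """Ways this ACE differs from the expected one; [] means it matches.
    Each deviation either breaks the backup or grants more than needed."""
    d = decode_ace(ace)
    problems = []
    if d["type"] != "ACCESS_ALLOWED_OBJECT":
        problems.append("not an object-specific allow ACE")
    if d["trustee"].upper() != "NT AUTHORITY\\SELF":
        problems.append("trustee is %r, expected NT AUTHORITY\\SELF" % d["trustee"])
    if d["rights"] != ["DS_WRITE_PROP"]:
        problems.append("rights are %s, expected only DS_WRITE_PROP" % d["rights"])
    if "OBJECT_TYPE_PRESENT" not in d["objectFlags"] or d["objectType"] != TPM_OWNER_INFO_GUID:
        problems.append("not scoped to the ms-TPM-OwnerInformation attribute (SELF could write other properties)")
    if ("INHERITED_OBJECT_TYPE_PRESENT" not in d["objectFlags"]
            or d["inheritedObjectType"] != COMPUTER_CLASS_GUID):
        problems.append("not limited to Computer objects")
    if "INHERIT_ACE" not in d["inheritance"]:
        problems.append("not inheritable, so Computer objects never receive it")
    if "NO_PROPAGATE_INHERIT_ACE" in d["inheritance"]:
        problems.append("NO_PROPAGATE set, so it stops at the first container level")
    if "INHERIT_ONLY_ACE" not in d["inheritance"]:
        problems.append("also evaluated on the domain object itself (harmless, but not what the script creates)")
    return problems


if __name__ == "__main__":
    for ace in parse_list_aces_output(SAMPLE_OUTPUT):
        print(decode_ace(ace))
        print("deviations:", check_tpm_self_write_ace(ace) or "none")
```

Paste the real List-ACEs.vbs output into SAMPLE_OUTPUT (or feed it on stdin with a few more lines) and any non-empty deviation list is a reason not to proceed: an AccessMask other than 32 or a missing ObjectType means SELF has been handed more than the single attribute write the backup needs.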
Configure Group Policy to enable backup of BitLocker and TPM recovery information in Active Directory

These instructions are for configuring the local policy on a Windows Vista client computer. In a production environment, you would instead edit a Group Policy object (GPO) that applies to computers in the domain.

For more information about configuring Windows Vista GPOs in the domain, see the "Managing Group Policy ADMX Files Step by Step Guide" (http://go.microsoft.com/fwlink/?LinkId=79653).

Note: We recommend that you keep the default options when you enable each Group Policy setting. Be sure to read the Explain text before making any changes.

To enable the local policy settings to back up BitLocker and TPM recovery information to Active Directory

1. Log on to the computer as an administrator.

2. Click Start, type gpedit.msc in the Start Search box, and then press ENTER.

3. To enable the Group Policy setting that backs up BitLocker recovery information to Active Directory:
   a. Open Computer Configuration, open Administrative Templates, open Windows Components, and then open BitLocker Drive Encryption.
   b. In the right pane, double-click Turn on BitLocker backup to Active Directory.
   c. Select the Enabled option.
   d. Verify that the Require BitLocker backup to AD DS check box is selected.

4. To enable the Group Policy setting that backs up TPM recovery information to Active Directory:
   a. Open Computer Configuration, open Administrative Templates, open System, and then open Trusted Platform Module Services.
   b. In the right pane, double-click Turn on TPM backup to Active Directory.
   c. Select the Enabled option.
   d. Verify that the Require TPM backup to AD DS check box is selected.
Testing Your Active Directory Configuration

By joining Windows Vista-based client computers to the domain that you just configured and enabling BitLocker, you can test whether BitLocker and TPM recovery information is backed up to Active Directory successfully.

All user interfaces and programming interfaces within the BitLocker and TPM Management features adhere to your configured Group Policy settings. When these settings are enabled, recovery information (such as recovery passwords) is automatically backed up to Active Directory whenever this information is created or changed.

If you select the option to require backup, initializing the TPM or enabling BitLocker through any method is blocked until the backup succeeds. In that case, no one will be allowed to turn on BitLocker or initialize the TPM unless the domain controller is configured correctly, the client computer has network connectivity to the domain controller, and no other errors occur during the backup process.

Testing backup with Windows Vista

You should use a Windows Vista-based client computer to test backup.

BitLocker recovery information is backed up when you:

- Create a recovery password during BitLocker setup, using the wizard available through Control Panel.
- Create a recovery password after the disk has already been encrypted, using the manage-bde.wsf command-line tool.

TPM recovery information is backed up when you:

- Set the TPM owner password during TPM initialization.
- Change the TPM owner password.
Sample test scenario with Windows Vista

This sample test scenario illustrates how to verify your Active Directory configuration using Windows Vista. The sample scripts you downloaded assist in the test process.

Important: You should perform additional tests as required to satisfy yourself that everything is working correctly in your environment; do not assume that this scenario completely tests all aspects of your configuration.

Test scenarios can also vary based on your organization's policies. For example, in organizations where users are the Creator Owner of the Computer objects they join to the domain, it might be possible for these users to read the TPM owner information for their own Computer objects.

To perform a sample test

1. Log on to a domain controller as a domain administrator.

2. Copy the sample script files to a suitable location.

3. Open a command prompt window and change to the location of the sample script files.

4. At the command prompt, type the following:

   cscript List-ACEs.vbs

   Expected output: Assuming the default Add-TPMSelfWriteACE.vbs was used and other deprecated ACEs have been removed, there should be only one ACE related to BitLocker and the TPM:

   Accessing
   > AceFlags: 10
   > AceType: 5
   > Flags: 3
   > AccessMask: 32
   > ObjectType: {AA4E1A6D-550D-4E05-8C35-4AFCB917A9FE}
   > InheritedObjectType: {BF967A86-0DE6-11D0-A285-00AA003049E2}
   > Trustee: NT AUTHORITY\SELF
   1 ACE(s) found in DC=nttest,DC=microsoft,DC=com related to BitLocker and TPM

   The values are decimal: AceType 5 is an object-specific allow ACE, AceFlags 10 means the ACE is inheritable and inherit-only, Flags 3 means both object GUIDs are present, and AccessMask 32 is the Write Property right. ObjectType identifies the ms-TPM-OwnerInformation attribute and InheritedObjectType the Computer class.

5. Log on as a local administrator (not a domain administrator) on a Windows Vista client joined to the domain.

6. Click Start, type tpm.msc in the Start Search box, and then press ENTER.

7. Click either the Initialize TPM or the Change Owner Password link.

8. Set an owner password, and select the option to back up the information by printing or saving to a file as needed.

   Expected output: The action succeeds without an error message.

9. Using this same account, open an elevated command prompt window, and then change to the folder in which you saved a copy of the sample scripts provided with this document.

   Note: To open an elevated command prompt window, right-click a command prompt shortcut, and then click Run as administrator.

10. At the command prompt, type the following:

    cscript Get-TPMOwnerInfo.vbs

    Expected output: The error "Active Directory: The directory property cannot be found in the cache." No information is displayed, because an account that is not a domain administrator should not be able to read the ms-TPM-OwnerInformation attribute.

    Note: If users are the Creator Owner of the Computer objects they join to the domain, it might be possible for these users to read the TPM owner information for their own Computer objects.

11. Log on as a domain administrator on the same client computer.

12. Using this domain administrator account, open an elevated command prompt window, and change to the directory in which you saved a copy of the sample scripts provided with this document.

13. At the command prompt, type the following:

    cscript Get-TPMOwnerInfo.vbs

    Expected output: A string that is the hash of the password you created earlier. As a domain administrator, you have Read access to the ms-TPM-OwnerInformation attribute.

14. At the elevated command prompt, type the following to create a recovery password:

    manage-bde -protectors -add -RecoveryPassword C:

    Expected output: The action succeeds without an error message.

15. At the command prompt, type the following to read all BitLocker child objects of the client computer's Active Directory object:

    cscript Get-BitLockerRecoveryInfo.vbs

    Expected output: A domain administrator sees one or more recovery passwords, including the one created in step 14. An account that is not a domain administrator will not be able to read these passwords.

16. Delete any BitLocker recovery child objects you created, using Active Directory tools such as the Active Directory Users and Computers administrative tool. By default, clients running Windows Vista do not have permission to delete stale BitLocker recovery passwords, so they remain under the Computer object until an administrator removes them.
Troubleshooting Common Problems

This section discusses some common potential problems and their solutions.

Access permission problems

If you are able to read backed-up BitLocker and TPM recovery information using an account that is not a domain administrator, check that you are running supported installations of Windows Server on all the domain controllers in your network.

Important: Domain controllers running Windows 2000 Server or the initial release of Windows Server 2003 are not supported for backing up BitLocker and TPM recovery information.

Script errors

You might receive an error when you run a script. The following sections explain the causes of and solutions for the most frequent script errors.

Get-TPMOwnerInfo.vbs

If an error appears stating "Active Directory: The directory property cannot be found in the cache," you do not have permission to read the TPM owner information attribute in Active Directory.

General

If an error appears stating "The specified domain either does not exist or could not be contacted," ensure that the computer is joined to the domain and that network connectivity is available.

If an error appears stating "There is no such object on the server," check that any computer specified by name on the command line is currently connected to the network.

Errors are accompanied by the line number at which the error occurred. Consult the script source code to assist in troubleshooting the issue.
Questions and Answers

This section includes related questions that the BitLocker team has fielded since the first release of this document.

Is this schema part of Windows Server 2008?

Yes, the schema is part of Windows Server 2008. Windows Server 2008 Beta 2 contained the objects that allow backup of all BitLocker and TPM recovery information from pre-release versions of Windows Vista. The schema update for the released version of Windows Vista matches the changes in Windows Server 2008.

Can I apply the schema update to a Windows Server 2003-based domain controller?

Microsoft supports the BitLocker schema extensions only on Windows Server 2003 with SP1 and later and in Windows Server 2008. The first release of Windows Server 2003 does not include the confidential flag feature that appropriately locks down access to backed-up recovery information.

Is this schema supported by Microsoft for production use?

Yes, this schema is supported through your normal support channels. For more information about Microsoft support options, see http://go.microsoft.com/fwlink/?LinkID=76619.

Is there an event log entry recorded on the client to indicate the success or failure of the Active Directory backup?

Yes. An event log entry that indicates the success or failure of an Active Directory backup is recorded on the client.

However, this log entry is only useful to an extent. Even though an event log entry says "Success," the information could have been removed from Active Directory afterwards, or BitLocker could have been reconfigured in such a way that the Active Directory information can no longer unlock the drive (for example, by removing the recovery password key protector). In addition, it is also possible that the log entry could be spoofed.

Ultimately, determining whether a usable backup exists in Active Directory requires querying Active Directory with domain administrator credentials and comparing what is stored there with the key protectors currently on the volume.

What if BitLocker is enabled on a computer before the computer has joined the domain?

You might wonder what happens if BitLocker is enabled on a computer before Group Policy has been applied to enforce backup. Will the recovery information automatically be backed up to Active Directory when the computer joins the domain or when Group Policy is subsequently applied?

No. This functionality is not available in Windows Vista. Generally, joining a computer to the domain is the first step for new computers within an enterprise.

The BitLocker Windows Management Instrumentation (WMI) interface allows administrators to write a script to back up or synchronize an online client's existing recovery passwords. An administrative account can list the recovery passwords of an unlocked volume by using the GetKeyProtectorNumericalPassword method of the BitLocker WMI interface (the Win32_EncryptableVolume class) or the "-protectors -get" parameters of the BitLocker command-line tool (manage-bde.wsf).

What happens if the backup initially fails? Will BitLocker retry?

If the backup initially fails, such as when a domain controller is unreachable at the time the BitLocker setup wizard is run, BitLocker does not retry backing up the recovery information to Active Directory.

When an administrator selects the Require BitLocker backup to AD DS check box or the Require TPM backup to AD DS check box, BitLocker cannot be enabled (and the TPM cannot be initialized) if the backup fails.

When an administrator clears these check boxes, a volume can be BitLocker-encrypted without the recovery information having been successfully backed up to Active Directory; BitLocker will not automatically retry. Instead, administrators can script a backup, as described in the previous question, to capture the information after connectivity is restored.

Does BitLocker encrypt recovery information as it is sent to Active Directory?

Yes. The transmission of recovery information from a Windows Vista client to Active Directory is protected by using Kerberos. Specifically, the ADSI connection uses the authentication flags ADS_SECURE_AUTHENTICATION, ADS_USE_SEALING, and ADS_USE_SIGNING, so the LDAP traffic is both signed and encrypted.

For more information about Active Directory authentication flags, see http://go.microsoft.com/fwlink/?LinkId=79643.

Note: Once recovery information is transmitted, Active Directory does not store the BitLocker and TPM recovery information in an encrypted format. However, access control permissions are set so that only domain administrators or appropriate delegates can read the stored information while the server is online. Enterprises concerned about offline attacks on branch office servers (for example, theft of a domain controller or a copy of its database) should consider enabling BitLocker on those servers once they are upgraded to Windows Server 2008.
Community Additions

BitLocker Drive Encryption Configuration Guide: Backing Up BitLocker and TPM Recovery Information to Active Directory
TPM Recovery information to active directory
kanubhai vaidya, 8/2/2015

Group Policy Settings for Windows 7
Note that for Windows 7, the Group Policy setting to enable backup of BitLocker recovery info to AD is:
Computer Configuration, Administrative Templates, Windows Components, BitLocker Drive Encryption, Drive-Type Drives, Choose how BitLocker-protected drive-type drives can be recovered.
The setting specified in this article is for Vista only. It will NOT work with Windows 7. And, as far as I can tell, there is no equivalent guide specifically for Windows 7 with this important correction.
EDIT: Here is a link to an article that describes the specific settings for use with Windows 7...
http://windows.microsoft.com/en-US/windows7/What-Group-Policy-settings-are-used-with-BitLocker
GregPick, 1/3/2012

This worked for me
ldifde -i -v -f BitLockerTPMSchemaExtension.ldf -c "DC=X" "dc=microsoft,dc=com" -k -j <path to save log C:\>
I needed to add a path to save the logs on my Windows 2003 AD SP2.
Thank you,
DropZone67, 7/20/2011

Add error on line 111: No Such Attribute
After running this command:
ldifde -i -v -f BitLockerTPMSchemaExtension.ldf -c "DC=X" "DC=nttest,dc=microsoft,dc=com" -k -j .
we received this error:
Add error on line 111: No Such Attribute
We then ran this command instead and were successful:
ldifde -i -v -f BitLockerTPMSchemaExtension.ldf -c "DC=X" "dc=microsoft,dc=com" -k -j .
dougzuck, 11/12/2010