Appendix A: Checking BitLocker and TPM Schema Objects

To enable the backup of BitLocker and TPM recovery information in Active Directory, a total of six schema objects are created in the Active Directory schema.

You can use the following procedure to verify whether these objects exist in your Active Directory installation.

To examine and verify BitLocker and TPM schema objects

  1. Log on to the domain controller with an account in the Domain Admins group.

  2. Open the ADSI Edit snap-in. Click Start, click Run, type adsiedit.msc, and then click OK.


    This snap-in is in Windows Support Tools. To download the Windows Support Tools for Windows Server 2003 with Service Pack 1, see

  3. Open the Schema container, and then open the folder containing available schema objects (see the following figure).

  4. Find by name the following schema objects:

    • CN= ms-FVE-KeyPackage – attributeSchema object
    • CN=ms-FVE-RecoveryGuid – attributeSchema object
    • CN=ms-FVE-RecoveryInformation – classSchema object
    • CN=ms-FVE-RecoveryPassword – attributeSchema object
    • CN=ms-FVE-VolumeGuid – attributeSchema object
    • CN=ms-TPM-OwnerInformation – attributeSchema object

The following screen image represents a typical search for schema objects:

Viewing BitLocker and TPM objects in the ADSI Edit