IT Connect

Information technology tools and resources at the UW

Bitlocker Schema

#===============================================================================
#
# Active Directory Domain Services schema extension for
# BitLocker Drive Encryption and Trusted Platform Module (TPM) recovery
#
# This file contains attributes and class objects that enable
# Windows Server 2003 SP1 and Windows Server 2003 R2 domain controllers
# to store BitLocker and TPM recovery information.
#
# Change History:
# 11/2005 – Schema additions for Vista Beta 2 (matches “Longhorn” Server Beta 2)
# 5/2006 – Schema additions and updates for Vista RC1 (matches “Longhorn” Server Beta 3)
#
# NOTE: A schema extension is not necessary if the forest includes an installation
# of Windows Server Codename “Longhorn”.
#
# To extend the schema, use the LDIFDE tool on the schema master of the forest.
#
# Sample command:
# ldifde -i -v -f BitLockerTPMSchemaExtension.ldf -c “DC=X” “DC=nttest,dc=microsoft,dc=com” -k -j .
#
# For more information on LDIFDE tool, see
# http://support.microsoft.com/default.aspx?scid=kb;en-us;237677
#
# See related guide for setting up Active Directory Domain Services
# for BitLocker and TPM recovery.
#
#===============================================================================

#===============================================================================
# [Vista Beta 2 and up] TPM Recovery Information – Attributes
#===============================================================================

#
# ms-TPM-OwnerInformation
#
dn: CN=ms-TPM-OwnerInformation,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msTPM-OwnerInformation
adminDisplayName: TPM-OwnerInformation
adminDescription: This attribute contains the owner information of a particular TPM.
attributeId: 1.2.840.113556.1.4.1966
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
searchFlags: 136
schemaIdGuid:: bRpOqg1VBU6MNUr8uRep/g==
showInAdvancedViewOnly: TRUE

#===============================================================================
# [Vista Beta 2 and up] Bitlocker Recovery Information – Attributes
# NOTE: FVE is the acronym for Full Volume Encryption, a pre-release name
#===============================================================================

#
# ms-FVE-RecoveryGuid
#
dn: CN=ms-FVE-RecoveryGuid,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msFVE-RecoveryGuid
adminDisplayName: FVE-RecoveryGuid
adminDescription: This attribute contains the GUID associated with a Full Volume Encryption (FVE) recovery password.
attributeID: 1.2.840.113556.1.4.1965
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
searchFlags: 137
schemaIdGuid:: vAlp93jmoEews/hqAETAbQ==
showInAdvancedViewOnly: TRUE

#
# ms-FVE-RecoveryPassword
#
dn: CN=ms-FVE-RecoveryPassword,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msFVE-RecoveryPassword
adminDisplayName: FVE-RecoveryPassword
adminDescription: This attribute contains the password required to recover a Full Volume Encryption (FVE) volume.
attributeId: 1.2.840.113556.1.4.1964
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
searchFlags: 136
schemaIdGuid:: wRoGQ63IzEy3hSv6wg/GCg==
showInAdvancedViewOnly: TRUE

#===============================================================================
# [Vista Beta 2 and up] Attributes – Schema Update
#===============================================================================

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1

#===============================================================================
# [Vista Beta 2 and up] BitLocker Recovery Information – Class
#===============================================================================

#
# ms-FVE-RecoveryInformation
#
dn: CN=ms-FVE-RecoveryInformation,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: msFVE-RecoveryInformation
adminDisplayName: FVE-RecoveryInformation
adminDescription: This class contains a Full Volume Encryption recovery password with its associated GUID.
governsID: 1.2.840.113556.1.5.253
objectClassCategory: 1
subClassOf: top
systemMustContain: msFVE-RecoveryGuid
systemMustContain: msFVE-RecoveryPassword
systemPossSuperiors: computer
schemaIdGUID:: MF1x6lOP0EC9HmEJGG14LA==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)
defaultHidingValue: TRUE
defaultObjectCategory: CN=ms-FVE-RecoveryInformation,CN=Schema,CN=Configuration,DC=X

#===============================================================================
# [Vista Beta 2 and up] Classes – Schema Update
#===============================================================================

dn: CN=computer,CN=Schema,CN=Configuration,DC=X
#changetype: ntdsSchemaModify
changetype: modify
add: mayContain
mayContain: msTPM-OwnerInformation

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1

#===============================================================================
# [Vista RC1 and up] Bitlocker Recovery Information – Additional Attributes
#===============================================================================

#
# ms-FVE-VolumeGuid
#
dn: CN=ms-FVE-VolumeGuid,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msFVE-VolumeGuid
adminDisplayName: FVE-VolumeGuid
adminDescription: This attribute contains the GUID associated with a BitLocker-supported disk volume. Full Volume Encryption (FVE) was the pre-release name for BitLocker Drive Encryption.
attributeID: 1.2.840.113556.1.4.1998
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
searchFlags: 27
schemaIdGuid:: z6Xlhe7cdUCc/aydtqLyRQ==
showInAdvancedViewOnly: TRUE
isMemberOfPartialAttributeSet: TRUE
rangeUpper: 128

#
# ms-FVE-KeyPackage
#
dn: CN=ms-FVE-KeyPackage,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msFVE-KeyPackage
adminDisplayName: FVE-KeyPackage
adminDescription: This attribute contains a volume’s BitLocker encryption key secured by the corresponding recovery password. Full Volume Encryption (FVE) was the pre-release name for BitLocker Drive Encryption.
attributeId: 1.2.840.113556.1.4.1999
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
searchFlags: 152
schemaIdGuid:: qF7VH6eI3EeBKQ2qlxhqVA==
showInAdvancedViewOnly: TRUE
isMemberOfPartialAttributeSet: FALSE
rangeUpper: 102400

#===============================================================================
# [Vista RC1 and up] Additional Attributes – Schema Update
#===============================================================================

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1

#===============================================================================
# [Vista RC1 and up] Updates to BitLocker Recovery Information Class
#===============================================================================

dn: CN=ms-FVE-RecoveryInformation,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: adminDescription
adminDescription: This class contains BitLocker recovery information including GUIDs, recovery passwords, and keys. Full Volume Encryption (FVE) was the pre-release name for BitLocker Drive Encryption.

dn: CN=ms-FVE-RecoveryInformation,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: mayContain
mayContain: msFVE-VolumeGuid
mayContain: msFVE-KeyPackage

#===============================================================================
# [Vista RC1 and up] Updates to pre-RC1 Attributes
#===============================================================================

#
# Updates to ms-TPM-OwnerInformation
#

dn: CN=ms-TPM-OwnerInformation,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: searchFlags
searchFlags: 152

dn: CN=ms-TPM-OwnerInformation,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: rangeUpper
rangeUpper: 128

#
# Updates to ms-FVE-RecoveryGuid
#

dn: CN=ms-FVE-RecoveryGuid,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: adminDescription
adminDescription: This attribute contains the GUID associated with a BitLocker recovery password. Full Volume Encryption (FVE) was the pre-release name for BitLocker Drive Encryption.

dn: CN=ms-FVE-RecoveryGuid,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: searchFlags
searchFlags: 27

dn: CN=ms-FVE-RecoveryGuid,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: rangeUpper
rangeUpper: 128

dn: CN=ms-FVE-RecoveryGuid,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: isMemberOfPartialAttributeSet
isMemberOfPartialAttributeSet: TRUE

#
# Updates to ms-FVE-RecoveryPassword
#

dn: CN=ms-FVE-RecoveryPassword,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: adminDescription
adminDescription: This attribute contains a password that can recover a BitLocker-encrypted volume. Full Volume Encryption (FVE) was the pre-release name for BitLocker Drive Encryption.

dn: CN=ms-FVE-RecoveryPassword,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: searchFlags
searchFlags: 152

dn: CN=ms-FVE-RecoveryPassword,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: rangeUpper
rangeUpper: 256

#
# Reload the schema cache to pick up updated attributes
#

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1