BitLocker Schema


The following is the verbatim specification for the BitLocker schema (the LDIF file that extends Active Directory with the TPM and BitLocker recovery attributes and class).
#===============================================================================
#
# Active Directory Domain Services schema extension for
# BitLocker Drive Encryption and Trusted Platform Module (TPM) recovery
#
# This file contains attributes and class objects that enable
# Windows Server 2003 SP1 and Windows Server 2003 R2 domain controllers
# to store BitLocker and TPM recovery information.
#
# Change History:
# 11/2005 - Schema additions for Vista Beta 2 (matches "Longhorn" Server Beta 2)
# 5/2006 - Schema additions and updates for Vista RC1 (matches "Longhorn" Server Beta 3)
#
# NOTE: A schema extension is not necessary if the forest includes an installation
# of Windows Server Codename "Longhorn".
#
# To extend the schema, use the LDIFDE tool on the schema master of the forest.
#
# Sample command:
# ldifde -i -v -f BitLockerTPMSchemaExtension.ldf -c "DC=X" "DC=nttest,dc=microsoft,dc=com" -k -j .
#
# For more information on LDIFDE tool, see
# http://support.microsoft.com/default.aspx?scid=kb;en-us;237677
#
# See related guide for setting up Active Directory Domain Services
# for BitLocker and TPM recovery.
#
#===============================================================================

#===============================================================================
# [Vista Beta 2 and up] TPM Recovery Information - Attributes
#===============================================================================

#
# ms-TPM-OwnerInformation
#
dn: CN=ms-TPM-OwnerInformation,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msTPM-OwnerInformation
adminDisplayName: TPM-OwnerInformation
adminDescription: This attribute contains the owner information of a particular TPM.
attributeId: 1.2.840.113556.1.4.1966
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
searchFlags: 136
schemaIdGuid:: bRpOqg1VBU6MNUr8uRep/g==
showInAdvancedViewOnly: TRUE

#===============================================================================
# [Vista Beta 2 and up] Bitlocker Recovery Information - Attributes
# NOTE: FVE is the acronym for Full Volume Encryption, a pre-release name
#===============================================================================

#
# ms-FVE-RecoveryGuid
#
dn: CN=ms-FVE-RecoveryGuid,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msFVE-RecoveryGuid
adminDisplayName: FVE-RecoveryGuid
adminDescription: This attribute contains the GUID associated with a Full Volume Encryption (FVE) recovery password.
attributeID: 1.2.840.113556.1.4.1965
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
searchFlags: 137
schemaIdGuid:: vAlp93jmoEews/hqAETAbQ==
showInAdvancedViewOnly: TRUE

#
# ms-FVE-RecoveryPassword
#
dn: CN=ms-FVE-RecoveryPassword,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msFVE-RecoveryPassword
adminDisplayName: FVE-RecoveryPassword
adminDescription: This attribute contains the password required to recover a Full Volume Encryption (FVE) volume.
attributeId: 1.2.840.113556.1.4.1964
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
searchFlags: 136
schemaIdGuid:: wRoGQ63IzEy3hSv6wg/GCg==
showInAdvancedViewOnly: TRUE

#===============================================================================
# [Vista Beta 2 and up] Attributes - Schema Update
#===============================================================================
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

#===============================================================================
# [Vista Beta 2 and up] BitLocker Recovery Information - Class
#===============================================================================

#
# ms-FVE-RecoveryInformation
#
dn: CN=ms-FVE-RecoveryInformation,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: msFVE-RecoveryInformation
adminDisplayName: FVE-RecoveryInformation
adminDescription: This class contains a Full Volume Encryption recovery password with its associated GUID.
governsID: 1.2.840.113556.1.5.253
objectClassCategory: 1
subClassOf: top
systemMustContain: msFVE-RecoveryGuid
systemMustContain: msFVE-RecoveryPassword
systemPossSuperiors: computer
schemaIdGUID:: MF1x6lOP0EC9HmEJGG14LA==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)
defaultHidingValue: TRUE
defaultObjectCategory: CN=ms-FVE-RecoveryInformation,CN=Schema,CN=Configuration,DC=X

#===============================================================================
# [Vista Beta 2 and up] Classes - Schema Update
#===============================================================================
dn: CN=computer,CN=Schema,CN=Configuration,DC=X
#changetype: ntdsSchemaModify
changetype: modify
add: mayContain
mayContain: msTPM-OwnerInformation
-

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

#===============================================================================
# [Vista RC1 and up] Bitlocker Recovery Information - Additional Attributes
#===============================================================================

#
# ms-FVE-VolumeGuid
#
dn: CN=ms-FVE-VolumeGuid,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msFVE-VolumeGuid
adminDisplayName: FVE-VolumeGuid
adminDescription: This attribute contains the GUID associated with a BitLocker-supported disk volume. Full Volume Encryption (FVE) was the pre-release name for BitLocker Drive Encryption.
attributeID: 1.2.840.113556.1.4.1998
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
searchFlags: 27
schemaIdGuid:: z6Xlhe7cdUCc/aydtqLyRQ==
showInAdvancedViewOnly: TRUE
isMemberOfPartialAttributeSet: TRUE
rangeUpper: 128

#
# ms-FVE-KeyPackage
#
dn: CN=ms-FVE-KeyPackage,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msFVE-KeyPackage
adminDisplayName: FVE-KeyPackage
adminDescription: This attribute contains a volume's BitLocker encryption key secured by the corresponding recovery password. Full Volume Encryption (FVE) was the pre-release name for BitLocker Drive Encryption.
attributeId: 1.2.840.113556.1.4.1999
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
searchFlags: 152
schemaIdGuid:: qF7VH6eI3EeBKQ2qlxhqVA==
showInAdvancedViewOnly: TRUE
isMemberOfPartialAttributeSet: FALSE
rangeUpper: 102400

#===============================================================================
# [Vista RC1 and up] Additional Attributes - Schema Update
#===============================================================================
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

#===============================================================================
# [Vista RC1 and up] Updates to BitLocker Recovery Information Class
#===============================================================================
dn: CN=ms-FVE-RecoveryInformation,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: adminDescription
adminDescription: This class contains BitLocker recovery information including GUIDs, recovery passwords, and keys. Full Volume Encryption (FVE) was the pre-release name for BitLocker Drive Encryption.
-

dn: CN=ms-FVE-RecoveryInformation,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: mayContain
mayContain: msFVE-VolumeGuid
mayContain: msFVE-KeyPackage
-

#===============================================================================
# [Vista RC1 and up] Updates to pre-RC1 Attributes
#===============================================================================

#
# Updates to ms-TPM-OwnerInformation
#
dn: CN=ms-TPM-OwnerInformation,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: searchFlags
searchFlags: 152
-

dn: CN=ms-TPM-OwnerInformation,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: rangeUpper
rangeUpper: 128
-

#
# Updates to ms-FVE-RecoveryGuid
#
dn: CN=ms-FVE-RecoveryGuid,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: adminDescription
adminDescription: This attribute contains the GUID associated with a BitLocker recovery password. Full Volume Encryption (FVE) was the pre-release name for BitLocker Drive Encryption.
-

dn: CN=ms-FVE-RecoveryGuid,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: searchFlags
searchFlags: 27
-

dn: CN=ms-FVE-RecoveryGuid,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: rangeUpper
rangeUpper: 128
-

dn: CN=ms-FVE-RecoveryGuid,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: isMemberOfPartialAttributeSet
isMemberOfPartialAttributeSet: TRUE
-

#
# Updates to ms-FVE-RecoveryPassword
#
dn: CN=ms-FVE-RecoveryPassword,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: adminDescription
adminDescription: This attribute contains a password that can recover a BitLocker-encrypted volume. Full Volume Encryption (FVE) was the pre-release name for BitLocker Drive Encryption.
-

dn: CN=ms-FVE-RecoveryPassword,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: searchFlags
searchFlags: 152
-

dn: CN=ms-FVE-RecoveryPassword,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: rangeUpper
rangeUpper: 256
-

#
# Reload the schema cache to pick up updated attributes
#
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
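The security-relevant detail in the file above is the searchFlags value on the secret-bearing attributes: msFVE-RecoveryPassword, msFVE-KeyPackage and msTPM-OwnerInformation are defined with 136 and later raised to 152, and both values include the 0x80 bit (fCONFIDENTIAL), so a domain controller returns them only to principals that hold CONTROL_ACCESS on the attribute rather than to anyone with plain read rights. The GUID attributes, by contrast, end up at 27, which is indexed and replicated to the global catalog but not confidential. The Python below is an added example, not Microsoft's code or any part of the schema file: it parses a constructed excerpt of the records above (three attribute definitions plus the RC1 modify records), applies the records in order, decodes searchFlags using the bit names from MS-ADTS, converts the base64 schemaIdGuid to GUID form, and reports any secret-bearing attribute left without the confidential bit. The SECRET_ATTRIBUTES set is the example's own policy assumption; the LDIF itself does not declare which attributes are secrets.

```python
"""Audit searchFlags in a BitLocker/TPM AD schema LDIF (added example, not part
of Microsoft's schema file). Parses add/modify records, applies them in order,
decodes the searchFlags bit field and base64 schemaIdGuid, and flags any
secret-bearing attribute that lacks fCONFIDENTIAL (0x80)."""
import base64
import uuid

# searchFlags bit names as defined in MS-ADTS.
SEARCH_FLAG_NAMES = {0x01: "fATTINDEX", 0x02: "fPDNTATTINDEX", 0x04: "fANR",
                     0x08: "fPRESERVEONDELETE", 0x10: "fCOPY", 0x20: "fTUPLEINDEX",
                     0x40: "fSUBTREEATTINDEX", 0x80: "fCONFIDENTIAL"}
CONFIDENTIAL = 0x80
# Auditor's policy (assumption, not declared by the LDIF): these hold secrets.
SECRET_ATTRIBUTES = {"msTPM-OwnerInformation", "msFVE-RecoveryPassword", "msFVE-KeyPackage"}
CONTROL_ATTRS = {"dn", "changetype", "add", "replace", "delete"}

# Constructed excerpt of the page's LDIF: three attribute definitions plus the
# RC1 modify records that change two of their searchFlags values.
SAMPLE_LDIF = """\
dn: CN=ms-FVE-RecoveryGuid,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msFVE-RecoveryGuid
searchFlags: 137
schemaIdGuid:: vAlp93jmoEews/hqAETAbQ==

dn: CN=ms-FVE-RecoveryPassword,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msFVE-RecoveryPassword
searchFlags: 136
schemaIdGuid:: wRoGQ63IzEy3hSv6wg/GCg==

dn: CN=ms-FVE-KeyPackage,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msFVE-KeyPackage
searchFlags: 152
schemaIdGuid:: qF7VH6eI3EeBKQ2qlxhqVA==

dn: CN=ms-FVE-RecoveryGuid,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: searchFlags
searchFlags: 27
-

dn: CN=ms-FVE-RecoveryPassword,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: searchFlags
searchFlags: 152
-
"""


def parse_ldif(text):
    """Return records as lists of (name, value) in file order. Comments and '-'
    separators are dropped, '::' values are base64-decoded to bytes, and a
    leading space continues the previous line (LDIF folding)."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    records, current = [], []
    for line in unfolded + [""]:
        if line.startswith("#") or line == "-":
            continue
        if not line.strip():
            if current:
                records.append(current)
            current = []
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):  # 'attr:: <base64>'
            current.append((name, base64.b64decode(value[1:].strip())))
        else:
            current.append((name, value.strip()))
    return records


def apply_schema(records):
    """Apply add/modify records in order -> {dn: {attr: last value}}.
    'replace:'/'add:' of a single-valued attribute simply overwrite it."""
    schema = {}
    for rec in records:
        fields = dict(rec)
        dn = fields.get("dn")
        if fields.get("changetype") == "add":
            schema[dn] = {}
        if dn in schema:  # skip modifies of objects the excerpt never defined
            schema[dn].update((n, v) for n, v in rec if n not in CONTROL_ATTRS)
    return schema


def attribute_report(text):
    """{ldapDisplayName: {searchFlags, flags, confidential, schemaIdGuid}}"""
    report = {}
    for attrs in apply_schema(parse_ldif(text)).values():
        if attrs.get("objectClass") != "attributeSchema":
            continue
        flags = int(attrs.get("searchFlags", 0))
        report[attrs["ldapDisplayName"]] = {
            "searchFlags": flags,
            "flags": [n for bit, n in sorted(SEARCH_FLAG_NAMES.items()) if flags & bit],
            "confidential": bool(flags & CONFIDENTIAL),
            # schemaIdGuid is stored in the 16-byte little-endian GUID layout
            "schemaIdGuid": str(uuid.UUID(bytes_le=attrs["schemaIdGuid"])),
        }
    return report


def unprotected_secrets(text):
    """Secret-bearing attributes readable with plain read rights (no fCONFIDENTIAL)."""
    return sorted(n for n, i in attribute_report(text).items()
                  if n in SECRET_ATTRIBUTES and not i["confidential"])


if __name__ == "__main__":
    for name, info in attribute_report(SAMPLE_LDIF).items():
        print(f"{name:24} {info['searchFlags']:>4}  {' '.join(info['flags'])}")
    print("unprotected secrets:", unprotected_secrets(SAMPLE_LDIF) or "none")
```

Run as-is it lists the decoded flags per attribute and reports no unprotected secrets for the excerpt. The same functions can be pointed at the full .ldf file, or at an LDIF export of the CN=Schema container, to confirm that the confidential bit on the recovery-password and key-package attributes survived every later modify record, which is the check worth repeating after any third-party schema change.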