The storage architecture on a Computer Object is not a simple single-value attribute. Instead, it utilizes a child-object structure.
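An added example, not from the original page, that shows this child-object layout in practice: it lists the msFVE-RecoveryInformation objects stored one level beneath a computer object and reports whether each carries a key package. It assumes the RSAT ActiveDirectory module, read access to the msFVE-* attributes, the msFVE-RecoveryGuid and msFVE-VolumeGuid schema attributes alongside msFVE-KeyPackage, and a placeholder computer name.

```powershell
# Added example (not the page's own code): inventory BitLocker recovery
# information escrowed under a computer object without printing any secrets.
# Assumes the RSAT ActiveDirectory module is installed.
Import-Module ActiveDirectory

function Get-BitLockerEscrowSummary {
    param([Parameter(Mandatory)][string]$ComputerName)

    $computer = Get-ADComputer -Identity $ComputerName

    # Recovery information is not an attribute of the computer itself; each
    # protector is a separate msFVE-RecoveryInformation child object.
    Get-ADObject -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' `
                 -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
                 -Properties 'msFVE-RecoveryGuid','msFVE-VolumeGuid','msFVE-KeyPackage','whenCreated' |
      ForEach-Object {
        [pscustomobject]@{
            Computer      = $computer.Name
            # GUIDs are stored as octet strings; convert them for display
            RecoveryGuid  = [guid]::new([byte[]]$_.'msFVE-RecoveryGuid')
            VolumeGuid    = [guid]::new([byte[]]$_.'msFVE-VolumeGuid')
            # The optional key package is only present when the client sent it
            HasKeyPackage = $null -ne $_.'msFVE-KeyPackage'
            Escrowed      = $_.whenCreated
        }
      }
}

# 'WORKSTATION01' is a placeholder computer name
Get-BitLockerEscrowSummary -ComputerName 'WORKSTATION01' | Format-Table -AutoSize
```

A computer that returns no rows has nothing escrowed, which is the condition an administrator most wants to catch before a drive fails.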
However, beginning with Windows 10 and Windows Server 2016, the default behavior changed. The TPM OwnerAuth is now stored only locally, in the TPM registry hive (when the system is configured to retain it), and is no longer backed up to AD automatically by default, because the TPM 2.0 standard handles authorization differently from TPM 1.2. Administrators must be aware of this distinction when managing mixed environments.
msFVE-KeyPackage: An optional package used to recover data if the drive is physically damaged.

Requirements for Storage
To facilitate management, Microsoft provides a dedicated feature that must be installed via Server Manager (under Remote Server Administration Tools > Feature Administration Tools). Once installed:
In the modern ADAC tool, you can search for a computer and find the recovery keys listed under the "Extensions" or "BitLocker Recovery" section, depending on your server version.
To store BitLocker recovery keys in AD, the following requirements must be met: