TechDirectArchive

How to delegate permissions for backing up TPM password

Posted on 15/10/2021 (updated 17/07/2024) by Christian

By delegating control over Active Directory, you grant users or groups the permissions they need without adding them to privileged groups such as Domain Admins. You can use organizational units (OUs) to delegate the administration of objects within an OU, such as users or computers, to a designated individual or group. In this article, we discuss how to delegate permissions for backing up the TPM owner password. Please also see How to enable or disable BitLocker Drive Encryption on Windows 10 and Virtual Machines, and how to clear, enable or disable TPM in Windows via the BIOS or UEFI.

The TPM owner password makes it possible to enable, disable, or clear the TPM without physical access to the device, for example by using the command-line tools remotely. It also allows manipulation of the TPM dictionary attack logic. Windows takes ownership of the TPM as part of the provisioning process on each boot.

Ownership can also change when you share the password or clear your ownership of the TPM so that someone else can initialize it. Related guides: How to hide the Default BitLocker Drive Encryption item in the Windows Control Panel, how to delegate control for BitLocker recovery keys in Active Directory, and how to deploy the Microsoft BitLocker Administration and Monitoring Tool.

Starting with Windows 10, version 1607, and in Windows 11, the TPM owner password is not retained. You can change a registry value to retain it, but we strongly recommend that you do not make this change. To retain the TPM owner password, set the REG_DWORD value ‘OSManagedAuthLevel’ under ‘HKLM\Software\Policies\Microsoft\TPM’ to 4. The default value is 2, and unless it is changed to 4 before the TPM is provisioned, the owner password will not be saved.

With the default setting, Windows does not retain the TPM owner password when provisioning the TPM: the password is set to a random, high-entropy value and then discarded. Clearing or resetting the TPM returns it to an unowned state. After the TPM is cleared, Windows 10 or 11 automatically re-initializes it and takes ownership again, so BitLocker encryption continues to work without issues.

Delegate permissions for backing up the TPM password

Backing up the TPM owner information for a computer allows administrators in a domain to configure the TPM security hardware on the local computer remotely. For example, administrators might want to reset the TPM to the manufacturer’s defaults when they decommission or repurpose computers, without being present at the computer.

To delegate this right to an administrator, follow the steps below. Launch Active Directory Users and Computers. I will use “dsa.msc” to open the ADUC snap-in, as shown below.


This opens the Active Directory Users and Computers console (ADUC). In ADUC (dsa.msc), right-click the OU that contains your computer objects and select “Delegate Control”.


Click Next to continue.


This opens the Delegation of Control wizard. Click Add.


Here is a similar guide on how to do this: “How to backup existing and new BitLocker recovery keys to Active Directory using a simple script”.

Add the group to which you wish to delegate this right, then click Next to proceed.


Select “Create a custom task to delegate”, then click “Next”.


Select “Only the following objects in the folder”, tick “Computer objects”, and then click “Next”.


De-select “General” and select “Property-specific”. In the permission list, select “Write msTPM-OwnerInformation”, then click “Next”.


Click Finish to complete the delegation of permissions for backing up TPM owner information.
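After the wizard finishes, it is worth confirming that the resulting access control entry (ACE) on the OU is exactly the one intended: an Allow entry for WriteProperty on the msTPM-OwnerInformation attribute, applying to descendant Computer objects only. The PowerShell script below is an added example, not code from the original article; it assumes the ActiveDirectory RSAT module is available, and the OU distinguished name and group name are placeholders you replace with your own.

```powershell
# Added example (not from the article): verify that a group has been delegated
# "Write msTPM-OwnerInformation" on Computer objects in an OU.
# Assumes the ActiveDirectory module; OU DN and group name below are placeholders.
param(
    [string]$OUDistinguishedName = 'OU=Workstations,DC=example,DC=com',  # placeholder
    [string]$DelegatedGroup      = 'TPM-Backup-Operators'                 # placeholder
)
Import-Module ActiveDirectory

# Resolve the schema GUIDs at run time rather than hard-coding them.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attrGuid = [guid](Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=msTPM-OwnerInformation)' -Properties schemaIDGUID).schemaIDGUID
$compGuid = [guid](Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID).schemaIDGUID

# Read the OU's security descriptor through the AD: PSDrive.
$acl = Get-Acl -Path ("AD:\" + $OUDistinguishedName)

# The wizard's "Only the following objects" + "Write <attribute>" choice produces an
# ACE scoped by both GUIDs: ObjectType = attribute, InheritedObjectType = computer class.
$writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$match = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.ActiveDirectoryRights.HasFlag($writeProp) -and
    $_.ObjectType -eq $attrGuid -and
    $_.InheritedObjectType -eq $compGuid -and
    $_.IdentityReference.Value -like "*\$DelegatedGroup"
}

if ($match) {
    "Delegation present for $DelegatedGroup on $OUDistinguishedName"
    $match | Format-List IdentityReference, ActiveDirectoryRights, InheritanceType, IsInherited
} else {
    Write-Warning "No ACE grants $DelegatedGroup write on msTPM-OwnerInformation for computer objects in $OUDistinguishedName"
}

# Broader entries (e.g. GenericAll or WriteProperty on all attributes) also grant this right
# but are over-delegation; list any such entries for the group so they can be reviewed.
$acl.Access | Where-Object {
    $_.IdentityReference.Value -like "*\$DelegatedGroup" -and
    $_.ObjectType -eq [guid]::Empty -and
    $_.ActiveDirectoryRights -match 'GenericAll|WriteProperty|GenericWrite'
} | Format-List IdentityReference, ActiveDirectoryRights, InheritanceType
```

Run it from a domain-joined management host as a user who can read the OU's security descriptor; the final listing is empty when the group holds only the narrowly scoped entry.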


FAQs

What happens if you return a BitLocker volume to its original PC?

If a volume that was moved to a different computer is moved back to the original TPM, it may reuse its original keys, provided they were not overwritten. Each BitLocker instance has a single set of keys; if those keys are still stored on the original computer and have not been removed, the volume should work without recovery when moved back to it.

What happens when a User loses his BitLocker PIN?

The recovery key (RK) or recovery password must be used if the PIN is lost. When the PIN scenario is enabled and the new encrypted VMK blob is stored, the system removes the encrypted VMK blob that was encrypted with only the TPM, if such a blob is present, except for the RK or recovery password. In this manner, at the next boot the system requires the two-factor authentication instead of working with only the TPM. Note: a user is able to change the PIN, but it will not be saved/escrowed programmatically.

I hope you found this blog post on how to delegate permissions for backing up the TPM password helpful. If you have any questions, please let me know in the comment section.
