Skip to content

TechDirectArchive

Hands-on IT, Cloud, Security, Veeam & DevOps

  • Home
  • About
  • Advertise With US
  • Reviews
  • Contact
  • Toggle search form

How to delegate permissions for backing up TPM password

Posted on 15/10/202117/07/2024 IT Expert By IT Expert No Comments on How to delegate permissions for backing up TPM password
  1. Home
  2. Network | Monitoring
  3. How to delegate permissions for backing up TPM password
Delegating permissions

By delegating control over Active Directory, you are granting users or groups the permissions they need without adding users to privileged groups like Domain Admins, etc. You can use organizational units (OUs) to delegate the administration of objects, such as users or computers, within the OU to a designated individual or group. In this article, we will discuss How to delegate permissions for backing up TPM password. Please see How to enable or disable BitLocker Drive Encryption on Windows 10 and Virtual Machines, and how to clear, enable or disable TPM in Windows via the BIOS or UEFI.

The TPM owner password allows the ability to enable, disable, or clear the TPM without having physical access to the device. For example, by using the command-line tools remotely. The TPM owner password also allows manipulation of the TPM dictionary attack logic. Taking ownership of the TPM is performed by Windows as part of the provisioning process on each boot.

Furthermore, Ownership can change when you share the password or clear your ownership of the TPM so someone else can initialize it.: How to hide the Default BitLocker Drive Encryption item in the Windows Control Panel, how to delegate control for Bitlocker recovery keys in Active Directory, how to deploy Microsoft BitLocker Administration and Monitoring Tool,

Although the TPM owner password is not retained starting with Windows 10, version 1607, or Windows 11. You can change a default registry key to retain it.

However, we strongly recommend that you do not make this change. To retain the TPM owner password, set the registry key ‘HKLM\Software\Policies\Microsoft\TPM’ [REG_DWORD] ‘OSManagedAuthLevel’ to 4. The default value for this key is 2, and unless it is changed to 4 before the TPM is provisioned, the owner password will not be saved.

Windows will not retain the TPM owner password when provisioning the TPM. The password will be set to a random high entropy value and then discarded. Clearing or resetting the TPM resets it to an unowned state. After the TPM is cleared, Windows 10 or 11 OS will automatically re-initialize it and take ownership again.  In this way, the BitLocker encryptions work without any issues.

Delegate permissions Backing up TPM Password

However, Backing up the TPM owner information for a computer allows administrators in a domain to configure the TPM security hardware on the local computer remotely. Moreover, administrators might want to reset the TPM to the manufacturer’s defaults when they decommission or repurpose computers without being present at the computer.

In addition, To delegate this right to an Administrator, please follow the steps below. Launch the Active Directory Users and Computers. I will be using the “dsa.msc” to launch the ADUC snap-in as shown below.

TPM password backup

Nonetheless, This will open the Active Directory Users and Computers console (ADUC). In ADUC (dsa.msc), right-click on the OU that contains your computer objects, and select “Delegate Control”.

Backing up TPM credentials

Click on Next to continue

Permission delegation process

Consequently, This will open the Delegation of Control wizard. Click on Add

Delegating permissions

Here is a similar guide on how to do this “How to backup existing and new BitLocker recovery keys to Active Directory using a simple script“.

Similarly, Add the group you wish to delegate the right to backup BitLocker passwords to AD. Click on Next to proceed.

Screenshot-2021-10-15-at-20.40.59

Select “Create a custom take to delegate”, then click “Next”.

TPM password backup

Select “Only the following objects in the folder”, select “Computer objects”, and then click “Next”.

Screenshot-2021-10-15-at-22.16.59

De-select “General“, and select select Property-specific. Select “Property-specific“, select “Write msTPM-OwnerInformation“, and click “Next”.

Screenshot-2021-10-15-at-22.19.32

Click on Finish to complete the process of delegating permissions for backing up TPM password information.

Screenshot-2021-10-15-at-22.22.30

FAQs

What happens if you return a BitLocker volume to its original PC?

After being moved to a different computer, if the volume is moved back to original TPM it may reuse its original keys, provided they were not over-written. Each BitLocker™ instance will have a single set of keys if the keys are stored and have not been removed from the original computer the volume should work without recovery when moved back to the original computer

What happens when a User loses his BitLocker PIN?

The recovery key (RK) or recovery password must be used if the PIN is lost. When the PIN scenario is enabled and the new encrypted VMK blob
is stored, the system shall remove the encrypted VMK blob that was encrypted with only the TPM, if such blob is present – except for RK/RK or Recovery Password. In this manner, at next boot, the system will require the two-factor authentication, instead of working with only a TPM. Note: A user is able to change PIN, but it will not be saved/escrowed programmatically

I hope you found this blog post on How to delegate permissions for backing up TPM password helpful. If you have any questions, please let me know in the comment session.

5/5 - (1 vote)

Thank you for reading this post. Kindly share it with others.

  • Share on X (Opens in new window) X
  • Share on Reddit (Opens in new window) Reddit
  • Share on LinkedIn (Opens in new window) LinkedIn
  • Share on Facebook (Opens in new window) Facebook
  • Share on Pinterest (Opens in new window) Pinterest
  • Share on Tumblr (Opens in new window) Tumblr
  • Share on Telegram (Opens in new window) Telegram
  • Share on WhatsApp (Opens in new window) WhatsApp
  • Share on Mastodon (Opens in new window) Mastodon
  • Share on Bluesky (Opens in new window) Bluesky
  • Share on Threads (Opens in new window) Threads
  • Share on Nextdoor (Opens in new window) Nextdoor
Network | Monitoring Tags:Bitlocker, TPM, Windows 10, Windows 11

Post navigation

Previous Post: Delegate control for BitLocker recovery keys in Active Directory
Next Post: Git config –global init.defaultBranch: Error cannot lock ref ‘refs/remotes/origin/windows’, not a directory

Related Posts

  • Reverse Image Search
    How to Perform a Reverse Image Search on Your Browsers Network | Monitoring
  • Screenshot 2020 05 14 at 19.09.08
    How to backup a Cisco IOS Network | Monitoring
  • screenshot 2020 03 15 at 00.58.30
    Fix failed to open session for the virtual machine GNS3 VM Network | Monitoring
  • cisco catalyst switch 1
    How to Reset a Cisco 3650 Catalyst Switch Network | Monitoring
  • Featured image Two Factor Authentication
    Change Two-Factor Authentication in Microsoft 365/Office 365 Network | Monitoring
  • Grammarly integration with Word on Mac
    Integrate Grammarly in Microsoft Word on Mac Network | Monitoring

More Related Articles

Reverse Image Search How to Perform a Reverse Image Search on Your Browsers Network | Monitoring
Screenshot 2020 05 14 at 19.09.08 How to backup a Cisco IOS Network | Monitoring
screenshot 2020 03 15 at 00.58.30 Fix failed to open session for the virtual machine GNS3 VM Network | Monitoring
cisco catalyst switch 1 How to Reset a Cisco 3650 Catalyst Switch Network | Monitoring
Featured image Two Factor Authentication Change Two-Factor Authentication in Microsoft 365/Office 365 Network | Monitoring
Grammarly integration with Word on Mac Integrate Grammarly in Microsoft Word on Mac Network | Monitoring

Leave a Reply Cancel reply

You must be logged in to post a comment.

Microsoft MVP

VEEAMLEGEND

vexpert-badge-stars-5

Virtual Background

GoogleNews

Categories

veeaam100

Veeam Vanguard

  • Resize Proxmox VM
    How to Resize or Expand Proxmox Hard Drive Virtualization
  • img 5c0128ea77f3f
    Systeminfo switches: How to use Systeminfo command-line tool switches Windows
  • Azure VMware Solution Private Cloud
    How To Deploy Azure VMware Solution Private Cloud AWS/Azure/OpenShift
  • FimageUbuntuUpgrade
    How to Upgrade From Ubuntu 20.04 LTS to 22.04 LTS Linux
  • Featured image 10
    Add a Printer Using an IP Address in Windows 11 Network | Monitoring
  • savds
    VM is not accessible: Fix Taking ownership of a VM failed Virtualization
  • vmwarevinchin
    3 Ways to Convert VMware VMs to Hyper-V Backup
  • Azure Load Balancer: Configuring for SQL Server Always On Availability Group Listener on Azure Virtual Machines AWS/Azure/OpenShift

Subscribe to Blog via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 1,784 other subscribers
  • RSS - Posts
  • RSS - Comments
  • About
  • Authors
  • Write for us
  • Advertise with us
  • General Terms and Conditions
  • Privacy policy
  • Feedly
  • Telegram
  • Youtube
  • Facebook
  • Instagram
  • LinkedIn
  • Tumblr
  • Pinterest
  • Twitter
  • mastodon

Tags

Active Directory Azure Bitlocker Microsoft Windows PowerShell WDS Windows 10 Windows 11 Windows Deployment Services Windows Server 2016

Copyright © 2025 TechDirectArchive

Loading Comments...

You must be logged in to post a comment.