How to delegate permissions for backing up TPM password

Delegating permissions

By delegating control over Active Directory, you are granting users or groups the permissions they need without adding users to privileged groups like Domain Admins, etc. You can use organizational units (OUs) to delegate the administration of objects, such as users or computers, within the OU to a designated individual or group. The TPM owner password allows the ability to enable, disable, or clear the TPM without having physical access to the device. For example, by using the command-line tools remotely. The TPM owner password also allows manipulation of the TPM dictionary attack logic. Taking ownership of the TPM is performed by Windows as part of the provisioning process on each boot.

Furthermore, Ownership can change when you share the password or clear your ownership of the TPM so someone else can initialize it.: How to hide the Default BitLocker Drive Encryption item in the Windows Control Panel, how to delegate control for Bitlocker recovery keys in Active Directory, how to deploy Microsoft BitLocker Administration and Monitoring Tool, How to enable or disable BitLocker Drive Encryption on Windows 10 and Virtual Machines, and how to clear, enable or disable TPM in Windows via the BIOS or UEFI.

Although the TPM owner password is not retained starting with Windows 10, version 1607, or Windows 11, you can change a default registry key to retain it. However, we strongly recommend that you do not make this change. To retain the TPM owner password, set the registry key 'HKLM\Software\Policies\Microsoft\TPM' [REG_DWORD] 'OSManagedAuthLevel' to 4. The default value for this key is 2, and unless it is changed to 4 before the TPM is provisioned, the owner password will not be saved.

Windows will not retain the TPM owner password when provisioning the TPM. The password will be set to a random high entropy value and then discarded. Clearing or resetting the TPM resets it to an unowned state. After the TPM is cleared, Windows 10 or 11 OS will automatically re-initialize it and take ownership again.  In this way, the BitLocker encryptions work without any issues.

However, Backing up the TPM owner information for a computer allows administrators in a domain to configure the TPM security hardware on the local computer remotely. Moreover, administrators might want to reset the TPM to the manufacturer’s defaults when they decommission or repurpose computers without being present at the computer. In addition, To delegate this right to an Administrator, please follow the steps below. Launch the Active Directory Users and Computers. I will be using the “dsa.msc” to launch the ADUC snap-in as shown below.

TPM password backup

Nonetheless, This will open the Active Directory Users and Computers console (ADUC). In ADUC (dsa.msc), right-click on the OU that contains your computer objects, and select “Delegate Control”.
– Click on Next to continue

Consequently, This will open the Delegation of Control wizard. Click on Add

Delegating permissions

Similarly, Add the group you wish to delegate the right to backup BitLocker passwords to AD. Here is a similar guide on how to do this “How to backup existing and new BitLocker recovery keys to Active Directory using a simple script“.
– Click on Next to proceed.


Select “Create a custom take to delegate”, then click “Next”.

TPM password backup

Select “Only the following objects in the folder”, select “Computer objects”, and then click “Next”.


De-select “General“, and select select Property-specific. Select “Property-specific“, select “Write msTPM-OwnerInformation“, and click “Next”.


Click on Finish to complete the process of delegating permissions for backing up TPM password information.


I hope you found this blog post helpful. If you have any questions, please let me know in the comment session.

Notify of

Inline Feedbacks
View all comments
Would love your thoughts, please comment.x