Delegating control in Active Directory grants a user or group only the permissions they need for a task, without adding them to privileged groups such as Domain Admins. Organizational units (OUs) are the usual delegation boundary: you delegate administration of the objects inside an OU, such as users or computers, to a designated individual or group, and the permissions inherit to the objects beneath it.

The TPM owner password is what allows the TPM to be enabled, disabled or cleared without physical access to the device, for example remotely with the command-line tools. It also allows the TPM's dictionary-attack (lockout) logic to be reset or adjusted. Windows takes ownership of the TPM automatically as part of TPM auto-provisioning, which runs at boot when the TPM is not already provisioned. Ownership changes only when you share the password or clear the TPM so that someone else can initialize it.

Related guides on this site:
– How to hide the Default BitLocker Drive Encryption item in the Windows Control Panel
– How to delegate control for BitLocker recovery keys in Active Directory
– How to deploy Microsoft BitLocker Administration and Monitoring Tool
– How to enable or disable BitLocker Drive Encryption on Windows 10 and Virtual Machines
– How to clear, enable or disable TPM in Windows via the BIOS or UEFI
Starting with Windows 10, version 1607, and in Windows 11, Windows does not retain the TPM owner password when it provisions the TPM: the password is set to a random high-entropy value and then discarded. Clearing or resetting the TPM returns it to an unowned state; after the clear, Windows 10 or 11 automatically re-initializes the TPM and takes ownership again, so BitLocker keeps working without manual intervention. Note that clearing the TPM destroys the key material sealed in it, so BitLocker-protected volumes must be suspended first, or the recovery key will be required at the next boot.

You can change a registry value so that the owner password is retained, but we strongly recommend that you do not. To retain it, set the REG_DWORD value 'OSManagedAuthLevel' under 'HKLM\Software\Policies\Microsoft\TPM' to 4. The default is 2, and unless the value is changed to 4 before the TPM is provisioned, the owner password is not saved; changing it afterwards has no effect until the TPM is cleared and provisioned again.
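The following script is an added example, not code from the original post: it reads the OSManagedAuthLevel policy value described above and compares it with the live TPM state reported by Get-Tpm, so you can confirm that a machine is not retaining its owner password (and spot the case where the value was changed after provisioning and therefore never took effect). It uses only the built-in TrustedPlatformModule cmdlets and is meant to be run in an elevated PowerShell session on Windows 10 or 11.

```powershell
# Added example (not from the original post): audit TPM owner-password retention.
# Reads the policy value from the registry and the live state from Get-Tpm.

$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM'
$valueName  = 'OSManagedAuthLevel'

# 2 = Delegated (default): Windows keeps only delegated auth, owner password discarded.
# 4 = Full: owner password retained (not recommended).
# The value is only honoured if it was set before the TPM was provisioned,
# so the registry alone does not tell you what the TPM is actually doing.
$levelNames = @{ 0 = 'None'; 2 = 'Delegated'; 4 = 'Full' }

$policyValue = (Get-ItemProperty -Path $policyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($null -eq $policyValue) {
    Write-Host "Policy value ${valueName}: not set (defaults to 2 = Delegated)"
} else {
    $name = if ($levelNames.ContainsKey([int]$policyValue)) { $levelNames[[int]$policyValue] } else { 'unknown' }
    Write-Host "Policy value ${valueName}: $policyValue ($name)"
}

# Live TPM state (TrustedPlatformModule module, built into Windows 10/11).
$tpm = Get-Tpm

Write-Host ("TPM present/ready/owned : {0}/{1}/{2}" -f $tpm.TpmPresent, $tpm.TpmReady, $tpm.TpmOwned)
Write-Host "Auto-provisioning        : $($tpm.AutoProvisioning)"
Write-Host "Managed auth level       : $($tpm.ManagedAuthLevel)"

# OwnerAuth is empty when Windows discarded the owner password, which is the
# expected state on Windows 10 1607+ and Windows 11.
$retained = -not [string]::IsNullOrEmpty($tpm.OwnerAuth)
Write-Host "Owner password retained  : $retained"

if ($retained) {
    Write-Warning 'This machine retains its TPM owner password. To return to the default,'
    Write-Warning 'set OSManagedAuthLevel back to 2 (or remove it), suspend BitLocker, then'
    Write-Warning 'clear and re-provision the TPM (Clear-Tpm); the change does not apply otherwise.'
}
```

The script only reports; it never changes the policy value or clears the TPM, because clearing the TPM invalidates the keys BitLocker has sealed in it and must be done deliberately with BitLocker suspended.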
Backing up the TPM owner information for a computer allows administrators in a domain to remotely configure the TPM security hardware on the local computer. For example, administrators might want to reset the TPM to the manufacturer's defaults when they decommission or repurpose computers, without having to be present at the computer. To delegate the right to write this information to Active Directory to a group that is not an administrator, follow the steps below.

Launch Active Directory Users and Computers. I will be using "dsa.msc" to launch the ADUC snap-in as shown below.

This opens the Active Directory Users and Computers (ADUC) console. In ADUC (dsa.msc), right-click the OU that contains your computer objects and select "Delegate Control".

This opens the Delegation of Control Wizard.
– Click "Next" on the welcome page to continue.

On the "Users or Groups" page, click "Add" and add the group you wish to delegate the right to back up TPM owner information to AD. Here is a similar guide for BitLocker recovery keys: "How to backup existing and new BitLocker recovery keys to Active Directory using a simple script".
– Click "Next" to proceed.

Select "Create a custom task to delegate", then click "Next".

Select "Only the following objects in the folder", select "Computer objects", and then click "Next".

Under "Show these permissions", clear "General" and select "Property-specific". In the Permissions list, select "Write msTPM-OwnerInformation", and click "Next".

Click "Finish" to complete the delegation. The group now has a Write Property ACE for msTPM-OwnerInformation that is inherited by the computer objects under the OU, and nothing else.
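The same delegation can be scripted, which is easier to repeat across OUs and to audit. The script below is an added example, not code from the original post: it creates the ACE the wizard steps above produce (Write Property on msTPM-OwnerInformation, inherited by computer objects only) using the ActiveDirectory module and the AD: drive it provides. The OU distinguished name and group name are placeholders to replace with your own. The schema GUIDs for the attribute and for the computer class are looked up from the forest schema rather than hard-coded. One caveat worth knowing: msTPM-OwnerInformation is the attribute on the computer object used by the original (Windows Vista/7) TPM backup design; with the Windows Server 2012 and later schema, Windows 8 and later write TPM information to objects in the TPM Devices container instead, and, as the post notes, Windows 10 1607+ does not retain the owner password at all unless OSManagedAuthLevel was set to 4 before provisioning, so in practice this ACE only matters for computers configured that way.

```powershell
# Added example (not from the original post): delegate Write Property on
# msTPM-OwnerInformation to a group, for computer objects under an OU.
# Requires RSAT (ActiveDirectory module) and rights to modify the OU's ACL.

Import-Module ActiveDirectory

$ouDn      = 'OU=Workstations,DC=corp,DC=example'   # assumed OU holding the computer objects
$groupName = 'TPM-Backup-Operators'                 # assumed delegate group (sAMAccountName)

# Resolve schemaIDGUIDs from the schema partition instead of hard-coding them.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$ldapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$ldapDisplayName' not found; is the TPM schema extension present?" }
    [guid]$obj.schemaIDGUID
}
$attrGuid  = Get-SchemaGuid 'msTPM-OwnerInformation'   # attribute being delegated
$classGuid = Get-SchemaGuid 'computer'                 # inherit only onto computer objects

$group = Get-ADGroup -Identity $groupName
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID

# WriteProperty, scoped to the one attribute, inherited by descendant computer
# objects only (Descendents = inherit-only; the ACE does not apply to the OU itself).
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $attrGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $classGuid)

$aclPath = "AD:\$ouDn"
$acl = Get-Acl -Path $aclPath
$acl.AddAccessRule($ace)
Set-Acl -Path $aclPath -AclObject $acl

# Verify: show every ACE on the OU that targets the msTPM-OwnerInformation attribute.
# Expect one Allow/WriteProperty entry for the group with InheritedObjectType = computer class GUID.
Get-Acl -Path $aclPath |
    Select-Object -ExpandProperty Access |
    Where-Object { $_.ObjectType -eq $attrGuid } |
    Format-Table IdentityReference, AccessControlType, ActiveDirectoryRights, InheritanceType, InheritedObjectType -AutoSize
```

Keep the ACE this narrow: granting WriteProperty without an attribute GUID, or without the inherited-object-type restriction, would let the group modify every attribute of every object under the OU, which is far more than the task needs.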
I hope you found this blog post helpful. If you have any questions, please let me know in the comment section.