Group Policy Quick Tip – Enable Backup of the TPM Password

If you’re using BitLocker, you need to be backing up the TPM owner password. By default, Windows does not back up this information when you encrypt a computer with BitLocker. Should you need to make changes to the TPM device, you’ll need this password.

Where is the policy located?
Computer Configuration > Policies > Administrative Templates > System > Trusted Platform Module Services > Turn on TPM backup to Active Directory Domain Services

How should the policy be configured?
Set the policy to Enabled and check Require TPM backup to AD DS.

Enable TPM Password Backup Group Policy

Where do I view the TPM password in Active Directory? 
In Active Directory Users and Computers, make sure that you’ve got Advanced Features enabled. Go to the View menu and make sure there is a checkbox by Advanced Features.

In the Computer object Properties, click on the Attribute Editor tab. Scroll down to the msTPM-OwnerInformation attribute.  Click the Edit button to view the full value.
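To check backup coverage across many machines instead of opening each computer object, the following added example (not part of the original post) reports which computer objects have msTPM-OwnerInformation populated without ever printing the value. It assumes the RSAT ActiveDirectory module is installed; the function name `Get-TpmBackupStatus` and the OU distinguished name are hypothetical placeholders.

```powershell
# Added example: report which computer objects have a TPM owner password
# backed up to AD DS, based on the msTPM-OwnerInformation attribute.
# Assumption: the RSAT ActiveDirectory module is available.
Import-Module ActiveDirectory

function Get-TpmBackupStatus {
    param(
        # Distinguished name of the OU to audit (caller supplies this).
        [Parameter(Mandatory)]
        [string]$SearchBase
    )

    Get-ADComputer -Filter * -SearchBase $SearchBase `
        -Properties 'msTPM-OwnerInformation', OperatingSystem |
        ForEach-Object {
            # Record only whether a value exists. The owner password itself
            # is a secret and is deliberately kept out of the report.
            [pscustomobject]@{
                Name              = $_.Name
                OperatingSystem   = $_.OperatingSystem
                TpmBackedUp       = -not [string]::IsNullOrEmpty($_.'msTPM-OwnerInformation')
                DistinguishedName = $_.DistinguishedName
            }
        }
}

# Constructed placeholder OU; replace with a real distinguished name.
$report = Get-TpmBackupStatus -SearchBase 'OU=Workstations,DC=example,DC=com'

# Machines that still need a backup, then a summary count per state.
$report | Where-Object { -not $_.TpmBackedUp } |
    Sort-Object Name |
    Format-Table Name, OperatingSystem -AutoSize

$report | Group-Object TpmBackedUp |
    Select-Object @{ Name = 'TpmBackedUp'; Expression = { $_.Name } }, Count
```

Run it with an account that can read the attribute; an account without read access sees an empty value, so every machine would be reported as not backed up.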

TPM Password Backup - View in GPMC
Kyle Beckman

Kyle is a Systems Administrator with 15+ years of experience. He currently works in Higher Education supporting everything from smartphones to desktop PCs to Hyper-V Failover Clusters. (If it has an IP address, he probably supports it!) He has also worked in Small Business IT consulting supporting a wide variety of businesses and non-profit organizations.

Kyle is also the Vice President of the Atlanta Windows Infrastructure and Virtualization User Group (WINVUG). You can find additional articles he's written on
Kyle Beckman

1 Comment

  1. I believe Windows 10 Anniversary Update (1607) has removed this functionality.
