Turn on TPM backup to Active Directory Domain Services

This policy setting allows you to manage the Active Directory Domain Services (AD DS) backup of Trusted Platform Module (TPM) owner information.

TPM owner information includes a cryptographic hash of the TPM owner password. Certain TPM commands can only be run by the TPM owner, and this hash is the owner authorization value the TPM requires before it will run them. Losing it means losing the ability to run owner-only commands such as clearing the TPM from the OS.

If you enable this policy setting, TPM owner information will be automatically and silently backed up to AD DS when you use Windows to set or change a TPM owner password.

If you select the option to "Require TPM backup to AD DS", a TPM owner password cannot be set or changed unless the computer is connected to the domain and the AD DS backup succeeds. This option is selected by default to help ensure that TPM owner information is available. If it is not selected, AD DS backup is still attempted, but network or other backup failures do not block TPM management. Backup is not automatically retried, so the TPM owner information may never have been stored in AD DS, including when the TPM was initialized during BitLocker setup.

If you disable or do not configure this policy setting, TPM owner information will not be backed up to AD DS.

Note: You must first set up the appropriate schema extensions (the attribute that holds TPM owner information on the computer object) and access control settings (each computer account needs permission to write that attribute on its own object) on the domain before AD DS backup can succeed. Consult online documentation for more information about setting up Active Directory Domain Services for TPM.

Note: The TPM cannot be used to provide enhanced security features for BitLocker Drive Encryption and other applications without first setting an owner. To take ownership of the TPM with an owner password, run "tpm.msc" and select the action to "Initialize TPM".

Note: If the TPM owner information is lost or is not available, limited TPM management is possible by running "tpm.msc" on the local computer.
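The two notes above say that the backup can only succeed if the schema and ACL are in place, and that without the stored owner information only limited management is possible. The following PowerShell is an added example (not part of the ADMX text) for checking from a domain-joined administrative workstation whether a given computer's owner information actually reached AD DS and whether the computer account has a write ACE on its own object. It assumes the RSAT ActiveDirectory module; the attribute names msTPM-OwnerInformation (Windows Vista/7-era schema) and msTPM-TpmInformationForComputer (Windows 8 and later, which link to a separate TPM information object) are the ones I know from the TPM schema extensions, and the ACL check is deliberately coarse (any SELF WriteProperty allow ACE), so treat a positive result as "plausible", not proven.

```powershell
# Added example: verify that a computer's TPM owner information is backed up in
# AD DS and that the computer account can write its own TPM attributes.
# Assumes RSAT ActiveDirectory module; attribute names as described above.
Import-Module ActiveDirectory

function Test-TpmOwnerInfoBackup {
    param([Parameter(Mandatory)][string]$ComputerName)

    $computer = Get-ADComputer -Identity $ComputerName `
        -Properties 'msTPM-OwnerInformation', 'msTPM-TpmInformationForComputer'

    $ownerInfo = $computer.'msTPM-OwnerInformation'          # Vista/7-era storage
    $linked    = $computer.'msTPM-TpmInformationForComputer' # Win8+ link to TPM object

    # The ACE the schema setup must add: SELF allowed WriteProperty, so the
    # machine can store its own owner information. Coarse check: any SELF
    # WriteProperty allow ACE on the object, not the attribute-specific one.
    $acl = Get-Acl -Path ('AD:\' + $computer.DistinguishedName)
    $selfWrite = $acl.Access | Where-Object {
        $_.IdentityReference -eq 'NT AUTHORITY\SELF' -and
        $_.ActiveDirectoryRights -match 'WriteProperty' -and
        $_.AccessControlType -eq 'Allow'
    }

    [pscustomobject]@{
        Computer            = $computer.Name
        HasOwnerInformation = -not [string]::IsNullOrEmpty($ownerInfo)
        LinkedTpmObject     = [string]$linked
        SelfCanWrite        = [bool]$selfWrite
    }
}

# Usage: hypothetical computer name.
Test-TpmOwnerInfoBackup -ComputerName 'WS01'
```

A computer that shows SelfCanWrite = False will fail the backup every time, and with "Require TPM backup to AD DS" selected that means no owner password can be set on it at all; fix the ACL before troubleshooting the client.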

Supported on: At least Windows Vista

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: Software\Policies\Microsoft\TPM
Value Name: ActiveDirectoryBackup
Value Type: REG_DWORD
Enabled Value: 1
Disabled Value: 0

Require TPM backup to AD DS (checkbox)
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: Software\Policies\Microsoft\TPM
Value Name: RequireActiveDirectoryBackup
Value Type: REG_DWORD
Default Value: 1 (selected)
True Value: 1
False Value: 0

If selected, a TPM owner password cannot be set or changed when the AD DS backup fails; because BitLocker setup takes ownership of the TPM, turning on BitLocker fails in that case too (recommended default).

If not selected, the owner password can be set and BitLocker can be turned on even if the backup fails. The backup is not automatically retried.
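The registry values above are what Group Policy writes; the script below is an added example (not from the ADMX or its documentation) that reads them on a client and reports the resulting behaviour in the terms the policy text uses, and can enforce the recommended setting. Treating a missing RequireActiveDirectoryBackup as "required" mirrors the checkbox default in the table; that mapping is my assumption, not something the ADMX states for the absent-value case. Run it elevated; a value set locally under HKLM\Software\Policies is overwritten at the next policy refresh unless the GPO agrees.

```powershell
# Added example: audit and optionally enforce the TPM AD DS backup policy values.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM'

# Returns the DWORD, or $null when the key or value does not exist.
function Get-PolicyDword([string]$Name) {
    $item = Get-ItemProperty -Path $PolicyKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-TpmAdBackupPolicy {
    $enabled  = Get-PolicyDword 'ActiveDirectoryBackup'
    $required = Get-PolicyDword 'RequireActiveDirectoryBackup'

    if ($null -eq $enabled) {
        $effect = 'Not configured: TPM owner information is not backed up to AD DS'
    } elseif ($enabled -ne 1) {
        $effect = 'Disabled: TPM owner information is not backed up to AD DS'
    } elseif ($null -eq $required -or $required -eq 1) {
        # Assumption: absent value behaves like the checkbox default (selected).
        $effect = 'Enabled, backup required: owner password cannot be set or changed unless the AD DS backup succeeds'
    } else {
        $effect = 'Enabled, backup optional: backup attempted, failures do not block TPM management and are not retried'
    }

    [pscustomobject]@{
        ActiveDirectoryBackup        = $enabled
        RequireActiveDirectoryBackup = $required
        Effect                       = $effect
    }
}

# Writes the recommended configuration (enabled and required) unless told otherwise.
function Set-TpmAdBackupPolicy {
    param([bool]$Enabled = $true, [bool]$Required = $true)
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name 'ActiveDirectoryBackup'        -Type DWord -Value ([int]$Enabled)
    Set-ItemProperty -Path $PolicyKey -Name 'RequireActiveDirectoryBackup' -Type DWord -Value ([int]$Required)
}

Get-TpmAdBackupPolicy
```

Pair the audit with the AD-side check: "Enabled, backup required" on a machine whose computer account cannot write its TPM attribute is the combination that locks administrators out of TPM initialization rather than protecting anything.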

The items below describe BitLocker recovery information, which AD DS can store alongside the TPM owner information. The choice of which items to store is made in the separate BitLocker backup-to-AD DS policy, not in this TPM policy:

A recovery password is a 48-digit number that unlocks access to a BitLocker-protected drive.

A key package contains a drive's BitLocker encryption key secured by one or more recovery passwords.

Key packages may help perform specialized recovery when the disk is damaged or corrupted, because the recovery password alone cannot unlock a drive whose metadata is unreadable.


ADMX file: tpm.admx (Administrative Templates, Computer Configuration)