It is important to keep a backup copy of the TPM key on Windows. The TPM, or Trusted Platform Module, is a hardware component (a security chip) installed on the computer's motherboard. What is it for? The TPM is responsible for safely storing confidential system information: authentication credentials, digital certificates, encryption keys, and so on.
Back up the TPM key in Windows 11 and 10
The fundamental requirement for using the TPM is to take ownership of it by generating our own unique key or password. This password is known as the TPM owner password and is separate from all other keys we store on the device. It is set the first time Windows boots and establishes ownership of the TPM chip installed in the system.
System administrators can back up the TPM owner information of a domain-joined computer to Active Directory Domain Services, the set of services in Microsoft's Active Directory that manages computers and other devices in a network domain. The information stored is a cryptographic hash of the TPM owner password.
This backup gives system administrators the ability to remotely configure the TPM on a local computer through Active Directory Domain Services when they need to reuse an old computer and reset the TPM to factory defaults. The saved information can also be used in recovery situations where the owner has forgotten the TPM password.
Creating a backup
The backup is enabled through a Group Policy setting. To configure it, do the following:
- Press the Windows + R keys to open the Run window.
- Type gpedit.msc and press the Enter key.
- The Local Group Policy Editor window should now appear. Navigate to the following location: Computer Configuration\Administrative Templates\System\Trusted Platform Module Services
- In the right-hand panel, double-click the option Activate TPM backup in Active Directory Domain Services.
- In the policy configuration window, select the Enabled option and click the Apply button.
- Click OK and restart the computer for the change to take effect.
To apply the Group Policy Object described above, you must log on to the domain-joined computer with a domain account that is a member of the local Administrators group.
It is also likely that the appropriate schema extensions must first be configured on the domain so that the backup can take place.
Once the setting is enabled, the TPM owner password cannot be set or changed unless the computer is connected to the network domain, so that the owner information can be backed up to Active Directory.
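As an added example (not part of the original article), the following PowerShell audit script lets an administrator verify the three preconditions the procedure above depends on: that the policy has actually applied to the local machine, that the domain schema carries the TPM extensions, and that the computer object in Active Directory now holds the TPM owner information. It assumes the built-in TrustedPlatformModule cmdlets and the RSAT ActiveDirectory module are available; the registry value name and the AD attribute names are assumptions drawn from the TPM backup policy and its schema extensions.

```powershell
# Added TPM-backup audit script; not from the original article.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

function Test-TpmBackupPolicyApplied {
    # Assumed: the GPO writes a DWORD ActiveDirectoryBackup=1 under this policy key.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM'
    $val = (Get-ItemProperty -Path $key -Name ActiveDirectoryBackup -ErrorAction SilentlyContinue).ActiveDirectoryBackup
    return ($val -eq 1)
}

function Get-TpmOwnershipState {
    # Get-Tpm reports whether a TPM is present, provisioned and owned.
    $tpm = Get-Tpm
    [pscustomobject]@{ Present = $tpm.TpmPresent; Ready = $tpm.TpmReady; Owned = $tpm.TpmOwned }
}

function Test-TpmSchemaExtension {
    # Assumed attribute from the TPM schema extensions; absent if the schema was never extended.
    Import-Module ActiveDirectory
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=msTPM-OwnerInformation)'
    return ($null -ne $attr)
}

function Test-AdTpmOwnerInformation {
    param([string]$ComputerName = $env:COMPUTERNAME)
    Import-Module ActiveDirectory
    # Assumed attribute names: the legacy hash attribute and the newer link attribute.
    $props = 'msTPM-OwnerInformation', 'msTPM-TpmInformationForComputer'
    $obj = Get-ADComputer -Identity $ComputerName -Properties $props
    $hasLegacy = -not [string]::IsNullOrEmpty($obj.'msTPM-OwnerInformation')
    $hasLinked = $null -ne $obj.'msTPM-TpmInformationForComputer'
    return ($hasLegacy -or $hasLinked)
}

# Report each check so a missing step stands out before the machine is re-provisioned.
$domainJoined = (Get-CimInstance Win32_ComputerSystem).PartOfDomain
Write-Host "Domain joined:            $domainJoined"
Write-Host "Backup policy applied:    $(Test-TpmBackupPolicyApplied)"
$state = Get-TpmOwnershipState
Write-Host "TPM present/ready/owned:  $($state.Present)/$($state.Ready)/$($state.Owned)"
if ($domainJoined) {
    Write-Host "Schema extension present: $(Test-TpmSchemaExtension)"
    Write-Host "Owner info in AD:         $(Test-AdTpmOwnerInformation)"
}
```

If the policy reports as applied but no owner information appears in AD, the usual causes are a missing schema extension or a machine that has not been connected to the domain since the TPM was provisioned.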