OVAL

Turn on TPM backup to Active Directory Domain Services

ID: oval:org.secpod.oval:def:19338
Date: (C)2014-05-29   (M)2023-07-04
Class: COMPLIANCE
Family: windows




The "Turn on TPM backup to Active Directory Domain Services" machine setting should be configured correctly.

This policy setting allows you to manage the Active Directory Domain Services (AD DS) backup of Trusted Platform Module (TPM) owner information. TPM owner information includes a cryptographic hash of the TPM owner password. Certain TPM commands can only be run by the TPM owner. This hash authorizes the TPM to run these commands.

If you enable this policy setting, TPM owner information will be automatically and silently backed up to AD DS when you use Windows to set or change a TPM owner password.

If you select the option to "Require TPM backup to AD DS", a TPM owner password cannot be set or changed unless the computer is connected to the domain and the AD DS backup succeeds. This option is selected by default to help ensure that TPM owner information is available. Otherwise, AD DS backup is attempted but network or other backup failures do not impact TPM management. Backup is not automatically retried and the TPM owner information may not have been stored in AD DS during BitLocker setup.

If you disable or do not configure this policy setting, TPM owner information will not be backed up to AD DS.

Fix:
(1) GPO: Computer Configuration\Administrative Templates\System\Trusted Platform Module Services\Turn on TPM backup to Active Directory Domain Services
(2) KEY: HKLM\Software\Policies\Microsoft\TPM\ActiveDirectoryBackup

Platform:
Microsoft Windows Server 2008 R2
Reference:
CCE-11567-5
CPE    1
cpe:/o:microsoft:windows_server_2008:r2
CCE    1
CCE-11567-5
XCCDF    1
xccdf_org.secpod_benchmark_general_Windows_Server_2008_R2

© SecPod Technologies