It is designed for the very typical corporate situation of "I don't trust my users". If you don't have admin rights on that machine, you can't get or bypass them easily by e.g. taking the drive out, imaging it, and reading that on another computer. The keys stored in the TPM are also available to the domain controller, not (easily) to the (non-admin) Windows user.
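A defender-side check of the design the comment describes, added here as an example (it is not part of the original comment): it confirms the volume is bound to the machine's TPM and that the recovery password is escrowed to Active Directory rather than held by the local user. It assumes a domain-joined Windows host with the BitLocker PowerShell module in an elevated session; `$MountPoint` is a hypothetical parameter.

```powershell
# Added example (not from the original post): audit a BitLocker volume's key protectors
# and make sure its recovery password is escrowed to Active Directory.
# Assumes a domain-joined Windows machine, the BitLocker module, and an elevated session.
param([string]$MountPoint = "C:")   # hypothetical parameter

# The TPM must be present and ready for BitLocker to seal the volume master key to this platform.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    Write-Warning "TPM not present or not ready; BitLocker cannot bind the volume key to this machine."
}

$vol = Get-BitLockerVolume -MountPoint $MountPoint
Write-Output ("Protection: {0}, Encryption: {1}" -f $vol.ProtectionStatus, $vol.VolumeStatus)

# Without a TPM protector, the disk is not tied to this machine and imaging it elsewhere is not blocked.
$types = $vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }
if ($types -notcontains "Tpm") {
    Write-Warning "No TPM protector: the volume is not bound to this machine's TPM."
}

# The recovery password is what the domain holds; escrow it to AD DS so the local user never needs it.
$recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq "RecoveryPassword" }
if (-not $recovery) {
    Write-Warning "No recovery password protector; add one with Add-BitLockerKeyProtector -RecoveryPasswordProtector."
} else {
    foreach ($rp in $recovery) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId
        Write-Output ("Recovery protector {0} backed up to AD DS." -f $rp.KeyProtectorId)
    }
}
```

Run it once per volume from an administrator prompt; a warning on any of the three checks means the "take the drive out and read it elsewhere" case is not actually covered the way the comment assumes.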