After ownership of the Trusted Platform Module (TPM) has been taken, the TPM owner can limit which TPM commands can be run by using Group Policy or TPM Management.

Understanding TPM commands

The TPM hardware is a passive hardware device. It does not initiate or interrupt processes on the computer. Instead, it accepts and responds to commands from other applications, such as device drivers and operating systems. The current version of the TPM command specification defined by the Trusted Computing Group provides a set of 120 standard commands for use in directing the operation of the TPM. These commands are displayed when you select Command Management in TPM Management.

For a reference to the list of commands in TPM Management, see the Trusted Platform Module (TPM) Specifications (http://go.microsoft.com/fwlink/?LinkID=139770).

Blocking and allowing TPM commands

You can control which commands the TPM on your computer can accept and respond to by selecting the command in Command Management and then choosing whether the TPM is allowed to accept it or is blocked from accepting it. There are three possible lists of blocked commands: the default list provided with the operating system, a list maintained on the local computer and managed by local administrators, and the list of commands controlled by Group Policy objects. If a TPM command exists in any of the lists, it will be blocked from the TPM. If a service or application attempts to run a blocked command, an error will be returned to the service or application that sent the command.

For more information, see Control TPM Command Blocking by Using TPM Management.

Using Group Policy to control TPM commands

The Group Policy settings for TPM services are located in Computer Configuration\Administrative Templates\System\Trusted Platform Module Services. The following policy settings can be used to control TPM commands; each setting name is followed by its description.

Configure the list of blocked TPM commands

This policy setting allows you to manage the Group Policy list of TPM commands blocked by Windows. If you enable this policy setting, Windows will block the commands you specify in this setting from being sent to the TPM on the computer. TPM commands are referenced by a command number. For example, command number 129 is TPM_OwnerReadInternalPub, and command number 170 is TPM_FieldUpgrade. To add commands to this list, enable the setting and then click Show to open the list of blocked commands. In the Show Contents dialog box, click in the Value field and type the command number that you want to block. If you want to block multiple commands, enter each command number on a separate line of the list.

If this setting is disabled or not configured, the Group Policy block list is not used, and only those TPM commands specified through the default or local lists will be blocked by Windows.

Ignore the default list of blocked TPM commands

This policy setting allows you to enforce or ignore the computer's default list of blocked TPM commands. If you enable this policy setting, Windows will ignore the computer's default list of blocked TPM commands and will only block those TPM commands specified by Group Policy or the local list. The default list of blocked TPM commands is preconfigured by Windows. The commands on the default list have either been deprecated by the Trusted Computing Group or have privacy implications that should be considered before allowing these commands to be used with TPMs in your organization.

Ignore the local list of blocked TPM commands

This policy setting allows you to enforce or ignore the computer's local list of blocked TPM commands. If you enable this policy setting, Windows will ignore the computer's local list of blocked TPM commands and will only block those TPM commands specified by Group Policy or the default list.

For more information, see Control TPM Command Blocking by Using Group Policy.
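The three lists and the two Ignore settings described above combine into one effective set of blocked command numbers. The following PowerShell script is added here as an illustration; it is not part of this article and is not code from TPM Management. It implements the merge rule (a command is blocked if it appears in any list that is not being ignored) and shows how the lists could be read from the registry. The registry paths in $PolicyKey and $LocalKey, the "List" subkey layout and the value names Enabled, IgnoreDefaultList and IgnoreLocalList are assumptions about how these policy settings are stored; the function names are introduced here and the sample lists are constructed from the two command numbers the article names.

```powershell
# Added example (not from the original article). Computes the set of TPM
# command numbers Windows will block under the rules described above:
# a command is blocked if it appears in ANY of the three lists (default,
# local, Group Policy), except that the "Ignore the default list" and
# "Ignore the local list" policies remove those lists from consideration.
#
# ASSUMPTION: the registry locations below are where the TPM Services policy
# settings are stored. Verify them on your own systems before relying on them.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM\BlockedCommands'   # assumed path
$LocalKey  = 'HKLM:\SOFTWARE\Microsoft\Tpm\BlockedCommands'            # assumed path

function Get-EffectiveBlockedTpmCommands {
    # Merges the default, local and Group Policy block lists into the sorted
    # set of command numbers the TPM driver will reject.
    param(
        [int[]] $DefaultList = @(),
        [int[]] $LocalList   = @(),
        [int[]] $PolicyList  = @(),
        [bool]  $IgnoreDefaultList = $false,
        [bool]  $IgnoreLocalList   = $false
    )
    $blocked = New-Object 'System.Collections.Generic.HashSet[int]'
    if (-not $IgnoreDefaultList) { foreach ($c in $DefaultList) { [void]$blocked.Add($c) } }
    if (-not $IgnoreLocalList)   { foreach ($c in $LocalList)   { [void]$blocked.Add($c) } }
    # The Group Policy list cannot be ignored; it always contributes.
    foreach ($c in $PolicyList) { [void]$blocked.Add($c) }
    return @($blocked | Sort-Object)
}

function Read-TpmCommandList {
    # Reads a "List" subkey laid out the way the Group Policy list box stores
    # entries (assumption): one value per command number, value data holding
    # the number. A missing key yields an empty list.
    param([string] $KeyPath)
    $listPath = Join-Path $KeyPath 'List'
    if (-not (Test-Path $listPath)) { return @() }
    $item = Get-ItemProperty -Path $listPath
    $item.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match '^\d+$' } |
        ForEach-Object { [int]$_.Value }
}

function Get-TpmBlockedCommandReport {
    # Reads the local and Group Policy lists plus the two Ignore flags from the
    # (assumed) registry locations. The default list is built into Windows and
    # is not read here; pass it in if you have it from TPM Management.
    param([int[]] $DefaultList = @())
    $policy = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $policyEnabled = ($null -ne $policy -and $policy.Enabled -eq 1)
    $policyList = if ($policyEnabled) { Read-TpmCommandList $PolicyKey } else { @() }
    Get-EffectiveBlockedTpmCommands `
        -DefaultList $DefaultList `
        -LocalList (Read-TpmCommandList $LocalKey) `
        -PolicyList $policyList `
        -IgnoreDefaultList ($null -ne $policy -and $policy.IgnoreDefaultList -eq 1) `
        -IgnoreLocalList   ($null -ne $policy -and $policy.IgnoreLocalList -eq 1)
}

# Constructed sample data (not from a real system), using the two commands the
# article names: 129 (TPM_OwnerReadInternalPub) and 170 (TPM_FieldUpgrade).
$sampleDefault = @(170)
$sampleLocal   = @(129)
$samplePolicy  = @(129)

Write-Output 'All lists honoured:'
Get-EffectiveBlockedTpmCommands -DefaultList $sampleDefault -LocalList $sampleLocal -PolicyList $samplePolicy

Write-Output 'Default list ignored (170 drops out):'
Get-EffectiveBlockedTpmCommands -DefaultList $sampleDefault -LocalList $sampleLocal -PolicyList $samplePolicy -IgnoreDefaultList $true

Write-Output 'Local list ignored (129 stays, because Group Policy also lists it):'
Get-EffectiveBlockedTpmCommands -DefaultList $sampleDefault -LocalList $sampleLocal -PolicyList $samplePolicy -IgnoreLocalList $true
```

The last two calls show the point that matters when troubleshooting: ignoring the local list does not unblock command 129 while Group Policy still names it, so a command that is unexpectedly rejected has to be traced through every list that is still in force, not just the one an administrator edited.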

Blocking new commands

Because some hardware vendors may have provided additional commands or the Trusted Computing Group may decide to add new commands in the future, TPM Management supports the ability to block new commands through the Block New Command item on the Action menu. If there is an additional command that you do not want your TPM to be able to accept, click Block New Command and then type the number of the command.