To preserve the integrity of platform operations, certain TPM commands may not be executed by ordinary software on the platform; some, for example, are reserved for system software. When the TBS blocks a command, it does not forward the command to the TPM and instead returns an error (TBS_E_BLOCKED) to the caller. By default, the TBS blocks commands that could affect system privacy, security, or stability. The TBS also assumes that other parts of the software stack may further restrict access to certain commands to authorized entities.
There are three lists of blocked commands: a list controlled by Group Policy, a list controlled by local administrators, and a default list. A TPM command is blocked if it is on any of the lists. However, there are Group Policy flags that direct the TBS to ignore the local list and the default list. The Group Policy flags can be edited directly in the registry or accessed through the Group Policy Object Editor.
The Group Policy flags are under registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Tpm\BlockedCommands.
To determine which lists are used to block TPM commands, two DWORD values under that key are used as Boolean flags:
- IgnoreDefaultList: If set (the value exists and is nonzero), the TBS ignores the default blocked-commands list.
- IgnoreLocalList: If set (the value exists and is nonzero), the TBS ignores the local blocked-commands list.
Note that a flag counts as set only when the value both exists and is nonzero; a missing value and a value of 0 are equivalent. Because these flags live under the Policies hive, setting either one is a security-relevant change: IgnoreDefaultList in particular removes the protections the default list provides and should be audited.
To access the Group Policy Object Editor
- Click Start.
- Click Run.
- In the Open box, type gpedit.msc and click OK. The Group Policy Object Editor opens.
- Expand Computer Configuration.
- Expand Administrative Templates.
- Expand System.
- Expand Trusted Platform Module Services.
The settings under this node that correspond to the flags above are "Ignore the default list of blocked TPM commands" and "Ignore the local list of blocked TPM commands"; "Configure the list of blocked TPM commands" populates the Group Policy list.
The lists of specific blocked commands can be edited directly in the following registry locations.
- Group Policy list:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Tpm\BlockedCommands\List
- Local list:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\Tpm\BlockedCommands\List
- Default list:
HKEY_LOCAL_MACHINE\Software\Microsoft\Tpm\BlockedCommands\List
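The following PowerShell script is an added example, not code from the original page or from Microsoft. It reads the three lists and the two policy flags described above and computes the set of command ordinals the TBS will actually block on this machine, applying the rule that a command is blocked if it appears on any list that is not ignored. It assumes (as labelled in the comments) that each List key holds one value per blocked command whose value name is the command's decimal ordinal; only value names are used, so value data is never interpreted. The function Test-TpmCommandBlocked and the ordinal 18 used in the usage line are illustrative and not taken from the page.

```powershell
# Added example (not from the original page): audit the effective TBS blocked-command set.
# Assumption: each ...\BlockedCommands\List key contains one value per blocked command,
# named with the command's decimal ordinal (e.g. "18"). Only value names are read.

$PolicyKey   = 'HKLM:\Software\Policies\Microsoft\Tpm\BlockedCommands'
$PolicyList  = "$PolicyKey\List"
$LocalList   = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\Tpm\BlockedCommands\List'
$DefaultList = 'HKLM:\Software\Microsoft\Tpm\BlockedCommands\List'

function Test-IgnoreFlag {
    param([string]$Key, [string]$Name)
    # TBS semantics: the flag is set only if the value exists AND is nonzero.
    # A missing key, a missing value, or a value of 0 all mean "not set".
    if (-not (Test-Path -Path $Key)) { return $false }
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ([int]$item.$Name) -ne 0
}

function Get-BlockedOrdinals {
    param([string]$ListKey)
    # Returns the ordinals listed under one List key, or an empty array if absent.
    if (-not (Test-Path -Path $ListKey)) { return @() }
    $names = (Get-Item -Path $ListKey).GetValueNames() | Where-Object { $_ -match '^\d+$' }
    return @($names | ForEach-Object { [int]$_ })
}

function Get-EffectiveBlockedOrdinals {
    # Union of: the Group Policy list (always honoured), the local list unless
    # IgnoreLocalList is set, and the default list unless IgnoreDefaultList is set.
    $ignoreDefault = Test-IgnoreFlag -Key $PolicyKey -Name 'IgnoreDefaultList'
    $ignoreLocal   = Test-IgnoreFlag -Key $PolicyKey -Name 'IgnoreLocalList'

    $effective = [System.Collections.Generic.HashSet[int]]::new()
    foreach ($o in (Get-BlockedOrdinals $PolicyList)) { [void]$effective.Add($o) }
    if (-not $ignoreLocal)   { foreach ($o in (Get-BlockedOrdinals $LocalList))   { [void]$effective.Add($o) } }
    if (-not $ignoreDefault) { foreach ($o in (Get-BlockedOrdinals $DefaultList)) { [void]$effective.Add($o) } }

    [pscustomobject]@{
        IgnoreDefaultList = $ignoreDefault
        IgnoreLocalList   = $ignoreLocal
        GroupPolicyList   = @(Get-BlockedOrdinals $PolicyList)
        LocalList         = @(Get-BlockedOrdinals $LocalList)
        DefaultList       = @(Get-BlockedOrdinals $DefaultList)
        Effective         = @($effective | Sort-Object)
    }
}

function Test-TpmCommandBlocked {
    # Illustrative helper (assumed name): is a given ordinal on any honoured list?
    param([Parameter(Mandatory)][int]$Ordinal)
    return (Get-EffectiveBlockedOrdinals).Effective -contains $Ordinal
}

# Report, with a warning when policy disables the built-in protections.
$report = Get-EffectiveBlockedOrdinals
if ($report.IgnoreDefaultList) {
    Write-Warning 'IgnoreDefaultList is set: the TBS default blocked-command list is NOT enforced.'
}
if ($report.IgnoreLocalList) {
    Write-Warning 'IgnoreLocalList is set: the locally administered list is NOT enforced.'
}
$report | Format-List
"Ordinal 18 blocked: $(Test-TpmCommandBlocked -Ordinal 18)"   # 18 is an illustrative ordinal
```

Reading these keys needs no elevation, so the script can run as part of a routine configuration audit; writing to the Group Policy or local list, or setting either Ignore flag, requires administrative rights and is a change worth logging, since a set IgnoreDefaultList flag silently unblocks every command that the default list was protecting.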