Was this page helpful?
Your feedback about this content is important. Let us know what you think.
Additional feedback?
1500 characters remaining
Export (0) Print
Expand All

Command Blocking

To preserve integrity of operations, certain TPM commands are not allowed to be executed by software on the platform. For example, some commands are only executed by system software. When the TBS blocks a command, an error is returned as appropriate. By default, the TBS blocks commands that could impact system privacy, security, and stability. The TBS also assumes that other parts of the software stack may restrict access to certain commands to authorized entities.

There are three lists of blocked commands: a list controlled by group policy, a list controlled by local administrators, and a default list. A TPM command is blocked if it is on any of the lists. However, there are group policy flags to allow the TBS to ignore the local list and the default list. The group policy flags can be edited directly or accessed through the Group Policy Object Editor.

Note  The list of locally blocked commands is not preserved after an upgrade to the operating system. Commands that are blocked on the Group Policy list are preserved.

Direct Registry Access

The Group Policy flags are under registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Tpm\BlockedCommands.

To determine which lists should be used to block TPM commands, there are two DWORD values that are used as Boolean flags:

  • "IgnoreDefaultList"

    If set (value exists and is nonzero), the TBS ignores the default blocked-commands list.

  • "IgnoreLocalList"

    If set (value exists and is nonzero), the TBS ignores the local blocked-commands list.

Group Policy Object Editor

Aa965898.wedge(en-us,VS.85).gifTo access the Group Policy object editor

  1. Click Start.
  2. Click Run.
  3. In the Open box, type gpedit.msc. Click OK. The Group Policy object editor opens.
  4. Expand Computer Configuration.
  5. Expand Administrative Templates.
  6. Expand System.
  7. Expand Trusted Platform Module Services.

The lists of specific blocked commands can be edited directly in the following locations.

  • Group policy list:
  • Local list:
  • Default list:
Under each of these registry keys, there is a list of registry values of REG_SZ type. Each value represents a blocked TPM command. Each registry key has a "Value name" field and a "Value data" field. Both fields ("Value Name" and "Value data"), should exactly match the decimal value of the TPM command ordinal to be blocked.



Community Additions

© 2015 Microsoft