To preserve integrity of operations, certain TPM commands are not allowed to be executed by software on the platform. For example, some commands are only executed by system software. When the TBS blocks a command, an error is returned as appropriate. By default, the TBS blocks commands that could impact system privacy, security, and stability. The TBS also assumes that other parts of the software stack may restrict access to certain commands to authorized entities.
For TPM version 1.2 commands, there are three lists of blocked commands: a list controlled by group policy, a list controlled by local administrators, and a default list. A TPM command is blocked if it is on any of the lists. However, there are group policy flags to allow the TBS to ignore the local list and the default list. The group policy flags can be edited directly or accessed through the Group Policy Object Editor.
For TPM version 2.0 commands, the logic for blocking is inverted; it uses a list of allowed commands. This logic will automatically block commands that were not known when the list was first made. When commands are added to the TPM specification after a version of Windows has shipped, these new commands are automatically blocked. Only an update of the registry will add these new commands to the list of allowed commands.
The Group Policy flags are under registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Tpm\BlockedCommands.
To determine which lists should be used to block TPM commands, there are two DWORD values that are used as Boolean flags:
- If set (value exists and is nonzero), the TBS ignores the default blocked-commands list.
- If set (value exists and is nonzero), the TBS ignores the local blocked-commands list.
To access the Group Policy object editor
- Click Start.
- Click Run.
- In the Open box, type gpedit.msc. Click OK. The Group Policy object editor opens.
- Expand Computer Configuration.
- Expand Administrative Templates.
- Expand System.
- Expand Trusted Platform Module Services.
The lists of specific blocked TPM 1.2 commands can be edited directly in the following locations.
- Group policy list:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Tpm\BlockedCommands\List
- Local list:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\Tpm\BlockedCommands\List
- Default list:
HKEY_LOCAL_MACHINE\Software\Microsoft\Tpm\BlockedCommands\List
The list of specific allowed TPM 2.0 commands can be edited directly in the following location. Under the registry key, there is a list of registry values of REG_DWORD type. Each value represents an allowed TPM 2.0 command. Each registry value has a name and a value field. The name matches the hexadecimal TPM 2.0 command ordinal that should be allowed. The value has a value of 1 if the command is allowed. If a command ordinal is not present or has a value of 0, the command will be blocked.
- Default list:
HKEY_LOCAL_MACHINE\Software\Microsoft\Tpm\AllowedW8Commands\List
For Windows 8, Windows Server 2012 and later, the BlockedCommands and AllowedW8Commands registry keys respectively determine the blocked or allowed TPM commands for administrator accounts. User accounts have their own lists of blocked or allowed TPM commands in the BlockedUserCommands and AllowedW8UserCommands registry keys respectively. In Windows 10, version 1607, new registry keys were introduced for AppContainer applications: BlockedAppContainerCommands and AllowedW8AppContainerCommands.
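The following read-only audit script is an added example, not part of the Microsoft documentation or the TBS itself. It reads the TPM 2.0 allow lists for the three caller classes named above and reports whether a given command ordinal would pass the TBS filter, treating a missing value or a value of 0 as blocked. It assumes the User and AppContainer lists live under the same HKLM\Software\Microsoft\Tpm parent with a List subkey, as the default list does, and that value names may appear with or without a 0x prefix; the sample command codes are taken from the TPM 2.0 specification (Part 2).

```powershell
# Added example: audit which TPM 2.0 command ordinals the TBS allow lists permit.
# Assumption: all three allow lists use the same layout as the default list
# (HKLM\Software\Microsoft\Tpm\<Key>\List, REG_DWORD values named by hex ordinal).
$AllowListKeys = [ordered]@{
    Administrator = 'HKLM:\Software\Microsoft\Tpm\AllowedW8Commands\List'
    User          = 'HKLM:\Software\Microsoft\Tpm\AllowedW8UserCommands\List'
    AppContainer  = 'HKLM:\Software\Microsoft\Tpm\AllowedW8AppContainerCommands\List'
}

function Get-TbsAllowedOrdinals {
    # Returns a hashtable keyed by 8-digit uppercase hex ordinal for every allowed command.
    param([Parameter(Mandatory)][string]$KeyPath)
    $allowed = @{}
    if (-not (Test-Path -LiteralPath $KeyPath)) { return $allowed }   # no key: nothing is allowed
    $item = Get-Item -LiteralPath $KeyPath
    foreach ($name in $item.GetValueNames()) {
        if ($item.GetValueKind($name) -ne 'DWord') { continue }        # list entries are REG_DWORD
        $hex = $name -replace '^0x', ''                                  # accept "0x144" or "144"
        $ordinal = [uint32]0
        if (-not [uint32]::TryParse($hex, [System.Globalization.NumberStyles]::HexNumber, $null, [ref]$ordinal)) { continue }
        # A value of 0 means the ordinal is present but still blocked.
        if ([int]$item.GetValue($name) -ne 0) { $allowed[('{0:X8}' -f $ordinal)] = $true }
    }
    return $allowed
}

function Test-TbsCommandAllowed {
    # One row per caller class: is this ordinal allowed for administrators, users, AppContainers?
    param([Parameter(Mandatory)][uint32]$Ordinal)
    $key = '{0:X8}' -f $Ordinal
    foreach ($class in $AllowListKeys.Keys) {
        $allowed = Get-TbsAllowedOrdinals -KeyPath $AllowListKeys[$class]
        [pscustomobject]@{
            Caller  = $class
            Ordinal = "0x$key"
            Allowed = [bool]$allowed[$key]      # missing entry -> $false (blocked)
        }
    }
}

# Constructed sample: well-known TPM 2.0 command codes (TPM_CC values from the spec).
$Sample = [ordered]@{
    TPM2_Clear     = 0x126   # privileged: typically blocked for non-admin callers
    TPM2_Startup   = 0x144   # issued by system software during boot
    TPM2_GetRandom = 0x17B
    TPM2_PCR_Read  = 0x17E
}
foreach ($name in $Sample.Keys) {
    Test-TbsCommandAllowed -Ordinal $Sample[$name] |
        Select-Object @{ n = 'Command'; e = { $name } }, Caller, Ordinal, Allowed
} | Format-Table -AutoSize
```

Run it in an elevated or standard PowerShell session on a Windows 8 / Server 2012 or later host; it only reads the registry, so a missing AppContainer key (pre-1607 builds) simply reports every ordinal as blocked for that class.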