Manage TPM Commands
Applies To: Windows 8, Windows 8.1, Windows Server 2012, Windows Server 2012 R2
This topic for the IT professional describes how to manage which Trusted Platform Module (TPM) commands are available to domain users and to local users.
After a computer user takes ownership of the TPM, the TPM owner can limit which TPM commands can be run by creating a list of blocked TPM commands. The list can be created and applied to all computers in a domain by using Group Policy, or a list can be created for individual computers by using the TPM MMC. Because some hardware vendors might provide additional commands or the Trusted Computing Group may decide to add commands in the future, the TPM MMC also supports the ability to block new commands.
Domain administrators can configure a list of blocked TPM commands by using Group Policy. Local administrators cannot allow TPM commands that are blocked through Group Policy. For more information about this Group Policy setting, see Configure the list of blocked TPM commands.
Local administrators can block additional commands by using the TPM MMC. Commands on the computer's default block list are also blocked unless the Group Policy setting that ignores the default list is enabled.
Two further policy settings control whether the default list and the local list of blocked TPM commands are enforced. For more information about these policy settings, see:
- Ignore the default list of blocked TPM commands. This policy setting allows you to enforce or ignore the computer's default list of blocked TPM commands.
- Ignore the local list of blocked TPM commands. This policy setting allows you to enforce or ignore the computer's local list of blocked TPM commands.
The following procedures describe how to manage the TPM command lists. Membership in the local Administrators group or the ability to administer Group Policy are the minimum requirements for completing these procedures.
Note
Different versions of the Windows operating system have different methods to run a program or access a tool, so steps can vary. For example:
- In Windows 8, one way to run the TPM MMC is: On the Start screen, type tpm.msc.
- In Windows 8.1, one way to run the TPM MMC is: On the Start screen, click the Apps arrow. On the Apps screen, type tpm.msc.
To block TPM commands by using the Local Group Policy Editor
- Open the Local Group Policy Editor (gpedit.msc). If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.
Note
Administrators with appropriate rights in a domain can configure a Group Policy Object (GPO) that can be applied through Active Directory Domain Services (AD DS).
- In the console tree, under Computer Configuration, expand Administrative Templates, and then expand System.
- Under System, click Trusted Platform Module Services.
- In the details pane, double-click Configure the list of blocked TPM commands.
- Click Enabled, and then click Show.
- For each command that you want to block, click Add, enter the command number, and then click OK.
Note
There are hundreds of commands listed in the TPM MMC, and they are organized into many categories of functionality. For a reference to the list of commands in the TPM MMC, see the Trusted Platform Module (TPM) Specifications.
- After you have added numbers for each command that you want to block, click OK twice.
- Close the Local Group Policy Editor.
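The same policy can be authored and audited from Windows PowerShell. The following is an added example and not code from the original page: it writes the "Configure the list of blocked TPM commands" setting and the two Ignore settings into a domain GPO with the GroupPolicy module, and reads back what a managed computer received. The registry key Software\Policies\Microsoft\Tpm\BlockedCommands, its values Enabled, IgnoreDefaultList and IgnoreLocalList, and the List subkey are assumed to be what TPM.admx writes for these settings; the GPO name and the ordinals 91 and 93 (TPM_OwnerClear and TPM_ForceClear in the TPM 1.2 ordinal table) are placeholders.

```powershell
# Added example, not part of the original page: scripted equivalent of the
# Group Policy procedure above. Labelled assumptions: the key
# Software\Policies\Microsoft\Tpm\BlockedCommands and its values Enabled,
# IgnoreDefaultList, IgnoreLocalList and the List subkey are what TPM.admx
# writes for these settings; the GPO name and the ordinals 91 and 93
# (TPM_OwnerClear and TPM_ForceClear in the TPM 1.2 ordinal table) are
# placeholders. Requires the GroupPolicy module (RSAT) on a domain-joined
# administrative workstation.

#Requires -Modules GroupPolicy

$PolicyKey = 'HKLM\Software\Policies\Microsoft\Tpm\BlockedCommands'

function Set-TpmBlockedCommandPolicy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][uint32[]]$Ordinal,
        [switch]$IgnoreDefaultList,
        [switch]$IgnoreLocalList
    )
    # Enabled=1 switches the policy on. The list is stored as string values
    # named 1..n under the List subkey, so clear stale entries first: unlike
    # the editor, Set-GPRegistryValue does not delete values you no longer list.
    Remove-GPRegistryValue -Name $GpoName -Key "$PolicyKey\List" -ErrorAction SilentlyContinue | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName 'Enabled' -Type DWord -Value 1 | Out-Null
    $n = 0
    foreach ($o in ($Ordinal | Sort-Object -Unique)) {
        $n++
        Set-GPRegistryValue -Name $GpoName -Key "$PolicyKey\List" -ValueName "$n" -Type String -Value "$o" | Out-Null
    }
    # 1 = ignore that list, 0 = enforce it. Leaving both at 0 keeps the default
    # list and any MMC-created local list in force alongside the GPO list.
    Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName 'IgnoreDefaultList' -Type DWord -Value ([int]($IgnoreDefaultList.IsPresent)) | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName 'IgnoreLocalList'   -Type DWord -Value ([int]($IgnoreLocalList.IsPresent))   | Out-Null
}

function Get-TpmBlockedCommandPolicy {
    # Run on a managed computer after the GPO has applied (gpupdate /force).
    # Returns $null when no TPM command policy is in effect on this computer.
    $base = 'HKLM:\Software\Policies\Microsoft\Tpm\BlockedCommands'
    if (-not (Test-Path $base)) { return $null }
    $p = Get-ItemProperty -Path $base
    $list = @()
    if (Test-Path "$base\List") {
        # Get-ItemProperty also returns PSPath, PSParentPath and similar; keep
        # only the numeric value names that hold ordinals.
        $list = @((Get-ItemProperty -Path "$base\List").PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } |
            ForEach-Object { [uint32]$_.Value } | Sort-Object -Unique)
    }
    [pscustomobject]@{
        PolicyListEnabled   = ($p.Enabled -eq 1)
        BlockedByPolicy     = $list
        DefaultListEnforced = ($p.IgnoreDefaultList -ne 1)
        LocalListEnforced   = ($p.IgnoreLocalList -ne 1)
    }
}

# Usage (placeholder GPO name):
# Set-TpmBlockedCommandPolicy -GpoName 'TPM Command Policy' -Ordinal 91, 93
# Get-TpmBlockedCommandPolicy
```

Because the editor clears the List subkey every time the policy is saved, the script deletes that subkey before rewriting it; otherwise ordinals removed from the input would stay blocked on every computer that receives the GPO.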
To block or allow TPM commands by using the TPM MMC
- Open the TPM MMC (tpm.msc). If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.
- In the console tree, click Command Management. A list of TPM commands is displayed.
- In the list, select a command that you want to block or allow.
- Under Actions, click Block Selected Command or Allow Selected Command as needed. If Allow Selected Command is unavailable, that command is currently blocked by Group Policy.
To block new commands
- Open the TPM MMC (tpm.msc). If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.
- In the console tree, click Command Management. A list of TPM commands is displayed.
- In the Action pane, click Block New Command. The Block New Command dialog box is displayed.
- In the Command Number text box, type the number of the new command that you want to block, and then click OK. The command number you entered is added to the blocked list.
Use the TPM cmdlets
If you use Windows PowerShell to manage your computers, the TPM cmdlets give you a scripted way to perform TPM provisioning and status tasks (for example, Get-Tpm); the blocked-command lists themselves are managed through Group Policy or the TPM MMC as described above. To install the cmdlets, run the following command from an elevated command prompt:
dism /online /enable-feature /FeatureName:tpm-psh-cmdlets
For details about the individual cmdlets, see TPM Cmdlets in Windows PowerShell.
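The two TPM MMC procedures above (block, allow and block new command) can also be scripted. The following is an added example and not code from the original page or from the TPM cmdlets: it drives the local block list through the Win32_Tpm WMI class and then checks the effective blocked state. The namespace root\cimv2\Security\MicrosoftTpm and the methods IsCommandBlocked, AddBlockedCommand and RemoveBlockedCommand with a CommandOrdinal argument are assumed to be those exposed by the Win32_Tpm provider; confirm them on your build with Get-CimClass before relying on them. The ordinals 91 and 93 are placeholders (TPM_OwnerClear and TPM_ForceClear in the TPM 1.2 ordinal table); read the real number off the Command Management list.

```powershell
# Added example, not part of the original page: the TPM MMC local-list actions
# (Block Selected Command, Allow Selected Command, Block New Command) driven
# from PowerShell through the Win32_Tpm WMI class, with a check of the
# effective blocked state afterwards. Labelled assumptions: the namespace
# root\cimv2\Security\MicrosoftTpm and the methods IsCommandBlocked,
# AddBlockedCommand and RemoveBlockedCommand with a CommandOrdinal argument
# are those of the Win32_Tpm provider; confirm on your build with
#   (Get-CimClass -Namespace root\cimv2\Security\MicrosoftTpm Win32_Tpm).CimClassMethods
# The ordinals 91 and 93 are placeholders (TPM_OwnerClear and TPM_ForceClear
# in the TPM 1.2 ordinal table). Run from an elevated PowerShell prompt.

function Get-TpmProvider {
    # The namespace is restricted to administrators; a non-elevated call fails here.
    Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction Stop
}

function Test-TpmCommandBlocked {
    # Effective state: a command is reported blocked whether the default list,
    # the local list or Group Policy is responsible.
    param([Parameter(Mandatory)][uint32[]]$Ordinal)
    $tpm = Get-TpmProvider
    foreach ($o in $Ordinal) {
        $r = Invoke-CimMethod -InputObject $tpm -MethodName IsCommandBlocked -Arguments @{ CommandOrdinal = $o }
        [pscustomobject]@{
            Ordinal     = $o
            Blocked     = [bool]$r.Blocked
            ReturnValue = $r.ReturnValue   # 0 = success; anything else is a TBS/HRESULT code
        }
    }
}

function Block-TpmCommandLocal {
    # Same effect as "Block New Command" / "Block Selected Command": the ordinal
    # goes onto this computer's local list, which stays in force unless a GPO
    # enables "Ignore the local list of blocked TPM commands".
    param([Parameter(Mandatory)][uint32]$Ordinal)
    $r = Invoke-CimMethod -InputObject (Get-TpmProvider) -MethodName AddBlockedCommand -Arguments @{ CommandOrdinal = $Ordinal }
    if ($r.ReturnValue -ne 0) { throw ('AddBlockedCommand({0}) failed: 0x{1:X8}' -f $Ordinal, $r.ReturnValue) }
    Test-TpmCommandBlocked -Ordinal $Ordinal
}

function Unblock-TpmCommandLocal {
    # Same effect as "Allow Selected Command". Removing an ordinal from the
    # local list does not make it runnable if Group Policy still blocks it
    # (the MMC reflects this by making Allow Selected Command unavailable),
    # so the re-check at the end reports the state that actually applies.
    param([Parameter(Mandatory)][uint32]$Ordinal)
    $r = Invoke-CimMethod -InputObject (Get-TpmProvider) -MethodName RemoveBlockedCommand -Arguments @{ CommandOrdinal = $Ordinal }
    if ($r.ReturnValue -ne 0) { throw ('RemoveBlockedCommand({0}) failed: 0x{1:X8}' -f $Ordinal, $r.ReturnValue) }
    Test-TpmCommandBlocked -Ordinal $Ordinal
}

# Usage:
# Block-TpmCommandLocal -Ordinal 93          # block TPM_ForceClear on this computer
# Test-TpmCommandBlocked -Ordinal 91, 93     # audit both ordinals
# Unblock-TpmCommandLocal -Ordinal 93
```

Each mutating function ends with the effective-state check rather than trusting the method's success code, because a successful RemoveBlockedCommand on the local list says nothing about whether the default list or a GPO still blocks the same ordinal.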
Additional resources
For more information about TPM, see the Additional Resources section in the Trusted Platform Module Technology Overview.