Control TPM Command Blocking by Using Group Policy

Applies To: Windows 7, Windows Server 2008 R2

Administrators can use Group Policy to block or allow specific Trusted Platform Module (TPM) commands. Commands that are blocked by policy cannot be enabled by using TPM Management. However, commands that are allowed by policy can be blocked by using TPM Management.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

To block and allow TPM commands by using the Local Group Policy Editor

  1. Click Start, click All Programs, click Accessories, and then click Run.

  2. In the Open box, type gpedit.msc, and then press ENTER.

  3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

  4. The Local Group Policy Editor is displayed with the local computer policy open for editing.

Note

Administrators with appropriate privileges in a domain can configure a Group Policy object (GPO) to apply through Active Directory Domain Services (AD DS).

  5. In the console tree, under Computer Configuration, expand Administrative Templates, and then expand System.

  6. Under System, click Trusted Platform Module Services.

  7. In the details pane, double-click Configure the list of blocked TPM commands.

  8. Click Enabled, and then click Show.

  9. For each command that you want to block, click Add, enter the command number, and then click OK.

Note

There are currently 120 commands listed in TPM Management, organized into 27 categories of functionality. For a reference to the list of commands in TPM Management, see the Trusted Platform Module (TPM) Specifications (http://go.microsoft.com/fwlink/?LinkID=139770).

  10. After you have added a number for each command that you want to block, click OK, and then click OK again.

  11. Optionally, enable the policy settings that cause the default block list or the local block list to be ignored. For more information about each of these options, read the help text displayed in the Local Group Policy Editor for the Ignore the default list of blocked TPM commands policy setting and the Ignore the local list of blocked commands policy setting.

Note

Local administrators cannot allow TPM commands that are blocked through Group Policy. Commands blocked by local administrators using TPM Management and commands on the default block list are also blocked unless the Group Policy settings are changed from the default settings.

  12. Close the Local Group Policy Editor.
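To verify what the policy actually applied on a computer, here is an added PowerShell audit example that is not part of this article or of TPM Management. It assumes, which the article does not state, that the policy writes HKLM\SOFTWARE\Policies\Microsoft\TPM\BlockedCommands with Enabled, IgnoreDefaultList and IgnoreLocalList values and the blocked command numbers as value names under its List subkey; the default and local block lists are supplied by the caller, and the evaluation order follows the precedence the notes above describe.

```powershell
# Added audit example, not from the original article. The registry layout below is an
# assumption (based on the TPM.admx template), not something the article states.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM\BlockedCommands'

function Get-TpmBlockedCommandPolicy {
    # Reads what "Configure the list of blocked TPM commands" and the two "Ignore ..."
    # settings left in the policy hive; a missing key means "Not Configured".
    $result = New-Object PSObject -Property @{
        Configured = $false; Commands = @(); IgnoreDefaultList = $false; IgnoreLocalList = $false
    }
    if (-not (Test-Path $PolicyKey)) { return $result }
    $props = Get-ItemProperty -Path $PolicyKey
    $result.Configured        = ($props.Enabled -eq 1)
    $result.IgnoreDefaultList = ($props.IgnoreDefaultList -eq 1)
    $result.IgnoreLocalList   = ($props.IgnoreLocalList -eq 1)
    if (Test-Path "$PolicyKey\List") {
        # Assumption: each entry added through "Show" is stored as a value whose name is
        # the command number (for example "22" = "22"); other value names are ignored.
        $result.Commands = @((Get-ItemProperty -Path "$PolicyKey\List").PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } |
            ForEach-Object { [int]$_.Name } | Sort-Object -Unique)
    }
    return $result
}

function Test-TpmCommandBlocked {
    param([int]$Ordinal, $Policy, [int[]]$DefaultList, [int[]]$LocalList)
    # Precedence as the article states: a Group Policy block cannot be lifted locally;
    # the default list and the local (TPM Management) list also block unless the
    # matching "Ignore ..." policy setting is enabled.
    if ($Policy.Configured -and ($Policy.Commands -contains $Ordinal)) { return 'Blocked (Group Policy)' }
    if (-not $Policy.IgnoreDefaultList -and ($DefaultList -contains $Ordinal)) { return 'Blocked (default list)' }
    if (-not $Policy.IgnoreLocalList -and ($LocalList -contains $Ordinal)) { return 'Blocked (local list)' }
    return 'Allowed'
}

# The default and local lists are not stored under the policy key, so copy them from
# TPM Management on the audited computer into these arrays (constructed placeholders).
$defaultList = @()
$localList   = @()
$policy = Get-TpmBlockedCommandPolicy
foreach ($ordinal in (@($policy.Commands) + @($defaultList) + @($localList) | Sort-Object -Unique)) {
    '{0,5}  {1}' -f $ordinal, (Test-TpmCommandBlocked $ordinal $policy $defaultList $localList)
}
```

Run it in an elevated PowerShell session after gpupdate so that the policy hive reflects the GPO; any command the report lists as blocked by Group Policy is one that TPM Management cannot re-enable on that computer.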