AddBlockedCommand method of the Win32_Tpm class

The AddBlockedCommand method of the Win32_Tpm class adds a TPM command to the local list of commands blocked from running on the operating system.

Caution

The operating system prevents a predefined set of commands from running by default. Changes to this default can affect the security, privacy, or functionality of your computer.

Syntax

uint32 AddBlockedCommand(
  [in] uint32 CommandOrdinal
);

Parameters

CommandOrdinal [in]

Type: uint32

An integer value that specifies a TPM command. If the TPM supports more commands than the ones listed, an ordinal for a new command can also be specified.

Value Meaning
TPM_ActivateIdentity
122 (0x7A)
Allows the TPM owner to unwrap the session key that allows for the decryption of the Attestation Identity Key credential, thereby obtaining assurance that the credential is valid for the TPM.
TPM_AuthorizeMigrationKey
43 (0x2B)
Allows the TPM owner to create a migration authorization ticket so that users can migrate keys without involvement of the TPM owner.
TPM_CertifyKey
50 (0x32)
Certifies a loaded key, created by TPM_LoadKey2, with the public portion of another key. A TPM identity key can only certify keys that cannot be migrated, while signing and legacy keys can certify all keys.
TPM_CertifyKey2
51 (0x33)
Based on TPM_CertifyKey, but includes extra parameters to certify a Certifiable Migration Key (CMK).
TPM_CertifySelfTest
82 (0x52)
Performs a full self-test and returns an authenticated value if the test passes. This command is not upgraded for version 1.2 of the TPM. This value is blocked by default.
TPM_ChangeAuth
12 (0xC)
Allows the owner of an entity (for example, TPM key) to change the authorization value for that entity.
TPM_ChangeAuthAsymFinish
15 (0xF)
Superseded by establishing a transport session with the TPM and running the TPM_ChangeAuth command. This value is blocked by default.
TPM_ChangeAuthAsymStart
14 (0xE)
Superseded by establishing a transport session with the TPM and running the TPM_ChangeAuth command. This value is blocked by default.
TPM_ChangeAuthOwner
16 (0x10)
Allows the TPM owner to change the TPM owner authorization value or the storage root key authorization value.
TPM_CMK_ApproveMA
29 (0x1D)
Allows the TPM owner to create an authorization ticket for one or more migration selection or migration authorities so that users can create certifiable migration keys (by using TPM_CMK_CreateKey) without involvement of the TPM owner.
TPM_CMK_ConvertMigration
36 (0x24)
Creates a certifiable migration key BLOB that can be loaded onto another computer by using the TPM_LoadKey2 command. This command is given a random number and the certifiable migration key's migration BLOB (as generated by using TPM_CMK_CreateBlob).
TPM_CMK_CreateBlob
27 (0x1B)
Allows an entity with knowledge of the migration authorization ticket (as generated by using TPM_CMK_CreateTicket) for a certifiable migration key (as generated by using TPM_CMK_CreateKey) to create the migration BLOB necessary to move the key to a new computer or parent key.
TPM_CMK_CreateKey
19 (0x13)
Generates a secure asymmetric certifiable migration key using the authorization ticket for one or more migration selection or migration authorities (as generated by using TPM_CMK_ApproveMA).
TPM_CMK_CreateTicket
18 (0x12)
Allows the TPM owner to create a signature verification ticket for a certifiable migration key by using a provided public key. This ticket is used with a certifiable migration key (as generated by TPM_CMK_CreateKey) to create a migration BLOB needed to move the key to a new computer or parent key.
TPM_CMK_SetRestrictions
28 (0x1C)
Allows the TPM owner to specify usage of a certifiable migration key (as generated by TPM_CMK_CreateKey).
TPM_ContinueSelfTest
83 (0x53)
Informs the TPM that it may complete the self-test of all TPM functions that were not tested during the power-on self-test.
TPM_ConvertMigrationBlob
42 (0x2A)
Creates a key BLOB that can be loaded onto another computer by using the TPM_LoadKey2 command. This command is given a random number and the key's migration BLOB (as generated by using TPM_CreateMigrationBlob).
TPM_CreateCounter
220 (0xDC)
Allows the TPM owner to create a new monotonic counter, assign an authorization value to that counter, increment the TPM's internal counter value by one, and set the new counter's start value to be the updated internal value.
TPM_CreateEndorsementKeyPair
120 (0x78)
Creates the TPM endorsement key, if this key does not already exist.
TPM_CreateMaintenanceArchive
44 (0x2C)
Allows the TPM owner to create a maintenance archive that enables the migration of all data held by the TPM. This data includes the storage root key and the TPM owner authorization.
TPM_CreateMigrationBlob
40 (0x28)
Allows an entity with knowledge of the migration authorization ticket of a key (as created by TPM_CMK_CreateTicket) to create a migration BLOB necessary to move a migration key to a new computer or parent key.
TPM_CreateRevocableEK
127 (0x7F)
Creates the TPM endorsement key. The user can also specify whether the endorsement key can be reset and, if so, the authorization value necessary to reset this key (if this value is not to be generated by the TPM). This is an optional command that may not be supported by the computer manufacturer.
TPM_CreateWrapKey
31 (0x1F)
Generates and creates a secure asymmetric key.
TPM_DAA_JOIN
41 (0x29)
Allows the TPM owner to establish the Direct Anonymous Attestation (DAA) parameters in the TPM for a specific DAA issuing authority.
TPM_DAA_SIGN
49 (0x31)
Allows the TPM owner to sign data using Direct Anonymous Attestation.
TPM_Delegate_CreateKeyDelegation
212 (0xD4)
Allows the owner of a key to delegate the privilege to use that key.
TPM_Delegate_CreateOwnerDelegation
213 (0xD5)
Allows the TPM owner to delegate the privilege to run commands that typically require owner authorization.
TPM_Delegate_LoadOwnerDelegation
216 (0xD8)
Allows the TPM owner to load a row of a delegation table into the TPM's nonvolatile storage. This command cannot be used to load key delegation BLOBs into the TPM.
TPM_Delegate_Manage
210 (0xD2)
Allows the TPM owner to manage delegation family tables. This command must be run at least once before running delegation commands for a family table.
TPM_Delegate_ReadTable
219 (0xDB)
Reads the public contents of the family and delegate tables that are stored on the TPM.
TPM_Delegate_UpdateVerification
209 (0xD1)
Allows the TPM owner to update a delegation entity so that it will continue to be accepted by the TPM.
TPM_Delegate_VerifyDelegation
214 (0xD6)
Interprets a delegate BLOB and returns whether that BLOB is currently valid.
TPM_DirRead
26 (0x1A)
Superseded by the TPM_NV_ReadValue and TPM_NV_ReadValueAuth commands. This value is blocked by default.
TPM_DirWriteAuth
25 (0x19)
Superseded by the TPM_NV_WriteValue and TPM_NV_WriteValueAuth commands. This value is blocked by default.
TPM_DisableForceClear
94 (0x5E)
Disables the running of the TPM_ForceClear command until the computer restarts.
TPM_DisableOwnerClear
92 (0x5C)
Allows the TPM owner to permanently disable the TPM_OwnerClear command. After TPM_DisableOwnerClear is used, the owner must run the TPM_ForceClear command to clear the TPM.
TPM_DisablePubekRead
126 (0x7E)
Superseded by having the TPM_TakeOwnership command automatically disable the reading of the public portion of the endorsement key by using the TPM_ReadPubek command. This value is blocked by default.
TPM_DSAP
17 (0x11)
Generates an authorization session handle for the Delegate-Specific Authorization Protocol (DSAP) used to securely pass delegated authorization data to the TPM and the information the TPM needs to track this authorization session handle.
TPM_EstablishTransport
230 (0xE6)
Establishes a transport session that can be used to confidentially transmit shared secrets, encryption keys, and session logs to the TPM (by using TPM_ExecuteTransport).
TPM_EvictKey
34 (0x22)
Superseded by the TPM_FlushSpecific command. This value is blocked by default.
TPM_ExecuteTransport
231 (0xE7)
Delivers a wrapped TPM command to the TPM within a transport session. The TPM unwraps the command and then runs the command.
TPM_Extend
20 (0x14)
Adds a new digest to a specified platform configuration register and returns this extended digest.
TPM_FieldUpgrade
170 (0xAA)
Allows a manufacturer upgrade of TPM functionality. This command is specific to the TPM manufacturer.
TPM_FlushSpecific
186 (0xBA)
Flushes a specified resource handle from the TPM.
TPM_ForceClear
93 (0x5D)
Clears the TPM. This command requires physical presence at the computer and cannot be executed by the operating system.
TPM_GetAuditDigest
133 (0x85)
Returns the TPM audit digest.
TPM_GetAuditDigestSigned
134 (0x86)
Returns a signed TPM audit digest and a list of currently audited commands.
TPM_GetAuditEvent
130 (0x82)
Removed due to security concerns. This value is blocked by default.
TPM_GetAuditEventSigned
131 (0x83)
Removed due to security concerns. This value is blocked by default.
TPM_GetCapability
101 (0x65)
Returns TPM information.
TPM_GetCapabilityOwner
102 (0x66)
Removed due to security concerns. This value is blocked by default.
TPM_GetCapabilitySigned
100 (0x64)
Removed due to security concerns. This value is blocked by default.
TPM_GetOrdinalAuditStatus
140 (0x8C)
Removed due to security concerns. This value is blocked by default.
TPM_GetPubKey
33 (0x21)
Allows an owner of a loaded key to obtain the public key value of that key. The loaded key is created by using the TPM_LoadKey2 command.
TPM_GetRandom
70 (0x46)
Returns random data of a specified length from the TPM random number generator.
TPM_GetTestResult
84 (0x54)
Provides manufacturer-specific and diagnostic information regarding the results of the self-test.
TPM_GetTick
241 (0xF1)
Returns the current tick count of the TPM.
TPM_IncrementCounter
221 (0xDD)
Allows the owner of the monotonic counter to increment that counter by one and return this updated value.
TPM_Init
151 (0x97)
The first command the computer sends to the TPM during the initial start process. This command cannot be run by software.
TPM_KeyControlOwner
35 (0x23)
Allows the TPM owner to set certain attributes of keys that are stored within the TPM key cache. An example would be whether a key can be evicted by anyone other than the owner.
TPM_KillMaintenanceFeature
46 (0x2E)
Allows the TPM owner to prevent the creation of a maintenance archive by using the TPM_CreateMaintenanceArchive command. This action is valid until a new TPM owner is set by using the TPM_TakeOwnership command.
TPM_LoadAuthContext
183 (0xB7)
Superseded by the TPM_LoadContext command. This value is blocked by default.
TPM_LoadContext
185 (0xB9)
Loads a previously saved context into the TPM.
TPM_LoadKey
32 (0x20)
Superseded by the TPM_LoadKey2 command. This value is blocked by default.
TPM_LoadKey2
65 (0x41)
Loads a key into the TPM so that the owner can set other actions on it. These actions include wrap, unwrap, bind, unbind, seal, unseal, and sign.
TPM_LoadKeyContext
181 (0xB5)
Superseded by the TPM_LoadContext command. This value is blocked by default.
TPM_LoadMaintenanceArchive
45 (0x2D)
Allows the TPM owner to load a maintenance archive (generated by using the TPM_CreateMaintenanceArchive command). When loaded, the authorization value for the storage root key is set to be the same as the TPM owner authorization.
TPM_LoadManuMaintPub
47 (0x2F)
Loads the computer manufacturer's public key into the TPM for use in the maintenance process. This command can only be run once and should be executed before a computer ships.
TPM_MakeIdentity
121 (0x79)
Allows the TPM owner to generate an Attestation Identity Key that can be used to sign information generated internally by the TPM.
TPM_MigrateKey
37 (0x25)
Allows the TPM to migrate a BLOB (as generated by using the TPM_CreateMigrationBlob or the TPM_CMK_CreateBlob command) to a destination by reencrypting it with a given public key.
TPM_NV_DefineSpace
204 (0xCC)
Allows the TPM owner to define space for an area of nonvolatile storage on the TPM. This definition includes the access requirements for writing and reading the area.
TPM_NV_ReadValue
207 (0xCF)
Reads from a defined nonvolatile storage area.
TPM_NV_ReadValueAuth
208 (0xD0)
Reads from a defined nonvolatile storage area, given the required authorization for that area.
TPM_NV_WriteValue
205 (0xCD)
Writes a specified value to a defined nonvolatile storage area as created by the TPM_NV_DefineSpace command.
TPM_NV_WriteValueAuth
206 (0xCE)
Writes a specified value to a defined nonvolatile storage area, given the required authorization for that area.
TPM_OIAP
10 (0xA)
Generates an authorization session handle for the Object-Independent Authorization Protocol (OIAP) used to securely pass authorization data to the TPM and the information the TPM needs to track this authorization session handle.
TPM_OSAP
11 (0xB)
Generates an authorization session handle for the Object-Specific Authorization Protocol (OSAP) used to securely pass authorization data to the TPM and the information the TPM needs to track this authorization session handle.
TPM_OwnerClear
91 (0x5B)
Allows the TPM owner to clear the TPM. This means that the only key remaining on the TPM is the endorsement key.
TPM_OwnerReadInternalPub
129 (0x81)
Allows the TPM owner to return the public portion of the TPM endorsement key or storage root key.
TPM_OwnerReadPubek
125 (0x7D)
Superseded by the TPM_OwnerReadInternalPub command. This value is blocked by default.
TPM_OwnerSetDisable
110 (0x6E)
Allows the TPM owner to enable or disable the TPM. For more information, see the descriptions for the TPM_PhysicalEnable and TPM_PhysicalDisable commands.
TPM_PCR_Reset
200 (0xC8)
Resets the specified platform configuration registers (PCRs) to their default state.
TPM_PcrRead
21 (0x15)
Returns the contents of a specified PCR.
TPM_PhysicalDisable
112 (0x70)
Disables the TPM. This command requires physical presence at the computer and cannot be run by the operating system. Turning off the TPM involves disabling or deactivating the TPM by using the TPM_PhysicalSetDeactivated command.
TPM_PhysicalEnable
111 (0x6F)
Enables the TPM. This command requires physical presence at the computer and cannot be run by the operating system. Turning on the TPM involves enabling or activating the TPM by using the TPM_PhysicalSetDeactivated command.
TPM_PhysicalSetDeactivated
114 (0x72)
Activates or deactivates the TPM. This command requires physical presence at the computer and cannot be run by the operating system. We recommend that you do not block this command.
TPM_Quote
22 (0x16)
Returns a signed digest that is a combination of the contents of a specified PCR and some specified external data. The digest is signed with a loaded key. This command is blocked by default.
TPM_Quote2
62 (0x3E)
Similar to the TPM_Quote command but it includes locality information to provide a more complete view of the current computer configuration. This command is blocked by default.
TPM_ReadCounter
222 (0xDE)
Returns the value of the specified monotonic counter.
TPM_ReadManuMaintPub
48 (0x30)
Returns the digest of the computer manufacturer's public maintenance key (loaded by using the TPM_LoadManuMaintPub command).
TPM_ReadPubek
124 (0x7C)
Returns the public portion of the TPM endorsement key. This command is disabled when ownership of the TPM is taken by using the TPM_TakeOwnership command.
TPM_ReleaseCounter
223 (0xDF)
Allows the owner of the counter to release the specified counter. This command stops all subsequent reads or increments of the counter.
TPM_ReleaseCounterOwner
224 (0xE0)
Allows the TPM owner to release the specified counter. This command stops all subsequent reads or increments of the counter.
TPM_ReleaseTransportSigned
232 (0xE8)
Completes the transport session. If logging is turned on, this command returns a hash of all operations performed during the session along with the digital signature of the hash.
TPM_Reset
90 (0x5A)
Releases all resources associated with existing authorization sessions. This command is not upgraded for version 1.2 of the TPM. This value is blocked by default.
TPM_ResetLockValue
64 (0x40)
Resets the mechanisms used to protect against attacks on TPM authorization values.
TPM_RevokeTrust
128 (0x80)
Clears a revocable TPM endorsement key (generated by using the TPM_CreateRevocableEK command) and, if it finds the correct authorization value for this reset, resets the TPM. This command requires physical presence at the computer and cannot be executed by the operating system.
TPM_SaveAuthContext
182 (0xB6)
Superseded by the TPM_SaveContext command. This value is blocked by default.
TPM_SaveContext
184 (0xB8)
Saves a loaded resource outside the TPM. After successfully running this command, the TPM automatically releases the internal memory for sessions but leaves keys in place.
TPM_SaveKeyContext
180 (0xB4)
Superseded by the TPM_SaveContext command. This value is blocked by default.
TPM_SaveState
152 (0x98)
Warns the TPM to save state information before entering the sleep state. This value is blocked by default.
TPM_Seal
23 (0x17)
Allows the TPM to protect secrets until integrity, computer configuration, and authorization checks succeed.
TPM_Sealx
61 (0x3D)
Allows the TPM to protect secrets so that they are released only if a specified computer configuration is validated. The secret must be encrypted.
TPM_SelfTestFull
80 (0x50)
Tests all of the TPM's internal functions. Any failure causes the TPM to enter into failure mode.
TPM_SetCapability
63 (0x3F)
Allows the TPM owner to set values in the TPM.
TPM_SetOperatorAuth
116 (0x74)
Defines the operator authorization value. This command requires physical presence at the computer and cannot be run by the operating system.
TPM_SetOrdinalAuditStatus
141 (0x8D)
Allows the TPM owner to set the audit flag for a given command number. When this flag is turned on, the command returns an audit to the audit digest and the command is added to the list of currently audited commands.
TPM_SetOwnerInstall
113 (0x71)
Allows or disallows the ability to set an owner. This command requires physical presence at the computer and cannot be run by the operating system.
TPM_SetOwnerPointer
117 (0x75)
Sets the reference to the owner authorization that the TPM uses when executing an OIAP or OSAP session. This command should only be used to provide owner delegation functionality for legacy code that does not support DSAP.
TPM_SetRedirection
154 (0x9A)
Allows the TPM to directly communicate with a connected security processor by redirecting output.
TPM_SetTempDeactivated
115 (0x73)
Allows the operator of the platform to deactivate the TPM until the next computer reboot sequence. The operator must either have physical presence at the computer or present the operator authorization value defined by using the TPM_SetOperatorAuth command.
TPM_SHA1Complete
162 (0xA2)
Completes a pending SHA-1 digest process and returns the resulting SHA-1 hash output.
TPM_SHA1CompleteExtend
163 (0xA3)
Completes a pending SHA-1 digest process, returns the resulting SHA-1 hash output, and incorporates this hash into a platform configuration register (PCR).
TPM_SHA1Start
160 (0xA0)
Starts the process of calculating a SHA-1 digest. This command must be followed by running the TPM_SHA1Update command, or the SHA-1 process is invalidated.
TPM_SHA1Update
161 (0xA1)
Inputs complete blocks of data into a pending SHA-1 digest (started by using the TPM_SHA1Start command).
TPM_Sign
60 (0x3C)
Signs data with a loaded signing key and returns the resulting digital signature.
TPM_Startup
153 (0x99)
Must follow the TPM_Init command; transmits additional information to the TPM about the type of reset that is occurring at the time of the call.
TPM_StirRandom
71 (0x47)
Adds entropy to the TPM random number generator state.
TPM_TakeOwnership
13 (0xD)
Takes ownership of the TPM with a new owner authorization value, derived from the owner password. Among other conditions that must be met before this command can execute, the TPM must be enabled and activated.
TPM_Terminate_Handle
150 (0x96)
Superseded by the TPM_FlushSpecific command. This value is blocked by default.
TPM_TickStampBlob
242 (0xF2)
Signs a specified digest with the TPM's current tick count using a loaded signature key.
TPM_UnBind
30 (0x1E)
Decrypts data previously encrypted with the public portion of a TPM-bound key.
TPM_Unseal
24 (0x18)
Releases secrets previously sealed by the TPM if integrity, computer configuration, and authorization checks succeed.
TSC_PhysicalPresence
1073741834 (0x4000000A)
Asserts physical presence at the computer. This command cannot be run by the operating system.
TSC_ResetEstablishmentBit
1073741835 (0x4000000B)
Not used in the current version of BitLocker.

Return value

Type: uint32

All TPM errors as well as errors specific to TPM Base Services can be returned.

Common return codes are listed below.

Return code/value    Description
S_OK, 0 (0x0)        The method was successful.

Security Considerations

Changes to the default list of blocked commands can expose your computer to security and privacy risks.

Remarks

Group Policy can override the effect of the AddBlockedCommand method. An administrator can configure Group Policy to ignore the local list of blocked commands.

If a value indicated by CommandOrdinal already appears on the local list of blocked commands, zero is returned.
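The following PowerShell script is an added example and is not part of the Win32_Tpm documentation. It locates the Win32_Tpm instance in the namespace from the Requirements table, checks whether an ordinal is already blocked, calls AddBlockedCommand, and checks again. It assumes an elevated session on a computer with a TPM, and it assumes (from the IsCommandBlocked reference page listed under See also, not from this page) that IsCommandBlocked reports its answer in a boolean out-parameter named Blocked. The ordinal used, 82 (TPM_CertifySelfTest), is blocked by default according to the table above, so on a default system the script exercises the "already on the list" path described in the Remarks.

```powershell
# Added example, not from the Win32_Tpm documentation: block one TPM command
# ordinal on the local list and verify the result.
# Assumptions: elevated PowerShell session, a TPM is present, and
# IsCommandBlocked exposes a boolean out-parameter named Blocked (as on its
# own reference page).

$Namespace = 'Root\CIMV2\Security\MicrosoftTpm'   # from the Requirements table

# 82 (0x52) is TPM_CertifySelfTest, listed as blocked by default, so on a
# default system this exercises the "already on the list" path from the
# Remarks. Substitute another ordinal from the table to actually change the list.
$Ordinal = [uint32]82

$tpm = Get-CimInstance -Namespace $Namespace -ClassName 'Win32_Tpm'
if (-not $tpm) {
    throw 'No Win32_Tpm instance found; the TPM may be absent or disabled.'
}

function Test-TpmCommandBlocked {
    param(
        [Microsoft.Management.Infrastructure.CimInstance]$Tpm,
        [uint32]$CommandOrdinal
    )
    $r = Invoke-CimMethod -InputObject $Tpm -MethodName 'IsCommandBlocked' `
                          -Arguments @{ CommandOrdinal = $CommandOrdinal }
    if ($r.ReturnValue -ne 0) {
        throw ('IsCommandBlocked failed with 0x{0:X8}' -f $r.ReturnValue)
    }
    return [bool]$r.Blocked   # assumed out-parameter name
}

$wasBlocked = Test-TpmCommandBlocked -Tpm $tpm -CommandOrdinal $Ordinal
Write-Host ('Ordinal {0} (0x{0:X}) blocked before: {1}' -f $Ordinal, $wasBlocked)

# AddBlockedCommand returns 0 (S_OK) on success, and also 0 when the ordinal
# is already on the local list (see Remarks), so the return value alone does
# not tell you whether anything changed.
$add = Invoke-CimMethod -InputObject $tpm -MethodName 'AddBlockedCommand' `
                        -Arguments @{ CommandOrdinal = $Ordinal }
if ($add.ReturnValue -ne 0) {
    throw ('AddBlockedCommand failed with 0x{0:X8}' -f $add.ReturnValue)
}

$isBlocked = Test-TpmCommandBlocked -Tpm $tpm -CommandOrdinal $Ordinal
Write-Host ('Ordinal {0} blocked after: {1}' -f $Ordinal, $isBlocked)

# The local list is only one input: Group Policy can be configured to ignore
# it (see Remarks), so treat a negative result here as a policy question
# rather than a WMI failure.
if (-not $isBlocked) {
    Write-Warning 'Command not reported as blocked; check the TPM Group Policy settings that govern the local blocked list.'
}
```

Comparing the before and after values of IsCommandBlocked is what distinguishes "newly blocked" from "already blocked", since both cases return 0 from AddBlockedCommand.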

Managed Object Format (MOF) files contain the definitions for Windows Management Instrumentation (WMI) classes. MOF files are not installed as part of the Windows SDK. They are installed on the server when you add the associated role by using the Server Manager. For more information about MOF files, see Managed Object Format (MOF).

Requirements

Requirement                  Value
Minimum supported client     Windows Vista [desktop apps only]
Minimum supported server     Windows Server 2008 [desktop apps only]
Namespace                    Root\CIMV2\Security\MicrosoftTpm
MOF                          Win32_tpm.mof
DLL                          Win32_tpm.dll

See also

Win32_Tpm

IsCommandBlocked

RemoveBlockedCommand