Control TPM Command Blocking with Group Policy

Applies To: Windows Server 2008

Administrators can use Group Policy to block or allow specific TPM commands.

Commands that are blocked by policy cannot be enabled using the TPM Management console. However, commands that are allowed by policy can be blocked using the TPM Management console.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

To block and allow TPM commands using the Local Group Policy Editor

  1. Click Start, click All Programs, click Accessories, and then click Run.

  2. Type gpedit.msc in the Open box, and then click OK.

  3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  4. The Local Group Policy Editor is displayed with the Local Computer Policy open for editing.

Note

Administrators with appropriate privileges in a domain can configure a Group Policy object (GPO) to apply through Active Directory Domain Services (AD DS).

  1. In the console tree, under Local Computer Policy, under Computer Configuration, expand Administrative Templates, then expand System.

  2. Under System, click Trusted Platform Module Services.

  3. In the details pane (the right-hand pane), double-click Configure the list of blocked TPM commands.

  4. In the Configure the list of blocked TPM commands Properties window, click Enabled, then click Show.

  5. For each command you wish to block, click Add, then enter the command number, and click OK.

Note

Refer to the list of commands in the TPM Management console, or the TCG specification for a list of command numbers.

  1. After you have added numbers for each command you wish to block, click OK, then click OK again.

  2. If desired, you can enable policies that prevent the blocking of commands based on the default block list or the local list. For more information about each of these options, read the help text displayed in the Local Group Policy Editor for the Ignore the default list of blocked TPM commands setting and the Ignore the local list of blocked commands setting.

Note

Local administrators cannot allow TPM commands blocked through Group Policy. Commands blocked by local administrators using the TPM Management console and commands on the default block list are also blocked unless the Group Policy settings are changed from the default settings.

  1. Close the Local Group Policy Editor window.
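The procedure above is entirely click-driven. The following PowerShell script is an added example, not part of the original article or of any Microsoft tool, that lets an administrator audit the result from a console: it reads the policy-backed registry location that the Configure the list of blocked TPM commands setting and the two Ignore settings write to, and reports which command ordinals Group Policy currently enforces. The registry key path and the value names used here are assumptions; confirm them against the TPM.admx template or the Group Policy Settings Reference for your build before relying on the output. PowerShell is an optional feature on Windows Server 2008, so it must be installed first; the script uses PowerShell 2.0-compatible syntax.

```powershell
# Added example: audit the Group Policy-enforced TPM command block list.
# ASSUMPTION: the policy is backed by this key and a "List" subkey whose values
# each hold one command ordinal entered in the Show dialog. Verify in TPM.admx.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM\BlockedCommands'
$ListKey   = Join-Path $PolicyKey 'List'

function Get-TpmBlockedCommandPolicy {
    # Returns an object describing what Group Policy currently enforces.
    $result = New-Object PSObject -Property @{
        PolicyPresent     = $false
        BlockedCommands   = @()
        IgnoreDefaultList = $false
        IgnoreLocalList   = $false
    }
    if (-not (Test-Path $PolicyKey)) { return $result }
    $result.PolicyPresent = $true

    $props = Get-ItemProperty -Path $PolicyKey
    # ASSUMPTION: value names match the "Ignore ..." policy settings; a missing
    # value is treated as "not configured" (the default, i.e. lists are honored).
    $result.IgnoreDefaultList = ($props.IgnoreDefaultList -eq 1)
    $result.IgnoreLocalList   = ($props.IgnoreLocalList -eq 1)

    if (Test-Path $ListKey) {
        $values   = Get-ItemProperty -Path $ListKey
        $ordinals = @()
        foreach ($p in $values.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... properties Get-ItemProperty adds.
            if ($p.Name -like 'PS*') { continue }
            $n = 0
            # Only keep entries that are valid integers; anything else is ignored.
            if ([int]::TryParse([string]$p.Value, [ref]$n)) { $ordinals += $n }
        }
        $result.BlockedCommands = @($ordinals | Sort-Object -Unique)
    }
    return $result
}

function Test-TpmCommandBlockedByPolicy {
    # True if the given TPM command ordinal is on the Group Policy block list.
    # Commands blocked this way cannot be re-enabled from the TPM Management console.
    param([Parameter(Mandatory = $true)][int]$Ordinal)
    $policy = Get-TpmBlockedCommandPolicy
    return ($policy.BlockedCommands -contains $Ordinal)
}

# Usage: print the effective policy state for this computer.
$policy = Get-TpmBlockedCommandPolicy
if (-not $policy.PolicyPresent) {
    Write-Host 'No TPM command-blocking policy is applied to this computer.'
} else {
    Write-Host ('Policy-blocked TPM command ordinals: ' + ($policy.BlockedCommands -join ', '))
    Write-Host ('Ignore default block list: ' + $policy.IgnoreDefaultList)
    Write-Host ('Ignore local block list:   ' + $policy.IgnoreLocalList)
}
```

Run the script in an elevated PowerShell session. Because the Ignore settings change how the default and local block lists combine with the policy list (see the Note above), the two flags are reported alongside the ordinals so that an auditor can tell whether a command absent from the policy list might still be blocked by one of the other lists.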