IsCommandBlocked method of the Win32_Tpm class
The IsCommandBlocked method of the Win32_Tpm class indicates whether the device command with the specified ordinal is blocked from running on the platform.
Syntax
uint32 IsCommandBlocked(
[in] uint32 CommandOrdinal,
[out] uint32 IsCommandBlocked
);
Parameters
CommandOrdinal [in]
Type: uint32
An integer value that specifies a command on the device.
Command | Ordinal | Meaning |
---|---|---|
TPM_ActivateIdentity | 122 (0x7A) | Allows the TPM owner to unwrap the session key that allows for the decryption of the Attestation Identity Key (AIK) credential, thereby obtaining assurance that the credential is valid for the TPM. |
TPM_AuthorizeMigrationKey | 43 (0x2B) | Allows the TPM owner to create a migration authorization ticket so that users can migrate keys without involvement of the TPM owner. |
TPM_CertifyKey | 50 (0x32) | Certifies a loaded key with the public portion of another key. A TPM identity key can only certify keys that cannot be migrated, while signing and legacy keys can certify all keys. |
TPM_CertifyKey2 | 51 (0x33) | Based on TPM_CertifyKey, but TPM_CertifyKey2 includes extra parameters to certify a Certifiable Migration Key (CMK). |
TPM_CertifySelfTest | 82 (0x52) | Performs a full self-test and returns an authenticated value if the test passes. This value is not upgraded in TPM v1.2. This value is blocked by default. |
TPM_ChangeAuth | 12 (0xC) | Allows the owner of an entity (for example, a TPM key) to change the authorization value for that entity. |
TPM_ChangeAuthAsymFinish | 15 (0xF) | Superseded by establishing a transport session with the TPM and executing TPM_ChangeAuth. This value is blocked by default. |
TPM_ChangeAuthAsymStart | 14 (0xE) | Superseded by establishing a transport session with the TPM and executing TPM_ChangeAuth. This value is blocked by default. |
TPM_ChangeAuthOwner | 16 (0x10) | Allows the TPM owner to change the TPM owner authorization value or the storage root key (SRK) authorization value. |
TPM_CMK_ApproveMA | 29 (0x1D) | Allows the TPM owner to create an authorization ticket for one or more migration selection or migration authorities so that users can create certifiable migration keys (by using TPM_CMK_CreateKey) without involvement of the TPM owner. |
TPM_CMK_ConvertMigration | 36 (0x24) | Creates a certifiable migration key BLOB that can be loaded onto another platform by using the TPM_LoadKey2 command, given a random number and the certifiable migration key's migration BLOB (as generated by using TPM_CMK_CreateBlob). |
TPM_CMK_CreateBlob | 27 (0x1B) | Allows an entity with knowledge of the migration authorization ticket of a certifiable migration key (as generated by using TPM_AuthorizeMigrationKey) to create a migration BLOB necessary to move the key to a new platform or parent key. |
TPM_CMK_CreateKey | 19 (0x13) | Generates and creates a secure asymmetric certifiable migration key, given the authorization ticket for one or more migration selection or migration authorities (as generated by using TPM_CMK_ApproveMA). |
TPM_CMK_CreateTicket | 18 (0x12) | Allows the TPM owner to create a signature verification ticket for a certifiable migration key by using a provided public key. |
TPM_CMK_SetRestrictions | 28 (0x1C) | Allows the TPM owner to specify usage of a certifiable migration key. |
TPM_ContinueSelfTest | 83 (0x53) | Informs the TPM that it may complete the self-test of all TPM functions. |
TPM_ConvertMigrationBlob | 42 (0x2A) | Creates a key BLOB that can be loaded onto another platform by using the TPM_LoadKey2 command, given a random number and the key's migration BLOB (as generated by using TPM_CreateMigrationBlob). |
TPM_CreateCounter | 220 (0xDC) | Allows the TPM owner to create a new monotonic counter, assign an authorization value to that counter, increment the TPM's internal counter value by one, and set the new counter's start value to be the updated internal value. |
TPM_CreateEndorsementKeyPair | 120 (0x78) | Creates the TPM endorsement key, if this key does not already exist. |
TPM_CreateMaintenanceArchive | 44 (0x2C) | Allows the TPM owner to create a maintenance archive that enables the migration of all data held by the TPM, including the storage root key (SRK), TPM owner authorization, and keys that otherwise cannot be migrated using other functionality. |
TPM_CreateMigrationBlob | 40 (0x28) | Allows an entity with knowledge of the migration authorization ticket of a key to create a migration BLOB necessary to move a migration key to a new platform or parent key. |
TPM_CreateRevocableEK | 127 (0x7F) | Creates the TPM endorsement key (EK) by using options that specify whether the endorsement key can be reset and, if so, the authorization value necessary to reset this key (if this value is not to be generated by the TPM). This is an optional command that could expose a denial of service (DoS) attack if supported by the platform manufacturer. |
TPM_CreateWrapKey | 31 (0x1F) | Generates and creates a secure asymmetric key. |
TPM_DAA_JOIN | 41 (0x29) | Allows the TPM owner to establish the Direct Anonymous Attestation (DAA) parameters in the TPM for a specific DAA issuing authority. |
TPM_DAA_SIGN | 49 (0x31) | Allows the TPM owner to sign data using Direct Anonymous Attestation (DAA). |
TPM_Delegate_CreateKeyDelegation | 212 (0xD4) | Allows the owner of a key to delegate the privilege to use that key. |
TPM_Delegate_CreateOwnerDelegation | 213 (0xD5) | Allows the TPM owner to delegate the privilege to run commands that typically require owner authorization. |
TPM_Delegate_LoadOwnerDelegation | 216 (0xD8) | Allows the TPM owner to load a row of a delegation table into the TPM's nonvolatile storage. This command cannot be used to load key delegation BLOBs into the TPM. |
TPM_Delegate_Manage | 210 (0xD2) | Allows the TPM owner to manage delegation family tables. This command must be run at least once before delegation commands for that family table can be performed. |
TPM_Delegate_ReadTable | 219 (0xDB) | Reads the public contents of the family and delegate tables that are stored on the TPM. |
TPM_Delegate_UpdateVerification | 209 (0xD1) | Allows the TPM owner to update a delegation entity so that it will continue to be accepted by the TPM. |
TPM_Delegate_VerifyDelegation | 214 (0xD6) | Interprets a delegate BLOB and returns whether that BLOB is currently valid. |
TPM_DirRead | 26 (0x1A) | Superseded by TPM_NV_ReadValue and TPM_NV_ReadValueAuth. This value is blocked by default. |
TPM_DirWriteAuth | 25 (0x19) | Superseded by TPM_NV_WriteValue and TPM_NV_WriteValueAuth. This value is blocked by default. |
TPM_DisableForceClear | 94 (0x5E) | Disables the running of the TPM_ForceClear command until the platform restarts. |
TPM_DisableOwnerClear | 92 (0x5C) | Allows the TPM owner to permanently disable the ability to run the TPM_OwnerClear command. Once used, the only method of clearing the TPM will require executing the TPM_ForceClear command. |
TPM_DisablePubekRead | 126 (0x7E) | Superseded by having TPM_TakeOwnership automatically disable reading the public portion of the endorsement key (EK) by using TPM_ReadPubek. This value is blocked by default. |
TPM_DSAP | 17 (0x11) | Generates an authorization session handle for the Delegate-Specific Authorization Protocol (DSAP) used to securely pass delegated authorization data to the TPM and the information the TPM needs to track this authorization session handle. |
TPM_EstablishTransport | 230 (0xE6) | Establishes a transport session that can be used to confidentially transmit shared secrets, encryption keys, and session logs to the TPM (by using TPM_ExecuteTransport). |
TPM_EvictKey | 34 (0x22) | Superseded by TPM_FlushSpecific. This value is blocked by default. |
TPM_ExecuteTransport | 231 (0xE7) | Delivers a wrapped TPM command to the TPM within a transport session. The TPM unwraps the command and then runs the command. |
TPM_Extend | 20 (0x14) | Adds a new digest to a specified platform configuration register (PCR) and returns this extended digest. |
TPM_FieldUpgrade | 170 (0xAA) | Allows a manufacturer upgrade of TPM functionality. This command is specific to the TPM manufacturer. |
TPM_FlushSpecific | 186 (0xBA) | Flushes from the TPM a specified resource handle. |
TPM_ForceClear | 93 (0x5D) | Clears the TPM. This command requires physical presence at the platform and cannot be run by the operating system. |
TPM_GetAuditDigest | 133 (0x85) | Returns the TPM audit digest. |
TPM_GetAuditDigestSigned | 134 (0x86) | Returns a signed TPM audit digest and a list of currently audited commands. |
TPM_GetAuditEvent | 130 (0x82) | Removed due to security concerns. This value is blocked by default. |
TPM_GetAuditEventSigned | 131 (0x83) | Removed due to security concerns. This value is blocked by default. |
TPM_GetCapability | 101 (0x65) | Returns TPM information. |
TPM_GetCapabilityOwner | 102 (0x66) | Removed due to security concerns. This value is blocked by default. |
TPM_GetCapabilitySigned | 100 (0x64) | Removed due to security concerns. This value is blocked by default. |
TPM_GetOrdinalAuditStatus | 140 (0x8C) | Removed due to security concerns. This value is blocked by default. |
TPM_GetPubKey | 33 (0x21) | Allows an owner of a loaded key to obtain the public key value of that key. |
TPM_GetRandom | 70 (0x46) | Returns random data of a specified length from the TPM random number generator. |
TPM_GetTestResult | 84 (0x54) | Provides manufacturer-specific and diagnostic information regarding the results of the self-test. |
TPM_GetTick | 241 (0xF1) | Returns the current tick count of the TPM. |
TSC_PhysicalPresence | 1073741834 (0x4000000A) | Indicates physical presence at the platform. This command cannot be run by the operating system. |
TSC_ResetEstablishmentBit | 1073741835 (0x4000000B) | Indicates whether a special sequence to create a trusted operating system occurred on the platform. |
TPM_IncrementCounter | 221 (0xDD) | Allows the owner of the counter to increment that counter by one and return this updated value. |
TPM_Init | 151 (0x97) | Command first sent by the platform to the TPM during the start process. This command cannot be run by software. |
TPM_KeyControlOwner | 35 (0x23) | Allows the TPM owner to control certain attributes of keys that are stored within the TPM key cache. |
TPM_KillMaintenanceFeature | 46 (0x2E) | Allows the TPM owner to prevent the creation of a maintenance archive (by using TPM_CreateMaintenanceArchive). This action is valid until a new TPM owner is set (by using TPM_TakeOwnership). |
TPM_LoadAuthContext | 183 (0xB7) | Superseded by TPM_LoadContext. This value is blocked by default. |
TPM_LoadContext | 185 (0xB9) | Loads into the TPM a previously saved context. |
TPM_LoadKey | 32 (0x20) | Superseded by TPM_LoadKey2. This value is blocked by default. |
TPM_LoadKey2 | 65 (0x41) | Loads into the TPM a key for further usage (for example, wrap, unwrap, bind, unbind, seal, unseal, sign). |
TPM_LoadKeyContext | 181 (0xB5) | Superseded by TPM_LoadContext. This value is blocked by default. |
TPM_LoadMaintenanceArchive | 45 (0x2D) | Allows the TPM owner to load a maintenance archive (generated by using TPM_CreateMaintenanceArchive). When loaded, the authorization value for the storage root key (SRK) is set to be the same as the TPM owner authorization. |
TPM_LoadManuMaintPub | 47 (0x2F) | Loads the platform manufacturer's public key into the TPM for use in the maintenance process. This command can only be run once and should be run before a platform ships. |
TPM_MakeIdentity | 121 (0x79) | Allows the TPM owner to generate an Attestation Identity Key (AIK) that can be used to sign information generated internally by the TPM. |
TPM_MigrateKey | 37 (0x25) | Allows the TPM to migrate a BLOB (as generated by using TPM_CreateMigrationBlob or TPM_CMK_CreateBlob) to a destination by re-encrypting it with a given public key. |
TPM_NV_DefineSpace | 204 (0xCC) | Allows the TPM owner to define space for an area of nonvolatile storage on the TPM. This definition includes the access requirements for writing and reading the area. |
TPM_NV_ReadValue | 207 (0xCF) | Reads from a defined nonvolatile storage area. |
TPM_NV_ReadValueAuth | 208 (0xD0) | Reads from a defined nonvolatile storage area, given the required authorization for that area. |
TPM_NV_WriteValue | 205 (0xCD) | Writes a specified value to a defined nonvolatile storage area. |
TPM_NV_WriteValueAuth | 206 (0xCE) | Writes a specified value to a defined nonvolatile storage area, given the required authorization for that area. |
TPM_OIAP | 10 (0xA) | Generates an authorization session handle for the Object-Independent Authorization Protocol (OIAP) used to securely pass authorization data to the TPM and the information the TPM needs to track this authorization session handle. |
TPM_OSAP | 11 (0xB) | Generates an authorization session handle for the Object-Specific Authorization Protocol (OSAP) used to securely pass authorization data to the TPM and the information the TPM needs to track this authorization session handle. |
TPM_OwnerClear | 91 (0x5B) | Allows the TPM owner to clear the TPM. |
TPM_OwnerReadInternalPub | 129 (0x81) | Allows the TPM owner to return the public portion of the TPM endorsement key (EK) or storage root key (SRK). |
TPM_OwnerReadPubek | 125 (0x7D) | Superseded by TPM_OwnerReadInternalPub. This value is blocked by default. |
TPM_OwnerSetDisable | 110 (0x6E) | Allows the TPM owner to enable or disable the TPM. |
TPM_PCR_Reset | 200 (0xC8) | Resets the specified platform configuration registers (PCRs) to their default state. |
TPM_PcrRead | 21 (0x15) | Returns the contents of a specified platform configuration register (PCR). |
TPM_PhysicalDisable | 112 (0x70) | Disables the TPM. This command requires physical presence at the platform and cannot be run by the operating system. |
TPM_PhysicalEnable | 111 (0x6F) | Enables the TPM. This command requires physical presence at the platform and cannot be run by the operating system. |
TPM_PhysicalSetDeactivated | 114 (0x72) | Activates or deactivates the TPM. This command requires physical presence at the platform and cannot be run by the operating system. |
TPM_Quote | 22 (0x16) | Returns a signed digest that is a combination of the contents of a specified platform configuration register (PCR) and some specified external data. The digest is signed with a loaded key. |
TPM_Quote2 | 62 (0x3E) | Similar to the command TPM_Quote, with the inclusion of locality information to provide a more complete view of the current platform configuration. |
TPM_ReadCounter | 222 (0xDE) | Returns the value of the specified counter. |
TPM_ReadManuMaintPub | 48 (0x30) | Returns the digest of the platform manufacturer's public maintenance key (loaded by using TPM_LoadManuMaintPub). |
TPM_ReadPubek | 124 (0x7C) | Returns the public portion of the TPM endorsement key. This command is disabled when ownership of the TPM is taken. |
TPM_ReleaseCounter | 223 (0xDF) | Allows the owner of the counter to release the specified counter. No subsequent reads or increments of the counter will succeed. |
TPM_ReleaseCounterOwner | 224 (0xE0) | Allows the TPM owner to release the specified counter. No subsequent reads or increments of the counter will succeed. |
TPM_ReleaseTransportSigned | 232 (0xE8) | Completes the transport session. If logging is turned on, this command returns a hash of all operations performed during the session along with the digital signature of the hash. |
TPM_Reset | 90 (0x5A) | Releases all resources associated with existing authorization sessions. TPM_Reset is not upgraded in TPM v1.2. This value is blocked by default. |
TPM_ResetLockValue | 64 (0x40) | Resets the mechanisms used to protect against attacks on TPM authorization values. |
TPM_RevokeTrust | 128 (0x80) | Clears a revocable TPM endorsement key (generated by using TPM_CreateRevocableEK) and resets the TPM, given the necessary authorization value for this reset and platform support for this command. This command requires physical presence at the platform and cannot be run by the operating system. |
TPM_SaveAuthContext | 182 (0xB6) | Superseded by TPM_SaveContext. This value is blocked by default. |
TPM_SaveContext | 184 (0xB8) | Saves a loaded resource outside the TPM. After successfully running this command, the TPM automatically releases the internal memory for sessions but leaves keys in place. |
TPM_SaveKeyContext | 180 (0xB4) | Superseded by TPM_SaveContext. This value is blocked by default. |
TPM_SaveState | 152 (0x98) | Warns a TPM to save some state information. |
TPM_Seal | 23 (0x17) | Allows software to protect secrets so that they are released only if a specified platform configuration is validated. |
TPM_Sealx | 61 (0x3D) | Allows software to protect secrets so that they are released only if a specified platform configuration is validated. The secret must be encrypted. |
TPM_SelfTestFull | 80 (0x50) | Tests all of the TPM's internal functions. Any failure causes the TPM to enter failure mode. |
TPM_SetCapability | 63 (0x3F) | Allows the TPM owner to set values in the TPM. |
TPM_SetOperatorAuth | 116 (0x74) | Defines the operator authorization value. This command requires physical presence at the platform and cannot be run by the operating system. |
TPM_SetOrdinalAuditStatus | 141 (0x8D) | Allows the TPM owner to set the audit flag for a given command number. |
TPM_SetOwnerInstall | 113 (0x71) | Allows or disallows the ability to insert an owner. This command requires physical presence at the platform and cannot be run by the operating system. |
TPM_SetOwnerPointer | 117 (0x75) | Sets the reference to the owner authorization that the TPM uses when executing an OIAP or OSAP session. This command should only be used to provide owner delegation functionality for legacy code that does not support DSAP. |
TPM_SetRedirection | 154 (0x9A) | Allows the TPM to directly communicate with a connected security processor by redirecting output. |
TPM_SetTempDeactivated | 115 (0x73) | Allows the operator of the platform to deactivate the TPM until the next start of the platform. The operator must either have physical presence at the platform or present the operator authorization value defined with the command TPM_SetOperatorAuth. |
TPM_SHA1Complete | 162 (0xA2) | Completes a pending SHA-1 digest process and returns the resulting SHA-1 hash output. |
TPM_SHA1CompleteExtend | 163 (0xA3) | Completes a pending SHA-1 digest process, returns the resulting SHA-1 hash output, and incorporates this hash into a platform configuration register (PCR). |
TPM_SHA1Start | 160 (0xA0) | Starts the process of calculating a SHA-1 digest. This command must be followed by running the TPM_SHA1Update command, or the SHA-1 process is invalidated. |
TPM_SHA1Update | 161 (0xA1) | Inputs complete blocks of data into a pending SHA-1 digest (started by using TPM_SHA1Start). |
TPM_Sign | 60 (0x3C) | Signs data with a loaded signing key and returns the resulting digital signature. |
TPM_Startup | 153 (0x99) | Command that must be called after TPM_Init to transmit additional platform information to the TPM about the type of reset that is occurring. |
TPM_StirRandom | 71 (0x47) | Adds entropy to the TPM random number generator state. |
TPM_TakeOwnership | 13 (0xD) | Takes ownership of the TPM with a new owner authorization value, derived from the owner password. Among other conditions that must be met before this command can run, the TPM must be enabled and activated. |
TPM_Terminate_Handle | 150 (0x96) | Superseded by TPM_FlushSpecific. This value is blocked by default. |
TPM_TickStampBlob | 242 (0xF2) | Signs a specified digest with the TPM's current tick count by using a loaded signature key. |
TPM_UnBind | 30 (0x1E) | Decrypts data previously encrypted with the public portion of a TPM-bound key. |
TPM_Unseal | 24 (0x18) | Releases secrets previously sealed by the TPM if integrity, platform configuration, and authorization checks succeed. |
IsCommandBlocked [out]
Type: uint32
A bitmap value that specifies whether the command is blocked from running through the default list of blocked commands, the local list of blocked commands, or by using Group Policy.
Value | Meaning |
---|---|
0 | The command is not blocked. |
1 | The command is blocked through the default list of blocked commands. |
2 | The command is blocked through the local list of blocked commands. |
4 | The command is blocked through the Group Policy list of blocked commands. |
5 | The command is blocked from running through both the default list of blocked commands and through the Group Policy list of blocked commands. |
6 | The command is blocked from running through both the local list of blocked commands and through the Group Policy list of blocked commands. |
7 | The command is blocked from running through the default list of blocked commands, the local list of blocked commands, and through the Group Policy list of blocked commands. |
Bit values may be combined to fully specify what blocks the command. For example, if the command is blocked by both the default list of blocked commands (value 1) and the Group Policy list of blocked commands (value 4), the combination is indicated by IsCommandBlocked having a value of 5.
Return value
Type: uint32
All Win32 errors can be returned.
Return code/value | Description |
---|---|
 | The method was successful. |
Remarks
This method reads the following registry keys:
- Group Policy list of blocked TPM commands: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Tpm\BlockedCommands\List
- Default list of blocked TPM commands: HKEY_LOCAL_MACHINE\Software\Microsoft\Tpm\BlockedCommands\List
- Group Policy setting to ignore the default list of blocked TPM commands: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Tpm\BlockedCommands\IgnoreDefaultList
- Local list of blocked TPM commands: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\Tpm\BlockedCommands\List
- Group Policy setting to ignore the local list of blocked TPM commands: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Tpm\BlockedCommands\IgnoreLocalList
The method return value can be derived as follows:
- Assume that IsCommandBlockedTemp is a 3-bit value, initially set to 0.
- If the Group Policy setting to ignore the default list of blocked TPM commands does not exist or is 0, and a value in the registry key that corresponds to the default list of blocked TPM commands is CommandOrdinal, then the least significant bit of IsCommandBlockedTemp is set to 1.
- If the Group Policy setting to ignore the local list of blocked TPM commands does not exist or is 0, and a value in the registry key that corresponds to the local list of blocked TPM commands is CommandOrdinal, then the second least significant bit of IsCommandBlockedTemp is set to 1.
- If a value in the registry key that corresponds to the Group Policy list of blocked TPM commands is CommandOrdinal, then the most significant bit of IsCommandBlockedTemp is set to 1.
- IsCommandBlocked returns IsCommandBlockedTemp.
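The derivation above, and the bitmap decoding described for the IsCommandBlocked [out] parameter, modelled in Python as an added example (this is not Microsoft's implementation; the registry contents are constructed in memory, and the BlockedCommandRegistry, is_command_blocked and blocking_sources names are assumptions). It shows the one precedence rule worth remembering for auditing: the two Ignore* settings suppress only the default and local lists, never the Group Policy list.

```python
"""Model of how Win32_Tpm.IsCommandBlocked derives its 3-bit result.

Added example; the registry is simulated with in-memory sets, not read from Windows.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Bit values documented for the IsCommandBlocked [out] parameter.
BLOCKED_BY_DEFAULT_LIST = 0x1       # least significant bit
BLOCKED_BY_LOCAL_LIST = 0x2         # second least significant bit
BLOCKED_BY_GROUP_POLICY_LIST = 0x4  # most significant bit of the 3-bit value

SOURCE_NAMES = {
    BLOCKED_BY_DEFAULT_LIST: "default list",
    BLOCKED_BY_LOCAL_LIST: "local list",
    BLOCKED_BY_GROUP_POLICY_LIST: "Group Policy list",
}


@dataclass
class BlockedCommandRegistry:
    """Stand-in for the five registry locations the method reads (constructed).

    The lists hold command ordinals. The two Ignore* settings are None when the
    value does not exist; the method treats "does not exist" the same as 0.
    """
    default_list: Set[int] = field(default_factory=set)       # HKLM\Software\Microsoft\Tpm\BlockedCommands\List
    local_list: Set[int] = field(default_factory=set)         # HKLM\SYSTEM\...\SharedAccess\Parameters\Tpm\BlockedCommands\List
    group_policy_list: Set[int] = field(default_factory=set)  # HKLM\Software\Policies\Microsoft\Tpm\BlockedCommands\List
    ignore_default_list: Optional[int] = None                 # HKLM\Software\Policies\Microsoft\Tpm\BlockedCommands\IgnoreDefaultList
    ignore_local_list: Optional[int] = None                   # HKLM\Software\Policies\Microsoft\Tpm\BlockedCommands\IgnoreLocalList


def is_command_blocked(reg: BlockedCommandRegistry, command_ordinal: int) -> int:
    """Return the bitmap exactly as the Remarks derive IsCommandBlockedTemp."""
    result = 0
    # Bit 0: default list, unless Group Policy says to ignore that list.
    if not reg.ignore_default_list and command_ordinal in reg.default_list:
        result |= BLOCKED_BY_DEFAULT_LIST
    # Bit 1: local list, unless Group Policy says to ignore that list.
    if not reg.ignore_local_list and command_ordinal in reg.local_list:
        result |= BLOCKED_BY_LOCAL_LIST
    # Bit 2: Group Policy list; no setting switches this one off.
    if command_ordinal in reg.group_policy_list:
        result |= BLOCKED_BY_GROUP_POLICY_LIST
    return result


def blocking_sources(bitmap: int) -> List[str]:
    """Decode a returned bitmap into the names of the lists that block the command."""
    if bitmap & ~0x7:
        raise ValueError("IsCommandBlocked is a 3-bit value, got %#x" % bitmap)
    return [name for bit, name in SOURCE_NAMES.items() if bitmap & bit]


# Constructed sample state. The default-list ordinals are three that this page marks
# "blocked by default"; the local and Group Policy entries are invented for the demo.
SAMPLE = BlockedCommandRegistry(
    default_list={82, 14, 15},   # TPM_CertifySelfTest, TPM_ChangeAuthAsymStart/Finish
    local_list={20},             # TPM_Extend
    group_policy_list={82, 20},  # TPM_CertifySelfTest, TPM_Extend
)

if __name__ == "__main__":
    for ordinal in (82, 20, 14, 70):
        bits = is_command_blocked(SAMPLE, ordinal)
        print(f"ordinal {ordinal}: IsCommandBlocked={bits} {blocking_sources(bits)}")
```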
Managed Object Format (MOF) files contain the definitions for Windows Management Instrumentation (WMI) classes. MOF files are not installed as part of the Windows SDK. They are installed on the server when you add the associated role by using the Server Manager. For more information about MOF files, see Managed Object Format (MOF).
Requirements
Requirement | Value |
---|---|
Minimum supported client | Windows Vista [desktop apps only] |
Minimum supported server | Windows Server 2008 [desktop apps only] |
Namespace | Root\CIMV2\Security\MicrosoftTpm |
MOF | |
DLL | |