IsCommandBlocked method of the Win32_Tpm class

The IsCommandBlocked method of the Win32_Tpm class indicates whether the device command with the specified ordinal is blocked from running on the platform.

Syntax

uint32 IsCommandBlocked(
  [in]  uint32 CommandOrdinal,
  [out] uint32 IsCommandBlocked
);

Parameters

CommandOrdinal [in]

Type: uint32

An integer value that specifies a command on the device.

Command  Value  Meaning
TPM_ActivateIdentity
122 (0x7A)
Allows the TPM owner to unwrap the session key that allows for the decryption of the Attestation Identity Key (AIK) credential, thereby obtaining assurance that the credential is valid for the TPM.
TPM_AuthorizeMigrationKey
43 (0x2B)
Allows the TPM owner to create a migration authorization ticket so that users can migrate keys without involvement of the TPM owner.
TPM_CertifyKey
50 (0x32)
Certifies a loaded key with the public portion of another key. A TPM identity key can only certify keys that cannot be migrated, while signing and legacy keys can certify all keys.
TPM_CertifyKey2
51 (0x33)
Based on TPM_CertifyKey, but TPM_CertifyKey2 includes extra parameters to certify a Certifiable Migration Key (CMK).
TPM_CertifySelfTest
82 (0x52)
Performs a full self-test and returns an authenticated value if the test passes. This value is not upgraded in TPM v1.2. This value is blocked by default.
TPM_ChangeAuth
12 (0xC)
Allows the owner of an entity (for example, TPM key) to change the authorization value for that entity.
TPM_ChangeAuthAsymFinish
15 (0xF)
Superseded by establishing a transport session with the TPM and executing TPM_ChangeAuth. This value is blocked by default.
TPM_ChangeAuthAsymStart
14 (0xE)
Superseded by establishing a transport session with the TPM and executing TPM_ChangeAuth. This value is blocked by default.
TPM_ChangeAuthOwner
16 (0x10)
Allows the TPM owner to change the TPM owner authorization value or the storage root key (SRK) authorization value.
TPM_CMK_ApproveMA
29 (0x1D)
Allows the TPM owner to create an authorization ticket for one or more migration selection or migration authorities so that users can create certifiable migration keys (by using TPM_CMK_CreateKey) without involvement of the TPM owner.
TPM_CMK_ConvertMigration
36 (0x24)
Creates a certifiable migration key BLOB that can be loaded onto another platform by using the TPM_LoadKey2 command, given a random number and the certifiable migration key's migration BLOB (as generated by using TPM_CMK_CreateBlob).
TPM_CMK_CreateBlob
27 (0x1B)
Allows an entity with knowledge of the migration authorization ticket of a certifiable migration key (as generated by using TPM_AuthorizeMigrationKey) to create a migration BLOB necessary to move the key to a new platform or parent key.
TPM_CMK_CreateKey
19 (0x13)
Generates and creates a secure asymmetric certifiable migration key, given the authorization ticket for one or more migration selection or migration authorities (as generated by using TPM_CMK_ApproveMA).
TPM_CMK_CreateTicket
18 (0x12)
Allows the TPM owner to create a signature verification ticket for a certifiable migration key by using a provided public key.
TPM_CMK_SetRestrictions
28 (0x1C)
Allows the TPM owner to specify usage of a certifiable migration key.
TPM_ContinueSelfTest
83 (0x53)
Informs the TPM that it may complete the self-test of all TPM functions.
TPM_ConvertMigrationBlob
42 (0x2A)
Creates a key BLOB that can be loaded onto another platform by using the TPM_LoadKey2 command, given a random number and the key's migration BLOB (as generated by using TPM_CreateMigrationBlob).
TPM_CreateCounter
220 (0xDC)
Allows the TPM owner to create a new monotonic counter, assign an authorization value to that counter, increment the TPM's internal counter value by one, and set the new counter's start value to be the updated internal value.
TPM_CreateEndorsementKeyPair
120 (0x78)
Creates the TPM endorsement key, if this key does not already exist.
TPM_CreateMaintenanceArchive
44 (0x2C)
Allows the TPM owner to create a maintenance archive that enables the migration of all data held by the TPM, including the storage root key (SRK), TPM owner authorization, and keys that otherwise cannot be migrated using other functionality.
TPM_CreateMigrationBlob
40 (0x28)
Allows an entity with knowledge of the migration authorization ticket of a key to create a migration BLOB necessary to move a migration key to a new platform or parent key.
TPM_CreateRevocableEK
127 (0x7F)
Creates the TPM endorsement key (EK) by using options that specify whether the endorsement key can be reset and, if so, the authorization value necessary to reset this key (if this value is not to be generated by the TPM). This is an optional command that could expose a denial of service (DoS) attack if supported by the platform manufacturer.
TPM_CreateWrapKey
31 (0x1F)
Generates and creates a secure asymmetric key.
TPM_DAA_JOIN
41 (0x29)
Allows the TPM owner to establish the Direct Anonymous Attestation (DAA) parameters in the TPM for a specific DAA issuing authority.
TPM_DAA_SIGN
49 (0x31)
Allows the TPM owner to sign data using Direct Anonymous Attestation (DAA).
TPM_Delegate_CreateKeyDelegation
212 (0xD4)
Allows the owner of a key to delegate the privilege to use that key.
TPM_Delegate_CreateOwnerDelegation
213 (0xD5)
Allows the TPM owner to delegate the privilege to run commands that typically require owner authorization.
TPM_Delegate_LoadOwnerDelegation
216 (0xD8)
Allows the TPM owner to load a row of a delegation table into the TPM's nonvolatile storage. This command cannot be used to load key delegation BLOBs into the TPM.
TPM_Delegate_Manage
210 (0xD2)
Allows the TPM owner to manage delegation family tables. This command must be run at least once before delegation commands for that family table can be performed.
TPM_Delegate_ReadTable
219 (0xDB)
Reads the public contents of the family and delegate tables that are stored on the TPM.
TPM_Delegate_UpdateVerification
209 (0xD1)
Allows the TPM owner to update a delegation entity so that it will continue to be accepted by the TPM.
TPM_Delegate_VerifyDelegation
214 (0xD6)
Interprets a delegate BLOB and returns whether that BLOB is currently valid.
TPM_DirRead
26 (0x1A)
Superseded by TPM_NV_ReadValue and TPM_NV_ReadValueAuth. This value is blocked by default.
TPM_DirWriteAuth
25 (0x19)
Superseded by TPM_NV_WriteValue and TPM_NV_WriteValueAuth. This value is blocked by default.
TPM_DisableForceClear
94 (0x5E)
Disables the running of the TPM_ForceClear command until the platform restarts.
TPM_DisableOwnerClear
92 (0x5C)
Allows the TPM owner to permanently disable the ability to run the TPM_OwnerClear command. Once used, the only method of clearing the TPM will require executing the TPM_ForceClear command.
TPM_DisablePubekRead
126 (0x7E)
Superseded by having TPM_TakeOwnership automatically disable reading the public portion of the endorsement key (EK) by using TPM_ReadPubek. This value is blocked by default.
TPM_DSAP
17 (0x11)
Generates an authorization session handle for the Delegate-Specific Authorization Protocol (DSAP) used to securely pass delegated authorization data to the TPM and the information the TPM needs to track this authorization session handle.
TPM_EstablishTransport
230 (0xE6)
Establishes a transport session that can be used to confidentially transmit shared secrets, encryption keys, and session logs to the TPM (by using TPM_ExecuteTransport).
TPM_EvictKey
34 (0x22)
Superseded by TPM_FlushSpecific. This value is blocked by default.
TPM_ExecuteTransport
231 (0xE7)
Delivers a wrapped TPM command to the TPM within a transport session. The TPM unwraps the command and then runs the command.
TPM_Extend
20 (0x14)
Adds a new digest to a specified platform configuration register (PCR) and returns this extended digest.
TPM_FieldUpgrade
170 (0xAA)
Allows a manufacturer upgrade of TPM functionality. This command is specific to the TPM manufacturer.
TPM_FlushSpecific
186 (0xBA)
Flushes from the TPM a specified resource handle.
TPM_ForceClear
93 (0x5D)
Clears the TPM. This command requires physical presence at the platform and cannot be run by the operating system.
TPM_GetAuditDigest
133 (0x85)
Returns the TPM audit digest.
TPM_GetAuditDigestSigned
134 (0x86)
Returns a signed TPM audit digest and list of currently audited commands.
TPM_GetAuditEvent
130 (0x82)
Removed due to security concerns. This value is blocked by default.
TPM_GetAuditEventSigned
131 (0x83)
Removed due to security concerns. This value is blocked by default.
TPM_GetCapability
101 (0x65)
Returns TPM information.
TPM_GetCapabilityOwner
102 (0x66)
Removed due to security concerns. This value is blocked by default.
TPM_GetCapabilitySigned
100 (0x64)
Removed due to security concerns. This value is blocked by default.
TPM_GetOrdinalAuditStatus
140 (0x8C)
Removed due to security concerns. This value is blocked by default.
TPM_GetPubKey
33 (0x21)
Allows an owner of a loaded key to obtain the public key value of that key.
TPM_GetRandom
70 (0x46)
Returns random data of a specified length from the TPM random number generator.
TPM_GetTestResult
84 (0x54)
Provides manufacturer-specific and diagnostic information regarding the results of the self-test.
TPM_GetTick
241 (0xF1)
Returns the current tick count of the TPM.
TSC_PhysicalPresence
1073741834 (0x4000000A)
Indicates physical presence at the platform. This command cannot be run by the operating system.
TSC_ResetEstablishmentBit
1073741835 (0x4000000B)
Indicates whether a special sequence to create a trusted operating system occurred on the platform.
TPM_IncrementCounter
221 (0xDD)
Allows the owner of the counter to increment that counter by one and return this updated value.
TPM_Init
151 (0x97)
Command first sent by the platform to the TPM during the start process. This command cannot be run by software.
TPM_KeyControlOwner
35 (0x23)
Allows the TPM owner to control certain attributes of keys that are stored within the TPM key cache.
TPM_KillMaintenanceFeature
46 (0x2E)
Allows the TPM owner to prevent the creation of a maintenance archive (by using TPM_CreateMaintenanceArchive). This action is valid until a new TPM owner is set (by using TPM_TakeOwnership).
TPM_LoadAuthContext
183 (0xB7)
Superseded by TPM_LoadContext. This value is blocked by default.
TPM_LoadContext
185 (0xB9)
Loads into the TPM a previously saved context.
TPM_LoadKey
32 (0x20)
Superseded by TPM_LoadKey2. This value is blocked by default.
TPM_LoadKey2
65 (0x41)
Loads into the TPM a key for further usage (for example, wrap, unwrap, bind, unbind, seal, unseal, sign).
TPM_LoadKeyContext
181 (0xB5)
Superseded by TPM_LoadContext. This value is blocked by default.
TPM_LoadMaintenanceArchive
45 (0x2D)
Allows the TPM owner to load a maintenance archive (generated by using TPM_CreateMaintenanceArchive). When loaded, the authorization value for the storage root key (SRK) is set to be the same as the TPM owner authorization.
TPM_LoadManuMaintPub
47 (0x2F)
Loads the platform manufacturer's public key into the TPM for use in the maintenance process. This command can only be run once and should be run before a platform ships.
TPM_MakeIdentity
121 (0x79)
Allows the TPM owner to generate an Attestation Identity Key (AIK) that can be used to sign information generated internally by the TPM.
TPM_MigrateKey
37 (0x25)
Allows the TPM to migrate a BLOB (as generated by using TPM_CreateMigrationBlob or TPM_CMK_CreateBlob) to a destination by reencrypting it with a given public key.
TPM_NV_DefineSpace
204 (0xCC)
Allows the TPM owner to define space for an area of nonvolatile storage on the TPM. This definition includes the access requirements for writing and reading the area.
TPM_NV_ReadValue
207 (0xCF)
Reads from a defined nonvolatile storage area.
TPM_NV_ReadValueAuth
208 (0xD0)
Reads from a defined nonvolatile storage area, given the required authorization for that area.
TPM_NV_WriteValue
205 (0xCD)
Writes a specified value to a defined nonvolatile storage area.
TPM_NV_WriteValueAuth
206 (0xCE)
Writes a specified value to a defined nonvolatile storage area, given the required authorization for that area.
TPM_OIAP
10 (0xA)
Generates an authorization session handle for the Object-Independent Authorization Protocol (OIAP) used to securely pass authorization data to the TPM and the information the TPM needs to track this authorization session handle.
TPM_OSAP
11 (0xB)
Generates an authorization session handle for the Object-Specific Authorization Protocol (OSAP) used to securely pass authorization data to the TPM and the information the TPM needs to track this authorization session handle.
TPM_OwnerClear
91 (0x5B)
Allows the TPM owner to clear the TPM.
TPM_OwnerReadInternalPub
129 (0x81)
Allows the TPM owner to return the public portion of the TPM endorsement key (EK) or storage root key (SRK).
TPM_OwnerReadPubek
125 (0x7D)
Superseded by TPM_OwnerReadInternalPub. This value is blocked by default.
TPM_OwnerSetDisable
110 (0x6E)
Allows the TPM owner to enable or disable the TPM.
TPM_PCR_Reset
200 (0xC8)
Resets the specified platform configuration registers (PCRs) to their default state.
TPM_PcrRead
21 (0x15)
Returns the contents of a specified platform configuration register (PCR).
TPM_PhysicalDisable
112 (0x70)
Disables the TPM. This command requires physical presence at the platform and cannot be run by the operating system.
TPM_PhysicalEnable
111 (0x6F)
Enables the TPM. This command requires physical presence at the platform and cannot be run by the operating system.
TPM_PhysicalSetDeactivated
114 (0x72)
Activates or deactivates the TPM. This command requires physical presence at the platform and cannot be run by the operating system.
TPM_Quote
22 (0x16)
Returns a signed digest that is a combination of the contents of a specified platform configuration register (PCR) and some specified external data. The digest is signed with a loaded key.
TPM_Quote2
62 (0x3E)
Similar to the command TPM_Quote with the inclusion of locality information to provide a more complete view of the current platform configuration.
TPM_ReadCounter
222 (0xDE)
Returns the value of the specified counter.
TPM_ReadManuMaintPub
48 (0x30)
Returns the digest of the platform manufacturer's public maintenance key (loaded by using TPM_LoadManuMaintPub).
TPM_ReadPubek
124 (0x7C)
Returns the public portion of the TPM endorsement key. This command is disabled when ownership of the TPM is taken.
TPM_ReleaseCounter
223 (0xDF)
Allows the owner of the counter to release the specified counter. No subsequent reads or increments of the counter will succeed.
TPM_ReleaseCounterOwner
224 (0xE0)
Allows the TPM owner to release the specified counter. No subsequent reads or increments of the counter will succeed.
TPM_ReleaseTransportSigned
232 (0xE8)
Completes the transport session. If logging is turned on, this command returns a hash of all operations performed during the session along with the digital signature of the hash.
TPM_Reset
90 (0x5A)
Releases all resources associated with existing authorization sessions. TPM_Reset is not upgraded in TPM v1.2. This value is blocked by default.
TPM_ResetLockValue
64 (0x40)
Resets the mechanisms used to protect against attacks on TPM authorization values.
TPM_RevokeTrust
128 (0x80)
Clears a revocable TPM endorsement key (generated by using TPM_CreateRevocableEK) and resets the TPM, given the necessary authorization value for this reset and platform support for this command. This command requires physical presence at the platform and cannot be run by the operating system.
TPM_SaveAuthContext
182 (0xB6)
Superseded by TPM_SaveContext. This value is blocked by default.
TPM_SaveContext
184 (0xB8)
Saves a loaded resource outside the TPM. After successfully running this command, the TPM automatically releases the internal memory for sessions but leaves keys in place.
TPM_SaveKeyContext
180 (0xB4)
Superseded by TPM_SaveContext. This value is blocked by default.
TPM_SaveState
152 (0x98)
Warns a TPM to save some state information.
TPM_Seal
23 (0x17)
Allows software to protect secrets so that they are released only if a specified platform configuration is validated.
TPM_Sealx
61 (0x3D)
Allows software to protect secrets so that they are released only if a specified platform configuration is validated. The secret must be encrypted.
TPM_SelfTestFull
80 (0x50)
Tests all of the TPM's internal functions. Any failure causes the TPM to enter into failure mode.
TPM_SetCapability
63 (0x3F)
Allows the TPM owner to set values in the TPM.
TPM_SetOperatorAuth
116 (0x74)
Defines the operator authorization value. This command requires physical presence at the platform and cannot be run by the operating system.
TPM_SetOrdinalAuditStatus
141 (0x8D)
Allows the TPM owner to set the audit flag for a given command number.
TPM_SetOwnerInstall
113 (0x71)
Allows or disallows the ability to insert an owner. This command requires physical presence at the platform and cannot be run by the operating system.
TPM_SetOwnerPointer
117 (0x75)
Sets the reference to the owner authorization that the TPM uses when executing an OIAP or OSAP session. This command should only be used to provide owner delegation functionality for legacy code that does not support DSAP.
TPM_SetRedirection
154 (0x9A)
Allows the TPM to directly communicate with a connected security processor by redirecting output.
TPM_SetTempDeactivated
115 (0x73)
Allows the operator of the platform to deactivate the TPM until the next start of the platform. The operator must either have physical presence at the platform or present the operator authorization value defined with the command TPM_SetOperatorAuth.
TPM_SHA1Complete
162 (0xA2)
Completes a pending SHA-1 digest process and returns the resulting SHA-1 hash output.
TPM_SHA1CompleteExtend
163 (0xA3)
Completes a pending SHA-1 digest process, returns the resulting SHA-1 hash output, and incorporates this hash into a platform configuration register (PCR).
TPM_SHA1Start
160 (0xA0)
Starts the process of calculating a SHA-1 digest. This command must be followed by running the TPM_SHA1Update command, or the SHA-1 process is invalidated.
TPM_SHA1Update
161 (0xA1)
Inputs complete blocks of data into a pending SHA-1 digest (started by using TPM_SHA1Start).
TPM_Sign
60 (0x3C)
Signs data with a loaded signing key and returns the resulting digital signature.
TPM_Startup
153 (0x99)
Command that must be called after TPM_Init to transmit additional platform information to the TPM about the type of reset that is occurring.
TPM_StirRandom
71 (0x47)
Adds entropy to the TPM random number generator state.
TPM_TakeOwnership
13 (0xD)
Takes ownership of the TPM with a new owner authorization value, derived from the owner password. Among other conditions that must be met before this command can run, the TPM must be enabled and activated.
TPM_Terminate_Handle
150 (0x96)
Superseded by TPM_FlushSpecific. This value is blocked by default.
TPM_TickStampBlob
242 (0xF2)
Signs a specified digest with the TPM's current tick count by using a loaded signature key.
TPM_UnBind
30 (0x1E)
Decrypts data previously encrypted with the public portion of a TPM-bound key.
TPM_Unseal
24 (0x18)
Releases secrets previously sealed by the TPM if integrity, platform configuration, and authorization checks succeed.

IsCommandBlocked [out]

Type: uint32

A bitmap value that specifies whether the command is blocked from running through the default list of blocked commands, the local list of blocked commands, or by using Group Policy.

Value  Meaning
0      The command is not blocked.
1      The command is blocked through the default list of blocked commands.
2      The command is blocked through the local list of blocked commands.
4      The command is blocked through the Group Policy list of blocked commands.
5      The command is blocked from running through both the default list of blocked commands and through the Group Policy list of blocked commands.
6      The command is blocked from running through both the local list of blocked commands and through the Group Policy list of blocked commands.
7      The command is blocked from running through the default list of blocked commands, the local list of blocked commands, and through the Group Policy list of blocked commands.

Bit values may be combined to fully specify what blocks the command. For example, if the command is blocked by both the default list of blocked commands (value 1) and the Group Policy list of blocked commands (value 4), the combination is indicated by IsCommandBlocked having a value of 5.
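The following PowerShell is an added example and is not part of the Microsoft documentation. It calls IsCommandBlocked through the CIM cmdlets for a few ordinals taken from the CommandOrdinal table above (two that the table marks as blocked by default, two that are normally allowed) and decodes the returned bitmap into the three sources the page describes. The helper name ConvertFrom-BlockedBitmap and the choice of ordinals are this example's own; it must run elevated on a Windows machine whose TPM is visible to WMI.

```powershell
# Added example (not from the documentation page): query Win32_Tpm.IsCommandBlocked
# and decode the out-parameter bitmap. Namespace and bit values are from the page.

$tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm
if ($null -eq $tpm) { throw 'No Win32_Tpm instance found; the TPM is not visible to WMI.' }

# Bit meanings of the IsCommandBlocked out-parameter, as documented on the page.
$BlockedByDefaultList = 1
$BlockedByLocalList   = 2
$BlockedByGroupPolicy = 4

function ConvertFrom-BlockedBitmap {
    param([uint32]$Bitmap)
    $sources = @()
    if ($Bitmap -band $BlockedByDefaultList) { $sources += 'default list' }
    if ($Bitmap -band $BlockedByLocalList)   { $sources += 'local list' }
    if ($Bitmap -band $BlockedByGroupPolicy) { $sources += 'Group Policy list' }
    if ($sources.Count -eq 0) { 'not blocked' } else { $sources -join ' + ' }
}

# Ordinals chosen from the CommandOrdinal table (constructed sample set).
$ordinals = [ordered]@{
    'TPM_CertifySelfTest' = 82     # "blocked by default" per the table
    'TPM_GetAuditEvent'   = 130    # "removed due to security concerns", blocked by default
    'TPM_GetRandom'       = 70     # normally allowed
    'TPM_PcrRead'         = 21     # normally allowed
}

foreach ($name in $ordinals.Keys) {
    $result = Invoke-CimMethod -InputObject $tpm -MethodName IsCommandBlocked `
        -Arguments @{ CommandOrdinal = [uint32]$ordinals[$name] }

    # ReturnValue is the Win32 error code; 0 (S_OK) means the out-parameter is valid.
    if ($result.ReturnValue -ne 0) {
        Write-Warning ('{0}: IsCommandBlocked failed with Win32 error {1}' -f $name, $result.ReturnValue)
        continue
    }

    '{0,-22} ordinal {1,4}: bitmap {2} ({3})' -f $name, $ordinals[$name],
        $result.IsCommandBlocked, (ConvertFrom-BlockedBitmap $result.IsCommandBlocked)
}
```

A bitmap of 0 for a command that the table marks "blocked by default" means the default list has been overridden (either the IgnoreDefaultList policy is set or the entry was removed), which is worth flagging when auditing TPM hardening.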

Return value

Type: uint32

All Win32 errors can be returned.

Return code/value  Description
S_OK  0 (0x0)      The method was successful.

Remarks

This method reads the following registry keys:

  • Group Policy list of blocked TPM commands:

    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Tpm\BlockedCommands\List

  • Default list of blocked TPM commands:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Tpm\BlockedCommands\List

  • Group Policy setting to ignore the default list of blocked TPM commands:

    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Tpm\BlockedCommands\IgnoreDefaultList

  • Local list of blocked TPM commands:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\Tpm\BlockedCommands\List

  • Group Policy setting to ignore the local list of blocked TPM commands:

    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Tpm\BlockedCommands\IgnoreLocalList

The method return value can be derived as follows:

  • Assume that IsCommandBlockedTemp is a 3-bit value, initially set to 0.
  • If the Group Policy setting to ignore the default list of blocked TPM commands does not exist or is 0, and a value in the registry key that corresponds to the default list of blocked TPM commands is CommandOrdinal, then the least significant bit of IsCommandBlockedTemp is set to 1.
  • If the Group Policy setting to ignore the local list of blocked TPM commands does not exist or is 0, and a value in the registry key that corresponds to the local list of blocked TPM commands is CommandOrdinal, then the second least significant bit of IsCommandBlockedTemp is set to 1.
  • If a value in the registry key that corresponds to the Group Policy list of blocked TPM commands is CommandOrdinal, then the most significant bit of IsCommandBlockedTemp is set to 1.
  • IsCommandBlocked returns IsCommandBlockedTemp.
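The derivation above, re-implemented in PowerShell as an added example (not code from the documentation): it reads the five registry locations listed in the Remarks, computes the 3-bit value step by step, and cross-checks it against what the WMI method actually returns. Registry paths are the ones on this page; the page does not state how entries are stored under each ...\BlockedCommands\List key, so the matching rule (an entry matches when either its value name or its data equals the ordinal) is an assumption of this example, as are the helper names.

```powershell
# Added example (not from the documentation page): derive the IsCommandBlocked
# bitmap from the registry keys named in the Remarks and compare it with the
# method result. Run elevated on a machine with a WMI-visible TPM.

$PolicyKey  = 'HKLM:\Software\Policies\Microsoft\Tpm\BlockedCommands'          # IgnoreDefaultList / IgnoreLocalList / List
$DefaultKey = 'HKLM:\Software\Microsoft\Tpm\BlockedCommands\List'
$LocalKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\Tpm\BlockedCommands\List'

function Test-ListContainsOrdinal {
    # True when some value under $Path "is CommandOrdinal" (page wording).
    # Assumption: match on the value name or on its data, both parsed as uint32.
    param([string]$Path, [uint32]$Ordinal)
    if (-not (Test-Path -Path $Path)) { return $false }
    foreach ($p in (Get-ItemProperty -Path $Path).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }    # skip PSPath, PSParentPath, PSChildName, ...
        [uint32]$n = 0
        if (([uint32]::TryParse([string]$p.Name, [ref]$n) -and $n -eq $Ordinal) -or
            ([uint32]::TryParse([string]$p.Value, [ref]$n) -and $n -eq $Ordinal)) { return $true }
    }
    return $false
}

function Get-PolicyFlag {
    # Returns the DWORD policy flag, or 0 when the key or value does not exist
    # ("does not exist or is 0" are treated the same by the derivation).
    param([string]$Name)
    $item = Get-ItemProperty -Path $PolicyKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$Name
}

function Get-ExpectedBlockedBitmap {
    param([uint32]$Ordinal)
    $temp = 0   # IsCommandBlockedTemp from the page
    if ((Get-PolicyFlag 'IgnoreDefaultList') -eq 0 -and (Test-ListContainsOrdinal $DefaultKey $Ordinal)) {
        $temp = $temp -bor 1   # least significant bit: default list
    }
    if ((Get-PolicyFlag 'IgnoreLocalList') -eq 0 -and (Test-ListContainsOrdinal $LocalKey $Ordinal)) {
        $temp = $temp -bor 2   # second bit: local list
    }
    if (Test-ListContainsOrdinal "$PolicyKey\List" $Ordinal) {
        $temp = $temp -bor 4   # most significant bit: Group Policy list (no ignore flag applies)
    }
    return $temp
}

$tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm
if ($null -eq $tpm) { throw 'No Win32_Tpm instance found; the TPM is not visible to WMI.' }

# Constructed sample: ordinals from the CommandOrdinal table on this page.
foreach ($ordinal in [uint32[]](82, 130, 70, 21)) {
    $expected = Get-ExpectedBlockedBitmap -Ordinal $ordinal
    $r = Invoke-CimMethod -InputObject $tpm -MethodName IsCommandBlocked -Arguments @{ CommandOrdinal = $ordinal }
    $status = if ($r.ReturnValue -eq 0 -and $r.IsCommandBlocked -eq $expected) { 'match' } else { 'MISMATCH' }
    'ordinal {0,4}: registry-derived {1}, method returned {2} ({3})' -f $ordinal, $expected, $r.IsCommandBlocked, $status
}
```

A mismatch usually means the list keys use a storage convention other than the one assumed here; the registry-derived value is the one to adjust, since the method is the authoritative source. Reading the lists directly is still useful for detection: a change to IgnoreDefaultList, or removal of an entry from the default list, silently unblocks superseded commands and is visible in the registry before any TPM command is issued.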

Managed Object Format (MOF) files contain the definitions for Windows Management Instrumentation (WMI) classes. MOF files are not installed as part of the Windows SDK. They are installed on the server when you add the associated role by using the Server Manager. For more information about MOF files, see Managed Object Format (MOF).

Requirements

Requirement               Value
Minimum supported client  Windows Vista [desktop apps only]
Minimum supported server  Windows Server 2008 [desktop apps only]
Namespace                 Root\CIMV2\Security\MicrosoftTpm
MOF                       Win32_tpm.mof
DLL                       Win32_tpm.dll

See also

Win32_Tpm