AddBlockedCommand method of the Win32_Tpm class
The AddBlockedCommand method of the Win32_Tpm class adds a TPM command to the local list of commands blocked from running on the operating system.
Caution
The operating system prevents a predefined set of commands from running by default. Changes to this default can affect the security, privacy, or functionality of your computer.
Syntax
uint32 AddBlockedCommand(
[in] uint32 CommandOrdinal
);
Parameters
CommandOrdinal [in]
Type: uint32
An integer value that specifies a TPM command. If the TPM supports more commands than the ones listed, an ordinal for a new command can also be specified.
| Command | Ordinal | Meaning |
|---|---|---|
| TPM_ActivateIdentity | 122 (0x7A) | Allows the TPM owner to unwrap the session key that allows for the decryption of the Attestation Identity Key credential, thereby obtaining assurance that the credential is valid for the TPM. |
| TPM_AuthorizeMigrationKey | 43 (0x2B) | Allows the TPM owner to create a migration authorization ticket so that users can migrate keys without involvement of the TPM owner. |
| TPM_CertifyKey | 50 (0x32) | Certifies a loaded key, created by TPM_LoadKey2, with the public portion of another key. A TPM identity key can only certify keys that cannot be migrated, while signing and legacy keys can certify all keys. |
| TPM_CertifyKey2 | 51 (0x33) | Based on TPM_CertifyKey, but includes extra parameters to certify a Certifiable Migration Key (CMK). |
| TPM_CertifySelfTest | 82 (0x52) | Performs a full self-test and returns an authenticated value if the test passes. This command is not upgraded for version 1.2 of the TPM. This value is blocked by default. |
| TPM_ChangeAuth | 12 (0xC) | Allows the owner of an entity (for example, a TPM key) to change the authorization value for that entity. |
| TPM_ChangeAuthAsymFinish | 15 (0xF) | Superseded by establishing a transport session with the TPM and running the TPM_ChangeAuth command. This value is blocked by default. |
| TPM_ChangeAuthAsymStart | 14 (0xE) | Superseded by establishing a transport session with the TPM and running the TPM_ChangeAuth command. This value is blocked by default. |
| TPM_ChangeAuthOwner | 16 (0x10) | Allows the TPM owner to change the TPM owner authorization value or the storage root key authorization value. |
| TPM_CMK_ApproveMA | 29 (0x1D) | Allows the TPM owner to create an authorization ticket for one or more migration selection or migration authorities so that users can create certifiable migration keys (by using TPM_CMK_CreateKey) without involvement of the TPM owner. |
| TPM_CMK_ConvertMigration | 36 (0x24) | Creates a certifiable migration key BLOB that can be loaded onto another computer by using the TPM_LoadKey2 command. This command is given a random number and the certifiable migration key's migration BLOB (as generated by using TPM_CMK_CreateBlob). |
| TPM_CMK_CreateBlob | 27 (0x1B) | Allows an entity with knowledge of the migration authorization ticket (as generated by using TPM_CMK_CreateTicket) of a certifiable migration key (as generated by using TPM_CMK_CreateKey) to create the migration BLOB necessary to move the key to a new computer or parent key. |
| TPM_CMK_CreateKey | 19 (0x13) | Generates a secure asymmetric certifiable migration key using the authorization ticket for one or more migration selection or migration authorities (as generated by using TPM_CMK_ApproveMA). |
| TPM_CMK_CreateTicket | 18 (0x12) | Allows the TPM owner to create a signature verification ticket for a certifiable migration key by using a provided public key. This ticket is used with a certifiable migration key (as generated by TPM_CMK_CreateKey) to create a migration BLOB needed to move the key to a new computer or parent key. |
| TPM_CMK_SetRestrictions | 28 (0x1C) | Allows the TPM owner to specify usage of a certifiable migration key (as generated by TPM_CMK_CreateKey). |
| TPM_ContinueSelfTest | 83 (0x53) | Informs the TPM that it may complete the self-test of all TPM functions that were not tested during the power-on self-test. |
| TPM_ConvertMigrationBlob | 42 (0x2A) | Creates a key BLOB that can be loaded onto another computer by using the TPM_LoadKey2 command. This command is given a random number and the key's migration BLOB (as generated by using TPM_CreateMigrationBlob). |
| TPM_CreateCounter | 220 (0xDC) | Allows the TPM owner to create a new monotonic counter, assign an authorization value to that counter, increment the TPM's internal counter value by one, and set the new counter's start value to be the updated internal value. |
| TPM_CreateEndorsementKeyPair | 120 (0x78) | Creates the TPM endorsement key, if this key does not already exist. |
| TPM_CreateMaintenanceArchive | 44 (0x2C) | Allows the TPM owner to create a maintenance archive that enables the migration of all data held by the TPM. This data includes the storage root key and the TPM owner authorization. |
| TPM_CreateMigrationBlob | 40 (0x28) | Allows an entity with knowledge of the migration authorization ticket of a key (as created by TPM_CMK_CreateTicket) to create a migration BLOB necessary to move a migration key to a new computer or parent key. |
| TPM_CreateRevocableEK | 127 (0x7F) | Creates the TPM endorsement key. The user can also specify whether the endorsement key can be reset and, if so, the authorization value necessary to reset this key (if this value is not to be generated by the TPM). This is an optional command that may not be supported by the computer manufacturer. |
| TPM_CreateWrapKey | 31 (0x1F) | Generates and creates a secure asymmetric key. |
| TPM_DAA_JOIN | 41 (0x29) | Allows the TPM owner to establish the Direct Anonymous Attestation (DAA) parameters in the TPM for a specific DAA issuing authority. |
| TPM_DAA_SIGN | 49 (0x31) | Allows the TPM owner to sign data using Direct Anonymous Attestation. |
| TPM_Delegate_CreateKeyDelegation | 212 (0xD4) | Allows the owner of a key to delegate the privilege to use that key. |
| TPM_Delegate_CreateOwnerDelegation | 213 (0xD5) | Allows the TPM owner to delegate the privilege to run commands that typically require owner authorization. |
| TPM_Delegate_LoadOwnerDelegation | 216 (0xD8) | Allows the TPM owner to load a row of a delegation table into the TPM's nonvolatile storage. This command cannot be used to load key delegation BLOBs into the TPM. |
| TPM_Delegate_Manage | 210 (0xD2) | Allows the TPM owner to manage delegation family tables. This command must be run at least once before running delegation commands for a family table. |
| TPM_Delegate_ReadTable | 219 (0xDB) | Reads the public contents of the family and delegate tables that are stored on the TPM. |
| TPM_Delegate_UpdateVerification | 209 (0xD1) | Allows the TPM owner to update a delegation entity so that it will continue to be accepted by the TPM. |
| TPM_Delegate_VerifyDelegation | 214 (0xD6) | Interprets a delegate BLOB and returns whether that BLOB is currently valid. |
| TPM_DirRead | 26 (0x1A) | Superseded by the TPM_NV_ReadValue and TPM_NV_ReadValueAuth commands. This value is blocked by default. |
| TPM_DirWriteAuth | 25 (0x19) | Superseded by the TPM_NV_WriteValue and TPM_NV_WriteValueAuth commands. This value is blocked by default. |
| TPM_DisableForceClear | 94 (0x5E) | Disables the running of the TPM_ForceClear command until the computer restarts. |
| TPM_DisableOwnerClear | 92 (0x5C) | Allows the TPM owner to permanently disable the TPM_OwnerClear command. After TPM_DisableOwnerClear is used, the owner must run the TPM_ForceClear command to clear the TPM. |
| TPM_DisablePubekRead | 126 (0x7E) | Superseded by having the TPM_TakeOwnership command automatically disable the reading of the public portion of the endorsement key by using the TPM_ReadPubek command. This value is blocked by default. |
| TPM_DSAP | 17 (0x11) | Generates an authorization session handle for the Delegate-Specific Authorization Protocol (DSAP) used to securely pass delegated authorization data to the TPM and the information the TPM needs to track this authorization session handle. |
| TPM_EstablishTransport | 230 (0xE6) | Establishes a transport session that can be used to confidentially transmit shared secrets, encryption keys, and session logs to the TPM (by using TPM_ExecuteTransport). |
| TPM_EvictKey | 34 (0x22) | Superseded by the TPM_FlushSpecific command. This value is blocked by default. |
| TPM_ExecuteTransport | 231 (0xE7) | Delivers a wrapped TPM command to the TPM within a transport session. The TPM unwraps the command and then runs the command. |
| TPM_Extend | 20 (0x14) | Adds a new digest to a specified platform configuration register and returns this extended digest. |
| TPM_FieldUpgrade | 170 (0xAA) | Allows a manufacturer upgrade of TPM functionality. This command is specific to the TPM manufacturer. |
| TPM_FlushSpecific | 186 (0xBA) | Flushes a specified resource handle from the TPM. |
| TPM_ForceClear | 93 (0x5D) | Clears the TPM. This command requires physical presence at the computer and cannot be executed by the operating system. |
| TPM_GetAuditDigest | 133 (0x85) | Returns the TPM audit digest. |
| TPM_GetAuditDigestSigned | 134 (0x86) | Returns a signed TPM audit digest and a list of currently audited commands. |
| TPM_GetAuditEvent | 130 (0x82) | Removed due to security concerns. This value is blocked by default. |
| TPM_GetAuditEventSigned | 131 (0x83) | Removed due to security concerns. This value is blocked by default. |
| TPM_GetCapability | 101 (0x65) | Returns TPM information. |
| TPM_GetCapabilityOwner | 102 (0x66) | Removed due to security concerns. This value is blocked by default. |
| TPM_GetCapabilitySigned | 100 (0x64) | Removed due to security concerns. This value is blocked by default. |
| TPM_GetOrdinalAuditStatus | 140 (0x8C) | Removed due to security concerns. This value is blocked by default. |
| TPM_GetPubKey | 33 (0x21) | Allows an owner of a loaded key to obtain the public key value of that key. The loaded key is created by using the TPM_LoadKey2 command. |
| TPM_GetRandom | 70 (0x46) | Returns random data of a specified length from the TPM random number generator. |
| TPM_GetTestResult | 84 (0x54) | Provides manufacturer-specific and diagnostic information regarding the results of the self-test. |
| TPM_GetTick | 241 (0xF1) | Returns the current tick count of the TPM. |
| TPM_IncrementCounter | 221 (0xDD) | Allows the owner of the monotonic counter to increment that counter by one and return this updated value. |
| TPM_Init | 151 (0x97) | The first command sent by the computer. During the initial start process, this command is sent to the TPM. This command cannot be run by software. |
| TPM_KeyControlOwner | 35 (0x23) | Allows the TPM owner to set certain attributes of keys that are stored within the TPM key cache, for example whether a key can be evicted by anyone other than the owner. |
| TPM_KillMaintenanceFeature | 46 (0x2E) | Allows the TPM owner to prevent the creation of a maintenance archive by using the TPM_CreateMaintenanceArchive command. This action is valid until a new TPM owner is set by using the TPM_TakeOwnership command. |
| TPM_LoadAuthContext | 183 (0xB7) | Superseded by the TPM_LoadContext command. This value is blocked by default. |
| TPM_LoadContext | 185 (0xB9) | Loads a previously saved context into the TPM. |
| TPM_LoadKey | 32 (0x20) | Superseded by the TPM_LoadKey2 command. This value is blocked by default. |
| TPM_LoadKey2 | 65 (0x41) | Loads a key into the TPM so that the owner can set other actions on it. These actions include wrap, unwrap, bind, unbind, seal, unseal, and sign. |
| TPM_LoadKeyContext | 181 (0xB5) | Superseded by the TPM_LoadContext command. This value is blocked by default. |
| TPM_LoadMaintenanceArchive | 45 (0x2D) | Allows the TPM owner to load a maintenance archive (generated by using the TPM_CreateMaintenanceArchive command). When loaded, the authorization value for the storage root key is set to be the same as the TPM owner authorization. |
| TPM_LoadManuMaintPub | 47 (0x2F) | Loads the computer manufacturer's public key into the TPM for use in the maintenance process. This command can only be run once and should be executed before a computer ships. |
| TPM_MakeIdentity | 121 (0x79) | Allows the TPM owner to generate an Attestation Identity Key that can be used to sign information generated internally by the TPM. |
| TPM_MigrateKey | 37 (0x25) | Allows the TPM to migrate a BLOB (as generated by using the TPM_CreateMigrationBlob or the TPM_CMK_CreateBlob command) to a destination by re-encrypting it with a given public key. |
| TPM_NV_DefineSpace | 204 (0xCC) | Allows the TPM owner to define space for an area of nonvolatile storage on the TPM. This definition includes the access requirements for writing and reading the area. |
| TPM_NV_ReadValue | 207 (0xCF) | Reads from a defined nonvolatile storage area. |
| TPM_NV_ReadValueAuth | 208 (0xD0) | Reads from a defined nonvolatile storage area, given the required authorization for that area. |
| TPM_NV_WriteValue | 205 (0xCD) | Writes a specified value to a defined nonvolatile storage area as created by the TPM_NV_DefineSpace command. |
| TPM_NV_WriteValueAuth | 206 (0xCE) | Writes a specified value to a defined nonvolatile storage area, given the required authorization for that area. |
| TPM_OIAP | 10 (0xA) | Generates an authorization session handle for the Object-Independent Authorization Protocol (OIAP) used to securely pass authorization data to the TPM and the information the TPM needs to track this authorization session handle. |
| TPM_OSAP | 11 (0xB) | Generates an authorization session handle for the Object-Specific Authorization Protocol (OSAP) used to securely pass authorization data to the TPM and the information the TPM needs to track this authorization session handle. |
| TPM_OwnerClear | 91 (0x5B) | Allows the TPM owner to clear the TPM. This means that the only key remaining on the TPM is the endorsement key. |
| TPM_OwnerReadInternalPub | 129 (0x81) | Allows the TPM owner to return the public portion of the TPM endorsement key or storage root key. |
| TPM_OwnerReadPubek | 125 (0x7D) | Superseded by the TPM_OwnerReadInternalPub command. This value is blocked by default. |
| TPM_OwnerSetDisable | 110 (0x6E) | Allows the TPM owner to enable or disable the TPM. For more information, see the descriptions for the TPM_PhysicalEnable and TPM_PhysicalDisable commands. |
| TPM_PCR_Reset | 200 (0xC8) | Resets the specified platform configuration registers (PCRs) to their default state. |
| TPM_PcrRead | 21 (0x15) | Returns the contents of a specified PCR. |
| TPM_PhysicalDisable | 112 (0x70) | Disables the TPM. This command requires physical presence at the computer and cannot be run by the operating system. Turning off the TPM involves disabling or deactivating the TPM by using the TPM_PhysicalSetDeactivated command. |
| TPM_PhysicalEnable | 111 (0x6F) | Enables the TPM. This command requires physical presence at the computer and cannot be run by the operating system. Turning on the TPM involves enabling or activating the TPM by using the TPM_PhysicalSetDeactivated command. |
| TPM_PhysicalSetDeactivated | 114 (0x72) | Activates or deactivates the TPM. This command requires physical presence at the computer and cannot be run by the operating system. We recommend that you do not block this command. |
| TPM_Quote | 22 (0x16) | Returns a signed digest that is a combination of the contents of a specified PCR and some specified external data. The digest is signed with a loaded key. This command is blocked by default. |
| TPM_Quote2 | 62 (0x3E) | Similar to the TPM_Quote command, but includes locality information to provide a more complete view of the current computer configuration. This command is blocked by default. |
| TPM_ReadCounter | 222 (0xDE) | Returns the value of the specified monotonic counter. |
| TPM_ReadManuMaintPub | 48 (0x30) | Returns the digest of the computer manufacturer's public maintenance key (loaded by using the TPM_LoadManuMaintPub command). |
| TPM_ReadPubek | 124 (0x7C) | Returns the public portion of the TPM endorsement key. This command is disabled when ownership of the TPM is taken by using the TPM_TakeOwnership command. |
| TPM_ReleaseCounter | 223 (0xDF) | Allows the owner of the counter to release the specified counter. This command stops all subsequent reads or increments of the counter. |
| TPM_ReleaseCounterOwner | 224 (0xE0) | Allows the TPM owner to release the specified counter. This command stops all subsequent reads or increments of the counter. |
| TPM_ReleaseTransportSigned | 232 (0xE8) | Completes the transport session. If logging is turned on, this command returns a hash of all operations performed during the session along with the digital signature of the hash. |
| TPM_Reset | 90 (0x5A) | Releases all resources associated with existing authorization sessions. This command is not upgraded for version 1.2 of the TPM. This value is blocked by default. |
| TPM_ResetLockValue | 64 (0x40) | Resets the mechanisms used to protect against attacks on TPM authorization values. |
| TPM_RevokeTrust | 128 (0x80) | Clears a revocable TPM endorsement key (generated by using the TPM_CreateRevocableEK command) and, if it finds the correct authorization value for this reset, resets the TPM. This command requires physical presence at the computer and cannot be executed by the operating system. |
| TPM_SaveAuthContext | 182 (0xB6) | Superseded by the TPM_SaveContext command. This value is blocked by default. |
| TPM_SaveContext | 184 (0xB8) | Saves a loaded resource outside the TPM. After successfully running this command, the TPM automatically releases the internal memory for sessions but leaves keys in place. |
| TPM_SaveKeyContext | 180 (0xB4) | Superseded by the TPM_SaveContext command. This value is blocked by default. |
| TPM_SaveState | 152 (0x98) | Warns the TPM to save state information before entering the sleep state. This value is blocked by default. |
| TPM_Seal | 23 (0x17) | Allows the TPM to protect secrets until integrity, computer configuration, and authorization checks succeed. |
| TPM_Sealx | 61 (0x3D) | Allows the TPM to protect secrets so that they are released only if a specified computer configuration is validated. The secret must be encrypted. |
| TPM_SelfTestFull | 80 (0x50) | Tests all of the TPM's internal functions. Any failure causes the TPM to enter failure mode. |
| TPM_SetCapability | 63 (0x3F) | Allows the TPM owner to set values in the TPM. |
| TPM_SetOperatorAuth | 116 (0x74) | Defines the operator authorization value. This command requires physical presence at the computer and cannot be run by the operating system. |
| TPM_SetOrdinalAuditStatus | 141 (0x8D) | Allows the TPM owner to set the audit flag for a given command number. When this flag is turned on, the command returns an audit to the audit digest and the command is added to the list of currently audited commands. |
| TPM_SetOwnerInstall | 113 (0x71) | Allows or disallows the ability to set an owner. This command requires physical presence at the computer and cannot be run by the operating system. |
| TPM_SetOwnerPointer | 117 (0x75) | Sets the reference to the owner authorization that the TPM uses when executing an OIAP or OSAP session. This command should only be used to provide owner delegation functionality for legacy code that does not support DSAP. |
| TPM_SetRedirection | 154 (0x9A) | Allows the TPM to directly communicate with a connected security processor by redirecting output. |
| TPM_SetTempDeactivated | 115 (0x73) | Allows the operator of the platform to deactivate the TPM until the next computer reboot sequence. The operator must either have physical presence at the computer or present the operator authorization value defined by using the TPM_SetOperatorAuth command. |
| TPM_SHA1Complete | 162 (0xA2) | Completes a pending SHA-1 digest process and returns the resulting SHA-1 hash output. |
| TPM_SHA1CompleteExtend | 163 (0xA3) | Completes a pending SHA-1 digest process, returns the resulting SHA-1 hash output, and incorporates this hash into a platform configuration register (PCR). |
| TPM_SHA1Start | 160 (0xA0) | Starts the process of calculating a SHA-1 digest. This command must be followed by running the TPM_SHA1Update command, or the SHA-1 process is invalidated. |
| TPM_SHA1Update | 161 (0xA1) | Inputs complete blocks of data into a pending SHA-1 digest (started by using the TPM_SHA1Start command). |
| TPM_Sign | 60 (0x3C) | Signs data with a loaded signing key and returns the resulting digital signature. |
| TPM_Startup | 153 (0x99) | Must follow the TPM_Init command; transmits additional computer information to the TPM about the type of reset that is occurring at the time of the call. |
| TPM_StirRandom | 71 (0x47) | Adds entropy to the TPM random number generator state. |
| TPM_TakeOwnership | 13 (0xD) | Takes ownership of the TPM with a new owner authorization value, derived from the owner password. Among other conditions that must be met before this command can execute, the TPM must be enabled and activated. |
| TPM_Terminate_Handle | 150 (0x96) | Superseded by the TPM_FlushSpecific command. This value is blocked by default. |
| TPM_TickStampBlob | 242 (0xF2) | Signs a specified digest with the TPM's current tick count using a loaded signature key. |
| TPM_UnBind | 30 (0x1E) | Decrypts data previously encrypted with the public portion of a TPM-bound key. |
| TPM_Unseal | 24 (0x18) | Releases secrets previously sealed by the TPM if integrity, computer configuration, and authorization checks succeed. |
| TSC_PhysicalPresence | 1073741834 (0x4000000A) | Asserts physical presence at the computer. This command cannot be run by the operating system. |
| TSC_ResetEstablishmentBit | 1073741835 (0x4000000B) | Not used in the current version of BitLocker. |
Return value
Type: uint32
All TPM errors as well as errors specific to TPM Base Services can be returned.
Common return codes are listed below.
| Return code/value | Description |
|---|---|
| | The method was successful. |
Security Considerations
Changes to the default list of blocked commands can expose your computer to security and privacy risks.
Remarks
Group Policy can override the effect of the AddBlockedCommand method. An administrator can configure Group Policy to ignore the local list of blocked commands.
If a value indicated by CommandOrdinal already appears on the local list of blocked commands, zero is returned.
Managed Object Format (MOF) files contain the definitions for Windows Management Instrumentation (WMI) classes. MOF files are not installed as part of the Windows SDK. They are installed on the server when you add the associated role by using the Server Manager. For more information about MOF files, see Managed Object Format (MOF).
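An added example, not part of this documentation page, of driving AddBlockedCommand from PowerShell: it resolves a command name to its ordinal using a subset of the table above, refuses the one command the page recommends not blocking, invokes the method through CIM, and checks the return value. It assumes an elevated session on a machine whose TPM is visible to Windows, and it uses the Win32_Tpm IsCommandBlocked method (CommandOrdinal in, Blocked out), which this page does not describe and whose signature is an assumption here.

```powershell
# Added example; not from the Win32_Tpm documentation. Blocks a TPM 1.2 command
# through Win32_Tpm.AddBlockedCommand and reports the before/after state.
# Assumptions: elevated PowerShell, a TPM exposed to Windows, and the
# IsCommandBlocked method (CommandOrdinal in, Blocked out), not described on
# this page.

# Name -> decimal ordinal for a subset of the command table on this page.
$TpmOrdinal = @{
    'TPM_CertifySelfTest'        = 82    # 0x52, listed as blocked by default
    'TPM_DirRead'                = 26    # 0x1A, superseded by TPM_NV_ReadValue
    'TPM_FieldUpgrade'           = 170   # 0xAA, manufacturer-specific upgrade
    'TPM_Quote'                  = 22    # 0x16, listed as blocked by default
    'TPM_PhysicalSetDeactivated' = 114   # 0x72, page says do not block
}

# The page recommends against blocking TPM_PhysicalSetDeactivated; refuse it
# so a bulk policy script cannot lock the platform's activation state.
$DoNotBlock = @('TPM_PhysicalSetDeactivated')

function Get-TpmInstance {
    # Namespace taken from the Requirements table on this page.
    $tpm = Get-CimInstance -Namespace 'Root\CIMV2\Security\MicrosoftTpm' -ClassName 'Win32_Tpm'
    if ($null -eq $tpm) { throw 'No Win32_Tpm instance; the TPM is absent or not exposed to Windows.' }
    return $tpm
}

function Block-TpmCommand {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Name)

    if ($DoNotBlock -contains $Name)         { throw "Refusing to block $Name (see the command table)." }
    if (-not $TpmOrdinal.ContainsKey($Name)) { throw "Unknown TPM command name: $Name" }
    $ordinal = [uint32]$TpmOrdinal[$Name]
    $tpm = Get-TpmInstance

    # State before the change (IsCommandBlocked is assumed; see header comment).
    $before = Invoke-CimMethod -InputObject $tpm -MethodName 'IsCommandBlocked' `
                               -Arguments @{ CommandOrdinal = $ordinal }

    # AddBlockedCommand returns 0 on success, and also 0 when the ordinal is
    # already on the local list (Remarks on this page), so 0 alone does not
    # tell you whether anything changed.
    $result = Invoke-CimMethod -InputObject $tpm -MethodName 'AddBlockedCommand' `
                               -Arguments @{ CommandOrdinal = $ordinal }
    if ($result.ReturnValue -ne 0) {
        throw ('AddBlockedCommand({0}) failed with 0x{1:X8}' -f $ordinal, $result.ReturnValue)
    }

    # Re-query instead of trusting the return code alone. The Remarks note that
    # Group Policy can be set to ignore the local list, and the return code
    # cannot reveal that, so a separate verification step is worthwhile.
    $after = Invoke-CimMethod -InputObject $tpm -MethodName 'IsCommandBlocked' `
                              -Arguments @{ CommandOrdinal = $ordinal }

    [pscustomobject]@{
        Command       = $Name
        Ordinal       = $ordinal
        AlreadyOnList = [bool]$before.Blocked   # duplicate add still returns 0
        NowBlocked    = [bool]$after.Blocked
    }
}

# Usage: block the manufacturer-specific field upgrade command and show the result.
Block-TpmCommand -Name 'TPM_FieldUpgrade' | Format-List
```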
Requirements
| Requirement | Value |
|---|---|
| Minimum supported client | Windows Vista [desktop apps only] |
| Minimum supported server | Windows Server 2008 [desktop apps only] |
| Namespace | Root\CIMV2\Security\MicrosoftTpm |
| MOF | |
| DLL | |