At the launch of Windows 11, Microsoft announced that the operating system would only support computers with the TPM 2.0 security chip. According to Microsoft, TPM 2.0 is a key component in providing security with Windows Hello and BitLocker. This helps Windows 11 better protect users’ identities and data.
To help users and administrators easily control the data stored on the TPM, Microsoft has added a tool called TPM Diagnostics. It is an optional feature, so you need to install it before you can use it.
TPM Diagnostics tool
To install and use TPM Diagnostics on Windows 11 follow these instructions:
Step 1: Press Windows + I to open Settings then access Apps in the left sidebar
Step 2: Click Optional features
Step 3: Click View features at Add an optional feature
Step 4: Enter tpm in the search box, select the check box next to TPM Diagnostics in the results, then click Next > Install to confirm the installation
Step 5: After waiting for the system to install, you can use TPM Diagnostics through the Windows Terminal (Admin) command window (the new name of Command Prompt)
Step 6: Press Windows + X to open the Power User menu then select Windows Terminal (Admin)
Here you can enter TPM Diagnostics commands. For example, the command TpmDiagnostics.exe GetCapabilities lists the capabilities and settings of the TPM chip on your machine.
In addition to querying stored security keys and other information, you can also use TPM Diagnostics to encode/decode and convert Base64, hexadecimal and binary files.
With TPM Diagnostics, you can learn a lot about Windows 11’s basic security mechanisms. However, we recommend that you do not “play around” too much with the TPM Diagnostics tool if you do not clearly understand it. If the TPM is misconfigured, you may lose the keys needed for operations on your machine.
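One way to follow that advice is to run only query commands and keep their output for later comparison. The PowerShell script below is an added example, not code from the original article or from Microsoft; the output folder name and the assumption that the selected commands only read TPM state are assumptions of this example. Save it as a .ps1 file and run it from the elevated terminal opened in Step 6.

```powershell
#Requires -RunAsAdministrator
# Added example: save the output of query-style TpmDiagnostics commands so that
# two machines, or the same machine at two points in time, can be compared.

# Command names copied from the list on this page. Assumption: these only read
# TPM state. Commands that provision, clear, install, define or write
# (ProvisionTpm, DefineIndex, UndefineIndex, WriteNVIndex, Install*, ...) are
# deliberately left out.
$QueryCommands = @(
    'GetCapabilities', 'GetDeviceInformation', 'PlatformType', 'IsOwned',
    'IsReadyInformation', 'GetLockoutInfo', 'CheckFIPS',
    'IfxRsaKeygenVulnerability', 'EkInfo', 'PrintPcrs', 'NVSummary'
)

# Resolve the tool from PATH instead of hard-coding its location.
$tool = Get-Command -Name 'TpmDiagnostics.exe' -CommandType Application `
            -ErrorAction SilentlyContinue | Select-Object -First 1
if (-not $tool) {
    throw 'TpmDiagnostics.exe not found. Install it under Settings > Apps > Optional features first.'
}

# Hypothetical output location; change it to suit your environment.
$outDir = Join-Path $env:TEMP ('tpm-diag-{0:yyyyMMdd-HHmmss}' -f (Get-Date))
New-Item -ItemType Directory -Path $outDir -ErrorAction Stop | Out-Null

$summary = foreach ($cmd in $QueryCommands) {
    $file = Join-Path $outDir "$cmd.txt"
    # One output file per command; the exit code is recorded, not interpreted.
    & $tool.Source $cmd | Out-File -FilePath $file -Encoding utf8
    [pscustomobject]@{
        Command  = $cmd
        ExitCode = $LASTEXITCODE
        SHA256   = (Get-FileHash -Path $file -Algorithm SHA256).Hash
        File     = $file
    }
}

# The hashes make it quick to see which outputs differ between two runs.
$summary | Export-Csv -Path (Join-Path $outDir 'summary.csv') -NoTypeInformation
$summary | Format-Table Command, ExitCode, SHA256 -AutoSize
```

The resulting folder can contain endorsement key details and PCR values, so store it with the same care as other device inventory data.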
Here is a list of all the commands available in the TPM Diagnostics tool:
Flags:
PrintHelp ( /h -h )
PromptOnExit ( -x /x )
UseECC ( -ecc /ecc )
UseAes256 ( -aes256 /aes256 )
QuietPrint ( -q /q )
PrintVerbosely ( -v /v )
Use the 'help' command to get more information about a command.
Commands:
TpmInfo:
GetLockoutInfo
IsOwned
PlatformType
CheckFIPS
ReadClock
GetDeviceInformation
IfxRsaKeygenVulnerability
GatherLogs [full directory path]
PssPadding
IsReadyInformation
TpmTask:
MaintenanceTaskStatus
ShowTaskStatus
IsEULAAccepted
ProvisionTpm [force clear] [allow PPI prompt]
TpmProvisioning:
PrepareTPM
CanUseLockoutPolicyClear
CanClearByPolicy
AutoProvisioning:
IsAutoProvisioningEnabled
EnableAutoProvisioning
DisableAutoProvisioning [-o]
EK:
EkInfo
ekchain
EkCertStoreRegistry
GetEkCertFromWeb [-ecc] [cert file]
GetEkCertFromNVR [-ecc] [cert file]
GetEkCertFromReg [-ecc] [ output file ]
GetEk [-ecc] [key file]
CheckEkCertState
InstallEkCertFromWeb
InstallEkCertFromNVR
InstallEkCertThroughCoreProv
EKCertificateURL
WindowsAIK:
InstallWindowsAIK [-skipCert]
WinAikPersistedInTpm
UninstallWindowsAIKCert
GetWindowsAIKCert [cert file]
IsWindowsAIKInstalledInNCrypt
EnrollWindowsAIKCert
GetWindowsAIKPlatformClaim ["fresh"] [output file]
OtherKeys:
PrintPublicInfo [ srk / aik / ek / handle ] [-asBcryptBlob / -RsaKeyBitsOnly / -RsaSymKeyBitsOnly] [-ecc]
TestParms [ SYMCIPHER | RSA ] [ algorithm specific arguments ]
EnumerateKeys
NVStorage:
EnumNVIndexes
DefineIndex [index] [size] [attribute flags]
UndefineIndex [index]
ReadNVIndexPublic [index]
WriteNVIndex [index] [data in hex format | -file filename]
ReadNVIndex [index]
NVSummary
NVBootCounter:
CheckBootCounter
ReadBootCounter [/f]
PCRs:
PrintPcrs
PhysicalPresence:
GetPPTransition
GetPPVersionInfo
GetPPResponse
GetPPRequest
TPMCommandsAndResponses:
CommandCode [hex command code]
ResponseCode [hex response code]
Tracing:
EnableDriverTracing
DisableDriverTracing
FormatTrace [etl file] [output json file]
DRTM:
DescribeMle [MLE Binary File]
Misc:
Help [command name]
DecodeBase64File [file to decode from base 64]
EncodeToBase64File [file to encode]
ReadFileAsHex [file to read]
ConvertBinToHex [file to read] [file to write to]
ConvertHexToBin [file to read] [file to write to]
Hash [hex bytes or raw value to hash]
GetCapabilities
Features that make Windows 11 the most secure version of Windows ever
David Weston, Microsoft’s Director of Enterprise and Operating System Security, said that the fundamental security standard raised by Windows 11 is guaranteed to be secure right from the design stage. Despite many objections, especially from old computer users, Microsoft believes that it is necessary for Windows 11 to require TPM 2.0 support.
TPM is a key component that provides security through Windows Hello and BitLocker. In addition, Windows 11 also follows the Zero Trust security model that Microsoft has been developing for a long time.
Regarding CPUs, Microsoft says Windows 11 will only support relatively new CPUs with security features including virtualization-based security (VBS), hypervisor-protected code integrity (HVCI) and Secure Boot. In addition, on certain hardware, Windows 11 can also provide hardware-enforced protection of the execution stack, along with support for the Microsoft Pluton security chip, which Microsoft is always proud of.
With Windows 11, Microsoft once again wants users to completely remove passwords. IT administrators can enable Windows Hello for Business feature in their company or organization. Meanwhile, consumers can enjoy a password-free experience as soon as they install Windows 11 or purchase a machine with Windows 11 pre-installed.
Microsoft shared that all of the hardware-level security measures on Windows 11 will work in tandem without affecting performance. At the same time, Microsoft claims that computers with protected processor cores will have better security because they are more resistant to attacks on firmware.
Finally, Windows 11 has built-in support for Azure-based Microsoft Azure Attestation (MAA).