How to access TPM Diagnostics tool to query security data on Windows 11

0
380
Windows 11

At the launch of Windows 11, Microsoft announced that the operating system would only support computers with the TPM 2.0 security chip. According to Microsoft, TMP 2.0 is a key component to providing security with Windows Hello and BitLoker. This helps Windows 11 better protect users’ identities and data.

To help users and administrators easily control the data stored on TPM, Microsoft has added a tool called TPM Diagnostics. This is an additional tool so to use it you need to install it first.

TPM Diagnostics tool

To install and use TPM Diagnostics on Windows 11 follow these instructions:

Step 1: Press Windows + I to open Settings then access Apps in the left sidebar

Step 2: Click Optional features

How to access TPM Diagnostics tool to query security data on Windows 11

Step 3: Click View features at Add an optional feature

How to access TPM Diagnostics tool to query security data on Windows 11-2

Step 4: Enter tpm in the search box then click next to the TPM Diagnostics tool shown below and then click Next > Install to confirm the installation

How to access TPM Diagnostics tool to query security data on Windows 11-3

Step 5: After waiting for the system to install, you can use TPM Diagnostics through the Windows Terminal (Admin) command window (the new name of Command Prompt)

Step 6: You press Windows + X to open the Power User menu then select Windows Terminal (Admin)

Here you can enter TPM Diagnostics control commands. For example, the command TpmDiagnostics.exe GetCapabilities will list the capabilities and settings of the TPM chip on your machine as shown below:

How to access TPM Diagnostics tool to query security data on Windows 11-4

In addition to querying stored security keys and other information, you can also use TPM Diagnostics to encrypt/decrypt Base64, Hexadecimal and Binary files.

With TPM Diagnostics, you can learn a lot of information about Windows 11’s basic security mechanisms. However, we recommend that you do not “play around” too much on this TPM Diagnostics tool if you do not understand. clear about it. If misconfigured you may lose the keys needed for operations on your machine.

Here is a list of all the commands available in the TPM Diagnostics tool:

Flags:
	PrintHelp ( /h -h )
	PromptOnExit ( -x /x )
	UseECC ( -ecc /ecc )
	UseAes256 ( -aes256 /aes256 )
	QuietPrint ( -q /q )
	PrintVerbosely ( -v /v )

Use the 'help' command to get more information about a command.
Commands:

TpmInfo:
	GetLockoutInfo
	IsOwned
	PlatformType
	CheckFIPS
	ReadClock
	GetDeviceInformation
	IfxRsaKeygenVulnerability
	GatherLogs [full directory path]
	PssPadding
	IsReadyInformation

TpmTask:
	MaintenanceTaskStatus
	ShowTaskStatus
	IsEULAAccepted
	ProvisionTpm [force clear] [allow PPI prompt]

TpmProvisioning:
	PrepareTPM
	CanUseLockoutPolicyClear
	CanClearByPolicy

AutoProvisioning:
	IsAutoProvisioningEnabled
	EnableAutoProvisioning
	DisableAutoProvisioning [-o]

EK:
	EkInfo
	ekchain
	EkCertStoreRegistry
	GetEkCertFromWeb [-ecc] [cert file]
	GetEkCertFromNVR [-ecc] [cert file]
	GetEkCertFromReg [-ecc] [ output file ]
	GetEk [-ecc] [key file]
	CheckEkCertState
	InstallEkCertFromWeb
	InstallEkCertFromNVR
	InstallEkCertThroughCoreProv
	EKCertificateURL

WindowsAIK:
	InstallWindowsAIK [-skipCert]
	WinAikPersistedInTpm
	UninstallWindowsAIKCert
	GetWindowsAIKCert [cert file]
	IsWindowsAIKInstalledInNCrypt
	EnrollWindowsAIKCert
	GetWindowsAIKPlatformClaim ["fresh"] [output file]

OtherKeys:
	PrintPublicInfo [ srk / aik / ek / handle ] [-asBcryptBlob / -RsaKeyBitsOnly / -RsaSymKeyBitsOnly] [-ecc]
	TestParms [ SYMCIPHER | RSA ] [ algorithm specific arguments ]
	EnumerateKeys

NVStorage:
	EnumNVIndexes
	DefineIndex [index] [size] [attribute flags]
	UndefineIndex [index]
	ReadNVIndexPublic [index]
	WriteNVIndex [index] [data in hex format | -file filename]
	ReadNVIndex [index]
	NVSummary

NVBootCounter:
	CheckBootCounter
	ReadBootCounter [/f]

PCRs:
	PrintPcrs

PhysicalPresence:
	GetPPTransition
	GetPPVersionInfo
	GetPPResponse
	GetPPRequest

TPMCommandsAndResponses:
	CommandCode [hex command code]
	ResponseCode [hex response code]

Tracing:
	EnableDriverTracing
	DisableDriverTracing
	FormatTrace [etl file] [output json file]

DRTM:
	DescribeMle [MLE Binary File]

Misc:
	Help [command name]
	DecodeBase64File [file to decode from base 64]
	EncodeToBase64File [file to encode]
	ReadFileAsHex [file to read]
	ConvertBinToHex [file to read] [file to write to]
	ConvertHexToBin [file to read] [file to write to]
	Hash [hex bytes or raw value to hash]
	GetCapabilities

Features that make Windows 11 the most secure version of Windows ever

David Weston, Microsoft’s Director of Enterprise and Operating System Security, said that the fundamental security standard raised by Windows 11 is guaranteed to be secure right from the design stage. Despite many objections, especially from old computer users, Microsoft believes that it is necessary for Windows 11 to require TPM 2.0 support.

Windows 11

TPM is a key component that provides security through Windows Hello and BitLocker. In addition, Windows 11 also follows the Zero Trust security model that Microsoft developed for a long time.

Regarding CPUs, Microsoft says Windows 11 will only support relatively new CPUs with security features including virtualization-based security (VBS), code integrity protection with hypervisor technology (HVCI). ) and Secure Boot. Besides, based on certain hardware, Windows 11 can also protect the execution stack by hardware with the support of the Microsoft Pluton security chip, which Microsoft is always proud of.

With Windows 11, Microsoft once again wants users to completely remove passwords. IT administrators can enable Windows Hello for Business feature in their company or organization. Meanwhile, consumers can enjoy a password-free experience as soon as they install Windows 11 or purchase a machine with Windows 11 pre-installed.

Microsoft shared that all of the hardware-level security measures on Windows 11 will work in tandem without affecting performance. At the same time, Microsoft claims that computers with protected processor cores will have better security because they are more resistant to attacks on firmware.

Finally, Windows 11 has built-in support for Azure-based Microsoft Azure Attestation (MAA).