- Microsoft creates a new tool that will help users make the most of their TPM security chips.
- Windows 11 will ship with this optional software, tailored specifically for one of the OS's most criticized requirements.
- Administrators can use TpmDiagnostics.exe to thoroughly query the information stored on the TPM chips.
- This article contains a full list of commands that you can use with this new software, on Windows 11.
You may like to know that Windows 11 will come with a new optional feature which is called TPM Diagnostics, tool that will allow administrators to browse the TPM security processor of a certain device.
An obvious move, considering that Microsoft keeps insisting on these TPM 2.0 security processors as a requirement, necessary for powering some of its security features.
The new OS will have a default TPM Diagnostics tool
As you probably know already, from the endless discussions that this Windows 11 requirement has sparked, a TPM chip is actually a hardware security processor.
Its main purpose is to protect encryption keys, user credentials, as well as other sensitive data from malware attaccks and other forms of hacking or data extraction.
Microsoft keeps insisting on this requirement and keeps stressing the paramount importance that this little piece of hardware actually has, in a new blog post.
PCs of the future need this modern hardware root-of-trust to help protect from both common and sophisticated attacks like ransomware and more sophisticated attacks from nation-states. Requiring the TPM 2.0 elevates the standard for hardware security by requiring that built-in root-of-trust.
So, this brand new Windows 11 command-line tool called TPM Diagnostics will now give all administrators the ability to query the TPM chip for stored information.
After installing the software, you will find a new tpmdiagnostics.exe executable located in the C:\Windows\System32 folder.
TPM 2.0 is a critical building block for providing security with Windows Hello and BitLocker to help customers better protect their identities and data. In addition, for many enterprise customers, TPMs help facilitate Zero Trust security by providing a secure element for attesting to the health of devices.
What commands can I use with this new tool?
Its important to know that, unless you totally understand what data is being stored in your TPM chip, its not recommended messing with it too much.
Any mistake you make could accidentally remove the keys necessary for the operation of your device.
Know that the Microsoft Trusted Platform documentation, along with the new TpmDiagnostics.exe tool can provide a plethora of information about the underlying security mechanics of Windows 11.
This is the full list of commands which you can use on your new Windows 11 TPM tool:
tpmdiagnostics : A tool for Windows 10 build 22000 Copyright (c) Microsoft Corporation. All rights reserved. Flags: PrintHelp ( /h -h ) PromptOnExit ( -x /x ) UseECC ( -ecc /ecc ) UseAes256 ( -aes256 /aes256 ) QuietPrint ( -q /q ) PrintVerbosely ( -v /v ) Use the 'help' command to get more information about a command. Commands: TpmInfo: GetLockoutInfo IsOwned PlatformType CheckFIPS ReadClock GetDeviceInformation IfxRsaKeygenVulnerability GatherLogs [full directory path] PssPadding IsReadyInformation TpmTask: MaintenanceTaskStatus ShowTaskStatus IsEULAAccepted ProvisionTpm [force clear] [allow PPI prompt] TpmProvisioning: PrepareTPM CanUseLockoutPolicyClear CanClearByPolicy AutoProvisioning: IsAutoProvisioningEnabled EnableAutoProvisioning DisableAutoProvisioning [-o] EK: EkInfo ekchain EkCertStoreRegistry GetEkCertFromWeb [-ecc] [cert file] GetEkCertFromNVR [-ecc] [cert file] GetEkCertFromReg [-ecc] [ output file ] GetEk [-ecc] [key file] CheckEkCertState InstallEkCertFromWeb InstallEkCertFromNVR InstallEkCertThroughCoreProv EKCertificateURL WindowsAIK: InstallWindowsAIK [-skipCert] WinAikPersistedInTpm UninstallWindowsAIKCert GetWindowsAIKCert [cert file] IsWindowsAIKInstalledInNCrypt EnrollWindowsAIKCert GetWindowsAIKPlatformClaim ["fresh"] [output file] OtherKeys: PrintPublicInfo [ srk / aik / ek / handle ] [-asBcryptBlob / -RsaKeyBitsOnly / -RsaSymKeyBitsOnly] [-ecc] TestParms [ SYMCIPHER | RSA ] [ algorithm specific arguments ] EnumerateKeys NVStorage: EnumNVIndexes DefineIndex [index] [size] [attribute flags] UndefineIndex [index] ReadNVIndexPublic [index] WriteNVIndex [index] [data in hex format | -file filename] ReadNVIndex [index] NVSummary NVBootCounter: CheckBootCounter ReadBootCounter [/f] PCRs: PrintPcrs PhysicalPresence: GetPPTransition GetPPVersionInfo GetPPResponse GetPPRequest TPMCommandsAndResponses: CommandCode [hex command code] ResponseCode [hex response code] Tracing: EnableDriverTracing DisableDriverTracing FormatTrace [etl file] [output json file] DRTM: DescribeMle [MLE Binary File] Misc: Help [command name] DecodeBase64File [file to decode from base 64] EncodeToBase64File [file to encode] ReadFileAsHex [file to read] ConvertBinToHex [file to read] [file to write to] ConvertHexToBin [file to read] [file to write to] Hash [hex bytes or raw value to hash] GetCapabilities