Windows 11 comes with an optional TPM Diagnostics tool

Alexandru Poloboc
by Alexandru Poloboc
News Editor
With an overpowering desire to always get to the bottom of things and uncover the truth, Alex spent most of his time working as a news reporter, anchor, as well as TV and radio... Read more
Affiliate Disclosure
  • Microsoft creates a new tool that will help users make the most of their TPM security chips.
  • Windows 11 will ship with this optional software, tailored specifically for one of the OS's most criticized requirements.
  • Administrators can use TpmDiagnostics.exe to thoroughly query the information stored on the TPM chips.
  • This article contains a full list of commands that you can use with this new software, on Windows 11.
Windows 11 TPM tool

You may like to know that ​Windows 11 will come with a new optional feature which is called TPM Diagnostics, tool that will allow administrators to browse the TPM security processor of a certain device.

An obvious move, considering that Microsoft keeps insisting on these TPM 2.0 security processors as a requirement, necessary for powering some of its security features.

The new OS will have a default TPM Diagnostics tool

As you probably know already, from the endless discussions that this Windows 11 requirement has sparked, a TPM chip is actually a hardware security processor.

Its main purpose is to protect encryption keys, user credentials, as well as other sensitive data from malware attaccks and other forms of hacking or data extraction.

Microsoft keeps insisting on this requirement and keeps stressing the paramount importance that this little piece of hardware actually has, in a new blog post.

PCs of the future need this modern hardware root-of-trust to help protect from both common and sophisticated attacks like ransomware and more sophisticated attacks from nation-states. Requiring the TPM 2.0 elevates the standard for hardware security by requiring that built-in root-of-trust.

So, this brand new Windows 11 command-line tool called TPM Diagnostics will now give all administrators the ability to query the TPM chip for stored information.

After installing the software, you will find a new tpmdiagnostics.exe executable located in the C:\Windows\System32 folder.

TPM 2.0 is a critical building block for providing security with Windows Hello and BitLocker to help customers better protect their identities and data. In addition, for many enterprise customers, TPMs help facilitate Zero Trust security by providing a secure element for attesting to the health of devices.

What commands can I use with this new tool?

Its important to know that, unless you totally understand what data is being stored in your TPM chip, its not recommended messing with it too much.

Any mistake you make could accidentally remove the keys necessary for the operation of your device.

Know that the Microsoft Trusted Platform documentation, along with the new TpmDiagnostics.exe tool can provide a plethora of information about the underlying security mechanics of Windows 11.

This is the full list of commands which you can use on your new Windows 11 TPM tool:

tpmdiagnostics : A tool for Windows 10 build 22000
Copyright (c) Microsoft Corporation. All rights reserved.

Flags:
	PrintHelp ( /h -h )
	PromptOnExit ( -x /x )
	UseECC ( -ecc /ecc )
	UseAes256 ( -aes256 /aes256 )
	QuietPrint ( -q /q )
	PrintVerbosely ( -v /v )

Use the 'help' command to get more information about a command.
Commands:

TpmInfo:
	GetLockoutInfo
	IsOwned
	PlatformType
	CheckFIPS
	ReadClock
	GetDeviceInformation
	IfxRsaKeygenVulnerability
	GatherLogs [full directory path]
	PssPadding
	IsReadyInformation

TpmTask:
	MaintenanceTaskStatus
	ShowTaskStatus
	IsEULAAccepted
	ProvisionTpm [force clear] [allow PPI prompt]

TpmProvisioning:
	PrepareTPM
	CanUseLockoutPolicyClear
	CanClearByPolicy

AutoProvisioning:
	IsAutoProvisioningEnabled
	EnableAutoProvisioning
	DisableAutoProvisioning [-o]

EK:
	EkInfo
	ekchain
	EkCertStoreRegistry
	GetEkCertFromWeb [-ecc] [cert file]
	GetEkCertFromNVR [-ecc] [cert file]
	GetEkCertFromReg [-ecc] [ output file ]
	GetEk [-ecc] [key file]
	CheckEkCertState
	InstallEkCertFromWeb
	InstallEkCertFromNVR
	InstallEkCertThroughCoreProv
	EKCertificateURL

WindowsAIK:
	InstallWindowsAIK [-skipCert]
	WinAikPersistedInTpm
	UninstallWindowsAIKCert
	GetWindowsAIKCert [cert file]
	IsWindowsAIKInstalledInNCrypt
	EnrollWindowsAIKCert
	GetWindowsAIKPlatformClaim ["fresh"] [output file]

OtherKeys:
	PrintPublicInfo [ srk / aik / ek / handle ] [-asBcryptBlob / -RsaKeyBitsOnly / -RsaSymKeyBitsOnly] [-ecc]
	TestParms [ SYMCIPHER | RSA ] [ algorithm specific arguments ]
	EnumerateKeys

NVStorage:
	EnumNVIndexes
	DefineIndex [index] [size] [attribute flags]
	UndefineIndex [index]
	ReadNVIndexPublic [index]
	WriteNVIndex [index] [data in hex format | -file filename]
	ReadNVIndex [index]
	NVSummary

NVBootCounter:
	CheckBootCounter
	ReadBootCounter [/f]

PCRs:
	PrintPcrs

PhysicalPresence:
	GetPPTransition
	GetPPVersionInfo
	GetPPResponse
	GetPPRequest

TPMCommandsAndResponses:
	CommandCode [hex command code]
	ResponseCode [hex response code]

Tracing:
	EnableDriverTracing
	DisableDriverTracing
	FormatTrace [etl file] [output json file]

DRTM:
	DescribeMle [MLE Binary File]

Misc:
	Help [command name]
	DecodeBase64File [file to decode from base 64]
	EncodeToBase64File [file to encode]
	ReadFileAsHex [file to read]
	ConvertBinToHex [file to read] [file to write to]
	ConvertHexToBin [file to read] [file to write to]
	Hash [hex bytes or raw value to hash]
	GetCapabilities

This article covers:Topics: