Applies ToWindows 10, version 1703, all editions Windows Server 2016 Windows Server 2016 Essentials Windows Server 2016 Standard Windows 10 Windows 10, version 1511, all editions Windows 10, version 1607, all editions Windows Server 2012 R2 Datacenter Windows Server 2012 R2 Standard Windows Server 2012 R2 Essentials Windows Server 2012 R2 Foundation Windows 8.1 Enterprise Windows 8.1 Pro Windows 8.1 Windows RT 8.1 Windows Server 2012 Datacenter Windows Server 2012 Standard Windows Server 2012 Essentials Windows Server 2012 Foundation Windows Server 2008 R2 Service Pack 1 Windows Server 2008 R2 Datacenter Windows Server 2008 R2 Enterprise Windows Server 2008 R2 Standard Windows Server 2008 R2 Web Edition Windows Server 2008 R2 Foundation Windows 7 Service Pack 1 Windows 7 Ultimate Windows 7 Enterprise Windows 7 Professional Windows 7 Home Premium Windows 7 Home Basic Windows 7 Starter Windows Vista Service Pack 2 Windows Vista Home Basic Windows Vista Home Premium Windows Vista Business Windows Vista Ultimate Windows Vista Enterprise Windows Vista Starter Windows Server 2008 Service Pack 2 Windows Server 2008 Foundation Windows Server 2008 Standard Windows Server 2008 for Itanium-Based Systems Windows Server 2008 Web Edition Windows Server 2008 Enterprise Windows Server 2008 Datacenter

Summary

This article helps identify and remedy problems in devices that are affected by the vulnerability that is described in Microsoft Security Advisory ADV170012.

This process focuses on the following Windows Hello for Business (WHFB) and Azure AD (AAD) usage scenarios offered by Microsoft:

  • Azure AD join

  • Hybrid Azure AD join

  • Azure AD registered

More Information

 Identify your AAD usage scenario 

  1. Open a Command Prompt window.

  2. Get the device state by running the following command:dsregcmd.exe /status

  3. In the command output, examine the values of the properties that are listed in the following table to determine your AAD usage scenario.

    Property

    Description

    AzureAdJoined

    Indicates whether the device is joined to Azure AD.

    EnterpriseJoined

    Indicates whether the device is joined to AD FS. This is part of an on-premises-only customer scenario where Windows Hello for Business is deployed and managed on-premises.

    DomainJoined

    Indicates whether the device is joined to a traditional Active Directory Domain.

    WorkplaceJoined

    Indicate whether the current user has added a work or school account to their current profile. This is known as Azure AD registered. This setting is ignored by the system if the device is AzureAdJoined.

Hybrid Azure AD joined

If DomainJoined and AzureAdJoined are yes, the device is Hybrid Azure AD joined. Therefore, the device is joined to an Azure Active Directory and a traditional Active Directory Domain.

Workflow

Deployments and implementations may vary across organizations. We designed the following workflow to provide the tools that you need to develop your own internal plan to mitigate any affected devices. The workflow has the following steps:

  1. Identify affected devices. Search your environment for affected trusted platform modules (TPMs), keys, and devices.

  2. Patch the affected devices. Remedy effects on identified devices by following the scenario-specific steps that are listed in this article.

Note on clearing TPMs

Because trusted platform modules are used to store secrets that are used by various services and applications, clearing the TPM can have unforeseen or negative business impacts. Before clearing any TPM, be sure to investigate and validate that all services and applications that use TPM-backed secrets have been properly identified and prepared for secret deletion and recreation.

How to identify affected devices

To identify affected TPMs, refer to Microsoft Security Advisory ADV170012.

How to patch affected devices

Use the following steps on the affected devices according to your AAD usage scenario.

  1. Make sure that a valid local admin account exists on the device or create a local admin account.

    Note: It is a recommended practice to verify that the account is working by signing in to the device by using the new local admin account and confirm correct permissions by opening an elevated command prompt.

     

  2. If you have signed in with a Microsoft account on the device, go to Settings > Accounts > Email & app accounts and remove the connected account.Remove connected account

  3. Install a firmware update for the device.

    Note: Follow your OEM’s guidance for applying the TPM firmware update. See step 4: "Apply applicable firmware updates," in Microsoft Security Advisory ADV170012 for information about how to obtain the TPM update from your OEM.

     

  4. Unjoin the device from Azure AD.

    Note: Make sure that your BitLocker key is securely backed up somewhere other than the local computer before you continue.

    1. Go to Settings > System > About, and then click Manage or disconnect from work or school.

    2. Click Connected to <AzureAD>and click Disconnect.

    3. Click Yes when you are prompted for acknowledgment.

    4. Click Disconnect when you are prompted to "Disconnect from the organization." Disconnect from the organization

    5. Enter the local admin account information for the device.

    6. Click Restart Later. Restart later after disconnecting from the organization

  5. Clear the TPM.

    Notes: 

    • Clearing the TPM will remove all keys and secrets that are stored on your device. Make sure that other services that are utilizing the TPM are suspended or validated prior to proceeding.

    • Windows 8 or later: BitLocker is automatically suspended if you use either of the two recommended methods for clearing your TPM, below.

    • Windows 7: Manual suspension of BitLocker is needed before proceeding. (See more information about suspending BitLocker.)  

    1. To clear the TPM, use one of the following methods:

      • Use the Microsoft Management Console.

        1. Press Win + R, type tpm.msc and click OK.

        2. Click Clear TPM.Clear TPM in MMC

      • Run the Clear-Tpm cmdlet.

    2. Click Restart.Restart after clearing TPMNote You may be prompted to clear the TPM at startup.

  6. After the device restarts, sign in to the device by using the local admin account.

  7. Rejoin the device to Azure AD. You may be prompted to set up a new PIN at the next sign-in.

  1. If you signed in by using a Microsoft account on your device, go to Settings > Accounts > Email & app accounts and remove the connected account.Remove connected account

  2. From an elevated command prompt, run the following command:dsregcmd.exe /leave /debug

    Note: Command output should indicate AzureADJoined: No.

     

  3. Install a firmware update for the device.

    Note:  Note Follow your OEM’s guidance for applying the TPM firmware update. See step 4: "Apply applicable firmware updates," in Microsoft Security Advisory ADV170012 for information about how to obtain the TPM update from your OEM.

  4. Clear the TPM.

    Notes: 

    • Clearing the TPM will remove all keys and secrets that are stored on your device. Make sure that other services that are utilizing the TPM are suspended or validated prior to proceeding.

    • Windows 8 or later: BitLocker is automatically suspended if you use either of the two recommended methods for clearing your TPM, below.

    • Windows 7: Manual suspension of BitLocker is needed before proceeding. (See more information about suspending BitLocker.)

     

    1. To clear the TPM, use one of the following methods:

      • Use the Microsoft Management Console.

        1. Press Win + R, type tpm.msc and click OK.

        2. Click Clear TPM.Clear TPM in MMC

      • Run the Clear-Tpm cmdlet.

    2. Click Restart.Note You may be prompted to clear the TPM at startup.

When the device starts, Windows generates new keys and automatically rejoins the device to Azure AD. During this time, you may continue to use the device. However, access to resources such as Microsoft Outlook, OneDrive, and other applications that require SSO or Conditional Access policies may be limited.

Note If you use a Microsoft account, you must know the password.

  1. Install a firmware update for the device.

    Note: Follow your OEM’s guidance for applying the TPM firmware update. See step 4: "Apply applicable firmware updates," in Microsoft Security Advisory ADV170012 for information about how to obtain the TPM update from your OEM.

     

  2. Remove the Azure AD work account.

    1. Go to Settings > Accounts > Access work or school, click your work or school account, and then click Disconnect.

    2. Click Yes in the prompt to confirm the disconnection.

  3. Clear the TPM.

    Notes: 

    • Clearing the TPM will remove all keys and secrets that are stored on your device. Make sure that other services that are utilizing the TPM are suspended or validated prior to proceeding.

    • Windows 8 or later: BitLocker is automatically suspended if you use either of the two recommended methods for clearing your TPM, below.

    • Windows 7: Manual suspension of BitLocker is needed before proceeding. (See more information about suspending BitLocker.)

     

    1. To clear the TPM, use one of the following methods:

      • Use the Microsoft Management Console.

        1. Press Win + R, type tpm.msc and click OK.

        2. Click Clear TPM.

      • Run the Clear-Tpm cmdlet.

    2. Click Restart.Note You may be prompted to clear your TPM at startup.

    3. If you used a Microsoft account that has a PIN, you have to sign in to the device by using the password.

    4. Add the work account back to the device.

      1. Go to Settings > Accounts > Access work or school and click Connect.Connect to work or school

      2. Enter your work account, and then click Next.Set up a work or school account

      3. Enter your work account and password, and then click Sign in.

      4. If your organization has configured Azure Multi-Factor Authentication for joining devices to Azure AD, provide the second factor before you continue.

      5. Validate that the information displayed is correct, and then click Join. You should see the following message:You’re all set! We’ve added your account successfully You now have access to your organizations apps and services.

 

Facebook LinkedIn Email
SUBSCRIBE RSS FEEDS

Need more help?

Want more options?

Discover Community

Explore subscription benefits, browse training courses, learn how to secure your device, and more.

Microsoft 365 subscription benefits

Microsoft 365 training

Microsoft security

Accessibility center

Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.

Ask the Microsoft Community

Microsoft Tech Community

Windows Insiders

Microsoft 365 Insiders