Windows Hello for Business mitigation plan for vulnerability in TPM

Applies to: Windows 10, version 1703; Windows Server 2016 Datacenter; Windows Server 2016 Essentials


This article helps identify and remedy problems in devices that are affected by the vulnerability that is described in Microsoft Security Advisory ADV170012.

This process focuses on the following Windows Hello for Business (WHFB) and Azure AD (AAD) usage scenarios offered by Microsoft:

  • Azure AD join
  • Hybrid Azure AD join
  • Azure AD registered

More Information

 Identify your AAD usage scenario 

    1. Open a Command Prompt window.
    2. Get the device state by running the following command:

      dsregcmd.exe /status
    3. In the command output, examine the values of the properties that are listed in the following table to determine your AAD usage scenario.




      AzureAdJoined: Indicates whether the device is joined to Azure AD.

      EnterpriseJoined: Indicates whether the device is joined to AD FS. This is part of an on-premises-only customer scenario where Windows Hello for Business is deployed and managed on-premises.

      DomainJoined: Indicates whether the device is joined to a traditional Active Directory Domain.

      WorkplaceJoined: Indicates whether the current user has added a work or school account to their current profile. This is known as Azure AD registered. This setting is ignored by the system if the device is AzureAdJoined.

    Hybrid Azure AD joined

    If DomainJoined and AzureAdJoined are both yes, the device is Hybrid Azure AD joined. That is, the device is joined to both Azure Active Directory and a traditional Active Directory Domain.
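
    The identification steps above as a script: an added example, not part of the original article, that parses dsregcmd.exe /status output and applies the rules stated here. The function name Get-AadUsageScenario and the sample output are constructed for illustration, and treating AzureAdJoined without DomainJoined as a plain Azure AD join is an assumption.

```powershell
# Added example: map dsregcmd.exe /status output to an AAD usage scenario.
function Get-AadUsageScenario {
    param([string[]]$StatusLines)

    # Collect "Name : Value" pairs; banner and blank lines have no such pair.
    $state = @{}
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*(\w+)\s*:\s*(\S.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }

    # A property that is absent from the output counts as "not YES".
    $aadJoined = $state['AzureAdJoined']   -eq 'YES'
    $domJoined = $state['DomainJoined']    -eq 'YES'
    $wpJoined  = $state['WorkplaceJoined'] -eq 'YES'

    if ($aadJoined -and $domJoined) {
        $scenario = 'Hybrid Azure AD joined'
    } elseif ($aadJoined) {
        # Assumption: AzureAdJoined without DomainJoined is a plain Azure AD join.
        $scenario = 'Azure AD joined'
    } elseif ($wpJoined) {
        # WorkplaceJoined only counts when the device is not AzureAdJoined.
        $scenario = 'Azure AD registered'
    } else {
        $scenario = 'None of the three scenarios'
    }

    [pscustomobject]@{
        Scenario        = $scenario
        AzureAdJoined   = $aadJoined
        DomainJoined    = $domJoined
        WorkplaceJoined = $wpJoined
    }
}

# Constructed sample output (not captured from a real device). WorkplaceJoined
# is YES here to exercise the rule that it is ignored on an AzureAdJoined device.
$sample = @'
             AzureAdJoined : YES
              DomainJoined : YES
                DomainName : EXAMPLE
           WorkplaceJoined : YES
'@ -split "`r?`n"

Get-AadUsageScenario -StatusLines $sample

# On a device: Get-AadUsageScenario -StatusLines (dsregcmd.exe /status)
```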


    Deployments and implementations may vary across organizations. We designed the following workflow to provide the tools that you need to develop your own internal plan to remediate any affected devices. The workflow has the following steps:

    1. Identify affected devices. Search your environment for affected trusted platform modules (TPMs), keys, and devices.
    2. Patch the affected devices. Remedy effects on identified devices by following the scenario-specific steps that are listed in this article.

    How to identify affected devices

    To identify affected TPMs, refer to Microsoft Security Advisory ADV170012.

    How to patch affected devices

    Use the following steps on the affected devices according to your AAD usage scenario.