This article helps identify and remedy problems in devices that are affected by the vulnerability that is described in Microsoft Security Advisory ADV170012.
This process focuses on the following Windows Hello for Business (WHFB) and Azure AD (AAD) usage scenarios offered by Microsoft:
- Azure AD join
- Hybrid Azure AD join
- Azure AD registered
Identify your AAD usage scenario
- Open a Command Prompt window.
- Get the device state by running the following command:
- In the command output, examine the values of the properties that are listed in the following table to determine your AAD usage scenario.
AzureAdJoined: Indicates whether the device is joined to Azure AD.
EnterpriseJoined: Indicates whether the device is joined to AD FS. This is part of an on-premises-only customer scenario where Windows Hello for Business is deployed and managed on-premises.
DomainJoined: Indicates whether the device is joined to a traditional Active Directory domain.
WorkplaceJoined: Indicates whether the current user has added a work or school account to their current profile. This is known as Azure AD registered. This setting is ignored by the system if the device is AzureAdJoined.
Hybrid Azure AD joined
If both DomainJoined and AzureAdJoined are YES, the device is Hybrid Azure AD joined: it is joined to both an Azure Active Directory and a traditional Active Directory domain.
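The identification steps above can be scripted so that the scenario is determined consistently across a fleet. The following PowerShell is an added example, not code from the Microsoft article: it assumes the device-state command is the built-in dsregcmd /status, whose output lists the AzureAdJoined, EnterpriseJoined, DomainJoined and WorkplaceJoined properties, and it extends the article's explicit Hybrid rule with the Azure AD joined and Azure AD registered cases derived from the property descriptions.

```powershell
# Added example (not part of the Microsoft article). Assumes dsregcmd /status
# is the device-state command and that its output contains lines of the form
# "      AzureAdJoined : YES". Only the Hybrid rule is stated verbatim in the
# article; the other two classifications follow from the property table.
function Get-AadJoinProperties {
    param([string[]]$StatusOutput)
    $props = @{}
    foreach ($line in $StatusOutput) {
        # Keep only the four properties the article's table describes.
        if ($line -match '^\s*(AzureAdJoined|EnterpriseJoined|DomainJoined|WorkplaceJoined)\s*:\s*(YES|NO)\s*$') {
            $props[$Matches[1]] = ($Matches[2] -eq 'YES')
        }
    }
    return $props
}

function Get-AadUsageScenario {
    param([hashtable]$Props)
    # Missing keys read as $null, which [bool] turns into $false.
    $azure     = [bool]$Props['AzureAdJoined']
    $domain    = [bool]$Props['DomainJoined']
    $workplace = [bool]$Props['WorkplaceJoined']
    if ($azure -and $domain) { return 'Hybrid Azure AD joined' }
    if ($azure)              { return 'Azure AD joined' }
    # WorkplaceJoined is ignored by the system when the device is AzureAdJoined,
    # so it only decides the scenario once the two checks above have failed.
    if ($workplace)          { return 'Azure AD registered' }
    return 'None of the three Azure AD usage scenarios'
}

# Constructed sample (hybrid-joined device) to show the parsing on fixed input.
$sample = @(
    '             AzureAdJoined : YES',
    '          EnterpriseJoined : NO',
    '              DomainJoined : YES',
    '           WorkplaceJoined : NO'
)
Write-Output ("Sample device: " + (Get-AadUsageScenario (Get-AadJoinProperties $sample)))

# Live check on the device the script runs on.
$status = dsregcmd /status
Write-Output ("This device:   " + (Get-AadUsageScenario (Get-AadJoinProperties $status)))
```

The returned scenario name selects which of the scenario-specific remediation steps later in this article apply to the device.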
Deployments and implementations may vary across organizations. We designed the following workflow to provide the tools that you need to develop your own internal plan to mitigate any affected devices. The workflow has the following steps:
- Identify affected devices. Search your environment for affected trusted platform modules (TPMs), keys, and devices.
- Patch the affected devices. Remedy effects on identified devices by following the scenario-specific steps that are listed in this article.
Note on clearing TPMs
Because trusted platform modules are used to store secrets that are used by various services and applications, clearing the TPM can have unforeseen or negative business impacts. Before clearing any TPM, be sure to investigate and validate that all services and applications that use TPM-backed secrets have been properly identified and prepared for secret deletion and recreation.
How to identify affected devices
To identify affected TPMs, refer to Microsoft Security Advisory ADV170012.
How to patch affected devices
Use the following steps on the affected devices according to your AAD usage scenario.