Virtual smart card mitigation plan for vulnerability in TPM

Applies to: Windows 10, version 1703; Windows Server 2016 Datacenter; Windows Server 2016 Essentials

Summary


A security vulnerability exists in certain Trusted Platform Module (TPM) chipsets. The vulnerability weakens key strength.

To learn more about the vulnerability, go to ADV170012.

More Information


Important

Because Virtual Smart Card (VSC) keys are stored only in the TPM, any device that is using an affected TPM is vulnerable.

Follow these steps to mitigate the vulnerability in TPM for VSC, as discussed in Microsoft Security Advisory ADV170012, when a TPM firmware update is available from your OEM. Microsoft will update this document as additional mitigations become available.

Retrieve any BitLocker or Device Encryption Keys before you install the TPM firmware update.

It is important that you retrieve the keys first. If a failure occurs during the TPM firmware update, the Recovery Key will be required to restart the system again if BitLocker is not suspended or if Device Encryption is active.

If the device has BitLocker or Device Encryption enabled, make sure that you retrieve the recovery key. The following is an example of how to display the BitLocker and Device Encryption Recovery Key for a single volume. If there are multiple hard disk partitions, there may be a separate Recovery Key for each partition. Make sure that you save the Recovery Key for the Operating System volume (usually C). If your Operating System volume is installed on a different drive letter, change the volume parameter accordingly.

Run the following command at a command prompt that has administrator rights:

C:\Windows\system32>manage-bde -protectors -get c:
BitLocker Drive Encryption: Configuration Tool version 10.0.15063
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Volume C: []
All Key Protectors

    TPM:
      ID: {36B6DEE1-7B13-4A8F-876E-04735E8D3972}
      PCR Validation Profile:
        7, 11
        (Uses Secure Boot for integrity validation)

    Numerical Password:
      ID: {6303FEBD-E4C0-4912-A331-4689B04E431A}
      Password:
        588214-228690-421003-079299-589270-595331-473407-0361


If BitLocker or Device Encryption is enabled for the OS volume, suspend it. The following is an example of how to suspend either BitLocker or Device Encryption. (If your Operating System volume is installed on a different drive letter, change the volume parameter accordingly.)

Run the following command at a command prompt that has administrator rights:

C:\Windows\system32>manage-bde -protectors c: -disable
BitLocker Drive Encryption: Configuration Tool version 10.0.15063
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Key protectors are disabled for volume C:.


Note: On Windows 8 and later versions, BitLocker and Device Encryption resume automatically after one restart. Therefore, make sure that BitLocker and Device Encryption are suspended immediately before you install the TPM firmware update. On Windows 7 and earlier systems, BitLocker has to be manually enabled again after you install the firmware update.
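The two preparation steps above (retrieve the recovery keys for every encrypted volume, then suspend protection on the OS volume for one restart) can be done in one pass with the BitLocker PowerShell module instead of running manage-bde per volume. The script below is an added example and is not part of this Microsoft article; it assumes an elevated PowerShell session on Windows 8 / Windows Server 2012 or later, and the backup location $BackupPath is a placeholder for a removable drive or network share that is not itself one of the protected volumes on the device.

```powershell
# Added example, not from the Microsoft KB article: save BitLocker / Device
# Encryption recovery passwords for all volumes, then suspend protection on
# the OS volume so the TPM firmware update cannot force a recovery prompt.
# Requires an elevated session and the BitLocker module (Windows 8+).
#Requires -RunAsAdministrator

# Assumption: a location that is NOT one of the BitLocker-protected volumes
# on this machine (removable media or a network share). Adjust before running.
$BackupPath = 'E:\BitLockerRecovery'

$osVolume = $env:SystemDrive          # usually C:
$volumes  = Get-BitLockerVolume

# Step 1: collect the Numerical Password (recovery password) protector of
# every volume, because each partition may carry its own recovery key.
$records = foreach ($vol in $volumes) {
    foreach ($kp in $vol.KeyProtector) {
        if ($kp.KeyProtectorType -eq 'RecoveryPassword') {
            [pscustomobject]@{
                MountPoint       = $vol.MountPoint
                VolumeStatus     = $vol.VolumeStatus
                ProtectionStatus = $vol.ProtectionStatus
                KeyProtectorId   = $kp.KeyProtectorId
                RecoveryPassword = $kp.RecoveryPassword
            }
        }
    }
}

$osProtected = ($volumes | Where-Object MountPoint -eq $osVolume).ProtectionStatus -eq 'On'

# Refuse to continue if the OS volume is protected but has no recovery
# password at all: a failed firmware update would then leave no way back in.
if ($osProtected -and -not ($records | Where-Object MountPoint -eq $osVolume)) {
    throw "OS volume $osVolume is protected but has no Numerical Password protector. Add one (manage-bde -protectors -add $osVolume -RecoveryPassword) before continuing."
}

if ($records) {
    New-Item -ItemType Directory -Path $BackupPath -Force | Out-Null
    $file = Join-Path $BackupPath ("{0}-recovery-{1:yyyyMMdd-HHmm}.csv" -f $env:COMPUTERNAME, (Get-Date))
    $records | Export-Csv -Path $file -NoTypeInformation
    Write-Host "Saved $($records.Count) recovery password(s) to $file"
    $records | Format-Table MountPoint, KeyProtectorId, RecoveryPassword -AutoSize
}

# Step 2: suspend protection on the OS volume for exactly one restart, which
# matches the Windows 8+ behaviour described in the note above; protection
# resumes on its own after the post-update reboot.
if ($osProtected) {
    Suspend-BitLocker -MountPoint $osVolume -RebootCount 1 | Out-Null
    $after = (Get-BitLockerVolume -MountPoint $osVolume).ProtectionStatus
    if ($after -ne 'Off') { throw "Failed to suspend BitLocker on $osVolume (status: $after)" }
    Write-Host "BitLocker suspended on $osVolume; install the TPM firmware update now."
} else {
    Write-Host "BitLocker is not active on $osVolume; no suspension needed."
}
```

Run it immediately before installing the firmware update, since the suspension lasts only until the next restart. Device Encryption on consumer editions is BitLocker underneath, so the same cmdlets report and suspend it; on Windows 7 the BitLocker module is not available and the manage-bde commands shown above remain the way to do this.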


Install the applicable firmware update to update the affected TPM per the OEM instructions

This is the update that's released by your OEM to address the vulnerability in the TPM. Please see step 4: "Apply applicable firmware updates," in Microsoft Security Advisory ADV170012 for information about how to obtain the TPM update from your OEM.

Delete and re-enroll VSC

After the TPM firmware update is applied, the weak keys must be deleted. We recommend that you use management tools that are provided by the VSC partners (such as Intercede) to delete the existing VSC and re-enroll.