Summary
To help customers identify orphaned Windows Hello for Business (WHfB) keys affected by a TPM vulnerability, Microsoft has published a PowerShell module that administrators can run. This article explains how to address the issue described in ADV190026, "Microsoft Guidance for cleaning up orphaned keys generated on vulnerable TPMs and used for Windows Hello for Business."
Important: Before using WHfBTools to remove orphaned keys, follow the guidance in ADV170012 to update the firmware of any vulnerable TPMs. If this guidance is not followed, any new WHfB keys generated on a device whose firmware has not been updated will still be affected by CVE-2017-15361 (ROCA).
How to install the WHfBTools PowerShell Module
Install the module by running the following commands.
Installing the WHfBTools PowerShell module
- Install via PowerShell, or
- Install using a download from the PowerShell Gallery.
Start PowerShell, then copy and run the following commands:
Install the dependencies needed to use the module.
Installing dependencies for the WHfBTools module
If you are querying Azure Active Directory for orphaned keys, install the MSAL.PS PowerShell module:
- Install via PowerShell, or
- Install using a download from the PowerShell Gallery.
Start PowerShell, then copy and run the following commands:
If you are querying Active Directory for orphaned keys, install the Remote Server Administration Tools (RSAT): Active Directory Domain Services and Lightweight Directory Services Tools:
- Install via Settings (Windows 10, version 1809 or later), or
- Install via PowerShell, or
- Install via download.
Run the WHfBTools PowerShell Module
If your environment has Azure Active Directory joined or hybrid Azure Active Directory joined devices, follow the Azure Active Directory steps to identify and remove keys. Key removals in Azure AD sync to Active Directory through Azure AD Connect.
If your environment is on-premises only, follow the Active Directory steps to identify and remove keys.
Querying for orphaned keys and keys affected by CVE-2017-15361 (ROCA)
Query for keys in Azure Active Directory using the following command:
This command will query the “ The Csv output,
Note: There may be stale devices in your Azure AD tenant with Windows Hello for Business keys associated with them. These keys will not be reported as orphaned even though those devices are not being actively used. We recommend following "How To: Manage stale devices in Azure AD" to clean up stale devices before querying for orphaned keys.
Query for keys in Active Directory using the following command:
This command will query the “ The Csv output,
Note: If you have a hybrid environment with Azure AD joined devices and run "Get-ADWHfBKeys" in your on-premises domain, the number of orphaned keys may not be accurate. This is because Azure AD joined devices are not present in Active Directory, so keys associated with Azure AD joined devices may show up as orphaned.
Remove orphaned, ROCA-vulnerable keys from the directory
Remove keys in Azure Active Directory using the following steps:
This command imports the list of orphaned, ROCA vulnerable keys and removes them from the
Note: If you delete ROCA-vulnerable WHfB keys that are not yet orphaned, it will disrupt your users. Ensure that these keys are orphaned before removing them from the directory.
Remove keys in Active Directory using the following steps:
Note: Removing orphaned keys from Active Directory in a hybrid environment will result in the keys being recreated by the Azure AD Connect sync process. If you are in a hybrid environment, remove keys only from Azure AD.
This command imports the list of orphaned, ROCA vulnerable keys and removes them from your domain.
Note: If you delete ROCA-vulnerable WHfB keys that are not yet orphaned, it will disrupt your users. Ensure that these keys are orphaned before removing them from the directory.
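The following script is an added example of the Azure AD query-then-remove procedure described above; it is not from the Microsoft article or the WHfBTools module itself. It assumes the module exposes Get-AzureADWHfBKeys and Remove-AzureADWHfBKeys with the -Tenant, -All, -Report and -Logging parameters, and that the exported report carries Orphaned and ROCAVulnerable columns; it keeps the full inventory as an audit record and feeds the removal cmdlet only the rows that are both orphaned and ROCA vulnerable, which is the check the notes above call for.

```powershell
# Added example, not the module's own code. Cmdlet names other than Get-ADWHfBKeys,
# their parameters, and the 'Orphaned' / 'ROCAVulnerable' column names are assumptions:
# confirm them against the CSV your module version writes before relying on the filter.
param(
    [Parameter(Mandatory)] [string] $Tenant,             # placeholder: your tenant name
    [string] $ReportPath  = "C:\WHfB\AzureKeys.csv",     # full inventory (kept for audit)
    [string] $RemovalPath = "C:\WHfB\AzureKeys-ToRemove.csv",
    [switch] $Remove                                     # omit for a report-only dry run
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path (Split-Path $ReportPath) -Force | Out-Null

# Step 1: inventory every WHfB key in the tenant and keep the raw report.
Get-AzureADWHfBKeys -Logging -Report -Tenant $Tenant -All |
    Export-Csv -Path $ReportPath -NoTypeInformation

# Step 2: Export-Csv writes booleans as "True"/"False" strings; parse them back
# and select only keys that are BOTH orphaned AND ROCA vulnerable.
$all = @(Import-Csv -Path $ReportPath)
$toRemove = @($all | Where-Object {
    [bool]::Parse($_.Orphaned) -and [bool]::Parse($_.ROCAVulnerable)
})
# ROCA-vulnerable keys still in use are reported but deliberately left alone,
# since deleting them would lock out the users who rely on them.
$vulnerableInUse = @($all | Where-Object {
    [bool]::Parse($_.ROCAVulnerable) -and -not [bool]::Parse($_.Orphaned)
})

Write-Host ("Total keys: {0}; orphaned + ROCA (to remove): {1}; ROCA but in use (kept): {2}" -f
    $all.Count, $toRemove.Count, $vulnerableInUse.Count)

# Step 3: persist exactly the set that will be deleted so it can be reviewed first.
$toRemove | Export-Csv -Path $RemovalPath -NoTypeInformation

if (-not $Remove -or $toRemove.Count -eq 0) {
    Write-Host "Dry run or nothing to remove. Review $RemovalPath, then re-run with -Remove."
    return
}

# Step 4: remove only the reviewed set. In a hybrid environment these deletions
# sync to on-premises AD via Azure AD Connect, so do not also run Remove-ADWHfBKeys.
Import-Csv -Path $RemovalPath | Remove-AzureADWHfBKeys -Tenant $Tenant -Logging
```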