Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Windows Hello for Business mitigation plan for vulnerability in TPM


Summary

This article helps identify and remedy problems in devices that are affected by the vulnerability that is described in Microsoft Security Advisory ADV170012.

This process focuses on the following Windows Hello for Business (WHFB) and Azure AD (AAD) usage scenarios offered by Microsoft:

  • Azure AD join
  • Hybrid Azure AD join
  • Azure AD registered

More Information

Identify your AAD usage scenario

  1. Open a Command Prompt window.
  2. Get the device state by running the following command:

    dsregcmd.exe /status
  3. In the command output, examine the values of the properties that are listed in the following table to determine your AAD usage scenario.

    Property          Description
    AzureAdJoined     Indicates whether the device is joined to Azure AD.
    EnterpriseJoined  Indicates whether the device is joined to AD FS. This is part of an on-premises-only customer scenario in which Windows Hello for Business is deployed and managed on-premises.
    DomainJoined      Indicates whether the device is joined to a traditional Active Directory domain.
    WorkplaceJoined   Indicates whether the current user has added a work or school account to their current profile. This is known as Azure AD registered. This setting is ignored by the system if the device is AzureAdJoined.

Hybrid Azure AD joined

If both DomainJoined and AzureAdJoined are YES, the device is Hybrid Azure AD joined: it is joined to Azure Active Directory and to a traditional Active Directory domain at the same time.
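The classification above can be automated for a fleet. The following PowerShell script is an added example and not part of the KB article: it parses the "Name : Value" lines that dsregcmd.exe /status prints (the real tool's output format) and maps the four properties from the table onto the scenario names used in this article. The constructed sample output at the end is not captured from a real device and exists only so the functions can be exercised offline.

```powershell
# Added example (not part of the KB article): classify a device's AAD usage
# scenario from the properties that dsregcmd.exe /status prints.
# Assumes dsregcmd.exe prints each property as "Name : YES/NO", for example
# "             AzureAdJoined : YES" (the real tool's format).

function Get-DsregState {
    # Parse "Name : Value" lines into a hashtable; unrelated properties are kept too.
    param([string[]]$StatusOutput = (& dsregcmd.exe /status))
    $state = @{}
    foreach ($line in $StatusOutput) {
        if ($line -match '^\s*(\S+)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Get-AadScenario {
    # Map the table's four properties onto the scenario names used in this article.
    param([hashtable]$State = (Get-DsregState))
    $azureAd    = $State['AzureAdJoined']    -eq 'YES'
    $domain     = $State['DomainJoined']     -eq 'YES'
    $enterprise = $State['EnterpriseJoined'] -eq 'YES'
    $workplace  = $State['WorkplaceJoined']  -eq 'YES'

    if ($azureAd -and $domain) { return 'Hybrid Azure AD joined' }
    if ($azureAd)              { return 'Azure AD joined' }
    if ($enterprise)           { return 'On-premises only (joined to AD FS)' }
    # WorkplaceJoined is ignored by the system when the device is AzureAdJoined,
    # so it is evaluated only after the joined cases are ruled out.
    if ($workplace)            { return 'Azure AD registered' }
    if ($domain)               { return 'Domain joined only (no Azure AD scenario)' }
    return 'Not joined or registered'
}

# Usage on a live device:
#   Get-AadScenario -State (Get-DsregState)
# Offline check against constructed sample output (not captured from a real device):
$sample = @(
    '| Device State |',
    '             AzureAdJoined : YES',
    '          EnterpriseJoined : NO',
    '              DomainJoined : YES',
    '           WorkplaceJoined : NO'
)
Get-AadScenario -State (Get-DsregState -StatusOutput $sample)
```

Run it inside an Invoke-Command session to collect the scenario for every device before deciding which of the three patching procedures below applies to it.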

Workflow

Deployments and implementations may vary across organizations. We designed the following workflow to provide the tools that you need to develop your own internal plan to mitigate any affected devices. The workflow has the following steps:

  1. Identify affected devices. Search your environment for affected trusted platform modules (TPMs), keys, and devices.
  2. Patch the affected devices. Remedy effects on identified devices by following the scenario-specific steps that are listed in this article.

How to identify affected devices

To identify affected TPMs, refer to Microsoft Security Advisory ADV170012.
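To search an environment for affected TPMs you first need each device's TPM vendor and firmware version. The following PowerShell script is an added example, not part of the KB article or the advisory: it collects those values with the Get-Tpm cmdlet and compares them against a mapping that you must fill from ADV170012 yourself; the vendor id and version values in the script are placeholders, and the ManufacturerIdTxt, ManufacturerVersion and ManufacturerVersionFull20 property names are assumed to be those that Get-Tpm exposes on Windows 10.

```powershell
# Added example (not part of the KB article): gather the TPM manufacturer and
# firmware version from a device so it can be compared against the affected
# firmware listed in Microsoft Security Advisory ADV170012. The advisory's list
# is NOT reproduced here; $AffectedFirmware holds PLACEHOLDER values that you
# must replace from ADV170012.
# Assumes the Get-Tpm cmdlet (TrustedPlatformModule module) and its
# ManufacturerIdTxt / ManufacturerVersion / ManufacturerVersionFull20 properties
# as shown by Get-Tpm on Windows 10.
#Requires -RunAsAdministrator

function Get-TpmInventory {
    # Returns one object per device; run it via Invoke-Command for a fleet.
    $tpm = Get-Tpm
    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        TpmPresent              = $tpm.TpmPresent
        TpmReady                = $tpm.TpmReady
        ManufacturerId          = $tpm.ManufacturerId
        # Vendor id as text, stripped of any padding characters.
        ManufacturerIdTxt       = ($tpm.ManufacturerIdTxt -replace '[^A-Za-z0-9]', '')
        ManufacturerVersion     = $tpm.ManufacturerVersion
        ManufacturerVersionFull = $tpm.ManufacturerVersionFull20
    }
}

function Test-TpmFirmwareAffected {
    param(
        [Parameter(Mandatory)] $Inventory,
        # PLACEHOLDER mapping: vendor id text -> affected ManufacturerVersion values.
        # Replace the key and the versions with those published in ADV170012.
        [hashtable]$AffectedFirmware = @{ 'VENDOR-PLACEHOLDER' = @('0.0', '0.1') }
    )
    $vendor = [string]$Inventory.ManufacturerIdTxt
    if (-not $vendor) { return $false }                 # no vendor id reported
    $versions = $AffectedFirmware[$vendor]
    if (-not $versions) { return $false }               # vendor not in the affected list
    return [bool]($versions -contains $Inventory.ManufacturerVersion)
}

$inv = Get-TpmInventory
$inv | Format-List
if (Test-TpmFirmwareAffected -Inventory $inv) {
    Write-Warning "$($inv.ComputerName): TPM firmware matches an affected version; apply the mitigation steps for this device's AAD scenario."
} else {
    Write-Host "$($inv.ComputerName): TPM firmware is not in the supplied affected list."
}
```

Keep the inventory objects: after the firmware update and TPM clear you can re-run Get-TpmInventory on the same devices and confirm that ManufacturerVersion has changed to a version outside the affected list.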

How to patch affected devices

Use the following steps on the affected devices according to your AAD usage scenario.

Azure AD join

  1. Make sure that a valid local admin account exists on the device, or create one.
  2. If you have signed in with a Microsoft account on the device, go to Settings > Accounts > Email & app accounts and remove the connected account.
     (Screenshot: Remove connected account)
  3. Install a firmware update for the device.
  4. Unjoin the device from Azure AD.
    1. Go to Settings > System > About, and then click Manage or disconnect from work or school.
    2. Click Connected to <AzureAD>, and then click Disconnect.
    3. Click Yes when you are prompted for acknowledgment.
    4. Click Disconnect when you are prompted to "Disconnect from the organization."
       (Screenshot: Disconnect from the organization)
    5. Enter the local admin account information for the device.
    6. Click Restart Later.
       (Screenshot: Restart later after disconnecting from the organization)
  5. Clear the TPM.
    1. To clear the TPM, use one of the following methods:
      • Use the Microsoft Management Console:
        1. Press Win + R, type tpm.msc, and then click OK.
        2. Click Clear TPM.
           (Screenshot: Clear TPM in MMC)
      • Run the Clear-Tpm cmdlet from an elevated PowerShell prompt.
    2. Click Restart.
       (Screenshot: Restart after clearing TPM)
       Note You may be prompted to clear the TPM at startup.
  6. After the device restarts, sign in to the device by using the local admin account.
  7. Rejoin the device to Azure AD. You may be prompted to set up a new PIN at the next sign-in.
Hybrid Azure AD join

  1. If you signed in by using a Microsoft account on your device, go to Settings > Accounts > Email & app accounts and remove the connected account.
     (Screenshot: Remove connected account)
  2. From an elevated command prompt, run the following command:

    dsregcmd.exe /leave /debug
  3. Install a firmware update for the device.
  4. Clear the TPM.
    1. To clear the TPM, use one of the following methods:
      • Use the Microsoft Management Console:
        1. Press Win + R, type tpm.msc, and then click OK.
        2. Click Clear TPM.
           (Screenshot: Clear TPM in MMC)
      • Run the Clear-Tpm cmdlet from an elevated PowerShell prompt.
    2. Click Restart.
       Note You may be prompted to clear the TPM at startup.

When the device starts, Windows generates new keys and automatically rejoins the device to Azure AD. During this time, you may continue to use the device. However, access to resources such as Microsoft Outlook, OneDrive, and other applications that require SSO or Conditional Access policies may be limited.
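For Hybrid Azure AD joined devices, the leave, TPM-clear and restart steps can be run from one elevated PowerShell session. The following script is an added example and not part of the KB article: it assumes the firmware update (step 3) has already been installed, that dsregcmd.exe prints "AzureAdJoined : YES/NO" lines (the real tool's format), and that Clear-Tpm, Get-Tpm and Restart-Computer are available from the built-in modules. Each destructive step goes through ShouldProcess, so the script prompts before acting and supports -WhatIf for a dry run.

```powershell
# Added example (not part of the KB article): run the Hybrid Azure AD join
# mitigation steps 2, 4 and 5 (leave, clear the TPM, restart) with a check
# before and after each destructive step. Assumes the firmware update has
# already been installed and that dsregcmd.exe prints "AzureAdJoined : YES/NO".
#Requires -RunAsAdministrator

function Test-AzureAdJoined {
    # $true when dsregcmd.exe /status reports the device as joined to Azure AD.
    return [bool]((& dsregcmd.exe /status) -match '^\s*AzureAdJoined\s*:\s*YES')
}

function Invoke-HybridTpmMitigation {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param()

    if (-not (Test-AzureAdJoined)) {
        throw 'Device is not Azure AD joined; this procedure applies to Hybrid Azure AD joined devices only.'
    }

    $leaveLog = Join-Path $env:TEMP 'dsregcmd-leave.log'
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Leave Azure AD (dsregcmd.exe /leave /debug)')) {
        # Keep the /debug output; it is the only record if the leave fails.
        & dsregcmd.exe /leave /debug | Out-File -FilePath $leaveLog
        if (Test-AzureAdJoined) {
            throw "Device still reports AzureAdJoined : YES after /leave; see $leaveLog"
        }
    }

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Clear the TPM (all TPM-protected keys on this device are destroyed)')) {
        Clear-Tpm
        if ((Get-Tpm).RestartPending) {
            Write-Host 'TPM clear is pending a restart; the firmware may ask you to confirm at startup.'
        }
    }

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Restart now')) {
        Restart-Computer -Force
    }
}

# Usage:
#   Invoke-HybridTpmMitigation -WhatIf    # dry run, prints the three steps
#   Invoke-HybridTpmMitigation            # prompts before each step
```

After the restart, re-run Test-AzureAdJoined (or dsregcmd.exe /status) to confirm that the automatic rejoin described above has completed before expecting SSO and Conditional Access to work again.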

Azure AD registered

Note If you use a Microsoft account, you must know the password.

  1. Install a firmware update for the device.
  2. Remove the Azure AD work account.
    1. Go to Settings > Accounts > Access work or school, click your work or school account, and then click Disconnect.
    2. Click Yes in the prompt to confirm the disconnection.
  3. Clear the TPM.
    1. To clear the TPM, use one of the following methods:
      • Use the Microsoft Management Console:
        1. Press Win + R, type tpm.msc, and then click OK.
        2. Click Clear TPM.
      • Run the Clear-Tpm cmdlet from an elevated PowerShell prompt.
    2. Click Restart.
       Note You may be prompted to clear your TPM at startup.
  4. If you used a Microsoft account that has a PIN, you have to sign in to the device by using the password.
  5. Add the work account back to the device.
    1. Go to Settings > Accounts > Access work or school, and then click Connect.
       (Screenshot: Connect to work or school)
    2. Enter your work account, and then click Next.
       (Screenshot: Set up a work or school account)
    3. Enter your work account and password, and then click Sign in.
    4. If your organization has configured Azure Multi-Factor Authentication for joining devices to Azure AD, provide the second factor before you continue.
    5. Validate that the information displayed is correct, and then click Join. You should see the following message:

       You're all set! We've added your account successfully. You now have access to your organization's apps and services.


Keywords: kb, atdownload, kbbug, kbexpertiseinter, kbfix, kblangall, kbmustloc, kbsecbulletin, kbsecreview, kbsecurity, kbsecvulnerability, kbsurveynew

Article Info
Article ID : 4046168
Revision : 32
Created on : 10/12/2017
Published on : 10/12/2017
Exists online : False
Views : 363