Information
This policy setting allows you to configure how Domain Controllers handle Windows Hello for Business (WHfB) keys that are vulnerable to the 'Return of Coppersmith's attack' (ROCA) vulnerability.
If this policy setting is enabled the following options are supported:
Ignore : During authentication the Domain Controller will not probe any WHfB keys for the ROCA vulnerability.
Audit : During authentication the Domain Controller will emit audit events for WHfB keys that are subject to the ROCA vulnerability (authentications will still succeed).
Block : During authentication the Domain Controller will block the use of WHfB keys that are subject to the ROCA vulnerability (vulnerable authentications will fail).
The recommended state for this setting is: Enabled: Audit. Configuring this setting to Enabled: Block also conforms to the benchmark.
Note: This setting only takes effect on Domain Controllers running on Server 2022 (or newer).
Note #2: A reboot is not required for changes to this setting to take effect.
The 'Return of Coppersmith's attack' or ROCA vulnerability is a cryptographic weakness in a widely used RSA key-generation library. Because the affected library generates primes with a predictable structure, an attacker who has only the public key can recover the corresponding private key offline, with no physical access to the affected device, on certified devices using this library.
For more information on this vulnerability, visit ADV170012 - Security Update Guide - Microsoft - Vulnerability in TPM could allow Security Feature Bypass.
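The structural weakness described above is what makes the Domain Controller's probe possible: an affected key's primes have the form p = k*M + (65537^a mod M) for a primorial M, so the modulus N = p*q satisfies N mod r in the subgroup generated by 65537 in Z_r* for every small prime r dividing M. A random modulus lands in that subgroup for every r only with negligible probability, so the residues of N alone fingerprint a vulnerable key. The following script is an added example (not code from this page, from Microsoft, or from the ADV170012 guidance) that implements that public-key-only check; the prime bound of 167 and the synthetic modulus builder are assumptions made for the example, and the synthetic modulus is a constructed test input, not a real key.

```python
"""ROCA fingerprint check for RSA public moduli.

Added example, not the page's or Microsoft's code. Keys produced by the
affected library have primes p = k*M + (65537**a mod M) for a primorial M,
so N = p*q satisfies (N mod r) in <65537> (the subgroup generated by 65537
in Z_r^*) for every small prime r dividing M. Checking those residues is a
cheap test that needs only the public key.
"""


def small_primes(limit: int) -> list:
    """Primes <= limit by sieve."""
    sieve = bytearray([1]) * (limit + 1)
    sieve[0] = sieve[1] = 0
    for i in range(2, int(limit ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(sieve[i * i::i]))
    return [i for i, is_p in enumerate(sieve) if is_p]


# Assumption for this example: primes up to 167 (2 carries no information,
# since every odd N is 1 mod 2 and 65537 is 1 mod 2).
FINGERPRINT_PRIMES = [r for r in small_primes(167) if r != 2]


def generator_subgroup(r: int, g: int = 65537) -> set:
    """The set {g**i mod r : i >= 0}, i.e. the subgroup generated by g."""
    seen = set()
    x = 1
    while x not in seen:
        seen.add(x)
        x = (x * g) % r
    return seen


RESIDUE_SETS = {r: generator_subgroup(r) for r in FINGERPRINT_PRIMES}


def is_roca_vulnerable(n: int) -> bool:
    """True when every residue of n matches the ROCA key structure."""
    return all((n % r) in RESIDUE_SETS[r] for r in FINGERPRINT_PRIMES)


def discriminating_primes() -> list:
    """Primes whose subgroup is proper; only these contribute evidence.
    For 3, 5 and 7 the element 65537 generates all of Z_r^*, so any odd
    modulus coprime to r passes them and they tell us nothing."""
    return [r for r in FINGERPRINT_PRIMES if len(RESIDUE_SETS[r]) < r - 1]


def synthetic_roca_modulus(a: int, b: int, k1: int, k2: int) -> int:
    """Constructed test input with the ROCA residue structure. p and q are
    NOT checked for primality; this is only to exercise the fingerprint."""
    M = 1
    for r in FINGERPRINT_PRIMES:
        M *= r
    p = k1 * M + pow(65537, a, M)
    q = k2 * M + pow(65537, b, M)
    return p * q


if __name__ == "__main__":
    bad = synthetic_roca_modulus(17, 23, 12345, 67890)
    print("discriminating primes:", discriminating_primes())
    print("synthetic ROCA-form modulus flagged:", is_roca_vulnerable(bad))
    print("2**127-1 flagged:", is_roca_vulnerable(2 ** 127 - 1))
```

In practice `n` is the modulus taken from the user's WHfB public key (or any RSA certificate); the check never touches the private key, which is exactly why a Domain Controller can run it at authentication time and why Audit mode costs nothing beyond the event volume.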
Solution
To establish the recommended configuration via GP, set the following UI path to Enabled: Audit (configuring to Enabled: Block also conforms to the benchmark):
Computer Configuration\Policies\Administrative Templates\System\Security Account Manager\Configure validation of ROCA-vulnerable WHfB keys during authentication
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Sam.admx/adml that is included with the Microsoft Windows 11 Release 21H2 Administrative Templates (or newer).
Impact:
This setting may affect users whose WHfB keys were generated by vulnerable Trusted Platform Modules (TPMs): in Block mode those authentications fail. To avoid issues, this setting should not be set to Block until appropriate mitigations have been performed, for example patching the firmware of vulnerable TPMs. Note that a firmware update does not fix keys that were generated before it; those keys remain vulnerable until the user's WHfB credential is re-provisioned, so run in Audit mode first to identify the affected users and keys.