ROCA attack and TPM vulnerability impacts Windows Hello for Business

ROCA attack and TPM vulnerability

Microsoft has issued a security advisory for vulnerability CVE-2017-15361, which impacts certain Trusted Platform Module (TPM) chipsets used for Windows Hello for Business. The company has published steps to detect and mitigate the issue.

According to Microsoft, an authenticated attacker could obtain Windows Hello for Business (WHfB) orphaned keys created on TPMs that were impacted by CVE-2017-15361.

“The attacker could then compute their WHfB private key from the orphaned public keys. The attacker could then impersonate the user by using the stolen private key to authenticate as the user within the domain using Public Key Cryptography for Initial Authentication (PKINIT),” Microsoft stated in the new advisory.

“This attack is possible even if firmware and software updates have been applied to TPMs that were affected by CVE-2017-15361 because the corresponding public keys might still exist in Active Directory.”

The ROCA attack

Back in October 2017, Microsoft warned that attackers could exploit the security feature bypass vulnerability, also known as “Return of Coppersmith’s Attack” (ROCA).

Microsoft further described the ROCA vulnerability and added mitigation steps in the advisory:

“The vulnerability weakens key strength. It is important to note that this is a firmware vulnerability, and not a vulnerability in the operating system or a specific application. After you have installed software and/or firmware updates, you will need to re-enroll in any security services you are running to remediate those services.”

Microsoft also stated that organizations can contact their TPM manufacturer for more information.

In addition, Microsoft has provided a script to help determine whether your systems have vulnerable firmware that needs to be updated. Organizations can also review the advisory's Recommended Actions, which detail the steps needed to mitigate the vulnerability.

Updated Windows Hello guidance to clean up orphaned keys

Microsoft has provided the following steps to help clean up orphaned keys and mitigate the ROCA TPM vulnerability:

  1. Patch your TPMs impacted by CVE-2017-15361.
  2. Install the WHfBTools Windows PowerShell module.
  3. Search your environment for any orphaned WHfB keys and for any keys impacted by CVE-2017-15361.
  4. Run the appropriate PowerShell script provided by Microsoft to mitigate the issue (such as deleting orphaned keys or keys impacted by CVE-2017-15361).

Check out the Microsoft advisory ADV190026 for more details on the above steps.
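Step 3 depends on being able to tell which RSA public keys came from an affected TPM. The following is an added example, not Microsoft's WHfBTools code, of the public ROCA fingerprint test: keys from the affected library have a modulus N = k·M + (65537^a mod M), where M is a product of small primes, so N mod p must fall in the subgroup generated by 65537 for each of those primes. The sample modulus is constructed to have that structure and is not a real key.

```python
from math import prod

# First 39 primes (2..167): the set the public ROCA detector checks for every key size.
SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53,
                59, 61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113,
                127, 131, 137, 139, 149, 151, 157, 163, 167]
GENERATOR = 65537  # the affected library derives its primes from powers of 65537 mod M


def residues_of_generator(p: int) -> frozenset:
    """Return {65537^a mod p}: the subgroup of Z_p^* generated by 65537."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = (x * GENERATOR) % p
    return frozenset(seen)


# Precompute the allowed residue set for each small prime once.
ALLOWED = {p: residues_of_generator(p) for p in SMALL_PRIMES}


def has_roca_fingerprint(modulus: int) -> bool:
    """True when modulus mod p is an allowed residue for every small prime.

    Affected keys always pass; an unaffected RSA modulus fails with
    overwhelming probability, so True means "treat this key as impacted".
    """
    return all(modulus % p in ALLOWED[p] for p in SMALL_PRIMES)


def constructed_affected_modulus(k: int, a: int) -> int:
    """Constructed sample (not a real key): k*M + 65537^a mod M, with M the
    product of the 39 primes, i.e. exactly the structure the fingerprint detects."""
    M = prod(SMALL_PRIMES)
    return k * M + pow(GENERATOR, a, M)


if __name__ == "__main__":
    sample = constructed_affected_modulus(k=123456789, a=4242)
    print("constructed sample flagged:", has_roca_fingerprint(sample))          # True
    print("ordinary odd integer flagged:", has_roca_fingerprint((1 << 1023) + 5))  # False
```

In practice the modulus would be taken from each msDS-KeyCredentialLink value exported in step 3; a key that passes the fingerprint belongs in the delete list of step 4.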

December 7, 2019 update: this post was updated to include additional updates on the impact to Windows Hello for Business and additional guidance provided by Microsoft.