Configure validation of ROCA-vulnerable WHfB keys during authentication

This policy setting allows you to configure how domain controllers handle Windows Hello for Business (WHfB) keys that are vulnerable to the "Return of Coppersmith's attack" (ROCA) vulnerability.

For more information on the ROCA vulnerability, please see:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15361

https://en.wikipedia.org/wiki/ROCA_vulnerability

If you enable this policy setting the following options are supported:

Ignore: during authentication the domain controller will not probe any WHfB keys for the ROCA vulnerability.

Audit: during authentication the domain controller will emit audit events for WHfB keys that are subject to the ROCA vulnerability (authentications will still succeed).

Block: during authentication the domain controller will block the use of WHfB keys that are subject to the ROCA vulnerability (authentications will fail).

This setting only takes effect on domain controllers.

If not configured, domain controllers will default to using their local configuration. The default local configuration is Audit.

A reboot is not required for changes to this setting to take effect.

Note: to avoid unexpected disruptions this setting should not be set to Block until appropriate mitigations have been performed, for example patching of vulnerable TPMs.

More information is available at https://go.microsoft.com/fwlink/?linkid=2116430.

Supported on: At least Windows Vista

Options for handling ROCA-vulnerable WHfB keys:


  1. Ignore ROCA-vulnerable WHfB keys
    Registry HiveHKEY_LOCAL_MACHINE
    Registry PathSoftware\Microsoft\Windows\CurrentVersion\Policies\System\SAM
    Value NameSamNGCKeyROCAValidation
    Value TypeREG_DWORD
    Value0
  2. Audit ROCA-vulnerable WHfB keys on use
    Registry HiveHKEY_LOCAL_MACHINE
    Registry PathSoftware\Microsoft\Windows\CurrentVersion\Policies\System\SAM
    Value NameSamNGCKeyROCAValidation
    Value TypeREG_DWORD
    Value1
  3. Block ROCA-vulnerable WHfB keys on use
    Registry HiveHKEY_LOCAL_MACHINE
    Registry PathSoftware\Microsoft\Windows\CurrentVersion\Policies\System\SAM
    Value NameSamNGCKeyROCAValidation
    Value TypeREG_DWORD
    Value2


sam.admx

Administrative Templates (Computers)

Administrative Templates (Users)