Microsoft has published guidance on mitigating the security risk posed by orphaned Windows Hello for Business (WHfB) public keys that were generated on Trusted Platform Module (TPM) chips affected by CVE-2017-15361 (ROCA).
The company says it is aware of an issue in which WHfB public keys persist in Active Directory after the device that generated them has been removed.
WHfB keys are tied to a user and to a device registered in Azure AD, and when WHfB is set up they are stored in the msDS-KeyCredentialLink attribute of the user object in on-premises Active Directory and in Azure AD.
Once the paired device is gone, the keys are not removed automatically and become orphaned keys. They are not deleted even after the device used to create them has been completely removed from the directory.
The danger behind orphaned WHfB keys

While authentication attempts against Azure AD that use orphaned WHfB public keys are automatically rejected, the keys can lead to a security issue in Active Directory 2016 or 2019, according to Microsoft.
"An authenticated attacker could obtain orphaned keys created on TPMs that were affected by CVE-2017-15361 (ROCA), discussed in Microsoft Security Advisory ADV170012 to compute their WHfB private key from the orphaned public keys," the security advisory reads.
"The attacker could then impersonate the user by using the stolen private key to authenticate as the user within the domain using Public Key Cryptography for Initial Authentication (PKINIT)."
Attacks abusing this issue are possible against hybrid or on-premises-only environments, and they can be launched even after firmware and software updates have been applied to TPMs vulnerable to CVE-2017-15361, because orphaned keys generated before the patch may still exist in Active Directory.
Affected configurations and mitigation measures

The orphaned public keys issue can affect environments where WHfB was set up in the following configurations:
WHfB is deployed on Active Directory 2016 or 2019, either in hybrid mode or on-premises only.
The environment currently has, or has had in the past, WHfB keys generated on TPMs affected by CVE-2017-15361.
Both hybrid Active Directory 2016 or 2019 environments synchronized to Azure AD, with or without Active Directory Federation Services (AD FS), and on-premises-only Active Directory 2016 or 2019 environments with AD FS can be exposed to the risk from orphaned WHfB keys.
Microsoft provides the following steps to mitigate the security issues behind orphaned WHfB keys generated with an unpatched TPM on hybrid or on-premises only environments:
1. Ensure your TPMs affected by CVE-2017-15361 are patched. See Microsoft Security Advisory ADV170012 for details.
2. Install the WHfBTools Windows PowerShell module. See WHfBTools.
3. Use the WHfBTools PowerShell scripts to identify and remove keys; the scripts differ depending on whether your environment is hybrid or on-premises only. See Using WHfBTools PowerShell module for cleaning up orphaned Windows Hello for Business Keys for complete instructions.
4. Query your environment for orphaned WHfB keys and for keys affected by CVE-2017-15361 (ROCA).
5. You can then do one of the following, using the appropriate PowerShell script:
* Delete orphaned WHfB keys.
* Delete keys affected by CVE-2017-15361. Important: deleting ROCA-vulnerable WHfB keys that are not yet orphaned will disrupt the users who still rely on them. Ensure these keys are orphaned before removing them from the directory.
* Delete both orphaned keys and keys affected by CVE-2017-15361.
Depending on whether you are dealing with a hybrid or an on-premises-only environment, you will have to use a different WHfBTools PowerShell script to identify and remove the orphaned keys.
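To make concrete what the advisory's query step is looking for, and why an orphaned ROCA key matters (the attacker only needs the public key stored in the directory), here is an added example. It is illustration code written for this article, not Microsoft's WHfBTools module, and it runs offline on constructed data: it parses an msDS-KeyCredentialLink value (DN-Binary wrapping a KEYCREDENTIALLINK_BLOB as documented in MS-ADTS, with the RSA public key in BCRYPT_RSAKEY_BLOB form), flags keys whose DeviceId no longer matches any registered device, and applies the public ROCA fingerprint test to the modulus. The sample moduli, device GUIDs and DNs are constructed; in a real on-premises run you would feed it the attribute values returned by Get-ADUser and the set of device IDs still registered, and for the hybrid case you would still use Microsoft's scripts, since keys held in Azure AD are not reachable this way.

```python
import struct
import uuid

# Added example, not Microsoft's WHfBTools. Parses on-premises msDS-KeyCredentialLink
# values and labels keys as orphaned and/or ROCA-fingerprinted. All sample data is constructed.

RSA_PUBLIC_MAGIC = 0x31415352          # 'RSA1', BCRYPT_RSAPUBLIC_MAGIC
KEY_MATERIAL, DEVICE_ID = 0x03, 0x06   # KEYCREDENTIALLINK_ENTRY identifiers (MS-ADTS 2.2.20)

# Small primes used by the public ROCA fingerprint test (primes 3..167).
ROCA_PRIMES = [p for p in range(3, 168) if all(p % q for q in range(2, p))]

def roca_fingerprint(n: int) -> bool:
    """ROCA moduli have the form N = k*M + (65537^a mod M), so N mod p always lies in the
    subgroup generated by 65537 mod p. A modulus that does for every prime is flagged;
    a normal modulus fails at least one prime with overwhelming probability."""
    for p in ROCA_PRIMES:
        subgroup = {pow(65537, k, p) for k in range(p - 1)}
        if n % p not in subgroup:
            return False
    return True

def build_bcrypt_rsa_public_blob(n: int, e: int) -> bytes:
    """BCRYPT_RSAKEY_BLOB (public form): little-endian header, then big-endian e and n."""
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    eb = e.to_bytes((e.bit_length() + 7) // 8, "big")
    hdr = struct.pack("<IIIIII", RSA_PUBLIC_MAGIC, n.bit_length(), len(eb), len(nb), 0, 0)
    return hdr + eb + nb

def build_key_credential_link(n: int, e: int, device_id: uuid.UUID, dn: str) -> str:
    """Constructed DN-Binary value 'B:<hexlen>:<hex>:<dn>' used here only as test input."""
    entries = [(KEY_MATERIAL, build_bcrypt_rsa_public_blob(n, e)),
               (DEVICE_ID, device_id.bytes_le)]       # GUID stored in its mixed-endian byte layout
    blob = struct.pack("<I", 0x200)                    # KEYCREDENTIALLINK_BLOB version
    for ident, value in entries:
        blob += struct.pack("<HB", len(value), ident) + value
    hexblob = blob.hex().upper()
    return f"B:{len(hexblob)}:{hexblob}:{dn}"

def parse_key_credential_link(value: str) -> dict:
    """Walk the entries of a KEYCREDENTIALLINK_BLOB and extract the RSA key and DeviceId."""
    _, hexlen, hexblob, dn = value.split(":", 3)
    assert int(hexlen) == len(hexblob), "DN-Binary length field does not match payload"
    blob = bytes.fromhex(hexblob)
    (version,) = struct.unpack_from("<I", blob, 0)
    assert version == 0x200, f"unexpected KeyCredentialLink version {version:#x}"
    pos, out = 4, {"dn": dn, "modulus": None, "exponent": None, "device_id": None}
    while pos < len(blob):
        length, ident = struct.unpack_from("<HB", blob, pos)
        pos += 3
        data = blob[pos:pos + length]
        pos += length
        if ident == DEVICE_ID:
            out["device_id"] = uuid.UUID(bytes_le=data)
        elif ident == KEY_MATERIAL:
            magic, _bits, cb_exp, cb_mod, _, _ = struct.unpack_from("<IIIIII", data, 0)
            if magic == RSA_PUBLIC_MAGIC:
                out["exponent"] = int.from_bytes(data[24:24 + cb_exp], "big")
                out["modulus"] = int.from_bytes(data[24 + cb_exp:24 + cb_exp + cb_mod], "big")
    return out

def classify_keys(values, registered_device_ids) -> list:
    """Label each key the way the advisory's three cleanup options need: orphaned keys can go
    at once; ROCA keys still tied to a live device must be re-provisioned first or users break."""
    report = []
    for value in values:
        key = parse_key_credential_link(value)
        orphaned = key["device_id"] not in registered_device_ids   # no DeviceId counts as orphaned
        roca = key["modulus"] is not None and roca_fingerprint(key["modulus"])
        report.append({"dn": key["dn"], "device_id": key["device_id"],
                       "orphaned": orphaned, "roca": roca,
                       "safe_to_delete": orphaned,
                       "needs_reprovision": roca and not orphaned})
    return report

# Constructed sample data: a ROCA-shaped modulus from a device that is no longer registered,
# and a healthy modulus from a device that is. Neither is a real key.
_M = 1
for _p in ROCA_PRIMES:
    _M *= _p
SAMPLE_ROCA_MODULUS = pow(65537, 12345, _M) + (2 ** 1000 // _M) * _M   # N = k*M + 65537^a mod M
SAMPLE_SAFE_MODULUS = 11 * 10 ** 300 + 2                               # N mod 11 = 2, not in <65537>
LIVE_DEVICE = uuid.UUID("11111111-2222-3333-4444-555555555555")
GONE_DEVICE = uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")
SAMPLE_VALUES = [
    build_key_credential_link(SAMPLE_ROCA_MODULUS, 65537, GONE_DEVICE, "CN=alice,OU=Users,DC=corp,DC=example"),
    build_key_credential_link(SAMPLE_SAFE_MODULUS, 65537, LIVE_DEVICE, "CN=bob,OU=Users,DC=corp,DC=example"),
]

def sample_report() -> list:
    """Run the classifier over the constructed values with only LIVE_DEVICE still registered."""
    return classify_keys(SAMPLE_VALUES, {LIVE_DEVICE})

if __name__ == "__main__":
    for row in sample_report():
        print(row)
```

The report's `safe_to_delete` column is deliberately just `orphaned`: that is the set the advisory lets you remove without user impact, whereas a key that is ROCA-fingerprinted but still bound to a live device is the case its warning is about. The fingerprint test only needs the public modulus, which is exactly why a public key left behind in the directory is enough for the attack the advisory describes.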
Microsoft says that no attempts to exploit this issue against customers had been discovered before its public disclosure.
Also, while environments that never had TPMs vulnerable to CVE-2017-15361 are not impacted by the orphaned keys issue, Microsoft still recommends searching for and removing any such keys with the mitigations listed above as a security hygiene measure.
Redmond also adds that Azure AD and AD FS are not affected by this issue, but strongly advises applying the firmware updates supplied by your TPM OEM "to avoid any exposure."