How to query Infineon firmware TPM (Microsoft Advisory ADV170012) in ConfigMgr

If you don’t know what this is about, you must first read this: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170012

Additionally, this article https://support.microsoft.com/en-us/help/4046783/bitlocker-mitigation-plan-for-vulnerability-in-tpm says:

When TPM-based protector is used to protect the operating system volume, the security of the BitLocker protection is affected only if the TPM firmware version is 1.2.

But the script that Microsoft provides does not detect whether the TPM firmware version is 1.2 or not.

I found two excellent posts on how to get this information out using PowerShell and ConfigMgr compliance settings:
https://p0w3rsh3ll.wordpress.com/2017/10/13/about-microsoft-advisory-adv170012/
https://www.imab.dk/detect-vulnerability-in-tpm-adv170012-using-configmgr-compliance-settings/

If you are on Windows 7 and have not updated to Windows Management Framework 5.0 or 5.1 yet, you can’t use Get-Tpm, but you can query the Win32_Tpm WMI class directly instead (this needs an elevated prompt):

Get-WmiObject -Class Win32_Tpm -Namespace root\cimv2\Security\MicrosoftTpm
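To turn the raw Win32_Tpm properties into a verdict, the following added example (written for this post, not the author’s code and not Microsoft’s ADV170012 script) checks the manufacturer id, the spec family and the firmware version. It assumes the Win32_Tpm property names ManufacturerId, ManufacturerVersion and SpecVersion; the $VulnerableFirmware list is a placeholder to be replaced with the affected versions listed in ADV170012.

```powershell
# Added example, not part of the original post or of Microsoft's detection script.
# Works on Windows 7 without Get-Tpm because it only needs the Win32_Tpm WMI class.

function Test-InfineonTpmFirmware {
    param(
        [Parameter(Mandatory)] [uint32] $ManufacturerId,
        [Parameter(Mandatory)] [string] $ManufacturerVersion,
        [Parameter(Mandatory)] [string] $SpecVersion,
        # PLACEHOLDER list (assumption): replace with the affected firmware
        # versions from ADV170012 before relying on the result.
        [string[]] $VulnerableFirmware = @('4.32', '4.33', '4.40', '4.42', '5.61', '6.40', '7.61')
    )

    # Infineon's manufacturer id is the ASCII string "IFX" packed into a
    # 32-bit integer: 0x49465800, i.e. 1229346816 in decimal.
    $InfineonId = [uint32]0x49465800

    # SpecVersion looks like "1.2, 2, 3" or "2.0, 0, 1.16"; the first field is the family.
    $family = ($SpecVersion -split ',')[0].Trim()

    # ManufacturerVersion looks like "4.32" or "7.62.3126.0"; compare on major.minor only.
    $fw = $ManufacturerVersion -as [version]
    $fwShort = if ($fw) { '{0}.{1}' -f $fw.Major, $fw.Minor } else { $ManufacturerVersion }

    $isInfineon = ($ManufacturerId -eq $InfineonId)
    $fwVulnerable = $isInfineon -and ($VulnerableFirmware -contains $fwShort)

    [pscustomobject]@{
        IsInfineon         = $isInfineon
        SpecFamily         = $family
        Firmware           = $fwShort
        FirmwareVulnerable = $fwVulnerable
        # Per the KB article quoted above, BitLocker's TPM protector is only
        # affected when the vulnerable TPM is a 1.2 part.
        BitLockerAffected  = $fwVulnerable -and ($family -eq '1.2')
    }
}

function Get-LocalTpmAdv170012Status {
    # Win32_Tpm requires administrative rights; a null result means no TPM
    # or no access, which is reported rather than treated as "safe".
    $tpm = Get-WmiObject -Class Win32_Tpm -Namespace root\cimv2\Security\MicrosoftTpm -ErrorAction SilentlyContinue
    if (-not $tpm) {
        return [pscustomobject]@{ IsInfineon = $null; FirmwareVulnerable = $null; Note = 'No TPM found or access denied' }
    }
    Test-InfineonTpmFirmware -ManufacturerId $tpm.ManufacturerId `
                             -ManufacturerVersion $tpm.ManufacturerVersion `
                             -SpecVersion $tpm.SpecVersion
}

# Usage: run elevated on the machine you want to check.
Get-LocalTpmAdv170012Status | Format-List
```

The same function can be fed constructed values to see the logic without a TPM, e.g. `Test-InfineonTpmFirmware -ManufacturerId 1229346816 -ManufacturerVersion '4.32' -SpecVersion '1.2, 2, 3'` returns FirmwareVulnerable and BitLockerAffected both true (with the placeholder list), whereas a 2.0 part with the same flag set reports FirmwareVulnerable true but BitLockerAffected false, which is exactly the distinction the KB article draws.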

Anyway, my co-worker Bamberg Antti figured out we can use SQL to query this information from ConfigMgr. Of course, you need hardware inventory enabled for the Win32_TPM class.

Antti and I modified the SQL and WQL queries so that I can put them in this post; please adapt them to your own needs.

For SQL reporting (this returns both safe and not-safe Infineon firmware TPMs):

(As a note to myself: this is a nice website for making a query look better formatted: http://poorsql.com/ 🙂 )

You should get results like this, or let’s hope you don’t get any results at all (which means everything is fine):

 

WQL query for ConfigMgr monitoring (this only returns not-safe Infineon firmware TPMs):

 

WQL query for a ConfigMgr collection (this only returns not-safe Infineon firmware TPMs):
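Since the original SQL and WQL text did not survive on this page, here is an added example of the same idea for both the SQL report and the WQL monitoring/collection queries. It is my own illustration, not Antti’s and the author’s queries. It assumes the default hardware inventory views for the Win32_TPM class (v_GS_TPM in the site database, SMS_G_System_TPM through the SMS provider) and the ResourceID link to v_R_System / SMS_R_System; the site server, site code, database name and the firmware version list are placeholders, the last of which must be taken from ADV170012.

```powershell
# Added example, not the post's own queries.
# Placeholders (assumptions): site server, site code, database, firmware list.
$SiteServer = 'CM01.contoso.local'
$SiteCode   = 'P01'
$SiteDb     = "CM_$SiteCode"

# Infineon manufacturer id: "IFX" packed as 0x49465800 = 1229346816.
$InfineonId = 1229346816

# SQL report: every Infineon TPM, flagged Safe / Not safe for BitLocker.
# Only a 1.2 part with affected firmware is flagged, matching the KB article.
$sql = @"
SELECT  sys.Name0                AS ComputerName,
        tpm.SpecVersion0         AS SpecVersion,
        tpm.ManufacturerVersion0 AS FirmwareVersion,
        CASE WHEN LEFT(tpm.SpecVersion0, 3) = '1.2'
              AND LEFT(tpm.ManufacturerVersion0, 4) IN ('4.32', '4.33', '4.40', '4.42') -- placeholder list
             THEN 'Not safe' ELSE 'Safe' END AS BitLockerStatus
FROM    v_R_System AS sys
JOIN    v_GS_TPM   AS tpm ON tpm.ResourceID = sys.ResourceID
WHERE   tpm.ManufacturerId0 = $InfineonId
ORDER BY BitLockerStatus DESC, sys.Name0
"@

function Get-InfineonTpmReport {
    # Invoke-Sqlcmd comes from the SqlServer (or older SQLPS) module.
    Invoke-Sqlcmd -ServerInstance $SiteServer -Database $SiteDb -Query $sql
}

# WQL: only the not-safe ones. The same text can be pasted into a
# collection's query rule; in WQL, string literals use double quotes.
$wql = @"
SELECT SMS_R_System.ResourceID, SMS_R_System.Name,
       SMS_G_System_TPM.SpecVersion, SMS_G_System_TPM.ManufacturerVersion
FROM SMS_R_System
INNER JOIN SMS_G_System_TPM ON SMS_G_System_TPM.ResourceID = SMS_R_System.ResourceID
WHERE SMS_G_System_TPM.ManufacturerId = $InfineonId
  AND SMS_G_System_TPM.SpecVersion LIKE "1.2%"
  AND (SMS_G_System_TPM.ManufacturerVersion LIKE "4.32%"
    OR SMS_G_System_TPM.ManufacturerVersion LIKE "4.33%"
    OR SMS_G_System_TPM.ManufacturerVersion LIKE "4.40%"
    OR SMS_G_System_TPM.ManufacturerVersion LIKE "4.42%")
"@

function Get-NotSafeInfineonTpm {
    # A joined WQL query returns one generic object per row with the two
    # classes as nested properties, hence the expressions below.
    Get-WmiObject -ComputerName $SiteServer -Namespace "root\sms\site_$SiteCode" -Query $wql |
        Select-Object @{ n = 'ComputerName'; e = { $_.SMS_R_System.Name } },
                      @{ n = 'SpecVersion';  e = { $_.SMS_G_System_TPM.SpecVersion } },
                      @{ n = 'Firmware';     e = { $_.SMS_G_System_TPM.ManufacturerVersion } }
}

# Usage, from a machine with the SqlServer module and SMS provider access:
Get-InfineonTpmReport  | Format-Table -AutoSize
Get-NotSafeInfineonTpm | Format-Table -AutoSize
```

The SQL version matches on the first four characters of ManufacturerVersion0 because some Infineon parts report a full build string such as 7.62.3126.0 rather than just major.minor; the WQL version uses a LIKE per version for the same reason. Keep the inventory class for Win32_TPM enabled, otherwise both views stay empty and an empty result would look like "everything is fine".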

 

3 thoughts on “How to query Infineon firmware TPM (Microsoft Advisory ADV170012) in ConfigMgr”

  1. Gerry

    Not sure that DisplayName0 (line 79) is correct, at least it throws an error when I run it.

    Reply
    1. MS

      Just change that from DisplayName0 to Name0 and it runs perfectly.

      Reply
    2. Antti Bamberg

      Well actually, it depends on what is chosen for discovery in Active Directory User Discovery; if the display name is not discovered, then of course it can’t be found in the report either.

      Reply
