keithga/Test-TPMReimann.ps1

## Test-TPMReimann.ps1

#Requires -Version 3
#requires -RunAsAdministrator

<#
.SYNOPSIS

TPM Infineon Riemann Check

.DESCRIPTION

Checks the status of TPM on the local machine and returns status as a PowerShell object.

Must be run at elevated permissions.

.OUTPUTS

PSCustomObject with several properties.

.EXAMPLE
C:\PS> .\Test-TPMReimann.ps1

hasTPM                         : True
ManufacturerId                 : 0x53544d20
ManufacturerVersion            : 13.12
FirmwareVersionAtLastProvision :
NeedsRemediation               : False
Reason                         : This non-Infineon TPM is not affected by the Riemann issue.  0x53544d20

.EXAMPLE

C:\PS> icm -scriptblock { iwr 'https://gist.githubusercontent.com/keithga/22aa4500de40bc174f2f4921052e3b87/raw/Test-TPMReimann.ps1' | iex } -RunAsAdministrator -ComputerName PC1,PC2

Given the URL path to this script ( to get the script, click on the raw link above ), will run the command on the machines and collect the results locally.

.LINK

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170012

.LINK

#>

[cmdletbinding()]
param()

If (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")){
    Throw "Not Administrator"
}

$TPM = try { Get-Tpm } catch { $Null }

$FirmwareVersionAtLastProvision = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\TPM\WMI" -Name "FirmwareVersionAtLastProvision" -ErrorAction SilentlyContinue | % FirmwareVersionAtLastProvision

#region Infineon version test routines

function Test-RiemannVersion ( [string[]] $version ) {
    # Returns True if not safe

    switch ( $version ) {

        4 { return $version[1] -le 33 -or ($version[1] -ge 40 -and $version[1] -le 42) }
        5 { return $version[1] -le 61 }
        6 { return $version[1] -le 42 }
        7 { return $version[1] -le 61 }
        133 { return $version[1] -le 32 }
        default { return $False }

    }

}

#endregion

#region Test Logic

if ( !$TPM ) {

    $Reason = "No TPM found on this system, so the Riemann issue does not apply here."
    $NeedsRemediation = $False

}
elseif ( $TPM.ManufacturerId -ne 0x49465800 ) {

    $Reason = "This non-Infineon TPM is not affected by the Riemann issue.  0x$([convert]::ToString($TPM.ManufacturerId,16))"
    $NeedsRemediation = $False

}

elseif ( $TPM.ManufacturerVersion.IndexOf('.') -eq -1 ) {

    $Reason = "Could not get TPM firmware version from this TPM. $($TPM.ManufacturerVersion)"
    $NeedsRemediation = $False

}
elseif ( Test-RiemannVersion ( $Tpm.ManufacturerVersion -split '\.' ) ) {

    $reason = "This Infineon firmware version TPM is not safe. $($Tpm.ManufacturerVersion)"
    $NeedsRemediation = $true

}
elseif (!$FirmwareVersionAtLastProvision) {

    $Reason = "We cannot determine what the firmware version was when the TPM was last cleared. Please clear your TPM now that the firmware is safe."
    $NeedsRemediation = $true

}
elseif ($FirmwareVersion -ne $FirmwareVersionAtLastProvision) {

    $Reason = "The firmware version when the TPM was last cleared was different from the current firmware version. Please clear your TPM now that the firmware is safe."
    $NeedsRemediation = $true

} else {

    $reason = 'OK'
    $NeedsRemediation = $False

}

#endregion

#region Output Object

[PSCustomObject] @{

    # Basic TPM Information
    hasTPM = $TPM -ne $null
    ManufacturerId = "0x" + [convert]::ToString($TPM.ManufacturerId,16)
    ManufacturerVersion = $Tpm.ManufacturerVersion
    FWVersionAtLastProv = $FirmwareVersionAtLastProvision

    # Does the machine need Remediation for Riemann issue?
    NeedsRemediation = $NeedsRemediation

    # Reason String
    Reason = $Reason

}

#endregion

	#Requires -Version 3
	#requires -RunAsAdministrator

	<#
	.SYNOPSIS

	TPM Infineon Riemann Check

	.DESCRIPTION

	Checks the status of TPM on the local machine and returns status as a PowerShell object.

	Must be run at elevated permissions.

	.OUTPUTS

	PSCustomObject with several properties.

	.EXAMPLE
	C:\PS> .\Test-TPMReimann.ps1

	hasTPM : True
	ManufacturerId : 0x53544d20
	ManufacturerVersion : 13.12
	FirmwareVersionAtLastProvision :
	NeedsRemediation : False
	Reason : This non-Infineon TPM is not affected by the Riemann issue. 0x53544d20

	.EXAMPLE

	C:\PS> icm -scriptblock { iwr 'https://gist.githubusercontent.com/keithga/22aa4500de40bc174f2f4921052e3b87/raw/Test-TPMReimann.ps1' \| iex } -RunAsAdministrator -ComputerName PC1,PC2

	Given the URL path to this script ( to get the script, click on the raw link above ), will run the command on the machines and collect the results locally.

	.LINK

	https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170012

	.LINK

	#>

	[cmdletbinding()]
	param()

	If (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")){
	Throw "Not Administrator"
	}

	$TPM = try { Get-Tpm } catch { $Null }

	$FirmwareVersionAtLastProvision = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\TPM\WMI" -Name "FirmwareVersionAtLastProvision" -ErrorAction SilentlyContinue \| % FirmwareVersionAtLastProvision

	#region Infineon version test routines

	function Test-RiemannVersion ( [string[]] $version ) {
	# Returns True if not safe

	switch ( $version ) {

	4 { return $version[1] -le 33 -or ($version[1] -ge 40 -and $version[1] -le 42) }
	5 { return $version[1] -le 61 }
	6 { return $version[1] -le 42 }
	7 { return $version[1] -le 61 }
	133 { return $version[1] -le 32 }
	default { return $False }

	}

	}

	#endregion

	#region Test Logic

	if ( !$TPM ) {

	$Reason = "No TPM found on this system, so the Riemann issue does not apply here."
	$NeedsRemediation = $False

	}
	elseif ( $TPM.ManufacturerId -ne 0x49465800 ) {

	$Reason = "This non-Infineon TPM is not affected by the Riemann issue. 0x$([convert]::ToString($TPM.ManufacturerId,16))"
	$NeedsRemediation = $False

	}

	elseif ( $TPM.ManufacturerVersion.IndexOf('.') -eq -1 ) {

	$Reason = "Could not get TPM firmware version from this TPM. $($TPM.ManufacturerVersion)"
	$NeedsRemediation = $False

	}
	elseif ( Test-RiemannVersion ( $Tpm.ManufacturerVersion -split '\.' ) ) {

	$reason = "This Infineon firmware version TPM is not safe. $($Tpm.ManufacturerVersion)"
	$NeedsRemediation = $true

	}
	elseif (!$FirmwareVersionAtLastProvision) {

	$Reason = "We cannot determine what the firmware version was when the TPM was last cleared. Please clear your TPM now that the firmware is safe."
	$NeedsRemediation = $true

	}
	elseif ($FirmwareVersion -ne $FirmwareVersionAtLastProvision) {

	$Reason = "The firmware version when the TPM was last cleared was different from the current firmware version. Please clear your TPM now that the firmware is safe."
	$NeedsRemediation = $true

	} else {

	$reason = 'OK'
	$NeedsRemediation = $False

	}

	#endregion

	#region Output Object

	[PSCustomObject] @{

	# Basic TPM Information
	hasTPM = $TPM -ne $null
	ManufacturerId = "0x" + [convert]::ToString($TPM.ManufacturerId,16)
	ManufacturerVersion = $Tpm.ManufacturerVersion
	FWVersionAtLastProv = $FirmwareVersionAtLastProvision

	# Does the machine need Remediation for Riemann issue?
	NeedsRemediation = $NeedsRemediation

	# Reason String
	Reason = $Reason

	}

	#endregion