| #Requires -Version 3 | |
| #requires -RunAsAdministrator | |
| <# | |
| .SYNOPSIS | |
| TPM Infineon Riemann Check | |
| .DESCRIPTION | |
| Checks the status of TPM on the local machine and returns status as a PowerShell object. | |
| Must be run at elevated permissions. | |
| .OUTPUTS | |
| PSCustomObject with several properties. | |
| .EXAMPLE | |
| C:\PS> .\Test-TPMReimann.ps1 | |
| hasTPM : True | |
| ManufacturerId : 0x53544d20 | |
| ManufacturerVersion : 13.12 | |
| FirmwareVersionAtLastProvision : | |
| NeedsRemediation : False | |
| Reason : This non-Infineon TPM is not affected by the Riemann issue. 0x53544d20 | |
| .EXAMPLE | |
| C:\PS> icm -scriptblock { iwr 'https://gist.githubusercontent.com/keithga/22aa4500de40bc174f2f4921052e3b87/raw/Test-TPMReimann.ps1' | iex } -RunAsAdministrator -ComputerName PC1,PC2 | |
| Given the URL path to this script ( to get the script, click on the raw link above ), will run the command on the machines and collect the results locally. | |
| .LINK | |
| https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170012 | |
| .LINK | |
| #> | |
| [cmdletbinding()] | |
| param() | |
| If (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")){ | |
| Throw "Not Administrator" | |
| } | |
| $TPM = try { Get-Tpm } catch { $Null } | |
| $FirmwareVersionAtLastProvision = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\TPM\WMI" -Name "FirmwareVersionAtLastProvision" -ErrorAction SilentlyContinue | % FirmwareVersionAtLastProvision | |
| #region Infineon version test routines | |
| function Test-RiemannVersion ( [string[]] $version ) { | |
| # Returns True if not safe | |
| switch ( $version ) { | |
| 4 { return $version[1] -le 33 -or ($version[1] -ge 40 -and $version[1] -le 42) } | |
| 5 { return $version[1] -le 61 } | |
| 6 { return $version[1] -le 42 } | |
| 7 { return $version[1] -le 61 } | |
| 133 { return $version[1] -le 32 } | |
| default { return $False } | |
| } | |
| } | |
| #endregion | |
| #region Test Logic | |
| if ( !$TPM ) { | |
| $Reason = "No TPM found on this system, so the Riemann issue does not apply here." | |
| $NeedsRemediation = $False | |
| } | |
| elseif ( $TPM.ManufacturerId -ne 0x49465800 ) { | |
| $Reason = "This non-Infineon TPM is not affected by the Riemann issue. 0x$([convert]::ToString($TPM.ManufacturerId,16))" | |
| $NeedsRemediation = $False | |
| } | |
| elseif ( $TPM.ManufacturerVersion.IndexOf('.') -eq -1 ) { | |
| $Reason = "Could not get TPM firmware version from this TPM. $($TPM.ManufacturerVersion)" | |
| $NeedsRemediation = $False | |
| } | |
| elseif ( Test-RiemannVersion ( $Tpm.ManufacturerVersion -split '\.' ) ) { | |
| $reason = "This Infineon firmware version TPM is not safe. $($Tpm.ManufacturerVersion)" | |
| $NeedsRemediation = $true | |
| } | |
| elseif (!$FirmwareVersionAtLastProvision) { | |
| $Reason = "We cannot determine what the firmware version was when the TPM was last cleared. Please clear your TPM now that the firmware is safe." | |
| $NeedsRemediation = $true | |
| } | |
| elseif ($FirmwareVersion -ne $FirmwareVersionAtLastProvision) { | |
| $Reason = "The firmware version when the TPM was last cleared was different from the current firmware version. Please clear your TPM now that the firmware is safe." | |
| $NeedsRemediation = $true | |
| } else { | |
| $reason = 'OK' | |
| $NeedsRemediation = $False | |
| } | |
| #endregion | |
| #region Output Object | |
| [PSCustomObject] @{ | |
| # Basic TPM Information | |
| hasTPM = $TPM -ne $null | |
| ManufacturerId = "0x" + [convert]::ToString($TPM.ManufacturerId,16) | |
| ManufacturerVersion = $Tpm.ManufacturerVersion | |
| FWVersionAtLastProv = $FirmwareVersionAtLastProvision | |
| # Does the machine need Remediation for Riemann issue? | |
| NeedsRemediation = $NeedsRemediation | |
| # Reason String | |
| Reason = $Reason | |
| } | |
| #endregion | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment