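#Requires -Version 3
#Requires -RunAsAdministrator
<#
.SYNOPSIS
TPM Infineon Riemann Check
.DESCRIPTION
Checks the status of the TPM on the local machine and returns the status as a PowerShell object.
Must be run with elevated permissions.
.OUTPUTS
PSCustomObject with the properties hasTPM, ManufacturerId, ManufacturerVersion,
FWVersionAtLastProv, NeedsRemediation and Reason.
.EXAMPLE
C:\PS> .\Test-TPMReimann.ps1
hasTPM : True
ManufacturerId : 0x53544d20
ManufacturerVersion : 13.12
FWVersionAtLastProv :
NeedsRemediation : False
Reason : This non-Infineon TPM is not affected by the Riemann issue. 0x53544d20
.EXAMPLE
C:\PS> icm -scriptblock { iwr 'https://gist.githubusercontent.com/keithga/22aa4500de40bc174f2f4921052e3b87/raw/Test-TPMReimann.ps1' | iex } -RunAsAdministrator -ComputerName PC1,PC2
Given the URL path to this script (to get the script, click on the raw link above), runs the command on the listed machines and collects the results locally.
Note: this pipes a downloaded script straight into Invoke-Expression on every target; review the
downloaded content (or host a verified copy) before running it across a fleet.
.LINK
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170012
#>
[cmdletbinding()]
param()

# Explicit elevation check in addition to the #Requires directive: reading the TPM
# and its service registry key needs administrator rights.
If (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {
    Throw "Not Administrator"
}

# Any failure of Get-Tpm (including the cmdlet not being available on this host)
# is mapped to $null, which the test logic reports as "no TPM found".
$TPM = try { Get-Tpm -ErrorAction Stop } catch { $Null }

# Firmware version recorded at the last TPM provisioning (see ADV170012).
# The value may be absent; SilentlyContinue then yields $null.
$FirmwareVersionAtLastProvision = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\TPM\WMI" -Name "FirmwareVersionAtLastProvision" -ErrorAction SilentlyContinue |
    ForEach-Object FirmwareVersionAtLastProvision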
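#region Infineon version test routines
function Test-RiemannVersion ( [string[]] $version ) {
    <#
    .SYNOPSIS
    Returns $True when the given Infineon firmware version is in an affected range (i.e. NOT safe).
    .PARAMETER version
    Firmware version split into its parts, e.g. $Tpm.ManufacturerVersion -split '\.' -> @('7','40').
    Only the first two parts (major, minor) are used and they are compared numerically.
    .OUTPUTS
    [bool] - $True if remediation is needed, $False if the version is outside the affected ranges
    or the version parts are missing/non-numeric.
    #>
    # Parse major/minor as integers. The original compared the string part with -le, which
    # PowerShell evaluates lexically, so e.g. minor '9' was not considered <= 61.
    if ($version.Count -lt 2) { return $False }
    $major = 0
    $minor = 0
    if (-not ([int]::TryParse($version[0], [ref]$major) -and [int]::TryParse($version[1], [ref]$minor))) {
        return $False
    }
    # Affected ranges as listed in the original script (see ADV170012).
    switch ($major) {
        4       { return ($minor -le 33) -or ($minor -ge 40 -and $minor -le 42) }
        5       { return $minor -le 61 }
        6       { return $minor -le 42 }
        7       { return $minor -le 61 }
        133     { return $minor -le 32 }
        default { return $False }
    }
}
#endregion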
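#region Test Logic
# Decide whether this machine needs remediation for the Riemann issue and why.
# Branch order matters: each test assumes the earlier ones did not match.
if ( $null -eq $TPM ) {
    $Reason = "No TPM found on this system, so the Riemann issue does not apply here."
    $NeedsRemediation = $False
}
elseif ( $TPM.ManufacturerId -ne 0x49465800 ) {
    # 0x49465800 is the Infineon manufacturer id ('IFX' followed by a NUL byte).
    $Reason = "This non-Infineon TPM is not affected by the Riemann issue. 0x$([convert]::ToString($TPM.ManufacturerId,16))"
    $NeedsRemediation = $False
}
elseif ( ([string]$TPM.ManufacturerVersion).IndexOf('.') -eq -1 ) {
    # [string] cast so a $null ManufacturerVersion does not fail the method call.
    $Reason = "Could not get TPM firmware version from this TPM. $($TPM.ManufacturerVersion)"
    $NeedsRemediation = $False
}
elseif ( Test-RiemannVersion ( $TPM.ManufacturerVersion -split '\.' ) ) {
    $Reason = "This Infineon firmware version TPM is not safe. $($TPM.ManufacturerVersion)"
    $NeedsRemediation = $true
}
elseif ( !$FirmwareVersionAtLastProvision ) {
    $Reason = "We cannot determine what the firmware version was when the TPM was last cleared. Please clear your TPM now that the firmware is safe."
    $NeedsRemediation = $true
}
elseif ( $TPM.ManufacturerVersion -ne $FirmwareVersionAtLastProvision ) {
    # Fix: the original compared against the never-assigned $FirmwareVersion ($null), so this
    # branch fired whenever a provisioning record existed and the 'OK' branch was unreachable.
    # NOTE(review): assumes the registry value uses the same "major.minor" text as
    # ManufacturerVersion — confirm on an Infineon host.
    $Reason = "The firmware version when the TPM was last cleared was different from the current firmware version. Please clear your TPM now that the firmware is safe."
    $NeedsRemediation = $true
}
else {
    $Reason = 'OK'
    $NeedsRemediation = $False
}
#endregion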
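#region Output Object
# Format the manufacturer id as hex only when a TPM was found; with $TPM being $null the
# original passed a $null id to [convert]::ToString, which does not yield a usable value.
$ManufacturerIdHex = if ($null -ne $TPM) { "0x" + [convert]::ToString($TPM.ManufacturerId,16) } else { $null }

# Result object returned to the caller (the script's only output).
[PSCustomObject] @{
    # Basic TPM Information
    hasTPM              = $null -ne $TPM
    ManufacturerId      = $ManufacturerIdHex
    ManufacturerVersion = $TPM.ManufacturerVersion
    FWVersionAtLastProv = $FirmwareVersionAtLastProvision
    # Does the machine need remediation for the Riemann issue?
    NeedsRemediation    = $NeedsRemediation
    # Reason String
    Reason              = $Reason
}
#endregion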