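Function Get-ConfigMgrTPMInventory {
<#
.SYNOPSIS
Extract TPM hardware inventory from ConfigMgr and flag Infineon TPMs running an affected firmware version.
.DESCRIPTION
Connects to the ConfigMgr SMS provider WMI namespace (root\sms\site_<SiteCode>) on the given server,
joins SMS_R_System, SMS_G_System_TPM and SMS_G_System_SYSTEM_ENCLOSURE, and emits one object per device
whose inventoried chassis type is in -ChassisTypes (default: the portable/laptop types 8, 9, 10 and 14).

The Vulnerable flag is $true only when the TPM ManufacturerID is Infineon (0x49465800 = "IFX") AND
ManufacturerVersion falls inside the ranges hard-coded in Test-IsInfineonFirmwareVersionAffected
(4.x with minor <= 33 or 40-42, 5.x <= 61, 6.x <= 42, 7.x <= 61, 133.x <= 32). Those ranges presumably
mirror a vendor/Microsoft advisory table for the Infineon firmware weakness -- confirm them against the
vendor's current list before relying on this report.

Caveats for anyone using this as a vulnerability inventory:
- A non-Infineon TPM always reports Vulnerable = $false. An Infineon TPM whose ManufacturerVersion is
  missing or cannot be parsed as [Version] also reports $false, but a warning is emitted so that this
  false negative is visible rather than silent.
- Only devices whose hardware inventory contains a TPM record AND an enclosure record are returned at
  all; devices with no TPM data, stale inventory, or a chassis type outside -ChassisTypes are absent.
- Firmware version is a heuristic: it does not prove that any key on the device was generated by the
  weak firmware, nor that an updated device has had its keys regenerated.
- If the WMI connection fails the function writes a warning and returns nothing; callers must not
  treat an empty result as "no affected devices".
.PARAMETER ServerName
Specify your ConfigMgr SMS provider server name (FQDN recommended).
.PARAMETER SiteCode
Specify your ConfigMgr site code (ConfigMgr site codes are three alphanumeric characters, e.g. 'P01');
it is interpolated into the WMI namespace path root\sms\site_<SiteCode>.
.PARAMETER ChassisTypes
SMBIOS chassis type values to include, matched against SMS_G_System_SYSTEM_ENCLOSURE.ChassisTypes.
Defaults to @(8, 9, 10, 14) (portable, laptop, notebook, sub-notebook), which is what the original
inventory targeted. Pass a wider list to cover other form factors (e.g. 3 = desktop, 30-32 = tablet/
convertible/detachable). Each value is cast to [int] before it reaches the WQL string, so the parameter
cannot inject query text.
.OUTPUTS
PSCustomObject with ComputerName, TPMManufacturer (numeric ID), TPMVersion (raw ManufacturerVersion
string), Vulnerable ([bool]) and ManufacturerName (4-byte vendor ID decoded as ASCII, e.g. "IFX" followed
by a NUL character, exactly as the original produced it).
.EXAMPLE
Get-ConfigMgrTPMInventory -ServerName $myserver.fqdn -SiteCode $CMcode
.EXAMPLE
Get-ConfigMgrTPMInventory -ServerName $myserver.fqdn -SiteCode $CMcode |
Group -Property ManufacturerName,Vulnerable -NoElement
.EXAMPLE
# Include desktops and tablet-style chassis as well as laptops
Get-ConfigMgrTPMInventory -ServerName $myserver.fqdn -SiteCode $CMcode -ChassisTypes 3,8,9,10,14,30,31,32 |
Where-Object Vulnerable
#>
[CmdletBinding()]
Param(
    [Parameter(Mandatory)]
    [string]$ServerName,
    [Parameter(Mandatory)]
    [String]$SiteCode,
    [Parameter()]
    [ValidateNotNullOrEmpty()]
    [int[]]$ChassisTypes = @(8, 9, 10, 14)
)
Begin {
    # Returns $true when an Infineon TPM firmware version is inside one of the affected ranges.
    # The thresholds are taken as-is from the original; they should be re-checked against the
    # current vendor/advisory table rather than treated as authoritative.
    Function Test-IsInfineonFirmwareVersionAffected {
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory)]
        [Version]$Version
    )
    Begin {}
    Process {
        # Each arm is a condition script block; $_ is the [Version] being switched on.
        Switch ($Version) {
            { $_.Major -eq 4 } {
                # 4.x: everything up to 4.33, plus the 4.40-4.42 range
                return ($_.Minor -le 33 -or $_.Minor -in @(40..42))
            }
            { $_.Major -eq 5 } {
                return ($_.Minor -le 61)
            }
            { $_.Major -eq 6 } {
                return ($_.Minor -le 42)
            }
            { $_.Major -eq 7 } {
                return ($_.Minor -le 61)
            }
            { $_.Major -eq 133 } {
                return ($_.Minor -le 32)
            }
            # Any other major version is treated as not affected
            default { $false }
        }
    }
    End {}
    }
}
Process {
    try {
        $swbemLocator = New-Object -com WbemScripting.SWbemLocator
        $swbemServices = $swbemLocator.ConnectServer("$($ServerName)", "root\sms\site_$($SiteCode)")
    } catch {
        Write-Warning -Message "Failed to connect because $($_.Exception.Message)"
    }
    if ($swbemServices) {
        # Build the chassis filter from validated integers only; the WQL text itself is constant.
        $chassisFilter = ($ChassisTypes | ForEach-Object { '"{0}"' -f [int]$_ }) -join ', '
        $query = ('select SMS_R_System.Name, SMS_G_System_TPM.* from SMS_R_System ' +
                  'inner join SMS_G_System_TPM on SMS_G_System_TPM.ResourceID = SMS_R_System.ResourceId ' +
                  'inner join SMS_G_System_SYSTEM_ENCLOSURE on SMS_G_System_SYSTEM_ENCLOSURE.ResourceId = SMS_R_System.ResourceId ' +
                  'where SMS_G_System_SYSTEM_ENCLOSURE.ChassisTypes in ({0})') -f $chassisFilter
        $swbemServices.ExecQuery($query) |
        ForEach-Object {
            # Joined WQL results expose each class as a nested SWbemObject property.
            $system = $_.Properties_.Item('SMS_R_System').Value
            $tpm    = $_.Properties_.Item('SMS_G_System_TPM').Value
            [PSCustomObject]@{
                ComputerName    = $system.Properties_.Item('Name').Value
                TPMManufacturer = $tpm.Properties_.Item('ManufacturerID').Value
                TPMVersion      = $tpm.Properties_.Item('ManufacturerVersion').Value
            }
        } |
        Select-Object -Property *, @{l = 'Vulnerable'; e = {
            # Capture the pipeline object: inside catch, $_ is the ErrorRecord, not the device.
            $device = $_
            if ($device.TPMManufacturer -ne 0x49465800) { # 0x49465800 = 1229346816 = "IFX" (Infineon)
                $false
            } else {
                try {
                    Test-IsInfineonFirmwareVersionAffected -Version $device.TPMVersion
                } catch {
                    # Missing or unparseable ManufacturerVersion (e.g. a single-component string or $null).
                    # Keep the original $false result, but surface it: silently reporting an Infineon TPM
                    # as "not vulnerable" is a false negative the operator needs to know about.
                    Write-Warning -Message ("Could not evaluate TPM firmware version '{0}' on {1}: {2}. Reporting Vulnerable = False." -f $device.TPMVersion, $device.ComputerName, $_.Exception.Message)
                    $false
                }
            }
        }}, @{l = 'ManufacturerName'; e = {
            # Decode the 4-byte vendor ID as ASCII: format as hex, split into byte pairs, map to chars.
            # X0 drops leading zero bytes, so IDs with a leading NUL decode to fewer than 4 characters;
            # kept as in the original.
            -join (
                ('{0:X0}' -f $_.TPMManufacturer) -split "(?<=\G.{2})", 4 |
                ForEach-Object {
                    [char][int]"0x$($_)"
                }
            )
        }}
    }
}
End {}
}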