Created
October 21, 2017 10:54
-
-
Save p0w3rsh3ll/4615b9996558ed42f0ea867e1f9f4019 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Function Get-ConfigMgrTPMInventory { | |
| <# | |
| .SYNOPSIS | |
| Extract TPM hardware inventory from ConfigMgr | |
| .DESCRIPTION | |
| Looks for TPM versions and test if the manufacturer is Infineon if its version is vulnerable | |
| .PARAMETER ServerName | |
| Specify your ConfigMgr server name | |
| .PARAMETER SiteCode | |
| Specify your ConfigMgr site code | |
| .EXAMPLE | |
| Get-ConfigMgrTPMInventory -ServerName $myserver.fqdn -SiteCode $CMcode | |
| .EXAMPLE | |
| Get-ConfigMgrTPMInventory -ServerName $myserver.fqdn -SiteCode $CMcode | | |
| Group -Property ManufacturerName,Vulnerable -NoElement | |
| #> | |
| [CmdletBinding()] | |
| Param( | |
| [Parameter(Mandatory)] | |
| [string]$ServerName, | |
| [Parameter(Mandatory)] | |
| [String]$SiteCode | |
| ) | |
| Begin { | |
| Function Test-IsInfineonFirmwareVersionAffected { | |
| [CmdletBinding()] | |
| Param( | |
| [Parameter(Mandatory)] | |
| [Version]$Version | |
| ) | |
| Begin {} | |
| Process { | |
| Switch ($Version) { | |
| { $_.Major -eq 4 } { | |
| return ($_.Minor -le 33 -or $_.Minor -in @(40..42)) | |
| } | |
| { $_.Major -eq 5 } { | |
| return ($_.Minor -le 61) | |
| } | |
| { $_.Major -eq 6 } { | |
| return ($_.Minor -le 42) | |
| } | |
| { $_.Major -eq 7 } { | |
| return ($_.Minor -le 61) | |
| } | |
| { $_.Major -eq 133} { | |
| return ($_.Minor -le 32) | |
| } | |
| default {$false} | |
| } | |
| } | |
| End {} | |
| } | |
| } | |
| Process { | |
| try { | |
| $swbemLocator = New-Object -com WbemScripting.SWbemLocator | |
| $swbemServices = $swbemLocator.ConnectServer("$($ServerName)","root\sms\site_$($SiteCode)") | |
| } catch { | |
| Write-Warning -Message "Failed to connect because $($_.Exception.Message)" | |
| } | |
| if ($swbemServices) { | |
| $swbemServices.ExecQuery( | |
| 'select SMS_R_System.Name, SMS_G_System_TPM.* from SMS_R_System | |
| inner join SMS_G_System_TPM on SMS_G_System_TPM.ResourceID = SMS_R_System.ResourceId | |
| inner join SMS_G_System_SYSTEM_ENCLOSURE on SMS_G_System_SYSTEM_ENCLOSURE.ResourceId = SMS_R_System.ResourceId | |
| where SMS_G_System_SYSTEM_ENCLOSURE.ChassisTypes in ("8", "9", "10", "14")' | |
| ) | | |
| ForEach-Object { | |
| [PSCustomObject]@{ | |
| ComputerName = $_.Properties_.Item('SMS_R_System').Value.Properties_.Item('Name').Value ; | |
| TPMManufacturer = $_.Properties_.Item('SMS_G_System_TPM').Value.Properties_.Item('ManufacturerID').Value | |
| TPMVersion = $_.Properties_.Item('SMS_G_System_TPM').Value.Properties_.Item('ManufacturerVersion').Value | |
| } | |
| } | | |
| Select-Object -Property *,@{l='Vulnerable';e={ | |
| if ($_.TPMManufacturer -ne 0x49465800) { # 0x49465800 = 1229346816 | |
| $false | |
| } else { | |
| try { | |
| # "TPM Manufacturer infineon" | |
| # it may throw an exception if the version parsed doesn't work? | |
| Test-IsInfineonFirmwareVersionAffected -Version $_.TPMVersion | |
| } catch { | |
| $false | |
| } | |
| } | |
| }},@{l='ManufacturerName';e={ | |
| -join ( | |
| ('{0:X0}' -f $_.TPMManufacturer) -split "(?<=\G.{2})",4 | | |
| ForEach-Object { | |
| [char][int]"0x$($_)" | |
| } | |
| ) | |
| }} | |
| } | |
| } | |
| End {} | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment