Test-TPMReimann.ps1

#Requires -Version 3
#requires -RunAsAdministrator

<#
.SYNOPSIS

TPM Infineon Riemann Check

.DESCRIPTION

Checks the status of TPM on the local machine and returns status as a PowerShell object.

Must be run at elevated permissions.

.OUTPUTS

PSCustomObject with several properties.

.EXAMPLE
C:\PS> .\Test-TPMReimann.ps1 

hasTPM                         : True
ManufacturerId                 : 0x53544d20
ManufacturerVersion            : 13.12
FirmwareVersionAtLastProvision :
NeedsRemediation               : False
Reason                         : This non-Infineon TPM is not affected by the Riemann issue.  0x53544d20

.EXAMPLE

C:\PS> icm -scriptblock { iwr 'https://gist.githubusercontent.com/keithga/22aa4500de40bc174f2f4921052e3b87/raw/Test-TPMReimann.ps1' | iex } -RunAsAdministrator -ComputerName PC1,PC2

Given the URL path to this script ( to get the script, click on the raw link above ), will run the command on the machines and collect the results locally.

.LINK

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170012

.LINK

#>

[cmdletbinding()]
param()

If (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")){
    Throw "Not Administrator"
}

$TPM = try { Get-Tpm } catch { $Null }

$FirmwareVersionAtLastProvision = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\TPM\WMI" -Name "FirmwareVersionAtLastProvision" -ErrorAction SilentlyContinue | % FirmwareVersionAtLastProvision

#region Infineon version test routines

function Test-RiemannVersion ( [string[]] $version ) {
    # Returns True if not safe

    switch ( $version ) {

        4 { return $version[1] -le 33 -or ($version[1] -ge 40 -and $version[1] -le 42) }
        5 { return $version[1] -le 61 }
        6 { return $version[1] -le 42 }
        7 { return $version[1] -le 61 }
        133 { return $version[1] -le 32 }
        default { return $False }

    }

}

#endregion 

#region Test Logic 

if ( !$TPM ) {

    $Reason = "No TPM found on this system, so the Riemann issue does not apply here."
    $NeedsRemediation = $False

}
elseif ( $TPM.ManufacturerId -ne 0x49465800 ) {

    $Reason = "This non-Infineon TPM is not affected by the Riemann issue.  0x$([convert]::ToString($TPM.ManufacturerId,16))"
    $NeedsRemediation = $False

}

elseif ( $TPM.ManufacturerVersion.IndexOf('.') -eq -1 ) {

    $Reason = "Could not get TPM firmware version from this TPM. $($TPM.ManufacturerVersion)"
    $NeedsRemediation = $False

}
elseif ( Test-RiemannVersion ( $Tpm.ManufacturerVersion -split '\.' ) ) {

    $reason = "This Infineon firmware version TPM is not safe. $($Tpm.ManufacturerVersion)" 
    $NeedsRemediation = $true

}
elseif (!$FirmwareVersionAtLastProvision) {

    $Reason = "We cannot determine what the firmware version was when the TPM was last cleared. Please clear your TPM now that the firmware is safe."
    $NeedsRemediation = $true

}
elseif ($FirmwareVersion -ne $FirmwareVersionAtLastProvision) {

    $Reason = "The firmware version when the TPM was last cleared was different from the current firmware version. Please clear your TPM now that the firmware is safe."
    $NeedsRemediation = $true

} else {

    $reason = 'OK'
    $NeedsRemediation = $False
    
}

#endregion

#region Output Object 

[PSCustomObject] @{  

    # Basic TPM Information
    hasTPM = $TPM -ne $null
    ManufacturerId = "0x" + [convert]::ToString($TPM.ManufacturerId,16)
    ManufacturerVersion = $Tpm.ManufacturerVersion
    FWVersionAtLastProv = $FirmwareVersionAtLastProvision

    # Does the machine need Remediation for Riemann issue?
    NeedsRemediation = $NeedsRemediation

    # Reason String
    Reason = $Reason

} 

#endregion