Yesterday Microsoft published the security advisory ADV170012 (Vulnerability in TPM could allow Security Feature Bypass, CVE-2017-15361), which describes a weakness in the RSA key generation of Infineon's TPM chip firmware: keys generated by affected firmware versions are cryptographically weak.
To remediate, the TPM firmware of all affected machines has to be updated (the updates ship through the device OEMs), so the first step is to find those machines. As always, Configuration Manager hardware inventory can collect the required information.
Ensure the hardware inventory classes TPM (Win32_Tpm) and PC BIOS (Win32_BIOS) are enabled in your client settings; the query below also uses Computer System (Win32_ComputerSystem) to report manufacturer and model, which you will need when looking for the matching OEM firmware update.
Based on the inventoried data we can build a query that lists all affected machines by ManufacturerId (1229346816 is 0x49465800, the Infineon vendor string "IFX" read as an integer) and the firmware version ranges listed in ADV170012 (4.0 to 4.33, 4.40 to 4.42, 5.0 to 5.61, 6.0 to 6.42, 7.0 to 7.61, 133.0 to 133.32):
select SMS_R_System.Name,
       SMS_G_System_TPM.ManufacturerId,
       SMS_G_System_TPM.ManufacturerVersion,
       SMS_G_System_COMPUTER_SYSTEM.Manufacturer,
       SMS_G_System_COMPUTER_SYSTEM.Model,
       SMS_G_System_PC_BIOS.SMBIOSBIOSVersion
from SMS_R_System
inner join SMS_G_System_TPM on SMS_G_System_TPM.ResourceID = SMS_R_System.ResourceId
inner join SMS_G_System_COMPUTER_SYSTEM on SMS_G_System_COMPUTER_SYSTEM.ResourceID = SMS_R_System.ResourceId
inner join SMS_G_System_PC_BIOS on SMS_G_System_PC_BIOS.ResourceId = SMS_R_System.ResourceId
where SMS_G_System_TPM.ManufacturerId = 1229346816
  and (
        (SMS_G_System_TPM.ManufacturerVersion like "4.%"
            and (SMS_G_System_TPM.ManufacturerVersion <= "4.33"
                 or (SMS_G_System_TPM.ManufacturerVersion >= "4.40" and SMS_G_System_TPM.ManufacturerVersion <= "4.42")))
     or (SMS_G_System_TPM.ManufacturerVersion like "5.%"   and SMS_G_System_TPM.ManufacturerVersion <= "5.61")
     or (SMS_G_System_TPM.ManufacturerVersion like "6.%"   and SMS_G_System_TPM.ManufacturerVersion <= "6.42")
     or (SMS_G_System_TPM.ManufacturerVersion like "7.%"   and SMS_G_System_TPM.ManufacturerVersion <= "7.61")
     or (SMS_G_System_TPM.ManufacturerVersion like "133.%" and SMS_G_System_TPM.ManufacturerVersion <= "133.32")
  )
ManufacturerVersion is a string, so these comparisons are lexicographic. That is fine for the two-field versions TPM 1.2 parts report (e.g. 4.40), but TPM 2.0 parts typically report four fields (7.61.nnnn.n), and such a value is not <= "7.61" as a string, so the query would miss it. Compare the result against Get-Tpm output on a few known machines before trusting the list.
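As an added example (not part of the original post), the PowerShell below performs the same ADV170012 check with numeric comparison of the major and minor firmware fields instead of the string comparison WQL is limited to, and reads Win32_Tpm directly so it can be run on a machine to confirm what hardware inventory reports. The version ranges are those published in ADV170012; the function names and the sample values are my own constructed assumptions, not inventory data from the post.

```powershell
# Added example, not part of the original post. Classifies an Infineon TPM firmware
# version against the affected ranges in ADV170012 by comparing the major/minor
# fields numerically, and applies the check to the local machine's Win32_Tpm instance.

# Infineon's ManufacturerId is the vendor string "IFX\0" read as a big-endian uint32.
$InfineonManufacturerId = [uint32]0x49465800   # 1229346816, the value used in the WQL query

# Affected firmware ranges from ADV170012 (major, first and last affected minor).
$Adv170012Ranges = @(
    @{ Major = 4;   MinorFrom = 0;  MinorTo = 33 }
    @{ Major = 4;   MinorFrom = 40; MinorTo = 42 }
    @{ Major = 5;   MinorFrom = 0;  MinorTo = 61 }
    @{ Major = 6;   MinorFrom = 0;  MinorTo = 42 }
    @{ Major = 7;   MinorFrom = 0;  MinorTo = 61 }
    @{ Major = 133; MinorFrom = 0;  MinorTo = 32 }
)

function Test-Adv170012Firmware {
    param(
        [Parameter(Mandatory)] [uint32] $ManufacturerId,
        [Parameter(Mandatory)] [string] $ManufacturerVersion
    )
    # Only Infineon parts are in scope of the advisory.
    if ($ManufacturerId -ne $InfineonManufacturerId) { return $false }

    # Win32_Tpm reports "4.40" on TPM 1.2 parts but typically "5.61.2785.0" on TPM 2.0 parts;
    # the advisory's ranges refer to the first two fields only, so parse just those.
    $fields = $ManufacturerVersion.Split('.')
    if ($fields.Count -lt 2) {
        throw "Unexpected ManufacturerVersion format: '$ManufacturerVersion'"
    }
    $major = [int]$fields[0]
    $minor = [int]$fields[1]

    foreach ($r in $Adv170012Ranges) {
        if ($major -eq $r.Major -and $minor -ge $r.MinorFrom -and $minor -le $r.MinorTo) {
            return $true
        }
    }
    return $false
}

function Get-LocalTpmAdv170012Status {
    # Win32_Tpm lives in its own namespace, not in root\cimv2; reading it needs elevation.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction Stop
    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        ManufacturerId      = $tpm.ManufacturerId
        ManufacturerVersion = $tpm.ManufacturerVersion
        Affected            = Test-Adv170012Firmware -ManufacturerId $tpm.ManufacturerId -ManufacturerVersion $tpm.ManufacturerVersion
    }
}

# Constructed sample values (not real inventory data) covering both version formats,
# including a TPM 2.0 style string that a lexicographic '<= "5.61"' comparison misses.
$samples = @(
    @{ Id = 0x49465800; Version = '4.40' }
    @{ Id = 0x49465800; Version = '4.43' }
    @{ Id = 0x49465800; Version = '5.61.2785.0' }
    @{ Id = 0x49465800; Version = '7.62.3126.0' }
    @{ Id = 0x49465800; Version = '133.32' }
    @{ Id = 0x53544D20; Version = '71.4' }   # a non-Infineon vendor id: out of scope whatever the version
)
foreach ($s in $samples) {
    $affected = Test-Adv170012Firmware -ManufacturerId $s.Id -ManufacturerVersion $s.Version
    '{0,-12} {1,-14} affected={2}' -f $s.Id, $s.Version, $affected
}

# On a real machine, from an elevated prompt:
# Get-LocalTpmAdv170012Status
```

Run Get-LocalTpmAdv170012Status on a handful of machines the inventory query does and does not list; a disagreement, especially on TPM 2.0 devices, points at the string comparison rather than at the inventory data.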
Updating the firmware only fixes key generation going forward; keys the vulnerable firmware has already generated stay weak. So after the update, decide if and how to re-key every service that relies on TPM-generated keys, e.g. BitLocker (clear the TPM so its storage root key is regenerated, then re-enable the protectors), Windows Hello for Business, and certificates whose private keys were created in the TPM. Public keys already distributed from such keys should be treated as compromised, not just replaced quietly.