
How to List TPM Chips Across All Windows Devices

Using Kolide, you can easily view and query TPM Chips across your fleet.

Introduction

A TPM (Trusted Platform Module) is a computer chip that can securely store artifacts used to authenticate a Windows machine by using hardware-based cryptography.

Examples of such artifacts include passwords, certificates, and encryption keys. Once the TPM is enabled, it helps to provide full-disk encryption capabilities.

What TPM Chip Data Can Kolide Collect?

Kolide's endpoint agent bundles in osquery to efficiently collect TPM Chips from Windows devices in your fleet. Once collected, Kolide will parse, clean up, and centrally store this data in Inventory for your team to view, query, or export via API.

Kolide meticulously documents every piece of data returned so you can understand the results.

TPM Chips Schema

Column | Type | Description

id | Primary Key | Unique identifier for the object

device_id | Foreign Key | Device associated with the entry

device_name | Text | Display name of the device associated with the entry

activated | Boolean | true if the TPM is activated; otherwise, false

enabled | Boolean | true if the TPM is enabled; otherwise, false

manufacturer_id | Integer | The identifying information that uniquely names the TPM manufacturer, in integer format.

Note: This integer value can be translated to a string by interpreting each byte as an ASCII character. For example, the integer value 1414548736 can be divided into these 4 bytes: 0x54, 0x50, 0x4D, and 0x00. Reading the bytes from left to right, this integer value translates to the string "TPM".

Special Values:

  • 0 - The manufacturer's ID is not available

manufacturer_name | Text | The identifying information that uniquely names the TPM manufacturer, in text format

manufacturer_version | Text | The version of the TPM, as specified by the manufacturer

Special Values:

  • Not Supported - Version data is not available

owned | Boolean | true if the TPM chip has an owner; otherwise, false

physical_presence_version | Text | The version of the Physical Presence Interface that the computer supports. The Physical Presence Interface is a communication mechanism used to run device operations that require physical presence.

Special Values:

  • Not Supported - Version data is not available

physical_presence_version_major | Bigint | physical_presence_version's semver major version (ex: 4.2.1 would yield 4)

physical_presence_version_minor | Bigint | physical_presence_version's semver minor version (ex: 4.2.1 would yield 2)

product_name | Text | Product name of the TPM

spec_errata | Float | The errata portion of the Trusted Computing Group (TCG) specification that the TPM supports.

spec_info | Text | The Trusted Computing Group (TCG) specification that the TPM supports.

This value includes the major and minor TCG specification version, the specification revision level, and the errata revision level. All values are in hexadecimal. For example, version information of 1.2, 2, 0 indicates that the device was implemented to TCG specification version 1.2, revision level 2, and with no errata.

Special Values:

  • Not Supported - Version data is not available

spec_revision | Float | The revision portion of the Trusted Computing Group (TCG) specification that the TPM supports.

spec_version | Float | The version portion of the Trusted Computing Group (TCG) specification that the TPM supports.

collected_at | Timestamp | Time the row of data was first collected in the database

updated_at | Timestamp | Time the row of data was last changed in the database
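The manufacturer_id and spec_info columns above are the two encoded values in this schema. The Python below is an added example, not code from Kolide's agent or documentation: it decodes both and handles the documented special values (0 and "Not Supported"). The function names and the dict shape of an inventory row are assumptions made for the example.

```python
# Added example, not Kolide's code: helpers for the two encoded columns in the
# TPM Chips schema (manufacturer_id and spec_info), covering the documented
# special values 0 and "Not Supported". The row layout used below is constructed.

def decode_manufacturer_id(manufacturer_id: int):
    """Interpret the integer as four big-endian bytes of ASCII, read left to right.

    1414548736 -> 0x54 0x50 0x4D 0x00 -> "TPM" (trailing NUL padding dropped).
    Returns None for the special value 0 (manufacturer ID not available).
    """
    if manufacturer_id == 0:
        return None
    raw = manufacturer_id.to_bytes(4, "big")  # OverflowError if not a 32-bit value
    return raw.rstrip(b"\x00").decode("ascii")


def parse_spec_info(spec_info: str):
    """Split "1.2, 2, 0" into (spec_version, spec_revision, spec_errata) floats.

    Returns None for the special value "Not Supported". The schema says the
    fields are hexadecimal; the example values on the page use only digits 0-9,
    for which decimal parsing yields the same numbers (assumption made here).
    """
    if spec_info.strip() == "Not Supported":
        return None
    parts = [p.strip() for p in spec_info.split(",")]
    if len(parts) != 3:
        raise ValueError(f"unexpected spec_info format: {spec_info!r}")
    version, revision, errata = (float(p) for p in parts)
    return version, revision, errata


def summarize_tpm_row(row: dict) -> dict:
    """Describe one inventory row; `row` carries the schema columns used here."""
    spec = parse_spec_info(row["spec_info"])
    return {
        "device_name": row["device_name"],
        "manufacturer": decode_manufacturer_id(row["manufacturer_id"]),
        "spec": spec,
        # TPM 2.0 or newer is the recommended baseline; an unknown spec is not a pass
        "is_tpm_2_0": spec is not None and spec[0] >= 2.0,
    }


if __name__ == "__main__":
    # Constructed sample row; values are illustrative, not from a real device
    sample = {"device_name": "example-pc", "manufacturer_id": 1414548736,
              "spec_info": "1.2, 2, 3"}
    print(summarize_tpm_row(sample))
```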

What Can You Do With This Information?

Kolide enables you to write your own queries against the data the agent collects. This allows you to build your own reports and API endpoints. For example, you can:

List Windows Devices that do not have a TPM

Kolide SQL:

SELECT
  devices.name AS device_name,
  devices.id AS device_id,
  devices.hardware AS device_hardware
FROM
  devices
  LEFT JOIN device_tpms ON devices.id = device_tpms.device_id
WHERE
  devices.type = 'WindowsDevice'
  AND device_tpms.id IS NULL
  -- Only include devices that have checked in to Kolide since we've been collecting TPM data
  AND devices.last_seen_at > '2022-07-01';

Example Results:

device_id | device_name | device_hardware
1 | Dobby's Computer | XPS 13 9310
2 | KOLIDE-X1-CARBON-G3 | ThinkPad X1 Extreme Gen 3

Locate Devices that are using an older and less secure TPM spec

Kolide SQL:

-- Microsoft recommends TPM 2.0 or above
-- For more information see: https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/tpm-recommendations
SELECT
  devices.id,
  devices.name,
  devices.hardware,
  device_tpms.spec_info
FROM device_tpms
JOIN devices ON device_tpms.device_id = devices.id
WHERE device_tpms.spec_version < 2.0;

Example Results:

id | name | hardware | spec_info
1 | Adam's PC | Surface Book | 1.2, 2, 3
2 | DESKTOP-ABC123 | ThinkPad X1 Yoga (1st Gen) | 1.2, 2, 3

Find Devices with a TPM in an undesirable state

Kolide SQL:

SELECT
  device_name,
  device_id,
  enabled AS tpm_enabled,
  activated AS tpm_activated,
  owned AS tpm_owned
FROM
  device_tpms
WHERE
  enabled = false
  OR activated = false
  OR owned = false;

Example Results:

device_id | device_name | tpm_owned | tpm_enabled | tpm_activated
1 | Wolfgangs-HP | false | false | false
2 | Quinn-Test-PC | false | true | true
3 | lenovo-thinkpad | false | true | true

Why Should I Collect TPM Chips?

IT & Security administrators may review information about the TPM for several reasons:

  • Verifying that the TPM is enabled.
  • Verifying that the TPM is activated.
  • Verifying TPM ownership.
  • Verifying TPM product and manufacturer information.
  • Verifying the PC meets the minimum requirements for Windows 11 and above.

For more information, please read https://www.kolide.com/blog/windows-11-security-and-tpm-2-0-what-you-need-to-know.

End-User Privacy Consideration

Kolide practices Honest Security. We believe that data should be collected from end-user devices transparently and with privacy in mind.

When you use Kolide to list TPM Chip data from end-user devices, Kolide gives the people using those devices insight into exactly what data is collected, the privacy implications, and who on the IT team can see the data. This all happens in our end-user privacy center, which employees can access through their Slack or Google Workspace account.
