Complete

An update to the component that runs Live Discover launching Fall 2022 will provide TPM data.

Using Live Discover to determine TPM enabled devices

Does anyone know of a SQL Query format in the Designer Mode in Live Discover that will allow me to query all Windows devices to determine which online systems have a TPM module?

Thanks.

-Andy

Parents
  • The following query may allow you to get information from the registry for this purpose, though I couldn’t find a specific location that will work across all systems. 

    SELECT * 
       FROM registry WHERE path LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\MMC\SnapIns\FX:{7d3830aa-e69e-4e17-8bd1-1b87b97099da}\%' 
       AND name IN ('RuntimeVersion', 'Type')

    The built-in query "BitLocker info" may also work to get some information. 

    I couldn’t locate TPM information referenced in the osquery or Sophos Schema documents, so this may need to be added as a feature improvement. I will reach out to our team to verify.

  • Beginning with osquery version 5.0.1 there is a table "tpm_info" which will be added. Currently, the version of osquery that's built into Sophos is running version 4.9, once this is updated, the tpm information will be made available.

  • SophosOsquery.exe (with date 26.07.2022) on our clients says it's version 5.0.1. Can you help us with a query regarding tpm_info? 

Comment Children
No Data