How to Detect TPM versions using Saner CVEM

Modified on Fri, 1 Aug at 12:53 AM

TPM Overview:

The Trusted Platform Module (TPM) is a hardware-based security chip embedded in modern computing devices. It is designed to provide robust security features by securely storing cryptographic keys, passwords, and certificates. TPM plays a vital role in protecting device integrity and enabling secure boot processes, credential protection, and disk encryption technologies such as BitLocker.


Key Functions of TPM

  • Secure storage of cryptographic keys and credentials

  • Platform integrity verification during system startup

  • Enables Secure Boot and Trusted Attestation

  • Supports full-disk encryption solutions like BitLocker

  • Enhances credential security (e.g., Windows Hello, Credential Guard)


Steps to Detect TPM Version Using Saner CVEM

To check the TPM version (e.g., TPM 2.0) across devices, follow these steps using the Posture Anomaly module in Saner CVEM:


Step-by-Step Instructions

1. Open the PA Module

  • Log in to the Saner CVEM console.

  • Navigate to the PA (Posture Anomaly) module.

2. Create a Custom Detection Rule

  • Go to the Custom Rules section.

  • Click on the Detection tab to begin creating a new detection rule.

3. Add a WMI-Based Detection Query

  • In the Detection section, search for "WMI".

  • Drag and drop the WMI block into the Query Builder pane.

4. Configure the WMI Query

Fill in the following values:

  • WMI Namespace → root\CIMV2\Security\MicrosoftTpm

  • Windows Query Language (WQL) → SELECT SpecVersion FROM Win32_Tpm

  • WMI Result Regex → ^.*$
    (This ensures that any returned value is captured.)

5. Select Target Devices

  • Choose the target devices from which you want to collect TPM version data.

  • Click Deploy to proceed.

6. Configure Package Details

  • Provide a relevant package name, e.g., “TPM Version Detection”.

  • Specify how frequently the query should run on the target devices.

  • Click Update Package to save the configuration.

7. Submit the Query

  • Click Submit or Send Query to Agents to deploy the detection rule.

8. Fetch and View Results

  • After the query runs, click Fetch to retrieve the results.


  • The Results Pane will show devices along with their detected TPM version (e.g., 2.0 or 1.2).
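
To triage the fetched results, the following added example (not part of the original article or of Saner CVEM) parses raw SpecVersion values and lists the devices that do not report TPM 2.0. It assumes the results are available as (hostname, SpecVersion) pairs; the hostnames and sample values are constructed, and the function names are hypothetical.

```python
import re

# Win32_Tpm.SpecVersion is a comma-separated string: TCG spec version,
# revision level, errata (for example "2.0, 0, 1.38" or "1.2, 2, 3").
SPEC_RE = re.compile(r"^\s*(\d+)\.(\d+)\s*(?:,|$)")

def classify_spec_version(raw):
    """Map one raw SpecVersion value to (family, reports_tpm20_or_later)."""
    if raw is None or not raw.strip():
        # The query returned nothing: no Win32_Tpm instance on the device.
        return ("no-tpm-data", False)
    m = SPEC_RE.match(raw)
    if not m:
        # Non-version text; flag for manual review instead of guessing.
        return ("unparsed", False)
    major, minor = int(m.group(1)), int(m.group(2))
    return (f"{major}.{minor}", (major, minor) >= (2, 0))

def summarize(results):
    """Group hostnames by TPM family and list those not reporting TPM 2.0."""
    by_family, below_20 = {}, []
    for host, raw in results:
        family, ok = classify_spec_version(raw)
        by_family.setdefault(family, []).append(host)
        if not ok:
            below_20.append(host)
    return by_family, sorted(below_20)

# Constructed sample rows (hostname, SpecVersion); not real fleet data.
SAMPLE = [
    ("ws-001", "2.0, 0, 1.38"),
    ("ws-002", "1.2, 2, 3"),
    ("ws-003", ""),
    ("ws-004", "Not Supported"),
    ("ws-005", "2.0"),
]

if __name__ == "__main__":
    families, failing = summarize(SAMPLE)
    for family, hosts in sorted(families.items()):
        print(f"{family}: {', '.join(hosts)}")
    print("Not reporting TPM 2.0:", ", ".join(failing))
```

Devices in the "no-tpm-data" and "unparsed" groups are reported alongside TPM 1.2 devices so that a missing or disabled TPM is not mistaken for a compliant one.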


Conclusion:

By following the above steps, you can effectively detect the TPM version on devices in your environment using Saner CVEM. This is especially useful for ensuring compliance with modern security standards such as those required by Windows 11.

If you need further assistance or help building other queries, feel free to contact our support team.
