Guest User!

You are not Sophos Staff.

Browse Live Discover and Response Queries by Category
Complete

An update to the component that runs Live Discover launching Fall 2022 will provide TPM data.

Using Live Discover to determine TPM enabled devices

Does anyone know of a SQL Query format in the Designer Mode in Live Discover that will allow me to query all Windows devices to determine which online systems have a TPM module?

Thanks.

-Andy

Tenchima
Parents

  • The following query may allow you to get information from the registry for this purpose, though I couldn’t find a specific location that will work across all systems. 

    SELECT * 
   FROM registry WHERE path LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\MMC\SnapIns\FX:{7d3830aa-e69e-4e17-8bd1-1b87b97099da}\%' 
   AND name IN ('RuntimeVersion', 'Type')

    The built-in query "BitLocker info" may also work to get some information. 

    I couldn’t locate TPM information referenced in the osquery or Sophos Schema documents, so this may need to be added as a feature improvement. I will reach out to our team to verify.

  • in reply to Qoosh

    Beginning with osquery version 5.0.1 there is a table "tpm_info" which will be added. Currently, the version of osquery that's built into Sophos is running version 4.9, once this is updated, the tpm information will be made available.

Comment
  • in reply to Qoosh

    Beginning with osquery version 5.0.1 there is a table "tpm_info" which will be added. Currently, the version of osquery that's built into Sophos is running version 4.9, once this is updated, the tpm information will be made available.

Children
Unfiltered HTML