New Device Inventory: TPM Chips
We are excited to introduce a new Device Property to Kolide’s data collection capabilities, TPM Chips.
What is a TPM?
A TPM (or Trusted Platform Module) is a piece of hardware embedded into modern consumer and enterprise PCs shipped in the last few years. The TPM is used to power many of the advanced security features of the host operating system.
For example, if a TPM is available on Windows, it can be used to encrypt the disk of a Windows PC securely. Other Windows features enabled by a modern TPM include Credential Guard, Device Health Attestations, Windows Hello Passwordless Access, Virtual Smart Cards, and more.
Why Did Kolide Add TPM Visibility?
A modern TPM is a core requirement for upgrading to Windows 11. Knowing this, understanding the state of your device’s TPMs is essential. For example, you may want to find devices without a TPM or an older TPM that may not be as secure.
Unlike Apple’s Secure Enclave, which is essentially entirely abstracted from the end user’s experience, users can configure TPMs directly. This means administrative users can clear, deactivate, or even change the ownership of the built-in TPM chip using convenient UI-based tools built right into Windows. Kolide can enumerate the state of the TPM and help you locate TPMs that have been tampered with.
How Does TPM Visibility Work?
Kolide’s agent takes advantage of osquery’s tpm_info
table, which enumerates
TPM information using the WMI class Win32_Tpm
. Kolide parses this information to make it easier to query and stores it in
Inventory and our Reporting DB feature.
spec_info
and breaks it into number-based fields to make it easier to compare versions.Privacy Center and Data Collection
Like all of our device properties, we have included relevant information about TPMs in the Privacy Center. This includes:
- The purpose of the collection
- Privacy information
- A representative data set of what information the device will return
We collect TPM info by default. If you don’t want to collect this data from your fleet, you can also take advantage of our new data collection opt-out feature.
We hope you enjoy this new addition to Inventory. As always, we encourage you to reach out to us for more suggestions, questions, and feedback. If there is something Kolide should be enumerating, we want to know about it!