TPM WMI Query Fails To Debug

mjohnson2469 · March 3, 2016, 7:32pm

I am trying to detect the activation of the TPM by querying WMI. I stared with wanting to see what values resulted from querying the string with:

string values of selects "IsActivated_InitialValue from Win32_Tpm" of wmi as string

but it errors out with An error occurred while communicating with the client.

I have tried both the local client evaluation and local debugger and the result is the same.

I then moved to trying another statement of

if (exists wmi "root\CIMV2\Security\MicrosoftTpm") then ((if (exists (select objects "IsActivated_InitialValue from Win32_Tpm" of wmi "root\CIMV2\Security\MicrosoftTpm") whose ((string value of property "IsActivated_InitialValue" of it = "True") )) then "Activated" ELSE "Not Activated") as string) else "Undetected"

Which failed in the same way.

What is going wrong here?

Any assistance is appreciated.

mjohnson2469 · March 3, 2016, 8:29pm

I found that this code doesn’t work in the Debugger, but works fine when entered in the console.

zpt8mjs · March 3, 2016, 10:30pm

What version of the debugger are you using? I was able to run this successfully in the 9.2.5.130 Fixlet debugger.

What error are you getting?

TheTick · March 3, 2016, 10:35pm

Tried it in 9.2.6.94 and it works fine.

The first one does fail with:
The expression could not be evaluated: Windows Error 0x80041010: Invalid class

But if I change it to:
string values of selects “IsActivated_InitialValue from Win32_Tpm” of wmi “root\CIMV2\Security\MicrosoftTpm” as string

It works correctly.

jgstew · March 4, 2016, 7:50am

I have come across this as well with WMI, particularly with Windows 10. This is because the relevance through the console is evaluated with SYSTEM privileges, while the Fixlet Debugger is run as Admin.

You must execute the Fixlet Debugger as SYSTEM using PSExec to put it at similar permission level, and even then the results may not always match.

Related: Determine TPM Presence With Relevance