In this post, I will show you how you can use CMPivot query to find TPM status and gather TPM details from remote computers. Using CMPivot query, checking the TPM status is easy.
You are aware that Microsoft introduced Windows 11 with TPM 2.0 as a prerequisite. TPM 2.0 is required to run Windows 11, as an important building block for security-related features.
A Trusted Platform Module (TPM) is a microchip designed to provide basic security-related functions, primarily involving encryption keys.
Before you upgrade to Windows 11, you must ensure the TPM 2.0 is enabled and activated on the computer. This will ensure smooth upgrade to Windows 11.
The CMPivot feature is a very useful feature in Configuration Manager. CMPivot allows you to quickly assess the state of devices in your environment and take suitable action.
The good news is CMPivot feature is available for Configuration Manager version 1806 and later. Microsoft keeps adding new features and improvements to CMPivot feature.
When you enter a query, CMPivot will run a query in real time on all currently connected devices in the selected collection. You can learn about it from Microsoft CMPivot documentation.
The CMPivot query in SCCM can be used to find the TPM status and details such as TPM version, Manufacturer ID etc. on computers running Windows 10 or Windows 11.
There are multiple methods that you can use to check the TPM status on a computer. For example, you can check the TPM status using command line.
Another easy way to find TPM status on a computer is by using SCCM Task Sequence. The Check Readiness step in the task sequence includes checks for TPM 2.0 or later.
Read: How to Enable TPM 2.0 Check in SCCM Task Sequence
If you don’t want to use a task sequence to check TPM status, you can use the CMPivot query. Refer to CMPivot Standalone App deployment guide to deploy CMPivot as a standalone app on your computers.
CMPivot Query to Find TPM Status
Let’s see how to check the TPM status on your Windows computers using CMPivot query. First launch the CMPivot query using the following steps.
- Launch the Configuration Manager console.
- Navigate to Assets and Compliance > Overview > Device Collections.
- Right-click a device collection and select Start CMPivot.
The CMPivot tool should launch in few seconds. In the query window, type TPMStatus and click Run Query. The TPMStatus command returns the status of TPM for all the devices part of SCCM device collection.
The TPMStatus results in CMPivot query includes the following information:
- Device
- Information
- IsApplicable
- IsReady
Find TPM Enabled and Activated Status using CMPivot query
If you want to find out if the TPM is activated and enabled on your computers, you can use the following CMPivot query.
TPM | where IsEnabled_InitialValue == true and IsActivated_InitialValue == true
- IsActivated_InitialValue – Indicates whether the TPM is activated.
- IsEnabled_InitialValue – Indicates whether the TPM is enabled.
Find TPM Details using CMPivot Query
In addition to finding the TPM status, using the CMPivot query, you can also find TPM details.
The CMPivot query “TPM” command shows the following details about the TPM.
- Device
- IsActivated_InitialValue
- IsEnabled_InitialValue
- IsOwned_InitialValue
- ManufacturerId
- ManufacturerVersion
- ManufacturerVersionInfo
- PhysicalPresenceVersionInfo
- SpecVersion
Based on my findings, the query will attempt to run on all devices but only returns the computers that have the TPM enabled.
In other words, if you have Windows 10 computers with TPM not enabled and activated, those computers will not be shown in the results.
In the below example, both the VM’s are running Windows 11 OS and have the TPM 2.0 enabled on each Virtual Machine.
Check TPM version using CMPivot Query
You can use the following CMPivot query to check the TPM version (Manufacturer version) on your computers.
TPM | where ManufacturerVersion contains '2.1'
If you are not sure about the TPM version, you can also tweak the query and instead of contains you can use like or starts with operator.
The CMPivot query TPM | where ManufacturerVersion contains '2.1' returns all the computers that have TPM enabled with version 2.1.
When I export it maxes out at 25000 which is a good enough sample size. Thanks
Hello Mr. Desai,
I want to thank you for your blog. I’ve referenced it many times over the years and have appreciated your insight on SCCM/MECM greatly.
I work in a production environment with ~25k MECM endpoints. We are currently running v2107. Is it possible to run CMPivot on larger collections, say up to 500 objects? It is my understanding that CMPivot had a limitation of 100 objects, but I was unable to locate information directly from Microsoft.
I’d appreciate any information you can provide. Thanks in advance.
Yes, there is no documentation about the limitation or exact count of devices. I will check with Microsoft support and get back with an answer.
I would also like to know I’m on 2303 with 100k+