We have two GPO’s one for TPM 1.2 and one for TPM 2.0, the reason being is TPM 1.2 is not compataible with 256 encryption.
Here’s a handy table Dell have produced:
https://www.dell.com/support/article/us/en/04/sln312590/tpm-12-vs-20-features?lang=en
| Algorithm Type | Algorithm Name | TPM 1.2 | TPM 2.0 |
| Asymmetric | RSA 1024 | Yes | Optional |
| RSA 2048 | Yes | Yes | |
| ECC P256 | No | Yes | |
| ECC BN256 | No | Yes | |
| Symmetric | AES 128 | Optional | Yes |
| AES 256 | Optional | Optional | |
| Hash | SHA-1 | Yes | Yes |
| SHA-2 256 | No | Yes | |
| HMAC | SHA-1 | Yes | Yes |
| SHA-2 256 | No | Yes |
We then use WMI filtering to distinguish TPM 1.2 from 2.0.
The TPM 1.2 WMI filter:
Namespace:
root\cimv2\security\microsofttpm
Query:
Select * from win32_tpm WHERE SpecVersion like "%1.2%"
The TPM 2.0 WMI filter:
Namespace:
root\cimv2\security\microsofttpm
Query:
Select * from win32_tpm WHERE SpecVersion like "%2.0%"
