Title

Windows Server 2016 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use. (Cat II impact)

Discussion

Credential Guard uses virtualization-based security to protect data that could be used in credential theft attacks if compromised. A number of system requirements must be met for Credential Guard to be configured and enabled properly. Without a TPM enabled and ready for use, Credential Guard keys are stored in a less secure method using software.

Check Content

For standalone or nondomain-joined systems, this is NA. Verify the system has a TPM and it is ready for use. Run "tpm.msc". Review the sections in the center pane. "Status" must indicate it has been configured with a message such as "The TPM is ready for use" or "The TPM is on and ownership has been taken". TPM Manufacturer Information - Specific Version = 2.0 or 1.2 If a TPM is not found or is not ready for use, this is a finding.

Fix Text

Ensure domain-joined systems have a TPM that is configured for use. (Versions 2.0 or 1.2 support Credential Guard.) The TPM must be enabled in the firmware. Run "tpm.msc" for configuration options in Windows.

Additional Identifiers

Rule ID: SV-224827r902425_rule

Vulnerability ID: V-224827

Group Title: SRG-OS-000480-GPOS-00227

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.