UCF STIG Viewer Logo

Windows Server 2016 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use.


Overview

Finding ID Version Rule ID IA Controls Severity
V-224827 WN16-00-000100 SV-224827r569186_rule Medium
Description
Credential Guard uses virtualization-based security to protect data that could be used in credential theft attacks if compromised. A number of system requirements must be met in order for Credential Guard to be configured and enabled properly. Without a TPM enabled and ready for use, Credential Guard keys are stored in a less secure method using software.
STIG Date
Microsoft Windows Server 2016 Security Technical Implementation Guide 2022-03-01

Details

Check Text ( C-26518r465383_chk )
For standalone systems, this is NA.

Current hardware and virtual environments may not support virtualization-based security features, including Credential Guard, due to specific supporting requirements including a TPM, UEFI with Secure Boot, and the capability to run the Hyper-V feature within a virtual machine.

Verify the system has a TPM and it is ready for use.

Run "tpm.msc".

Review the sections in the center pane.

"Status" must indicate it has been configured with a message such as "The TPM is ready for use" or "The TPM is on and ownership has been taken".

TPM Manufacturer Information - Specific Version = 2.0 or 1.2

If a TPM is not found or is not ready for use, this is a finding.
Fix Text (F-26506r465384_fix)
Ensure domain-joined systems have a TPM that is configured for use. (Versions 2.0 or 1.2 support Credential Guard.)

The TPM must be enabled in the firmware.

Run "tpm.msc" for configuration options in Windows.