
Domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use.


Overview

Finding ID: V-63323
Version: WN10-00-000010
Rule ID: SV-77813r1_rule
IA Controls: (none listed)
Severity: Medium
Description
Credential Guard uses virtualization based security to protect secrets that could be used in credential theft attacks if compromised. There are a number of system requirements that must be met in order for Credential Guard to be configured and enabled properly. Without a TPM enabled and ready for use, Credential Guard keys are stored in a less secure method using software.
STIG: Windows 10 Security Technical Implementation Guide
Date: 2015-11-30

Details

Check Text (C-64057r2_chk)
Verify domain-joined systems have a TPM enabled and ready for use.
For standalone systems, this is NA. For virtual desktop implementations (VDI) that are dynamically generated at user log on and deleted at log off, and cannot meet the supporting requirements, this is NA. Supporting requirements include TPM, UEFI with Secure Boot and Hyper-V.

Verify the system has a TPM and is ready for use.
Run "tpm.msc".
Review the sections in the center pane.
"Status" must indicate it has been configured with a message such as "The TPM is ready for use" or "The TPM is on and ownership has been taken".
TPM Manufacturer Information - Specific Version = 2.0 or 1.2

If a TPM is not found or is not ready for use, this is a finding.
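The manual tpm.msc check above can be scripted. The following PowerShell is an added example and not part of the STIG text; it assumes an elevated session on Windows 10 where the TrustedPlatformModule module (Get-Tpm) and the Win32_Tpm CIM class are available, and it does not detect the VDI exception, which must be judged by hand.

```powershell
# Added example for WN10-00-000010 (not STIG-supplied code).
# Assumes: elevated PowerShell on Windows 10; Get-Tpm and Win32_Tpm available.

# Standalone (non-domain-joined) systems are NA for this requirement.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    Write-Output "WN10-00-000010: Not Applicable (standalone system)."
    return
}

# Win32_Tpm is absent when no TPM is present or it is disabled in firmware.
$tpm = Get-CimInstance -Namespace root/cimv2/security/microsofttpm `
                       -ClassName Win32_Tpm -ErrorAction SilentlyContinue
if (-not $tpm) {
    Write-Output "WN10-00-000010: FINDING - no TPM found (enable it in firmware)."
    return
}

# SpecVersion reads like "2.0, 0, 1.16"; the first field is the TPM spec version.
$specVersion = ($tpm.SpecVersion -split ',')[0].Trim()

# Get-Tpm reports the same readiness state that tpm.msc shows under "Status".
$state = Get-Tpm

$ready     = $state.TpmPresent -and $state.TpmReady
$versionOk = $specVersion -in @('2.0', '1.2')

Write-Output ("Spec version            : {0}" -f $specVersion)
Write-Output ("Present / Ready         : {0} / {1}" -f $state.TpmPresent, $state.TpmReady)
Write-Output ("Enabled/Activated/Owned : {0}/{1}/{2}" -f $state.TpmEnabled, $state.TpmActivated, $state.TpmOwned)

if ($ready -and $versionOk) {
    Write-Output "WN10-00-000010: Not a finding - TPM is ready for use."
} else {
    Write-Output "WN10-00-000010: FINDING - TPM not ready for use or unsupported version."
}
```

A TPM that is present but not ready (for example, not yet provisioned) reports TpmReady as False, matching the "not ready for use" condition in the check text.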
Fix Text (F-69241r2_fix)
For standalone systems, this is NA. For virtual desktop implementations (VDI) that are dynamically generated at user log on and deleted at log off, and cannot meet the supporting requirements, this is NA. Supporting requirements include TPM, UEFI with Secure Boot and Hyper-V.

Ensure domain-joined systems have a Trusted Platform Module (TPM) that is configured for use. (The initial release of Windows 10 requires version 2.0; a later release of Windows 10 will add support for version 1.2.)

The TPM must be enabled in the firmware.
Run "tpm.msc" for configuration options in Windows.