Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
Domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-73237 | WN16-00-000100 | SV-87889r1_rule | Low |
| Description |
|---|
| Credential Guard uses virtualization-based security to protect data that could be used in credential theft attacks if compromised. A number of system requirements must be met in order for Credential Guard to be configured and enabled properly. Without a TPM enabled and ready for use, Credential Guard keys are stored in a less secure method using software. |
| STIG | Date |
|---|---|
| Windows Server 2016 Security Technical Implementation Guide | 2018-03-07 |
Details
| Check Text ( C-73341r1_chk ) |
|---|
| For standalone systems, this is NA. Current hardware and virtual environments may not support virtualization-based security features, including Credential Guard, due to specific supporting requirements including a TPM, UEFI with Secure Boot, and the capability to run the Hyper-V feature within a virtual machine. Verify the system has a TPM and it is ready for use. Run "tpm.msc". Review the sections in the center pane. "Status" must indicate it has been configured with a message such as "The TPM is ready for use" or "The TPM is on and ownership has been taken". TPM Manufacturer Information - Specific Version = 2.0 or 1.2 If a TPM is not found or is not ready for use, this is a finding. |
| Fix Text (F-79681r1_fix) |
|---|
| Ensure domain-joined systems have a TPM that is configured for use. (Versions 2.0 or 1.2 support Credential Guard.) The TPM must be enabled in the firmware. Run "tpm.msc" for configuration options in Windows. |