Microsoft Windows Server 2016

Windows Server 2016 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use

STIG ID: WN16-00-000100 | SRG: SRG-OS-000480-GPOS-00227 | Severity: Medium | CCI: CCI-000366 | Vulnerability ID: V-224827

Description

Credential Guard uses virtualization-based security to protect data that could be used in credential theft attacks if compromised. A number of system requirements must be met for Credential Guard to be configured and enabled properly. Without a TPM enabled and ready for use, Credential Guard keys are stored in a less secure method using software.

Check

For standalone or nondomain-joined systems, this is NA.Verify the system has a TPM and it is ready for use.Run "tpm.msc".Review the sections in the center pane."Status" must indicate it has been configured with a message such as "The TPM is ready for use" or "The TPM is on and ownership has been taken".TPM Manufacturer Information - Specific Version = 2.0 or 1.2If a TPM is not found or is not ready for use, this is a finding.

Fix

Ensure domain-joined systems have a TPM that is configured for use. (Versions 2.0 or 1.2 support Credential Guard.)The TPM must be enabled in the firmware.Run "tpm.msc" for configuration options in Windows.