79.3 (L1) Ensure 'Require Security Device' is set to 'true'

Information

This policy controls whether a Trusted Platform Module (TPM) is required to provision Windows Hello for Business.

- If you enable this policy setting, only devices with a usable TPM provision Windows Hello for Business.
- If you disable or don't configure this policy setting, the TPM is still preferred, but all devices provision Windows Hello for Business using software if the TPM is non-functional or unavailable.

The recommended state for this setting is: true

Windows Hello for Business utilizes key-based or certificate-based authentication and makes credential theft extremely difficult.

When backed by a TPM chip, multiple physical security mechanisms are added to make the credential store tamper-resistant.

Solution

To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to true:

Windows Hello For Business\Require Security Device
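To confirm the setting has actually reached a device, the following PowerShell audit helper is an added example (not part of the CIS benchmark or the Tenable plugin). It reads the Group Policy registry location for Windows Hello for Business and, as an assumption based on the PassportForWork CSP layout, the per-tenant MDM policy keys, then reports the TPM state that the Impact note depends on.

```powershell
# Added example: audit the local "Require Security Device" value and TPM state.
# Assumed locations (not from the benchmark text):
#   GPO : HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork  (DWORD RequireSecurityDevice)
#   MDM : HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork\<TenantId>\Device\Policies
# Run from an elevated session; Get-Tpm comes with the built-in TrustedPlatformModule module.

function Get-RequireSecurityDeviceState {
    $results = @()

    # Group Policy delivered value
    $gpo = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork' `
        -Name 'RequireSecurityDevice' -ErrorAction SilentlyContinue
    if ($gpo) {
        $results += [pscustomobject]@{ Source = 'GPO'; Value = [int]$gpo.RequireSecurityDevice }
    }

    # MDM (Settings Catalog) delivered value, one subkey per tenant ID
    $mdmRoot = 'HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork'
    if (Test-Path $mdmRoot) {
        Get-ChildItem -Path $mdmRoot | ForEach-Object {
            $p = "$mdmRoot\$($_.PSChildName)\Device\Policies"
            $v = Get-ItemProperty -Path $p -Name 'RequireSecurityDevice' -ErrorAction SilentlyContinue
            if ($v) {
                $results += [pscustomobject]@{ Source = "MDM:$($_.PSChildName)"; Value = [int]$v.RequireSecurityDevice }
            }
        }
    }
    return $results
}

function Test-RequireSecurityDevice {
    $states = @(Get-RequireSecurityDeviceState)
    $tpm    = Get-Tpm -ErrorAction SilentlyContinue

    # Compliant only if the value is present somewhere and every copy is 1 (true)
    $compliant = ($states.Count -gt 0) -and (-not ($states | Where-Object Value -ne 1))

    [pscustomobject]@{
        PolicyValues = if ($states) { ($states | ForEach-Object { "$($_.Source)=$($_.Value)" }) -join '; ' } else { 'not configured' }
        Compliant    = $compliant
        TpmPresent   = [bool]($tpm -and $tpm.TpmPresent)
        TpmReady     = [bool]($tpm -and $tpm.TpmReady)
    }
}

Test-RequireSecurityDevice | Format-List
```

A device that reports Compliant = True but TpmReady = False will fall back to the Entra ID password sign-in described under Impact, so both fields are worth tracking together.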

Impact:

If the TPM chip unexpectedly fails, the user would be unable to authenticate using their PIN but would still be able to sign in with their Entra ID account password.

See Also

https://workbench.cisecurity.org/benchmarks/16852

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2

Plugin: Windows

Control ID: 5a7cfb9b51e0db628361f740d42e4758eae7cd30da78217a34dafdb4d29b811c