20.25 Ensure 'Domain-joined systems have a Trusted Platform Module (TPM) enabled and ready for use'

Information

This policy setting ensures that all domain-joined systems have a Trusted Platform Module (TPM) enabled and ready for use.

Note: This recommendation does not apply to stand-alone systems.

Credential Guard uses virtualization-based security to protect data that could be used in credential theft attacks if compromised. A number of system requirements must be met in order for Credential Guard to be configured and enabled properly. Without a TPM enabled and ready for use, Credential Guard keys are stored using a less secure, software-only method.

Solution

Ensure that domain-joined systems have a TPM that is configured for use. (Versions 2.0 or 1.2 support Credential Guard.)

Execute tpm.msc for configuration options in the Windows Operating System.
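The same check, scripted so it can be run across a fleet instead of opening tpm.msc by hand. This is an added example, not part of the CIS benchmark or the Tenable audit file; it assumes an elevated session on Windows 8 / Server 2012 or later with the TrustedPlatformModule module (Get-Tpm), and it reports NotApplicable on stand-alone hosts because the control only covers domain-joined systems.

```powershell
# Added example (not from the benchmark or the audit file): audit the local host
# against "TPM enabled and ready for use" and return a result object with evidence.
function Test-DomainJoinedTpmReady {
    [CmdletBinding()]
    param()

    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    # The control does not apply to stand-alone (non-domain-joined) systems.
    if (-not $cs.PartOfDomain) {
        return [pscustomobject]@{ Status = 'NotApplicable'; Reason = 'Host is not domain-joined' }
    }

    $tpm = $null
    try { $tpm = Get-Tpm -ErrorAction Stop } catch { }   # fails when no TPM driver/service is available
    if (-not $tpm -or -not $tpm.TpmPresent) {
        return [pscustomobject]@{ Status = 'Fail'; Reason = 'No TPM present' }
    }

    # Win32_Tpm.SpecVersion reads e.g. "2.0, 0, 1.38"; the first field is the TPM spec version.
    $wmiTpm = Get-CimInstance -Namespace 'root\CIMV2\Security\MicrosoftTpm' -ClassName Win32_Tpm
    $specVersion = ($wmiTpm.SpecVersion -split ',')[0].Trim()
    $supported = $specVersion -in @('1.2', '2.0')   # the versions the benchmark names for Credential Guard

    # Evidence only: whether Credential Guard is actually running (1 in SecurityServicesRunning).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $cgRunning = [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))

    $reasons = @()
    if (-not $tpm.TpmReady) { $reasons += 'TPM is not ready for use (review in tpm.msc)' }
    if (-not $supported)    { $reasons += "TPM spec version '$specVersion' is not 1.2 or 2.0" }
    if ($tpm.LockedOut)     { $reasons += 'TPM is in lockout' }

    [pscustomobject]@{
        Status                 = if ($reasons.Count -eq 0) { 'Pass' } else { 'Fail' }
        Reason                 = ($reasons -join '; ')
        TpmPresent             = $tpm.TpmPresent
        TpmReady               = $tpm.TpmReady
        SpecVersion            = $specVersion
        CredentialGuardRunning = $cgRunning
    }
}

Test-DomainJoinedTpmReady | Format-List
```

Run it under Invoke-Command against a list of hosts to collect the result objects centrally; a Fail with Reason "TPM is not ready for use" is the case the benchmark's Solution section addresses.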

Impact:

Systems without a Trusted Platform Module (TPM) enabled are not authorized.

See Also

https://workbench.cisecurity.org/benchmarks/15105

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b.

Plugin: Windows

Control ID: f194caf3466e7da87b34e5fde667eac911c6f03a2ce2069b6b9756473fac8974