Windows 11 domain-joined systems must have a Trusted Platform Module (TPM) enabled.

An XCCDF Rule

Description

Credential Guard uses virtualization-based security to protect information that could be used in credential theft attacks if compromised. There are a number of system requirements that must be met in order for Credential Guard to be configured and enabled properly. Without a TPM enabled and ready for use, Credential Guard keys are stored in a less secure method using software.

ID: SV-253255r971547_rule
Version: WN11-00-000010
Severity: Medium
References: CCI-002421
Updated: about 2 months ago

Remediation Templates

For standalone systems, this is NA.

Virtualization-based security, including Credential Guard, currently cannot be implemented in virtual desktop implementations (VDI) due to specific supporting requirements including a TPM, UEFI with Secure Boot, and the capability to run the Hyper-V feature within the virtual desktop.

For VDIs where the virtual desktop instance is deleted or refreshed upon logoff, this is NA.
Ensure domain-joined systems must have a TPM that is configured for use. (Versions 2.0 support Credential Guard.)

The TPM must be enabled in the firmware.
Run "tpm.msc" for configuration options in Windows.

Windows 11 domain-joined systems must have a Trusted Platform Module (TPM) enabled.

Description

Remediation Templates

A Manual Procedure