Windows 11 domain-joined systems must have a Trusted Platform Module (TPM) enabled.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-253255 | WN11-00-000010 | SV-253255r971547_rule | CCI-002421 | medium |

Description: Credential Guard uses virtualization-based security to protect information that could be used in credential theft attacks if compromised. There are a number of system requirements that must be met in order for Credential Guard to be configured and enabled properly. Without a TPM enabled and ready for use, Credential Guard keys are stored in a less secure method using software.

| STIG | Date |
|---|---|
| Microsoft Windows 11 Security Technical Implementation Guide | 2025-05-15 |
Related Frameworks
NIST 800-53 mapping
SC-8(1)
1.00
- DISA · 2 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-171 mapping
3.13.8
1.00
- DISA · 2 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI mapping
CCI-002421
1.00
- DISA · 2 · disa_xccdf · related
Details
Check Text (C-253255r971547_chk)
Verify domain-joined systems have a TPM enabled and ready for use.
For standalone systems, this is NA.
Virtualization-based security, including Credential Guard, currently cannot be implemented in virtual desktop implementations (VDI) due to specific supporting requirements including a TPM, UEFI with Secure Boot, and the capability to run the Hyper-V feature within the virtual desktop.
For VDIs where the virtual desktop instance is deleted or refreshed upon logoff, this is NA.
Verify the system has a TPM and is ready for use.
Run "tpm.msc".
Review the sections in the center pane.
"Status" must indicate it has been configured with a message such as "The TPM is ready for use" or "The TPM is on and ownership has been taken".
Under "TPM Manufacturer Information", "Specification Version" must be 2.0.
If a TPM is not found or is not ready for use, this is a finding.
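The check above can be scripted so it can be run across a fleet instead of opening tpm.msc on each host. The following PowerShell is an added example, not part of the STIG text: it applies the standalone-system NA condition, then reads the same state tpm.msc displays via Get-Tpm and the Win32_Tpm CIM class. The VDI exemption cannot be detected reliably from inside the guest, so it is left to the reviewer; the function name is hypothetical, and the Win32_Tpm query needs an elevated prompt.

```powershell
# Added example (not from the STIG): automates the V-253255 check.
# Assumes the TrustedPlatformModule module (Get-Tpm) and the Win32_Tpm CIM
# class are available, as on a stock Windows 11 install. Run elevated.
function Test-Wn11TpmRequirement {
    [CmdletBinding()]
    param()

    $result = [ordered]@{ FindingId = 'V-253255'; Status = 'NotReviewed'; Reason = '' }

    # The rule is NA for standalone (non-domain-joined) systems.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if (-not $cs.PartOfDomain) {
        $result.Status = 'NotApplicable'
        $result.Reason = 'Standalone system (not domain-joined).'
        return [pscustomobject]$result
    }

    # Win32_Tpm is absent when no TPM is exposed to the OS; that is a finding.
    $tpmCim = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' `
        -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpmCim) {
        $result.Status = 'Open'
        $result.Reason = 'No TPM found (Win32_Tpm class not present).'
        return [pscustomobject]$result
    }

    # Get-Tpm reports the same state tpm.msc shows under "Status".
    $tpm = Get-Tpm
    # SpecVersion reads like "2.0, 0, 1.59"; the first field is the spec version.
    $specVersion = ($tpmCim.SpecVersion -split ',')[0].Trim()

    $problems = @()
    if (-not $tpm.TpmPresent) { $problems += 'TPM not present' }
    if (-not $tpm.TpmEnabled) { $problems += 'TPM not enabled in firmware' }
    if (-not $tpm.TpmReady)   { $problems += 'TPM not ready for use' }
    if ($specVersion -ne '2.0') { $problems += "TPM specification version is $specVersion, not 2.0" }

    if ($problems.Count -eq 0) {
        $result.Status = 'NotAFinding'
        $result.Reason = "TPM $specVersion is enabled and ready for use."
    } else {
        $result.Status = 'Open'
        $result.Reason = $problems -join '; '
    }
    [pscustomobject]$result
}

Test-Wn11TpmRequirement | Format-List
```

A Status of Open with "TPM not ready for use" usually means provisioning is pending; re-run after the reboot that tpm.msc or firmware changes request.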
Fix Text (F-56658r828848_fix)
For standalone systems, this is NA.
Virtualization-based security, including Credential Guard, currently cannot be implemented in virtual desktop implementations (VDI) due to specific supporting requirements including a TPM, UEFI with Secure Boot, and the capability to run the Hyper-V feature within the virtual desktop.
For VDIs where the virtual desktop instance is deleted or refreshed upon logoff, this is NA.
Ensure domain-joined systems have a TPM that is configured for use. (Version 2.0 supports Credential Guard.)
The TPM must be enabled in the firmware.
Run "tpm.msc" for configuration options in Windows.