Windows Server 2025 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-277993 | WN25-00-000090 | SV-277993r1182250_rule | CCI-004910 | medium |

Description: Credential Guard uses virtualization-based security to protect data that could be used in credential theft attacks if compromised. A number of system requirements must be met for Credential Guard to be configured and enabled properly. Without a TPM enabled and ready for use, Credential Guard keys are stored in a less secure method using software.

| STIG | Date |
|---|---|
| Microsoft Windows Server 2025 Security Technical Implementation Guide | 2026-02-20 |
Details
Check Text (C-277993r1182250_chk)
For stand-alone or nondomain-joined systems, this is not applicable.
Verify the system has a TPM and it is ready for use.
Run "tpm.msc".
Review the sections in the center pane.
"Status" must indicate it has been configured with a message such as "The TPM is ready for use" or "The TPM is on and ownership has been taken".
TPM Manufacturer Information - Specific Version = 2.0 or 1.2
If a TPM is not found or is not ready for use, this is a finding.
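The same check can be scripted instead of reading tpm.msc by hand. The following PowerShell is an added example, not part of the STIG or DISA tooling: it applies the three conditions above (domain-joined, TPM present and ready, specification version 2.0 or 1.2) and returns a STIG-style result. It assumes the built-in Get-Tpm cmdlet and the Win32_Tpm CIM class are available and that it is run from an elevated prompt; the function name Test-StigTpmReady and the output object layout are this example's own choices.

```powershell
# Added example (not DISA/STIG code): automates the tpm.msc check for WN25-00-000090.
# Assumes Get-Tpm (TrustedPlatformModule module) and the Win32_Tpm CIM class,
# both present on Windows Server 2025; run from an elevated PowerShell session.

function Test-StigTpmReady {
    [CmdletBinding()]
    param()

    # Applicability: stand-alone or nondomain-joined systems are not applicable.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if (-not $cs.PartOfDomain) {
        return [pscustomobject]@{ Status = 'NotApplicable'; Reason = 'System is not domain-joined' }
    }

    # Presence and readiness, the equivalent of the "Status" section in tpm.msc.
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent) {
        return [pscustomobject]@{ Status = 'Open'; Reason = 'No TPM found' }
    }
    if (-not $tpm.TpmReady) {
        return [pscustomobject]@{ Status = 'Open'; Reason = 'TPM is present but not ready for use' }
    }

    # Specification version, the equivalent of "TPM Manufacturer Information" in tpm.msc.
    # Win32_Tpm.SpecVersion is a string such as "2.0, 0, 1.38"; the first field is the spec level.
    $cimTpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm
    $spec = ($cimTpm.SpecVersion -split ',')[0].Trim()
    if ($spec -notin @('2.0', '1.2')) {
        return [pscustomobject]@{ Status = 'Open'; Reason = "Unsupported TPM specification version: $spec" }
    }

    [pscustomobject]@{
        Status      = 'NotAFinding'
        Reason      = "TPM $spec present and ready (manufacturer $($tpm.ManufacturerIdTxt))"
        SpecVersion = $spec
    }
}

# Usage: prints NotApplicable, Open (with the reason) or NotAFinding.
Test-StigTpmReady
```

Get-Tpm's TpmReady flag corresponds to the "The TPM is ready for use" status in tpm.msc; a TPM that is present but disabled in firmware shows TpmPresent as false, which is the case the Fix Text addresses.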
Fix Text (F-82428r1180684_fix)
Ensure domain-joined systems have a TPM that is configured for use. (Versions 2.0 or 1.2 support Credential Guard.)
The TPM must be enabled in the firmware.
Run "tpm.msc" for configuration options in Windows.