Microsoft Exam Questions

On which of the above servers could you enable Credential Guard?

You plan to enable Credential Guard on four servers. Credential Guard secrets will be bound to the TPM.
The servers run Windows Server 2016 and are configured as shown in the following table.

On which of the above servers could you enable Credential Guard?

A. Server1

B. Server2

C. Server3

D. Server4

Explanation:
https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard-requirements
Hardware and software requirements
To provide basic protections against OS level attempts to read Credential Manager domain credentials, NTLM and Kerberos derived credentials, Windows Defender Credential Guard uses:
- Support for Virtualization-based security (required)
- Secure boot (required)
- TPM 2.0 either discrete or firmware (preferred – provides binding to hardware)
- UEFI lock (preferred – prevents attacker from disabling with a simple registry key change)

Background: UEFI 2.3.1 is older than UEFI 2.3.1c
http://www.uefi.org/specifications

When applying the above requirements to Server1, Server2 and Server3:
Server2 is eliminated because its UEFI version is lower than the required 2.3.1c.
Server3 is eliminated because the Hyper-V role is not installed.
Use the following to verify whether the Server4 virtual machine is eligible to run Credential Guard:
Server4

Server4 looks good and could enable Credential Guard.
So, we have to make a choice between Server1 (A) and the Server4 virtual machine (D).
Server4 is the better choice because it uses the newer TPM version 2.0, so D is the correct answer for this question, as Server4 has no uncertainties.
There are documented uncertainties about Server1 using TPM 1.2; there are possibilities and reasonable doubt that Server1 could not bind Credential Guard secrets to TPM 1.2, see below:
https://docs.microsoft.com/en-us/windows/device-security/tpm/tpm-recommendations

Via lab test, we are unable to bind Credential Guard credentials on an old computer with TPM 1.2 purchased nearly 8 years ago. So, Server1 (A) is wrong.
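
One way to check the requirements listed in the explanation (virtualization-based security support, Secure Boot, TPM version) on a given server, as an added example that is not part of the original answer. It assumes Windows Server 2016 or later and an elevated PowerShell session; the function name Get-CredentialGuardReadiness is hypothetical.

```powershell
# Added example: report the Credential Guard prerequisites on the local machine.
# Get-CredentialGuardReadiness is a hypothetical helper name, not a built-in cmdlet.

function Get-CredentialGuardReadiness {
    # Device Guard WMI class: reports VBS capability and which services are running.
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard `
            -Namespace 'root\Microsoft\Windows\DeviceGuard' -ErrorAction Stop

    # Secure Boot: the cmdlet throws on legacy BIOS systems, so treat that as "off".
    try   { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $secureBoot = $false }

    # TPM: SpecVersion is a string such as "2.0, 0, 1.16"; the first field is the
    # specification version (1.2 or 2.0).
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
            -ClassName Win32_Tpm -ErrorAction SilentlyContinue |
            Select-Object -First 1
    $tpmVersion = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'none' }

    [pscustomobject]@{
        # AvailableSecurityProperties: 1 = hypervisor support, 2 = Secure Boot
        VbsHypervisorSupport      = $dg.AvailableSecurityProperties -contains 1
        SecureBootEnabled         = $secureBoot
        TpmVersion                = $tpmVersion
        # "Preferred" in the requirements list: TPM 2.0 for binding to hardware
        TpmMeetsPreferred         = $tpmVersion -eq '2.0'
        # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled, 2 = running
        VbsStatus                 = $dg.VirtualizationBasedSecurityStatus
        # SecurityServicesConfigured / Running: 1 = Credential Guard
        CredentialGuardConfigured = $dg.SecurityServicesConfigured -contains 1
        CredentialGuardRunning    = $dg.SecurityServicesRunning -contains 1
    }
}

Get-CredentialGuardReadiness | Format-List
```

On a machine where Credential Guard is already enabled, CredentialGuardRunning is True and VbsStatus is 2; on a candidate machine, the first four fields show which of the listed requirements are met.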