Merged PR 2403: Add new policy: Security/ClearTPMIfNotReady

windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md

@@ -10,7 +10,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 07/12/2017
+ms.date: 07/26/2017
 ---
 
 # What's new in MDM enrollment and management
@@ -979,6 +979,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
 <li>Defender/EnableNetworkProtection</li>
 <li>Defender/GuardedFoldersAllowedApplications</li>
 <li>Defender/GuardedFoldersList</li>
+<li>Security/ClearTPMIfNotReady</li>
 <li>Update/ScheduledInstallEveryWeek</li>
 <li>Update/ScheduledInstallFirstWeek</li>
 <li>Update/ScheduledInstallFourthWeek</li>
@@ -1299,6 +1300,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
 <td style="vertical-align:top">
 <p>Added the following new policies for Windows 10, version 1709:</p>
 <ul>
+<li>Security/ClearTPMIfNotReady</li>
 <li>WindowsDefenderSecurityCenter/CompanyName</li>
 <li>WindowsDefenderSecurityCenter/DisableAppBrowserUI</li>
 <li>WindowsDefenderSecurityCenter/DisableEnhancedNotifications</li>

windows/client-management/mdm/policy-configuration-service-provider.md

@@ -7,7 +7,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 07/07/2017
+ms.date: 07/26/2017
 ---
 
 # Policy CSP
@@ -2295,6 +2295,9 @@ The following diagram shows the Policy configuration service provider in tree fo
   <dd>
     <a href="./policy-csp-security.md#security-antitheftmode" id="security-antitheftmode">Security/AntiTheftMode</a>
   </dd>
+  <dd>
+    <a href="./policy-csp-security.md#security-cleartpmifnotready" id="security-cleartpmifnotready">Security/ClearTPMIfNotReady</a>
+  </dd>
   <dd>
     <a href="./policy-csp-security.md#security-preventautomaticdeviceencryptionforazureadjoineddevices" id="security-preventautomaticdeviceencryptionforazureadjoineddevices">Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices</a>
   </dd>

windows/client-management/mdm/policy-csp-security.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 07/14/2017
+ms.date: 07/26/2017
 ---
 
 # Policy CSP - Security
@@ -258,6 +258,45 @@ ms.date: 07/14/2017
 -   0 (default) – Encryption enabled.
 -   1 – Encryption disabled.
 
+<!--EndDescription-->
+<!--EndPolicy-->
+<!--StartPolicy-->
+<a href="" id="security-cleartpmifnotready"></a>**Security/ClearTPMIfNotReady**  
+
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>Mobile Enterprise</th>
+</tr>
+<tr>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
+<!--StartDescription-->
+> [!NOTE]
+> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
+
+Added in Windows 10, version 1709. Admin access is required. The prompt will appear on first admin logon after a reboot when the TPM is in a non-ready state that can be remediated with a TPM Clear. The prompt will have a description of what clearing the TPM does and that it requires a reboot. The user can dismiss it, but it will appear on next admin logon after restart.
+
+The following list shows the supported values:
+
+-   0 (default) – Will not force recovery from a non-ready TPM state.
+-   1 – Will prompt to clear the TPM if the TPM is in a non-ready state (or reduced functionality) which can be remediated with a TPM Clear.
+
 <!--EndDescription-->
 <!--EndPolicy-->
 <!--StartPolicy-->