From 47a7a19fefb524d60e0d241414d725fa8b920dbd Mon Sep 17 00:00:00 2001 From: Michiko Short Date: Mon, 28 Aug 2017 16:01:58 -0700 Subject: [PATCH] clearing TPM issues CG --- .../credential-guard/credential-guard-considerations.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/access-protection/credential-guard/credential-guard-considerations.md b/windows/access-protection/credential-guard/credential-guard-considerations.md index 42cf816bdc..a5c36084f6 100644 --- a/windows/access-protection/credential-guard/credential-guard-considerations.md +++ b/windows/access-protection/credential-guard/credential-guard-considerations.md @@ -42,7 +42,7 @@ Starting with Windows 10, version 1511, domain credentials that are stored with - Applications that extract Windows credentials fail. - When credentials are backed up from a PC that has Windows Defender Credential Guard enabled, the Windows credentials cannot be restored. If you need to back up your credentials, you must do this before you enable Windows Defender Credential Guard. Otherwise, you cannot restore those credentials. -## CLearing TPM Considerations +## Clearing TPM Considerations Virtualization-based Security (VBS) uses the TPM to protect its key. So when the TPM is cleared then the TPM protected key used to encrypt VBS secrets is lost. >[!WARNING] 
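Review bot: The heading case fix (`CLearing` to `Clearing`) is correct, but the unchanged context sentence directly under it reads awkwardly and is worth tidying in the same pass: "So when the TPM is cleared then the TPM protected key used to encrypt VBS secrets is lost." would read better as "When the TPM is cleared, the TPM-protected key used to encrypt VBS secrets is lost." The `>[!WARNING]` alert that follows should keep its content on the next line so the callout renders; please confirm the alert body is intact in the full file.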
@@ -78,8 +78,8 @@ Domain user sign-in on a domain-joined device after clearing a TPM for as long a |Credential Type | Windows 10 version | Behavior |---|---|---| | Certificate (smart card or Windows Hello for Business) | All | All data protected with user DPAPI is unusable and user DPAPI does not work at all. | -| Password | Windows 10 v1709 or later | If the user signed-in with a certificate or password prior to TPM reset, then they can sign-in with password and user DPAPI is unaffected. -| Password | Windows 10 v1703 | If the user signed-in with a password prior to TPM reset, then they can sign-in with that password and are unaffected. +| Password | Windows 10 v1709 or later | If the user signed-in with a certificate or password prior to clearing the TPM, then they can sign-in with password and user DPAPI is unaffected. +| Password | Windows 10 v1703 | If the user signed-in with a password prior to clearing the TPM, then they can sign-in with that password and are unaffected. | Password | Windows 10 v1607 or earlier | Existing user DPAPI protected data is unusable. User DPAPI is able to protect new data. Once the device has connectivity to the domain controllers, DPAPI recovers the user's key and data protected prior to clearing the TPM can be decrypted.
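Review bot: The two rewritten rows still carry "signed-in" and "sign-in" as verbs; the hyphenated form is the noun (as in the hunk header's "Domain user sign-in"), so these should read "signed in with a certificate or password" and "can sign in with a password". While touching these rows, also close each table row with a trailing `|` so they match the Certificate row above (the v1607 row and the header row `|Credential Type | Windows 10 version | Behavior` lack it too); renderers tolerate the mismatch, but consistent rows make the table easier to maintain. The terminology change from "TPM reset" to "clearing the TPM" is a good consistency fix and matches the new section heading.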