From 1616ceba791d261134dc0a6455d2bc5283611403 Mon Sep 17 00:00:00 2001 From: Artem Pronichkin Date: Mon, 16 May 2022 20:07:58 -0700 Subject: [PATCH 1/2] + Windows Server 2022; clarification on TPM event * Added support for Windows Server 2022 * Clarification on where to look for Event ID 51 to check for TPM usage --- .../credential-guard/credential-guard-manage.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index f5c9ad4cbf..9e30541c4e 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md @@ -26,6 +26,7 @@ ms.custom: - Windows 11 - Windows Server 2016 - Windows Server 2019 +- Windows Server 2022 ## Enable Windows Defender Credential Guard 
@@ -204,9 +205,13 @@ DG_Readiness_Tool_v3.6.ps1 -Ready - **Event ID 17** Error reading Windows Defender Credential Guard (LsaIso.exe) UEFI configuration: \[error code\] - You can also verify that TPM is being used for key protection by checking Event ID 51 in the **Microsoft** -> **Windows** -> **Kernel-Boot** event source. If you are running with a TPM, the TPM PCR mask value will be something other than 0. + - You can also verify that TPM is being used for key protection by checking **Event ID 51** in *Applications and Services logs → Microsoft → Windows → Kernel-Boot* event log. The full event text will read like this: - - **Event ID 51** VSM Master Encryption Key Provisioning. Using cached copy status: **0x0**. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: **0x1**. TPM PCR mask: **0x0**. + ``` + VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0. + ``` + + If you are running with a TPM, the TPM PCR mask value will be something other than 0. - You can use Windows PowerShell to determine whether credential guard is running on a client computer. On the computer in question, open an elevated PowerShell window and run the following command: From 77ed0df0d6ebd203dc9482e1a2ee1538ccce7a17 Mon Sep 17 00:00:00 2001 From: Artem Pronichkin Date: Fri, 20 May 2022 09:00:18 -0700 Subject: [PATCH 2/2] Update credential-guard-manage.md Update event log formatting per suggestons --- .../credential-guard/credential-guard-manage.md | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index 9e30541c4e..a5041cd575 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md 
+++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md @@ -205,13 +205,7 @@ DG_Readiness_Tool_v3.6.ps1 -Ready - **Event ID 17** Error reading Windows Defender Credential Guard (LsaIso.exe) UEFI configuration: \[error code\] - - You can also verify that TPM is being used for key protection by checking **Event ID 51** in *Applications and Services logs → Microsoft → Windows → Kernel-Boot* event log. The full event text will read like this: - - ``` - VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0. - ``` - - If you are running with a TPM, the TPM PCR mask value will be something other than 0. + - You can also verify that TPM is being used for key protection by checking **Event ID 51** in *Applications and Services logs → Microsoft → Windows → Kernel-Boot* event log. The full event text will read like this: `VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0.` If you are running with a TPM, the TPM PCR mask value will be something other than 0. - You can use Windows PowerShell to determine whether credential guard is running on a client computer. On the computer in question, open an elevated PowerShell window and run the following command:
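Review bot: The first hunk of PATCH 1/2 (the applies-to list, `+- Windows Server 2022`) adds a release without any accompanying change to the steps below it; the same file goes on to reference `DG_Readiness_Tool_v3.6.ps1` and specific event IDs, so the commit message or PR description should say that those were checked on Windows Server 2022, or the hunk should note any differences for that release.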
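Review bot: In the Event ID 51 hunk of PATCH 1/2 (`@@ -204,9 +205,13 @@`), the sample event text ends with `TPM PCR mask: 0x0.`, which is exactly the value the following sentence says you will not see when a TPM is in use, so a reader scanning the fenced block may take it as the expected healthy output. Suggest either stating that the sample was taken from a system where the TPM is not used for key protection, or replacing the last field with a clearly marked placeholder such as `TPM PCR mask: 0x<nonzero>` and keeping the explanatory sentence. The opening fence also carries no language tag; `text` would stop the renderer from guessing a language for the event string.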
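Review bot: The single replacement line in PATCH 2/2 (`@@ -205,13 +205,7 @@`) reads `in *Applications and Services logs → Microsoft → Windows → Kernel-Boot* event log`; Event Viewer names the node "Applications and Services Logs" with a capital L, the line removed in PATCH 1/2 used `->` rather than the `→` character for the navigation path, and the phrase needs an article, so suggest `in the *Applications and Services Logs > Microsoft > Windows > Kernel-Boot* event log`. The inline-code sample still ends with `TPM PCR mask: 0x0.` immediately before the sentence saying a TPM gives a non-zero mask, so the same labelling as suggested for the fenced version applies here.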