TPM 2.0 and Secure Boot Become Mandatory for Windows Server Hardware in 2021

Earlier this year, Microsoft announced that it will be raising the security standard for the next major release of Windows Server. Starting 1st January 2021, TPM 2.0 and Secure Boot will be required rather than optional for new server hardware. Existing hardware can be ‘Additional Qualification’ certified to show that it meets the new standards. Microsoft says that the change is to give customers increased confidence when deploying Windows Server, maximizing platform integrity without changing the Request for Proposal (RFP) process.

Microsoft will require that TPM 2.0 be installed and enabled by default. When new hardware is purchased with the next major release of Windows Server preinstalled, Secure Boot must be enabled by default, regardless of whether the operating system runs on bare metal, as a Hyper-V virtual machine guest, or on a third-party hypervisor approved in the Server Virtualization Validation Program (SVVP).

Requiring these technologies to be present and enabled by default will allow Microsoft to enhance and automate built-in Windows Server security features by default.

Secure Boot is part of the UEFI framework, but it isn’t always enabled by default

Secure Boot is part of the Unified Extensible Firmware Interface (UEFI) framework, but it isn’t always enabled by default. When Secure Boot is enabled, code loaded during the boot sequence, like the Windows Boot Manager and NT kernel, is checked against signatures in the firmware to ensure that it hasn’t been replaced or modified. Anti-malware software doesn’t run until later in the boot process, so Secure Boot protects against rootkits that modify code loaded before Windows starts. Early Launch Antimalware (ELAM) then protects Windows Server by starting malware protection before third-party drivers are initialized.

Microsoft says about Secure Boot in its announcement: “Since code running during the boot process has privileged access to system resources and performs many critical security initialization steps, malicious code that tries to hijack the boot process can have a very harmful impact. There have been a number of articles written in recent years that document the serious and detrimental outcomes that vulnerabilities like this can expose. By ensuring that only code signed by trusted authorities runs during the boot process, secure boot mitigates this security risk and also provides a solid foundation for the security platform of the operating system.”

TPM 2.0 can be used to measure each step of the Secure Boot process

Trusted Platform Module (TPM) 2.0 is a hardware component designed to securely perform measurements for health attestation and to store encryption keys. TPM 2.0 can be used to measure each step of the Secure Boot process. IT can then request the TPM to provide a report on whether a system booted securely.

TPM 2.0 can provide additional security to BitLocker. BitLocker is a software encryption technology in Windows that ensures disk volumes are only decrypted if a system boots securely. When TPM 2.0 is enabled, it can work with BitLocker to store encryption keys and inform BitLocker whether the system booted as expected using measurements recorded during the Secure Boot process. When used together with BitLocker Network Unlock, a feature that automatically unlocks disk volumes when devices are connected to a wired corporate network, TPM 2.0 provides a secure and scalable way for organizations to manage BitLocker.

Most x64 server hardware shipping today has TPM 2.0 and Secure Boot, but the features are often optional and turned off by default. Microsoft hopes that the 2021 changes to the Windows Server hardware requirements will give customers an improved security baseline going forward.
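Because the features are so often present but switched off, the practical question for an administrator is whether a given server actually meets the baseline the article describes: UEFI firmware with Secure Boot on, a TPM 2.0 that is present and ready, and BitLocker protecting the OS volume with a TPM-backed key protector. The following script is an added example, not code from Microsoft or from the article, and it assumes an elevated PowerShell session on Windows Server 2016 or later with the BitLocker feature installed (otherwise the BitLocker check reports the feature as missing). The property names used (`TpmPresent`, `TpmReady`, `SpecVersion`, `ProtectionStatus`, `KeyProtectorType`) are those exposed by the built-in `Get-Tpm`, `Win32_Tpm` and `Get-BitLockerVolume` objects.

```powershell
#Requires -RunAsAdministrator
# Added example: audit one Windows Server host against the 2021 baseline
# (UEFI + Secure Boot enabled, TPM 2.0 present and ready, BitLocker on the
# OS volume with a TPM-based protector). Not Microsoft's or Petri's code.

$result = [ordered]@{}

# 1. Firmware type. Secure Boot only exists under UEFI, so a value of
#    "Legacy" means this host (or VM generation) cannot meet the requirement.
$result.FirmwareType = $env:firmware_type

# 2. Secure Boot state. Confirm-SecureBootUEFI throws on legacy BIOS systems
#    and on platforms without the UEFI variable service, so an exception
#    means "not supported", which is different from "supported but disabled".
try {
    $result.SecureBootEnabled = Confirm-SecureBootUEFI
} catch {
    $result.SecureBootEnabled = "NotSupported ($($_.Exception.Message))"
}

# 3. TPM presence, readiness and specification version. Get-Tpm reports
#    whether the module is present and provisioned; the implemented spec
#    (1.2 vs 2.0) is the first field of Win32_Tpm.SpecVersion, e.g. "2.0, 0, 1.38".
$tpm = Get-Tpm
$result.TpmPresent = $tpm.TpmPresent
$result.TpmReady   = $tpm.TpmReady
$wmiTpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                          -ClassName Win32_Tpm -ErrorAction SilentlyContinue
$result.TpmSpecVersion = if ($wmiTpm) { ($wmiTpm.SpecVersion -split ',')[0].Trim() } else { 'Unknown' }

# 4. BitLocker on the OS volume. Protection must be on, and at least one key
#    protector should be TPM-based (Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey)
#    so the volume only unlocks when the boot measurements match the sealed state.
$blv = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
if ($blv) {
    $result.BitLockerProtection   = $blv.ProtectionStatus
    $result.BitLockerTpmProtector = [bool]($blv.KeyProtector |
        Where-Object { $_.KeyProtectorType -like 'Tpm*' })
} else {
    $result.BitLockerProtection   = 'FeatureNotInstalledOrNoVolume'
    $result.BitLockerTpmProtector = $false
}

# 5. Overall verdict on the hardware/firmware part of the baseline. BitLocker is
#    reported separately because the requirement is about TPM and Secure Boot;
#    BitLocker is what those features then protect.
$result.MeetsHardwareBaseline = (
    $result.FirmwareType -eq 'UEFI' -and
    $result.SecureBootEnabled -eq $true -and
    $result.TpmPresent -and $result.TpmReady -and
    $result.TpmSpecVersion -eq '2.0'
)

[pscustomobject]$result | Format-List
```

A host that reports `FirmwareType : Legacy` or `SecureBootEnabled : NotSupported` needs a firmware change or, for a Hyper-V guest, a Generation 2 virtual machine; a guest that reports `TpmPresent : False` needs a virtual TPM enabled from the host side (`Enable-VMTPM`) before the Secure Boot measurements described above can be recorded. Running the script across a fleet with `Invoke-Command` gives a quick inventory of which servers would already satisfy the 2021 requirement.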

IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.