Earlier this year, Microsoft announced that it will be raising the security standard for the next major release of Windows Server. Starting 1st January 2021, TPM 2.0 and Secure Boot will be required rather than optional for new server hardware. Existing hardware can be ‘Additional Qualification’ certified to show that it meets the new standards. Microsoft says that the change is to give customers increased confidence when deploying Windows Server, maximizing platform integrity without changing the Request for Proposal (RFP) process.
Microsoft will require that TPM 2.0 be installed and enabled by default. When new hardware is purchased with the next major release of Windows Server preinstalled, Secure Boot must be enabled by default. Regardless of whether the operating system is running on bare metal, Hyper-V virtual machine guests, or on third-party hypervisors approved in the Server Virtualization Validation Program (SVVP).
Requiring these technologies to be present and enabled by default will allow Microsoft to enhance and automate built-in Windows Server security features by default.
Secure Boot is part of the Unified Extensible Firmware Interface (UEFI) framework, but it isn’t always enabled by default. When Secure Boot is enabled, code loaded during the boot sequence, like the Windows Boot Manager and NT kernel, is checked against signatures in the firmware to ensure that it hasn’t been replaced or modified. Anti-malware software doesn’t run until later in the boot process, so Secure Boot protects against rootkits that modify code loaded before Windows starts. Early Launch Antimalware (ELAM) then protects Windows Server by starting malware protection before third-party drivers are initialized.
Microsoft says about Secure Boot in its announcement: “Since code running during the boot process has privileged access to system resources and performs many critical security initialization steps, malicious code that tries to hijack the boot process can have a very harmful impact. There have been a number of articles written in recent years that document the serious and detrimental outcomes that vulnerabilities like this can expose. By ensuring that only code signed by trusted authorities runs during the boot process, secure boot mitigates this security risk and also provides a solid foundation for the security platform of the operating system.”
Trusted Platform Module (TPM) 2.0 is a hardware component designed to securely perform measurements for health attestation and to store encryption keys. TPM 2.0 can be used to measure each step of the Secure Boot process. IT can then request the TPM to provide a report on whether a system booted securely.
TPM 2.0 can provide additional security to BitLocker. BitLocker is a software encryption technology in Windows that ensures disk volumes are only decrypted if a system boots securely. When TPM 2.0 is enabled, it can work with BitLocker to store encryption keys and inform BitLocker whether the system booted as expected using measurements recorded during the Secure Boot process. When used together with BitLocker Network Unlock, a feature that automatically unlocks disk volumes when devices are connected to a wired corporate network, TPM 2.0 provides a secure and scalable way for organizations to manage BitLocker.
Most x64 bit server hardware shipping today has TPM 2.0 and Secure Boot, but the features are often optional and turned off by default. Microsoft hopes that the changes to Windows Server hardware requirements in 2021 will provide a better base on which customers get an improved security baseline going forwards.