Microsoft will require TPM 2.0 and Secure Boot in new Windows Server hardware next year
Some optional Windows Server security implementations will become mandatory for Microsoft hardware partners to include in their products, starting in January, Microsoft said in an announcement Thursday.
After January 1, 2021, new Windows Server products will need to have the Trusted Platform Module (TPM) 2.0 installed, and they will also need to have the Secure Boot security precaution enabled by default. Additionally, the announcement implied that BitLocker encryption was to be used on these servers as additional protection against the actions of “rootkit” malware.
The announcement explained that Windows Server x64 products on the market today typically already include these features, but they are considered options. In January, these will be mandatory requirements for all Windows Server hardware sold.
“These requirements [coming in January] apply to servers on which Windows Server will run, including bare metal, virtual machines (guests) running on Hyper-V or third-party hypervisors approved by the Server Virtualization Validation Program (SVVP),” Microsoft’s announcement explained.
TPM 2.0 is a chip in machines that is used to “securely perform measurements for attestation and key storage.” It keeps a record of boot measurements that can later be checked to verify that a system has not been compromised by malware at the boot stage. BitLocker can leverage the TPM to protect data, the announcement explains:
BitLocker is a native volume encryption solution for Windows Server and leverages TPM2.0 to provide enhanced security. BitLocker leverages the TPM to ensure that volumes are only decrypted if the system has booted as expected by the metrics captured in the TPM. Together with Network Unlock, the TPM provides a scalable and secure management solution for BitLocker encryption ensuring that sensitive data is more secure.
The problem is the machine’s boot process, where malware known as rootkits or “bootkits” could operate undetected by antivirus software. Secure Boot, a feature of machines based on the Unified Extensible Firmware Interface (UEFI), was a solution championed by Microsoft with the release of Windows 8 to protect against such malware.
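To illustrate the mechanism the announcement describes (boot components measured into a TPM PCR, and a BitLocker volume key released only when the measurements match what was recorded), here is an added Python simulation; it is not Microsoft’s code, and it uses a constructed boot chain and a simplified HMAC-based seal in place of the hardware TPM.

```python
import hashlib
import hmac
import os

# Constructed sample boot chain: (component name, component image bytes).
# Stand-ins for firmware, bootloader and kernel, not real measurements.
GOOD_BOOT_CHAIN = [
    ("firmware", b"uefi-firmware-v1"),
    ("bootloader", b"bootmgfw.efi-signed"),
    ("kernel", b"ntoskrnl.exe"),
]

def extend_pcr(pcr: bytes, image: bytes) -> bytes:
    """TPM 2.0 PCR extend (SHA-256 bank): new = H(old || H(image))."""
    return hashlib.sha256(pcr + hashlib.sha256(image).digest()).digest()

def measure_boot(chain) -> bytes:
    """Replay a boot chain into one PCR, starting from the all-zero reset value."""
    pcr = bytes(32)
    for _, image in chain:
        pcr = extend_pcr(pcr, image)
    return pcr

def seal(volume_key: bytes, expected_pcr: bytes):
    """Bind a 32-byte volume key to an expected PCR value.
    Simplified model: a wrapping key is derived from the PCR and used to
    mask the secret and authenticate the blob (a real TPM keeps this in hardware)."""
    wrap = hmac.new(expected_pcr, b"seal", hashlib.sha256).digest()
    blob = bytes(a ^ b for a, b in zip(volume_key, wrap))
    return blob, hmac.new(wrap, blob, hashlib.sha256).digest()

def unseal(blob: bytes, tag: bytes, current_pcr: bytes):
    """Release the key only if the current boot measurements reproduce the policy."""
    wrap = hmac.new(current_pcr, b"seal", hashlib.sha256).digest()
    if not hmac.compare_digest(tag, hmac.new(wrap, blob, hashlib.sha256).digest()):
        return None  # measurements differ from the sealed policy: key withheld
    return bytes(a ^ b for a, b in zip(blob, wrap))

def demo():
    """Returns (key released on expected boot, key withheld on modified bootloader)."""
    vk = os.urandom(32)  # constructed volume key
    blob, tag = seal(vk, measure_boot(GOOD_BOOT_CHAIN))
    released = unseal(blob, tag, measure_boot(GOOD_BOOT_CHAIN)) == vk
    modified = [(n, b"modified-bootloader") if n == "bootloader" else (n, img)
                for n, img in GOOD_BOOT_CHAIN]
    withheld = unseal(blob, tag, measure_boot(modified)) is None
    return released, withheld
```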
While Microsoft will require Secure Boot for new Windows Server machines in January, it recently admitted that Secure Boot really isn’t up to the task of protecting firmware, at least at the PC level. This detail emerged when Microsoft explained its Secured-core PCs approach in October. Secured-core PCs use a combination of TPM 2.0 and Windows Defender System Guard technologies to provide boot-level protections.
About the Author
Kurt Mackie is senior news producer for 1105 Media’s Converge360 group.