
Microsoft To Require TPM 2.0 and Secure Boot in New Windows Server Hardware Next Year

Some optional Windows Server security features will become mandatory for Microsoft's hardware partners to include in their products, starting in January, Microsoft indicated in a Thursday announcement.

After Jan. 1, 2021, new Windows Server products will be required to have a Trusted Platform Module (TPM) 2.0 installed, and they'll also be required to ship with the Secure Boot security precaution turned on by default. In addition, the announcement pointed to BitLocker encryption, which, when bound to the TPM, refuses to unlock a volume if the boot measurements show that the system did not boot as expected, as a further protection against the actions of "rootkit" malware.

The announcement explained that x64 Windows Server products on the market today typically already include these capabilities, but they are currently optional. In January, they'll be mandatory requirements for all Windows Server hardware sold.

"These requirements [coming in January] apply to servers where Windows Server will run, including bare metal, virtual machines (guests) running on Hyper-V or on third party hypervisors approved through the Server Virtualization Validation Program (SVVP)," Microsoft's announcement explained.

TPM 2.0 is a specification for a tamper-resistant security component, implemented as a discrete chip, as part of the platform firmware, or as a virtual TPM presented to a virtual machine (which is how the requirement reaches Hyper-V guests), that is used for "securely performing measurements for attestation and storing keys." During boot, each firmware and operating system component is hashed into the TPM's Platform Configuration Registers before it runs; those measurements can be reported to a verifier (attestation) or used to gate the release of a key, so a system that was hijacked by malware at the boot-up stage produces measurements that differ from a clean boot. BitLocker uses this to keep data protected, the announcement explained:

BitLocker is a native volume encryption solution for Windows Server and leverages the TPM2.0 to provide enhanced security. BitLocker leverages the TPM to ensure that volumes are only decrypted if the system booted as expected by the measurements captured in the TPM. Paired with Network Unlock, the TPM provides a scalable and secure management solution for BitLocker encryption ensuring that sensitive data is kept more secure.

At issue is the boot-up process, where malware known as rootkits or "bootkits" runs before the operating system and its antivirus software have loaded, and so goes undetected by them. Secure Boot, a feature of Unified Extensible Firmware Interface (UEFI)-based machines, was championed by Microsoft with the release of Windows 8 to protect against such malware: the firmware checks the digital signature of each boot component (boot manager, OS loader, early drivers) against the keys it trusts before executing it, and refuses unsigned or tampered boot code.

While Microsoft will require Secure Boot for new Windows Server machines in January, it recently acknowledged that Secure Boot alone isn't up to the task of protecting firmware, at least at the PC level: Secure Boot validates the code that the firmware loads, but it cannot vouch for the firmware itself, which runs first and is what a firmware implant would target. That detail arose when Microsoft explained its Secured-core PCs approach back in October. Secured-core PCs use a combination of TPM 2.0 and Windows Defender System Guard technologies to provide protections at the boot level, with System Guard re-measuring the boot from a hardware-rooted starting point (a dynamic root of trust) after the firmware has run, so that firmware tampering shows up in the TPM measurements.
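For administrators who want to know where an existing server stands against the three controls the announcement names, the following PowerShell script is an added example (it is not from Microsoft's announcement or from this article) that checks the TPM specification version and readiness, the UEFI Secure Boot state, and whether the OS volume is BitLocker-protected with a TPM-bound key protector. It relies only on the built-in Win32_Tpm WMI class, the Get-Tpm, Confirm-SecureBootUEFI and Get-BitLockerVolume cmdlets, and must run from an elevated session; the function name and the OK/WARN/FAIL labels are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example: report a Windows Server host's status against the
# January 2021 hardware requirements (TPM 2.0, Secure Boot, BitLocker+TPM).
# Function name and result labels are assumptions of this example.
function Test-ServerBootSecurity {
    $result = [ordered]@{}

    # 1. TPM: Win32_Tpm.SpecVersion is a string such as "2.0, 0, 1.38";
    #    Get-Tpm (TrustedPlatformModule module) reports whether it is ready for use.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if ($null -eq $tpm) {
        $result['TPM'] = 'FAIL (no TPM exposed to Windows)'
    } else {
        $specMajor = ($tpm.SpecVersion -split ',')[0].Trim()
        $status    = Get-Tpm
        if ($specMajor -eq '2.0' -and $status.TpmReady) {
            $result['TPM'] = 'OK (TPM 2.0, ready)'
        } else {
            $result['TPM'] = "FAIL (spec $specMajor, TpmReady=$($status.TpmReady))"
        }
    }

    # 2. Secure Boot: Confirm-SecureBootUEFI returns $true/$false on UEFI
    #    systems and throws on legacy BIOS boot, which is itself a failure here.
    try {
        if (Confirm-SecureBootUEFI) {
            $result['SecureBoot'] = 'OK'
        } else {
            $result['SecureBoot'] = 'FAIL (UEFI, but Secure Boot is off)'
        }
    } catch {
        $result['SecureBoot'] = 'FAIL (not booted via UEFI)'
    }

    # 3. BitLocker on the OS volume, unlocked by a TPM-based protector.
    #    KeyProtectorType values Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey
    #    and TpmNetworkKey (Network Unlock) all bind the key to boot measurements.
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    if ($null -eq $bl) {
        $result['BitLocker'] = 'FAIL (BitLocker feature not installed or volume not found)'
    } else {
        $result['BitLocker'] = "FAIL (protection status $($bl.ProtectionStatus))"
        if ($bl.ProtectionStatus -eq 'On') {
            $tpmProtectors = @($bl.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' })
            if ($tpmProtectors.Count -gt 0) {
                $types = ($tpmProtectors | ForEach-Object { $_.KeyProtectorType }) -join ','
                $result['BitLocker'] = "OK (protectors: $types)"
            } else {
                $result['BitLocker'] = 'WARN (encrypted, but no TPM-bound protector)'
            }
        }
    }

    [pscustomobject]$result
}

Test-ServerBootSecurity | Format-List
```

Run it on each host before the cutover; a WARN on the BitLocker line means the volume is encrypted but unlocked by a password or external key rather than by the TPM, so the measured-boot check the announcement describes is not actually in play for that machine.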

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
