As of June 2021, Microsoft has confirmed TPM 2.0 support will be required to install Windows 11. So what does this mean for the enterprise users?
What is a TPM?
A TPM or “Trusted Platform Module” is a dedicated piece of hardware with the capability to generate and store encryption keys; as well as perform cryptographic functions in a tamper-resistant manner. TPM’s have been common on major mobile devices for the past few years. Apple’s Secure Enclave and Google’s Titan M chip are both proprietary variants of a TPM.
How does a TPM work?
A TPM generates and stores cryptographic keys as a separate hardware entity on a device outside of the main disk/storage. This prevents an attacker from gaining access to private keys and other sensitive data even if the device’s operating system is compromised. TPM’s also safeguard data if an attacker attempts to bypass encryption to access the disk contents even if they were to remove the TPM chip or try to access the disk on another device. The TPM is manufactured with a key pair (private/public) built into the hardware, called the endorsement key (EK). The EK is unique to a particular TPM and is signed by a trusted Certification Authority (CA). This manufacturing practice further prevents tampering and can also be used to establish trust as well as be used as a form of non-repudiation.
While a TPM has been required for OEM’s to achieve Windows Certification, this is the first time a compatible TPM has been required for Windows to be installed. Microsoft claims that a combination of their latest security features: Windows Hello, Device Encryption, virtualization-based security, hypervisor-protected code integrity (HVCI) and Secure Boot “have been shown to reduce malware by 60 percent.” With the current rise of Ransomware and user credential abuse, Microsoft believes the utilization of a TPM will significantly damper this threat.
How to Check a Device for Windows 11 Compatibility
One method of checking the state of a Windows device TPM:
Open a run prompt
Type “tpm.msc” and click Ok
You will then be presented with the TPM status of the device
The new security requirements for Microsoft’s newest operating system seems to be a big push to raise the security posture of the modern enterprise. Microsoft Windows is the de facto operating system for billions of corporate assets all over the world. Applying more stringent hardware-based security for Windows seems to be the method Microsoft has chosen to combat credential harvesting and ransomware attacks that have been on the rise.
A UEFI BIOS (firmware) will be required to utilize TPM 2.0 and all legacy options such as “CSM” must be disabled.
Among the TPM 2.0 requirement of Windows 11 is also the validation of new hardware. Only Intel 8th-gen and newer, as well as Zen 2 AMD architecture are officially supported. Since support relies on in house validation done at Microsoft; it is possible older hardware will be added to the support list.
TPM functionality has been baked into most major hardware vendors at the firmware level since 2015. Thus, it is unlikely a TPM will have to be added to most enterprise machines.
About Schneider Downs Cybersecurity
The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. For more information, visit www.schneiderdowns.com/cybersecurity or contact the team at [email protected].
You’ve heard our thoughts… We’d like to hear yours
The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].
Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.