Microsoft Wants Windows 10 Redstone Devices to Be Super Secure
TPM 2.0 will be required on all devices running this version
Read more: http://news.softpedia.com/news/micro...medium=twitter
One of the reasons Microsoft pushes everyone to adopt Windows 10 is the security improvements the company implemented in this OS version, and it turns out that work in this regard has not yet been completed.
The upcoming Anniversary Update (also known by Microsoft enthusiasts as Redstone) will require all devices to come with Trusted Platform Module (TPM) 2.0 enabled by default.
TPM version 1.2 is already supported in Windows 10, but by raising the minimum requirement to 2.0, Microsoft hopes to achieve improved security that would help devices running the latest version of the OS stay protected against the latest types of threats.
"Many Windows 10 features relying on TPM"
TPM is essentially a security system implemented at the hardware level: a dedicated chip (or, with TPM 2.0, firmware running in a protected execution environment) designed for cryptographic functions. The chip's main role is to protect and operate on cryptographic keys stored on the device. Version 2.0 comes with significant updates: several new authentication modes (authorization policies), a broader algorithm set (SHA-1, SHA-256, RSA and elliptic-curve cryptography with the P-256 curve) where TPM 1.2 only offered RSA and SHA-1, and multiple root keys (hierarchies).
I'm confused by this thread. I have a home built 2012 desktop PC using a Gigabyte GA-77X-UD5H motherboard. It has a TPM header but I don't have the module and doubt if I can buy one now.
I'm running Windows 8.1 Pro and I'm considering upgrading to Windows 10 before the deadline. Do I need TPM support to be able to install and support Windows 10 on this motherboard?
Also, I'm currently running Windows 10 on my Dell Inspiron 7537 laptop which doesn't have TPM support. What will happen when this laptop is updated at the end of July?
Last edited by Steve C; 29 May 2016 at 01:41.
FUTURE (yet to be made/built) NEW OEM computers that want to have the Windows 10 certification (a sticker).
TPM recommendations (Windows 10)
TPM 2.0 Compliance for Windows 10
Windows 10 for desktop editions (Home, Pro, Enterprise, and Education)
- As of July 28, 2016, all new device models, lines or series (or, if you are updating the hardware configuration of an existing model, line or series with a major update, such as CPU or graphics cards) must implement and enable by default TPM 2.0 (details in section 3.7, https://msdn.microsoft.com/library/w...(v=vs.85).aspx)
Why TPM 2.0?
TPM 2.0 products and systems have important security advantages over TPM 1.2, including:
- The TPM 1.2 spec only allows for the use of RSA and the SHA-1 hashing algorithm.
- For security reasons, some entities are moving away from SHA-1. Notably, NIST has required many federal agencies to move to SHA-256 as of 2014, and technology leaders, including Microsoft and Google have announced they will remove support for SHA-1 based signing or certificates in 2017.
- TPM 2.0 enables greater crypto agility by being more flexible with respect to cryptographic algorithms.
- TPM 2.0 supports SHA-256 as well as ECC, the latter being critical to drive signing and key generation performance.
- TPM 2.0 achieved ISO standardization (ISO/IEC 11889:2015).
- Use of TPM 2.0 may help eliminate the need for OEMs to make exception to standard configurations for certain countries and regions.
- TPM 2.0 offers a more consistent experience across different implementations.
- TPM 1.2 implementations across both discrete and firmware vary in policy settings. This may result in support issues as lockout policies vary.
- TPM 2.0 standardized policy requirement helps establish a consistent lockout experience across devices, as such, Windows can offer a better user experience end to end.
- While TPM 1.2 parts were discrete silicon components typically soldered on the motherboard, TPM 2.0 is available both as a discrete (dTPM) silicon component and as a firmware (fTPM) based component running in a trusted execution environment (TEE) on the system's main SoC:
- On Intel chips, it is the Intel Management Engine (ME) or Converged Security Engine (CSE).
- For AMD chips, it is the AMD Security Processor
- For ARM chips, it is a Trustzone Trusted Application (TA).
- In the case of firmware TPM for desktop Windows systems, the chip vendor provides the firmware TPM implementation along with the other chip firmware to OEMs.
Minimum hardware requirements - Windows 10 hardware dev
3.7 Trusted Platform Module (TPM)
As of July 28, 2016, all new device models, lines or series must implement and be in compliance with the International Standard ISO/IEC 11889:2015 or the Trusted Computing Group TPM 2.0 Library and a component which implements the TPM 2.0 must be present and enabled by default from this effective date.
The following requirements must be met:
- All TPM configurations must comply with local laws and regulations.
- Firmware-based components that implement TPM capabilities must implement version 2.0 of the TPM specification.
- An EK certificate must either be pre-provisioned to the TPM by the hardware vendor or be capable of being retrieved by the device during the first boot experience.
- It must ship with SHA-256 PCR banks and implement PCRs 0 through 23 for SHA-256. Note that it is acceptable to ship TPMs with a single switchable PCR bank that can be utilized for SHA-256 measurements.
- It must support TPM2_HMAC command.
A UEFI firmware option to turn off the TPM is not required. OEM systems for special purpose commercial systems, custom order, and customer systems with a custom image are not required to ship with a TPM support enabled.
For detailed TPM information, see Trusted Platform Module topic on TechNet and for TPM 1.2 and 2.0 version comparisons, please reference this article here.
2.8 Trusted Platform Module (TPM)
Devices that run Windows 10 Mobile must include a Trusted Platform Module (TPM) that implements version 2.0 of the TPM specification. The TPM can be a firmware-based solution integrated into the SoC or included as a discrete component in the device. The TPM 2.0 must meet the following requirements:
- An EK certificate must be either pre-provisioned to the TPM by the hardware vendor or be capable of being retrieved by the device during the first boot experience.
- It must ship with SHA-256 PCR banks and implement PCRs 0 through 23 for SHA-256. Note it is acceptable to ship TPMs with a single switchable PCR bank that can be used for both SHA-1 and SHA-256 measurements.
- It must support TPM2_HMAC command.
For detailed TPM information, see Trusted Platform Module topic on TechNet.
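For anyone wondering, like Steve C above, whether an existing box meets the section 3.7 items (TPM present and enabled, spec version 2.0, EK certificate provisioned), the following is an added example script, not part of this thread and not Microsoft's own code. It assumes Windows 10 with the built-in TrustedPlatformModule PowerShell module (Get-TpmEndorsementKeyInfo) and the Win32_Tpm WMI class, and an elevated prompt; the property names on the Get-TpmEndorsementKeyInfo output (IsPresent, ManufacturerCertificates) are taken from that cmdlet's documented output and are flagged as assumptions in the comments.

```powershell
# Added example: check a Windows 10 machine against the TPM items in section 3.7.
# Not from the thread or from Microsoft's docs. Assumes Windows 10, the
# TrustedPlatformModule module and the Win32_Tpm WMI class; run elevated.
function Test-Tpm20Readiness {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        TpmPresent        = $false
        SpecVersion       = $null
        IsTpm20           = $false
        EnabledByDefault  = $false
        EkCertificateSeen = $false
    }

    # Win32_Tpm lives in root\cimv2\Security\MicrosoftTpm and is absent when the
    # firmware exposes no TPM at all (Steve C's laptop case).
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) {
        return [pscustomobject]$result
    }
    $result.TpmPresent = $true

    # SpecVersion is a comma-separated string such as "2.0, 0, 1.16" or "1.2, 2, 3";
    # the first field is the TPM family, which is what section 3.7 cares about.
    $result.SpecVersion = $tpm.SpecVersion
    $family = ($tpm.SpecVersion -split ',')[0].Trim()
    $result.IsTpm20 = ($family -eq '2.0')

    # "Enabled by default": the *_InitialValue properties reflect the state the
    # firmware handed to Windows at boot rather than any later change.
    $result.EnabledByDefault = [bool]($tpm.IsEnabled_InitialValue -and $tpm.IsActivated_InitialValue)

    # EK certificate requirement. Get-TpmEndorsementKeyInfo reads the endorsement key
    # and any certificates provisioned in TPM NV storage. Assumption: the output
    # carries IsPresent and ManufacturerCertificates; an empty certificate list means
    # the OEM shipped no EK cert (Windows may still fetch one on first boot).
    try {
        $ek = Get-TpmEndorsementKeyInfo -HashAlgorithm sha256 -ErrorAction Stop
        $result.EkCertificateSeen = [bool]($ek.IsPresent -and $ek.ManufacturerCertificates.Count -gt 0)
    } catch {
        Write-Verbose "Get-TpmEndorsementKeyInfo failed: $_"
    }

    [pscustomobject]$result
}

Test-Tpm20Readiness -Verbose | Format-List
```

A machine with no TPM header populated comes back with TpmPresent = False and everything else False, which answers the upgrade question: Windows 10 installs fine, it simply reports no TPM and features such as BitLocker key sealing, Windows Hello key attestation and Device Health Attestation are unavailable. The script cannot verify the SHA-256 PCR bank item, since the PowerShell cmdlets do not expose bank information; later Windows 10 builds ship tpmtool (tpmtool getdeviceinformation), which reports the active algorithm and PCR7 binding, and that is the place to look for it.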
Thanks Cliff, couldn't be clearer tbh
I prefer to go to the source, follow any links at that source, after reading something in a blog post, written by a writer, that doesn't know the difference between his "BASH and a hole in the ground."