Microsoft has updated the hardware certification requirements for the next major release of Windows Server. With this change, the Redmond software giant has made two previously optional features, Secure Boot and TPM 2.0, mandatory for certified server hardware.
While pervasive on x64 servers, these hardware capabilities are still optional under the hardware certification for the Windows Server releases Microsoft ships today.
In the next major release, Microsoft will raise the security standard for Windows Server hardware certification to include these capabilities by default.
The new Windows Server certification will require a TPM 2.0 to be installed and enabled by default. On systems that ship with the next major Windows Server release preinstalled, Secure Boot will be enabled by default as well. These requirements apply to every platform on which Windows Server will run: bare metal, virtual machines (guests) running on Hyper-V, and guests on third-party hypervisors approved through the Server Virtualization Validation Program (SVVP). For a virtual machine this means the hypervisor has to expose a virtual TPM 2.0 and UEFI Secure Boot to the guest.
The Trusted Platform Module (TPM) is a security standard, published by the Trusted Computing Group, that describes a secure cryptoprocessor. Traditionally it is a discrete chip on the motherboard, but it can also be implemented in firmware (fTPM) or, for virtual machines, as a virtual TPM provided by the hypervisor. When a TPM is present in a device, it can perform and protect cryptographic operations, such as generating keys that never leave the module, and it can record measurements of the boot sequence and attest to the device's identity. For example, BitLocker can seal the keys used for drive encryption to the TPM so that they are released only when the measured boot sequence matches the expected one. The TPM can also replace a physical smart card by backing a virtual smart card. In Windows Server, the TPM is also used to protect credential data.
Secure Boot is a security feature, implemented in UEFI firmware, that protects the boot process by letting the firmware execute only boot components (bootloaders, option ROMs and UEFI drivers) whose signatures chain to a certificate in the firmware's signature database. This way, Secure Boot mitigates the risk of malware that tampers with the early boot stage (bootkits), and it provides a trustworthy foundation on which the operating system's other security features can build. Secure Boot is also known for making it impossible to install an alternative operating system unless its bootloader is signed by a key the firmware trusts; on a factory-configured system that means a bootloader signed by Microsoft or its partners (most Linux distributions ship a Microsoft-signed shim for this reason), unless the administrator enrolls their own keys or disables Secure Boot in the firmware.
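The following PowerShell is an added example, not Microsoft's own tooling or part of the original article. It shows the check a server administrator would run to see whether a machine (physical or a guest, since inside a VM the same cmdlets see the virtual TPM) meets the TPM 2.0 and Secure Boot requirements described above, and a helper that brings a Hyper-V guest into line. It assumes an elevated PowerShell session on Windows Server 2016 or later with the TrustedPlatformModule, SecureBoot and Hyper-V modules available; the guest helper assumes a Generation 2 VM and a host without a Host Guardian Service, so the vTPM is protected with a local key protector. The function names and the VM name in the usage note are hypothetical.

```powershell
# Added example: readiness check for the TPM 2.0 + Secure Boot certification requirements,
# plus a helper that enables both on a Hyper-V Generation 2 guest.
# Assumes an elevated session on Windows Server 2016+ (not Microsoft's own tooling).

function Test-ServerTpmSecureBoot {
    [CmdletBinding()]
    param()

    # Win32_Tpm carries the spec version as a string such as "2.0, 0, 1.38" or "1.2, 2, 3";
    # the first field is the TPM family, which is what the certification cares about.
    $tpmCim = Get-CimInstance -Namespace 'root\CIMV2\Security\MicrosoftTpm' `
                              -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $specVersion = if ($tpmCim) { ($tpmCim.SpecVersion -split ',')[0].Trim() } else { $null }

    # Get-Tpm reports whether a TPM is present and initialised for use by Windows.
    $tpm        = Get-Tpm -ErrorAction SilentlyContinue
    $tpmPresent = [bool]($tpm -and $tpm.TpmPresent)
    $tpmReady   = [bool]($tpm -and $tpm.TpmReady)

    # Secure Boot only exists under UEFI; Confirm-SecureBootUEFI throws on legacy BIOS,
    # and a BIOS-booted server fails the requirement outright.
    $firmwareType = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType
    $secureBoot   = $false
    if ($firmwareType -eq 'Uefi') {
        try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }
    }

    [PSCustomObject]@{
        ComputerName      = $env:COMPUTERNAME
        FirmwareType      = $firmwareType
        TpmPresent        = $tpmPresent
        TpmReady          = $tpmReady
        TpmSpecVersion    = $specVersion
        SecureBootEnabled = $secureBoot
        # Compliant only with a present, ready TPM 2.0 and Secure Boot on under UEFI.
        Compliant         = ($tpmPresent -and $tpmReady -and
                             $specVersion -eq '2.0' -and $secureBoot)
    }
}

function Enable-GuestTpmSecureBoot {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$VMName)

    $vm = Get-VM -Name $VMName
    if ($vm.Generation -ne 2) {
        throw "$VMName is Generation $($vm.Generation); vTPM and Secure Boot need a Generation 2 VM."
    }
    if ($vm.State -ne 'Off') {
        throw "$VMName must be shut down before its key protector and vTPM can be changed."
    }

    # The vTPM state is encrypted under a key protector. Without a Host Guardian Service
    # (assumed here) a local key protector is the only option; it is tied to this host.
    if (-not (Get-VMSecurity -VMName $VMName).TpmEnabled) {
        Set-VMKeyProtector -VMName $VMName -NewLocalKeyProtector
        Enable-VMTPM -VMName $VMName
    }

    # The MicrosoftWindows template trusts only the Microsoft Windows Production CA, which is
    # the right choice for a Windows Server guest; use MicrosoftUEFICertificateAuthority
    # for guests that boot a Microsoft-signed shim.
    Set-VMFirmware -VMName $VMName -EnableSecureBoot On -SecureBootTemplate 'MicrosoftWindows'

    [PSCustomObject]@{
        VMName     = $VMName
        TpmEnabled = (Get-VMSecurity -VMName $VMName).TpmEnabled
        SecureBoot = (Get-VMFirmware -VMName $VMName).SecureBoot
    }
}
```

Usage: `Test-ServerTpmSecureBoot | Format-List` on the machine being assessed, and on a Hyper-V host `Enable-GuestTpmSecureBoot -VMName 'ws-next-01'` (hypothetical VM name) for a stopped Generation 2 guest. Note that a TPM reporting `TpmPresent` but not `TpmReady` usually means it is disabled in the firmware setup or still needs provisioning (`Initialize-Tpm`), and that with a local key protector the guest's vTPM cannot be migrated to another host without exporting the protector.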
These requirements will be enforced for new server platforms introduced to the market after January 1, 2021. Existing server platforms can carry an Additional Qualification (AQ) certification to help customers identify systems that meet these requirements, similar to the current Assurance AQ for Windows Server 2019.