mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-22 05:43:41 +00:00
clean/linted tpm recs
@ -20,8 +20,9 @@ ms.date: 11/29/2018
|
|||||||
# TPM recommendations
|
# TPM recommendations
|
||||||
|
|
||||||
**Applies to**
|
**Applies to**
|
||||||
- Windows 10
|
|
||||||
- Windows Server 2016
|
- Windows 10
|
||||||
|
- Windows Server 2016
|
||||||
|
|
||||||
This topic provides recommendations for Trusted Platform Module (TPM) technology for Windows 10.
|
This topic provides recommendations for Trusted Platform Module (TPM) technology for Windows 10.
|
||||||
|
|
||||||
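Review bot: the only change in this hunk is the blank line inserted between `**Applies to**` and `- Windows 10` on the right-hand side, which is the correct fix for Markdown renderers and linters that require a list to be separated from the paragraph above it; nothing else in the `Applies to` block changes, so this part is fine as is.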
@ -47,27 +48,27 @@ From an industry standard, Microsoft has been an industry leader in moving and s
|
|||||||
|
|
||||||
TPM 2.0 products and systems have important security advantages over TPM 1.2, including:
|
TPM 2.0 products and systems have important security advantages over TPM 1.2, including:
|
||||||
|
|
||||||
- The TPM 1.2 spec only allows for the use of RSA and the SHA-1 hashing algorithm.
|
- The TPM 1.2 spec only allows for the use of RSA and the SHA-1 hashing algorithm.
|
||||||
|
|
||||||
- For security reasons, some entities are moving away from SHA-1. Notably, NIST has required many federal agencies to move to SHA-256 as of 2014, and technology leaders, including Microsoft and Google have announced they will remove support for SHA-1 based signing or certificates in 2017.
|
- For security reasons, some entities are moving away from SHA-1. Notably, NIST has required many federal agencies to move to SHA-256 as of 2014, and technology leaders, including Microsoft and Google have announced they will remove support for SHA-1 based signing or certificates in 2017.
|
||||||
|
|
||||||
- TPM 2.0 **enables greater crypto agility** by being more flexible with respect to cryptographic algorithms.
|
- TPM 2.0 **enables greater crypto agility** by being more flexible with respect to cryptographic algorithms.
|
||||||
|
|
||||||
- TPM 2.0 supports newer algorithms, which can improve drive signing and key generation performance. For the full list of supported algorithms, see the [TCG Algorithm Registry](http://www.trustedcomputinggroup.org/tcg-algorithm-registry/). Some TPMs do not support all algorithms.
|
- TPM 2.0 supports newer algorithms, which can improve drive signing and key generation performance. For the full list of supported algorithms, see the [TCG Algorithm Registry](http://www.trustedcomputinggroup.org/tcg-algorithm-registry/). Some TPMs do not support all algorithms.
|
||||||
|
|
||||||
- For the list of algorithms that Windows supports in the platform cryptographic storage provider, see [CNG Cryptographic Algorithm Providers](https://msdn.microsoft.com/library/windows/desktop/bb931354(v=vs.85).aspx).
|
- For the list of algorithms that Windows supports in the platform cryptographic storage provider, see [CNG Cryptographic Algorithm Providers](https://msdn.microsoft.com/library/windows/desktop/bb931354(v=vs.85).aspx).
|
||||||
|
|
||||||
- TPM 2.0 achieved ISO standardization ([ISO/IEC 11889:2015](https://blogs.microsoft.com/cybertrust/2015/06/29/governments-recognize-the-importance-of-tpm-2-0-through-iso-adoption/)).
|
- TPM 2.0 achieved ISO standardization ([ISO/IEC 11889:2015](https://blogs.microsoft.com/cybertrust/2015/06/29/governments-recognize-the-importance-of-tpm-2-0-through-iso-adoption/)).
|
||||||
|
|
||||||
- Use of TPM 2.0 may help eliminate the need for OEMs to make exception to standard configurations for certain countries and regions.
|
- Use of TPM 2.0 may help eliminate the need for OEMs to make exception to standard configurations for certain countries and regions.
|
||||||
|
|
||||||
- TPM 2.0 offers a more **consistent experience** across different implementations.
|
- TPM 2.0 offers a more **consistent experience** across different implementations.
|
||||||
|
|
||||||
- TPM 1.2 implementations vary in policy settings. This may result in support issues as lockout policies vary.
|
- TPM 1.2 implementations vary in policy settings. This may result in support issues as lockout policies vary.
|
||||||
|
|
||||||
- TPM 2.0 lockout policy is configured by Windows, ensuring a consistent dictionary attack protection guarantee.
|
- TPM 2.0 lockout policy is configured by Windows, ensuring a consistent dictionary attack protection guarantee.
|
||||||
|
|
||||||
- While TPM 1.2 parts are discrete silicon components which are typically soldered on the motherboard, TPM 2.0 is available as a **discrete (dTPM)** silicon component in a single semiconductor package, an **integrated** component incorporated in one or more semiconductor packages - alongside other logic units in the same package(s) - and as a **firmware (fTPM)** based component running in a trusted execution environment (TEE) on a general purpose SoC.
|
- While TPM 1.2 parts are discrete silicon components which are typically soldered on the motherboard, TPM 2.0 is available as a **discrete (dTPM)** silicon component in a single semiconductor package, an **integrated** component incorporated in one or more semiconductor packages - alongside other logic units in the same package(s) - and as a **firmware (fTPM)** based component running in a trusted execution environment (TEE) on a general purpose SoC.
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> TPM 2.0 is not supported in Legacy and CSM Modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as Native UEFI only. The Legacy and Compatibility Support Module (CSM) options must be disabled. For added security Enable the Secure Boot feature.
|
> TPM 2.0 is not supported in Legacy and CSM Modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as Native UEFI only. The Legacy and Compatibility Support Module (CSM) options must be disabled. For added security Enable the Secure Boot feature.
|
||||||
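Review bot: the left and right sides of this hunk render identically, so the edits here are whitespace-only (trailing spaces or line endings), which is fine for a lint commit, but it leaves two wording defects in lines it already touches: the NOTE sentence `For added security Enable the Secure Boot feature.` needs a comma and a lowercase verb (`For added security, enable the Secure Boot feature.`), and `make exception to standard configurations` should read `make exceptions to standard configurations`. The `http://www.trustedcomputinggroup.org/tcg-algorithm-registry/` link is also the only plain-HTTP link in the hunk; switching it to `https://` like the page's other links would be consistent.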
@ -78,11 +79,11 @@ TPM 2.0 products and systems have important security advantages over TPM 1.2, in
|
|||||||
|
|
||||||
There are three implementation options for TPMs:
|
There are three implementation options for TPMs:
|
||||||
|
|
||||||
- Discrete TPM chip as a separate component in its own semiconductor package
|
- Discrete TPM chip as a separate component in its own semiconductor package
|
||||||
|
|
||||||
- Integrated TPM solution, using dedicated hardware integrated into one or more semiconductor packages alongside, but logically separate from, other components
|
- Integrated TPM solution, using dedicated hardware integrated into one or more semiconductor packages alongside, but logically separate from, other components
|
||||||
|
|
||||||
- Firmware TPM solution, running the TPM in firmware in a Trusted Execution mode of a general purpose computation unit
|
- Firmware TPM solution, running the TPM in firmware in a Trusted Execution mode of a general purpose computation unit
|
||||||
|
|
||||||
Windows uses any compatible TPM in the same way. Microsoft does not take a position on which way a TPM should be implemented and there is a wide ecosystem of available TPM solutions which should suit all needs.
|
Windows uses any compatible TPM in the same way. Microsoft does not take a position on which way a TPM should be implemented and there is a wide ecosystem of available TPM solutions which should suit all needs.
|
||||||
|
|
||||||
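Review bot: the firmware TPM bullet here (`running the TPM in firmware in a Trusted Execution mode of a general purpose computation unit`) describes the same thing as the `trusted execution environment (TEE) on a general purpose SoC` wording in the previous hunk; since this is a cleanup pass, align on one term (the TEE wording is the standard one) and hyphenate `general-purpose`. The sentence `Microsoft does not take a position on which way a TPM should be implemented and there is a wide ecosystem of available TPM solutions which should suit all needs.` also reads better as two sentences, or at least with a comma before `and`.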
@ -94,39 +95,37 @@ For end consumers, TPM is behind the scenes but is still very relevant. TPM is u
|
|||||||
|
|
||||||
### Windows 10 for desktop editions (Home, Pro, Enterprise, and Education)
|
### Windows 10 for desktop editions (Home, Pro, Enterprise, and Education)
|
||||||
|
|
||||||
- Since July 28, 2016, all new device models, lines or series (or if you are updating the hardware configuration of a existing model, line or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0 (details in section 3.7 of the [Minimum hardware requirements](https://docs.microsoft.com/windows-hardware/design/minimum/minimum-hardware-requirements-overview) page). The requirement to enable TPM 2.0 only applies to the manufacturing of new devices. For TPM recommendations for specific Windows features, see [TPM and Windows Features](#tpm-and-windows-features).
|
- Since July 28, 2016, all new device models, lines or series (or if you are updating the hardware configuration of a existing model, line or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0 (details in section 3.7 of the [Minimum hardware requirements](https://docs.microsoft.com/windows-hardware/design/minimum/minimum-hardware-requirements-overview) page). The requirement to enable TPM 2.0 only applies to the manufacturing of new devices. For TPM recommendations for specific Windows features, see [TPM and Windows Features](#tpm-and-windows-features).
|
||||||
|
|
||||||
### IoT Core
|
### IoT Core
|
||||||
|
|
||||||
- TPM is optional on IoT Core.
|
- TPM is optional on IoT Core.
|
||||||
|
|
||||||
### Windows Server 2016
|
### Windows Server 2016
|
||||||
|
|
||||||
- TPM is optional for Windows Server SKUs unless the SKU meets the additional qualification (AQ) criteria for the Host Guardian Services scenario in which case TPM 2.0 is required.
|
- TPM is optional for Windows Server SKUs unless the SKU meets the additional qualification (AQ) criteria for the Host Guardian Services scenario in which case TPM 2.0 is required.
|
||||||
|
|
||||||
## TPM and Windows Features
|
## TPM and Windows Features
|
||||||
|
|
||||||
The following table defines which Windows features require TPM support.
|
The following table defines which Windows features require TPM support.
|
||||||
|
|
||||||
| Windows Features | TPM Required | Supports TPM 1.2 | Supports TPM 2.0 | Details |
|
Windows Features | TPM Required | Supports TPM 1.2 | Supports TPM 2.0 | Details |
|
||||||
|-------------------------|--------------|--------------------|--------------------|----------|
|
-|-|-|-|-
|
||||||
| Measured Boot | Yes | Yes | Yes | Measured Boot requires TPM 1.2 or 2.0 and UEFI Secure Boot |
|
Measured Boot | Yes | Yes | Yes | Measured Boot requires TPM 1.2 or 2.0 and UEFI Secure Boot
|
||||||
| BitLocker | Yes | Yes | Yes | TPM 1.2 or 2.0 is required, but [Automatic Device Encryption requires Modern Standby](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) including TPM 2.0 support |
|
BitLocker | Yes | Yes | Yes | TPM 1.2 or 2.0 is required, but [Automatic Device Encryption requires Modern Standby](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) including TPM 2.0 support
|
||||||
| Device Encryption | Yes | N/A | Yes | Device Encryption requires Modern Standby/Connected Standby certification, which requires TPM 2.0. |
|
Device Encryption | Yes | N/A | Yes | Device Encryption requires Modern Standby/Connected Standby certification, which requires TPM 2.0.
|
||||||
| Windows Defender Application Control (Device Guard) | No | Yes | Yes | |
|
Windows Defender Application Control (Device Guard) | No | Yes | Yes
|
||||||
| Windows Defender Exploit Guard | No | N/A | N/A | |
|
Windows Defender System Guard | Yes | No | Yes
|
||||||
| Windows Defender System Guard | Yes | No | Yes | |
|
Credential Guard | No | Yes | Yes | Windows 10, version 1507 (End of Life as of May 2017) only supported TPM 2.0 for Credential Guard. Beginning with Windows 10, version 1511, TPM 1.2 and 2.0 are supported.
|
||||||
| Credential Guard | No | Yes | Yes | Windows 10, version 1507 (End of Life as of May 2017) only supported TPM 2.0 for Credential Guard. Beginning with Windows 10, version 1511, TPM 1.2 and 2.0 are supported. |
|
Device Health Attestation| Yes | Yes | Yes
|
||||||
| Device Health Attestation| Yes | Yes | Yes | |
|
Windows Hello/Windows Hello for Business| No | Yes | Yes | Azure AD join supports both versions of TPM, but requires TPM with keyed-hash message authentication code (HMAC) and Endorsement Key (EK) certificate for key attestation support.
|
||||||
| Windows Hello/Windows Hello for Business| No | Yes | Yes | Azure AD join supports both versions of TPM, but requires TPM with keyed-hash message authentication code (HMAC) and Endorsement Key (EK) certificate for key attestation support. |
|
UEFI Secure Boot | No | Yes | Yes
|
||||||
| UEFI Secure Boot | No | Yes | Yes | |
|
TPM Platform Crypto Provider Key Storage Provider| Yes | Yes | Yes
|
||||||
| TPM Platform Crypto Provider Key Storage Provider| Yes | Yes| Yes | |
|
Virtual Smart Card | Yes | Yes | Yes
|
||||||
| Virtual Smart Card | Yes | Yes | Yes | |
|
Certificate storage | No | Yes | Yes | TPM is only required when the certificate is stored in the TPM.
|
||||||
| Certificate storage | No | Yes | Yes | TPM is only required when the certificate is stored in the TPM. |
|
Autopilot | Yes | No | Yes | TPM 2.0 and UEFI firmware is required.
|
||||||
| Autopilot | Yes | No | Yes | TPM 2.0 and UEFI firmware is required. |
|
SecureBIO | Yes | No | Yes | TPM 2.0 and UEFI firmware is required.
|
||||||
| SecureBIO | Yes | No | Yes | TPM 2.0 and UEFI firmware is required. |
|
DRTM | Yes | No | Yes | TPM 2.0 and UEFI firmware is required.
|
||||||
| DRTM | Yes | No | Yes | TPM 2.0 and UEFI firmware is required. |
|
|
||||||
|
|
||||||
|
|
||||||
## OEM Status on TPM 2.0 system availability and certified parts
|
## OEM Status on TPM 2.0 system availability and certified parts
|
||||||
|
|
||||||
|
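Review bot: the row `Windows Defender Exploit Guard | No | N/A | N/A` on the left side of this hunk has no counterpart on the right, so the commit removes a feature from the table as well as relinting it; the commit message `clean/linted tpm recs` does not mention a content change, so either say so there or restore the row. The new table style drops the leading and trailing pipes and uses `-|-|-|-|-` as the separator row; that renders in GitHub-flavored Markdown, but the repository's Markdown linter may require a consistent pipe style across tables, so confirm it accepts this form before merging. Two wording fixes are also still missing in lines this hunk touches: `a existing model` should be `an existing model`, and `TPM 2.0 and UEFI firmware is required.` in the Autopilot, SecureBIO and DRTM rows should be `are required`.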