diff --git a/education/windows/index.md b/education/windows/index.md index 794b6706ac..98aaf94eef 100644 --- a/education/windows/index.md +++ b/education/windows/index.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: edu -author: jdeckerMS +author: CelesteDG --- # Windows 10 for Education diff --git a/windows/keep-secure/tpm-recommendations.md b/windows/keep-secure/tpm-recommendations.md index acf27319d7..277ad8c4ba 100644 --- a/windows/keep-secure/tpm-recommendations.md +++ b/windows/keep-secure/tpm-recommendations.md @@ -40,7 +40,8 @@ OEMs implement the TPM as a component in a trusted computing platform, such as a The TCG designed the TPM as a low-cost, mass-market security solution that addresses the requirements of different customer segments. There are variations in the security properties of different TPM implementations just as there are variations in customer and regulatory requirements for different sectors. In public-sector procurement, for example, some governments have clearly defined security requirements for TPMs whereas others do not. >**Note:** Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - + + ## TPM 1.2 vs. 2.0 comparison From an industry standard, Microsoft has been an industry leader in moving and standardizing on TPM 2.0, which has many key realized benefits across algorithms, crypto, hierarchy, root keys, authorization and NV RAM. 
@@ -59,48 +60,31 @@ TPM 2.0 products and systems have important security advantages over TPM 1.2, in - TPM 2.0 offers a more **consistent experience** across different implementations. - - TPM 1.2 implementations across both discrete and firmware vary in policy settings. This may result in support issues as lockout policies vary. - - TPM 2.0 standardized policy requirement helps establish a consistent lockout experience across devices, as such, Windows can offer a better user experience end to end. + - TPM 1.2 implementations vary in policy settings. This may result in support issues as lockout policies vary. + - TPM 2.0 lockout policy is configured by Windows, ensuring a consistent dictionary attack protection guarantee. -- While TPM 1.2 parts were discrete silicon components typically soldered on the motherboard, TPM 2.0 is available both as a **discrete (dTPM)** silicon component and as a **firmware (fTPM)** based component running in a trusted execution environment (TEE) on the system’s main SoC: +- While TPM 1.2 parts are discrete silicon components which are typically soldered on the motherboard, TPM 2.0 is available as a **discrete (dTPM)** silicon component in a sinple semiconductor package, an **integrated** component incorporated in one or more semiconductor packages - alongside other logic units in the same package(s) - and as a **firmware (fTPM)** based component running in a trusted execution environment (TEE) on a general purpose SoC. - - On Intel chips, it is the Intel Management Engine (ME) or Converged Security Engine (CSE). - - For AMD chips, it is the AMD Security Processor - - For ARM chips, it is a Trustzone Trusted Application (TA). - - In the case of firmware TPM for desktop Windows systems, the chip vendor provides the firmware TPM implementation along with the other chip firmware to OEMs. +## Discrete, Integrated or Firmware TPM? -## Discrete or firmware TPM? 
+There are three implementation options for TPMs: -Windows uses discrete and firmware TPM in the same way. Windows gains no functional advantage or disadvantage from either option. +- Discrete TPM chip as a separate component in its own semiconductor package +- Integrated TPM solution, using dedicated hardware integrated into one or more semiconductor packages alongside, but logically separate from, other components +- Firmware TPM solution, running the TPM in firmware in a Trusted Execution mode of a general purpose computation unit -From a security standpoint, discrete and firmware share the same characteristics; - -- Both use hardware based secure execution. -- Both use firmware for portions of the TPM functionality. -- Both are equipped with tamper resistance capabilities. -- Both have unique security limitations/risks. - -For more info, see [fTPM: A Firmware-based TPM 2.0 Implementation](http://research.microsoft.com/apps/pubs/?id=258236). +Windows uses any compatible TPM in the same way. Microsoft does not take a position on which way a TPM should be implemented and there is a wide ecosystem of available TPM solutions which should suit all needs. ## Is there any importance for TPM for consumer? -For end consumers, TPM is behind the scenes but still very relevant for Hello, Passport and in the future, many other key features in Windows 10. It offers the best Passport experience, helps encrypt passwords, and builds on our overall Windows 10 experience story for security as a critical pillar. Using Windows on a system with a TPM enables a deeper and broader level of security coverage. +For end consumers, TPM is behind the scenes but is still very relevant. TPM is used for Windows Hello, Windows Hello for Business and in the future, will be a components of many other key security features in Windows. TPM secures the PIN, helps encrypt passwords, and builds on our overall Windows 10 experience story for security as a critical pillar. 
Using Windows on a system with a TPM enables a deeper and broader level of security coverage. ## TPM 2.0 Compliance for Windows 10 ### Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) -- As of July 28, 2016, all new device models, lines or series (or if you are updating the hardware configuration of a existing model, line or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0 (details in section 3.7, https://msdn.microsoft.com/library/windows/hardware/dn915086(v=vs.85).aspx) +- Since July 28, 2016, all new device models, lines or series (or if you are updating the hardware configuration of a existing model, line or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0 (details in section 3.7, https://msdn.microsoft.com/library/windows/hardware/dn915086(v=vs.85).aspx) -## Two implementation options: - -- Discrete TPM chip as a separate discrete component -- Firmware TPM solution using Intel PTT (platform trust technology) or AMD - -### Windows 10 Mobile - -- All devices shipping with Windows 10 Mobile must implement TPM 2.0 and ship with the TPM 2.0 enabled. - ### IoT Core - TPM is optional on IoT Core. @@ -226,7 +210,7 @@ The following table defines which Windows features require TPM support. Some fea ## Chipset options for TPM 2.0 -There are a variety of TPM manufacturers for both discrete and firmware. +There is a vibrant ecosystem of TPM manufacturers. ### Discrete TPM
Supplier | +Chipset | +
---|---|
Intel | +
|
+
Intel | -
|
-
Qualcomm |
**C:\Program Files (x86)\Windows Kits\10\Microsoft Application Virtualization\Sequencer** -4. Run the following command: +5. Run the following command: - `Update-AppvPackageMsi -MsiPackage " **C:\Program Files (x86)\Windows Kits\10** + where the path is to the new directory (**C:\MyMsiTools\ for this example**). ## Error occurs during publishing refresh between App-V 5.0 SP3 Management Server and App-V Client on Windows 10 |
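Review bot: in the tpm-recommendations.md hunk at @@ -40,7 +40,8 @@, the whitespace change between the Note callout and the "## TPM 1.2 vs. 2.0 comparison" heading replaces one blank line with two added blank lines; a single blank line is enough to separate the blockquote from the heading, so the second "+" line can be dropped. While in this spot, the context sentence "From an industry standard, Microsoft has been an industry leader in moving and standardizing on TPM 2.0" is unchanged but reads awkwardly; "Microsoft has led the industry in moving to and standardizing on TPM 2.0" would be cleaner.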
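Review bot: typo in the new dTPM bullet of the @@ -59,48 +60,31 @@ hunk: "in a sinple semiconductor package" should read "in a single semiconductor package". Same hunk: "will be a components of many other key security features" should be "will be a component of", and the re-added compliance bullet still carries "a existing model" (should be "an existing model"). Terminology is also inconsistent within the hunk: the bullet above says the fTPM runs "in a trusted execution environment (TEE) on a general purpose SoC" while the new three-way list says "in a Trusted Execution mode of a general purpose computation unit"; pick one term and use it in both places. Two content points: the hunk removes the "From a security standpoint" comparison (hardware based secure execution, firmware for portions of the functionality, tamper resistance, unique limitations/risks) together with the link to "fTPM: A Firmware-based TPM 2.0 Implementation", so after this change the reader gets no pointer at all to the security trade-offs between implementation types even though the new text says Microsoft takes no position on them; consider keeping the reference. And the Windows 10 Mobile requirement ("All devices shipping with Windows 10 Mobile must implement TPM 2.0 and ship with the TPM 2.0 enabled") is deleted without replacement; confirm that is intended rather than a casualty of restructuring the compliance section.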
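Review bot: in the @@ -226,7 +210,7 @@ hunk, "There is a vibrant ecosystem of TPM manufacturers." is marketing phrasing and says less than the line it replaces ("for both discrete and firmware"). Since the page now distinguishes discrete, integrated and firmware implementations, a sentence such as "TPM 2.0 implementations are available from multiple suppliers as discrete, integrated and firmware solutions" would carry that distinction through to the chipset table that follows.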
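Review bot: in the App-V troubleshooting hunk, the removed line beginning `Update-AppvPackageMsi -MsiPackage "` is replaced by the prose "where the path is to the new directory (C:\MyMsiTools\ for this example)" with no command visible in the added lines; make sure the full command invocation still appears in the new text, otherwise step 5 ("Run the following command:") has nothing for the reader to run. The renumbering of step 4 to 5 also implies a new step was inserted earlier; check that any steps after this one are renumbered consistently.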