What is a TPM Chip? A Deep Dive into Trusted Platform Modules

The Trusted Platform Module (TPM) is a crucial technology for hardware-based security. This article provides a comprehensive overview of TPMs, explaining their functionality and how Windows leverages them for authentication and access control.

Understanding the Trusted Platform Module (TPM)

The Trusted Platform Module (TPM) is a specialized chip designed to perform cryptographic operations securely. It’s essentially a secure crypto-processor engineered with multiple physical security mechanisms that make it highly tamper-resistant. This robust design ensures that malicious software cannot compromise the TPM’s security functions. Key benefits of using TPM technology include:

  • Secure Key Management: Generation, storage, and controlled usage of cryptographic keys.
  • Device Authentication: Utilizing the TPM’s unique RSA key, permanently embedded in the chip, for reliable device authentication.
  • Platform Integrity: Ensuring the integrity of the platform by capturing and storing security measurements during the boot process.

The primary functions of a TPM are system integrity measurement and secure key management. During system startup, the loaded boot code (including firmware and operating system components) is measured and recorded within the TPM. These integrity measurements serve as evidence of how the system initiated and verify that TPM-based keys are utilized only when the expected software is used to boot the system. This helps protect against boot-time attacks.

TPM-based keys offer flexible configuration options. For example, a TPM-based key can be made inaccessible outside the TPM, providing robust protection against phishing attacks by preventing unauthorized key copying and usage. Furthermore, TPM-based keys can be configured to require authorization for use. To prevent brute-force attacks, the TPM implements dictionary attack logic, blocking further authorization attempts after a certain number of incorrect guesses.
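The two mechanisms described above (boot measurements recorded in the TPM, and keys that are released only when the expected software booted and the caller supplies the right authorization) can be modelled in a few lines. The following is an added illustration, not code from the page or from any TPM vendor: a pure-Python model of the TPM 2.0 PCR extend rule (new PCR = SHA-256(old PCR || SHA-256(component))), a sealed secret bound to an expected PCR value, and a simple dictionary-attack lockout counter. The class name `SimulatedTpm`, the lockout threshold, and the sample boot components are all constructed for this example.

```python
"""Simulated TPM: PCR extend, PCR-bound secret release, dictionary-attack lockout.

Added example (not from the page). The PCR extend rule matches TCG's definition;
everything else (SimulatedTpm, the 3-try lockout, the sample components) is a
constructed model meant to show *why* a tampered boot chain cannot release a key.
"""
import hashlib
import hmac

HASH = hashlib.sha256
PCR_INIT = bytes(32)          # SHA-256 PCR banks start as all-zero bytes


def measure(component: bytes) -> bytes:
    """Digest of a boot component, as the firmware/bootloader would compute it."""
    return HASH(component).digest()


def extend(pcr_value: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend: PCR can only be advanced by hashing, never written directly."""
    return HASH(pcr_value + digest).digest()


def boot_pcr(components) -> bytes:
    """Replay a boot sequence and return the resulting PCR value (order matters)."""
    pcr = PCR_INIT
    for component in components:
        pcr = extend(pcr, measure(component))
    return pcr


class SimulatedTpm:
    """Holds sealed secrets that unseal only with the right auth AND the right PCR."""

    def __init__(self, max_failed_tries: int = 3):
        self.max_failed_tries = max_failed_tries   # constructed threshold
        self.failed_tries = 0
        self.locked_out = False
        self._sealed = {}   # name -> (expected_pcr, auth_value, secret)

    def seal(self, name: str, expected_pcr: bytes, auth: bytes, secret: bytes) -> None:
        self._sealed[name] = (expected_pcr, auth, secret)

    def unseal(self, name: str, current_pcr: bytes, auth: bytes):
        """Return (secret, status). The secret never leaves unless every check passes."""
        if self.locked_out:
            return None, "lockout"          # dictionary-attack protection engaged
        expected_pcr, expected_auth, secret = self._sealed[name]
        if not hmac.compare_digest(auth, expected_auth):
            self.failed_tries += 1
            if self.failed_tries >= self.max_failed_tries:
                self.locked_out = True
            return None, "bad-auth"
        if not hmac.compare_digest(current_pcr, expected_pcr):
            return None, "pcr-mismatch"     # different software booted the system
        self.failed_tries = 0               # a correct auth resets the counter
        return secret, "ok"


# Constructed sample boot chain (stand-ins for firmware, bootloader, OS loader).
FIRMWARE = b"firmware-v1"
BOOTLOADER = b"bootloader-v1"
OS_LOADER = b"os-loader-v1"
TAMPERED_FIRMWARE = b"firmware-v1-modified"
AUTH = b"correct-auth-value"
SECRET = b"volume-encryption-key"


def demo() -> dict:
    """Run the scenarios the text describes and return their outcomes."""
    trusted_pcr = boot_pcr([FIRMWARE, BOOTLOADER, OS_LOADER])
    tampered_pcr = boot_pcr([TAMPERED_FIRMWARE, BOOTLOADER, OS_LOADER])
    reordered_pcr = boot_pcr([BOOTLOADER, FIRMWARE, OS_LOADER])

    tpm = SimulatedTpm()
    tpm.seal("vek", trusted_pcr, AUTH, SECRET)
    results = {
        "trusted_boot": tpm.unseal("vek", trusted_pcr, AUTH),
        "tampered_boot": tpm.unseal("vek", tampered_pcr, AUTH),
        "reordered_boot": tpm.unseal("vek", reordered_pcr, AUTH),
    }
    # Three wrong guesses trigger lockout; afterwards even the right auth is refused.
    for _ in range(3):
        tpm.unseal("vek", trusted_pcr, b"wrong-guess")
    results["after_lockout"] = tpm.unseal("vek", trusted_pcr, AUTH)
    results["locked_out"] = tpm.locked_out
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:>15}: {outcome}")
```

The point to take from the model: because a PCR can only be extended, not set, an attacker who changes firmware or boot order cannot recompute the trusted value without also controlling every earlier measurement, and the secret bound to that value stays inside the TPM. The lockout branch is what the text calls dictionary attack logic; a real TPM additionally enforces a recovery time before attempts are accepted again.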

The different TPM versions are defined by Trusted Computing Group (TCG) specifications. More information is available on the TCG website.

Windows Edition and Licensing Support for TPM

The following Windows editions offer support for Trusted Platform Module (TPM):

Windows Pro   Windows Enterprise   Windows Pro Education/SE   Windows Education
Yes           Yes                  Yes                        Yes

Trusted Platform Module (TPM) license entitlements are provided through these licenses:

Windows Pro/Pro Education/SE   Windows Enterprise E3   Windows Enterprise E5   Windows Education A3   Windows Education A5
Yes                            Yes                     Yes                     Yes                    Yes

For further information on Windows licensing, refer to the Windows licensing overview.

Automatic TPM Initialization in Windows

Starting with Windows 10 and Windows 11, the operating system handles the automatic initialization and ownership of the TPM. Consequently, in most scenarios, manual configuration of the TPM via the TPM management console (TPM.msc) is discouraged. Exceptions arise primarily when resetting or performing a clean installation. More information can be found in the guide to Clear all the keys from the TPM.

It’s important to note that Microsoft is “no longer actively developing the TPM management console” beginning with Windows Server 2019 and Windows 10, version 1809.

In specific enterprise scenarios, limited to Windows 10 versions 1507 and 1511, Group Policy could be utilized to back up the TPM owner authorization value within Active Directory. Given that the TPM state persists across operating system installations, this TPM information is stored in Active Directory separately from computer objects.

Practical Applications of TPM Technology

TPMs enhance security in various practical applications:

  • Certificate Management: Certificates can be installed or created on computers using the TPM. Once provisioned, the RSA private key for a certificate is bound to the TPM and rendered non-exportable, bolstering certificate security.
  • Smart Card Replacement: The TPM can serve as a cost-effective alternative to smart cards, reducing the expenses associated with smart card deployment.
  • Automated Provisioning: Automated TPM provisioning streamlines deployment within enterprises. New TPM management APIs can determine whether provisioning actions require the physical presence of a service technician to approve TPM state change requests during the boot process.
  • Anti-Malware: Anti-malware software can leverage boot measurements of the operating system’s start state to verify the integrity of a computer running Windows. This includes verifying the launch of Hyper-V to ensure that datacenters employing virtualization aren’t running untrusted hypervisors.

BitLocker Network Unlock allows IT administrators to push updates without the concern of computers awaiting PIN entry, enhancing manageability.

TPM offers various Group Policy settings useful in enterprise environments. For details, see TPM Group Policy Settings.

Device Health Attestation

Device health attestation empowers enterprises to establish trust based on hardware and software components of managed devices. By utilizing device health attestation, you can configure a Mobile Device Management (MDM) server to query a health attestation service, granting or denying a managed device access to secure resources.

Security checks that can be performed on devices include:

  • Data Execution Prevention (DEP) support and enablement
  • BitLocker Drive Encryption support and enablement
  • Secure Boot support and enablement

Windows supports Device Health Attestation with TPM 2.0. TPM 2.0 requires UEFI firmware; devices with legacy BIOS and TPM 2.0 may not function as expected.

Supported Versions for Device Health Attestation

TPM version   Windows 11   Windows 10     Windows Server 2022   Windows Server 2019   Windows Server 2016
TPM 1.2                    >= ver 1607                          Yes                   >= ver 1607
TPM 2.0       Yes          Yes            Yes                   Yes                   Yes

Conclusion

The Trusted Platform Module (TPM) is an essential component for modern computer security, offering hardware-based protection for keys, authentication, and platform integrity. Understanding its capabilities and how it integrates with Windows is crucial for maintaining a secure computing environment. By leveraging TPM, organizations can significantly enhance their security posture and protect against a wide range of threats.
