News

Microsoft Adds Windows Server Security Requirements for Hardware Partners

By Kurt Mackie
June 11, 2020
Microsoft's hardware partners will get new security requirements for Windows Server products, starting in January, Microsoft announced on Thursday. 
After Jan. 1, 2021, new Windows Server products will be required to have the Trusted Platform Module (TPM) 2.0 installed, and they'll also be required to have the Secure Boot security precaution turned on by default. In addition, the announcement implied that BitLocker encryption should be used on these servers as an additional protection against the actions of "rootkit" malware.
The announcement explained that x64 Windows Server products on the market today typically already include these capabilities, but they are considered to be options. In January, they'll be mandatory requirements for all Windows Server hardware sold.
"These requirements [coming in January] apply to servers where Windows Server will run, including bare metal, virtual machines (guests) running on Hyper-V or on third party hypervisors approved through the Server Virtualization Validation Program (SVVP)," Microsoft's announcement explained.
TPM 2.0 is a chip in machines that's used for "securely performing measurements for attestation and storing keys." It provides a reporting safeguard to assure that a system wasn't hijacked by malware at the boot-up stage. BitLocker can leverage the TPM to keep data protected, the announcement explained:
  BitLocker is a native volume encryption solution for Windows Server and leverages the TPM2.0 to provide enhanced security. BitLocker leverages the TPM to ensure that volumes are only decrypted if the system booted as expected by the measurements captured in the TPM. Paired with Network Unlock, the TPM provides a scalable and secure management solution for BitLocker encryption ensuring that sensitive data is kept more secure.
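As an added illustration (not part of the article or of Microsoft's announcement), the following PowerShell function checks one Windows Server against the three items described above, TPM 2.0 present, Secure Boot enabled, and BitLocker on the OS volume with a TPM-bound protector, using in-box cmdlets; the function name and the result field names are my own.

```powershell
# Added example, not from the article or Microsoft. Run in an elevated
# PowerShell session on the server being assessed; uses the in-box
# TrustedPlatformModule, SecureBoot and BitLocker cmdlets.

function Test-ServerBootSecurityBaseline {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        Tpm20Present      = $false
        TpmReady          = $false
        FirmwareIsUefi    = $true
        SecureBootOn      = $false
        OsVolumeEncrypted = $false
        OsVolumeTpmBound  = $false
    }

    # TPM: Win32_Tpm.SpecVersion reads like "2.0, 0, 1.38"; first field is the spec.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
        -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if ($tpm) {
        $spec = ($tpm.SpecVersion -split ',')[0].Trim()
        $result.Tpm20Present = ($spec -eq '2.0')
        $result.TpmReady     = (Get-Tpm).TpmReady
    }

    # Secure Boot is a UEFI feature: Confirm-SecureBootUEFI throws on legacy
    # BIOS firmware, which is itself a finding rather than an error.
    try {
        $result.SecureBootOn = Confirm-SecureBootUEFI
    } catch {
        $result.FirmwareIsUefi = $false
    }

    # BitLocker on the OS volume, with a protector bound to the TPM so the volume
    # only unlocks when boot measurements match (Tpm, TpmPin, TpmStartupKey, ...).
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    if ($os) {
        $result.OsVolumeEncrypted = ($os.ProtectionStatus -eq 'On')
        $result.OsVolumeTpmBound  = [bool]($os.KeyProtector |
            Where-Object { $_.KeyProtectorType -like 'Tpm*' })
    }

    $obj = [pscustomobject]$result
    $obj | Add-Member -NotePropertyName MeetsBaseline -NotePropertyValue (
        $obj.Tpm20Present -and $obj.TpmReady -and $obj.SecureBootOn -and
        $obj.OsVolumeEncrypted -and $obj.OsVolumeTpmBound) -PassThru
}

Test-ServerBootSecurityBaseline | Format-List
```

A false MeetsBaseline with FirmwareIsUefi false means the machine is booting in legacy BIOS mode and cannot satisfy the Secure Boot requirement without a firmware change.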
At issue is the boot-up process of machines, where malware known as rootkits or "bootkits" could take action, going undetected by antivirus software. Secure Boot, a feature of Unified Extensible Firmware Interface-based machines, was a solution championed by Microsoft with the release of Windows 8 to protect against such malware.
While Microsoft will require Secure Boot for new Windows Server machines in January, it recently admitted that Secure Boot really isn't up to the task of protecting firmware, at least at the PC level. That detail arose when Microsoft explained its Secured Core PCs approach back in October. Secured Core PCs use a combination of TPM 2.0 and Windows Defender System Guard technologies to provide protections at the boot level.
About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.