Trusted platform module TPM

Microsoft enforces secure boot and TPM 2.0 in the next major release of Windows Server

Microsoft announcement about security features of the next Windows Server release

In the next major release, Microsoft will raise the security standard for Windows Server hardware certification to include secure boot and TPM 2.0 by default. This change will give customers increased confidence they are deploying Windows Server on platforms that maximize platform integrity without having to modify their RFP process.

The new Windows Server certification will require TPM 2.0 installed and enabled by default. For systems that have the next major Windows Server preinstalled, Secure Boot will be enabled by default. These requirements apply to servers where Windows Server will run, including bare metal, virtual machines (guests) running on Hyper-V or on third party hypervisors approved through the Server Virtualization Validation Program (SVVP).

These changes will enhance and automate built-in security on the next major Windows Server release.

About secure boot

Secure boot is a security standard developed by members of the PC industry to help make sure that a device boots using only software that is trusted by the Original Equipment Manufacturer (OEM). When the PC starts, the firmware checks the signature of each piece of boot software, including UEFI firmware drivers (also known as Option ROMs), EFI applications, and the operating system. If the signatures are valid, the PC boots, and the firmware gives control to the operating system.

The OEM can use instructions from the firmware manufacturer to create Secure boot keys and to store them in the PC firmware. When you add UEFI drivers, you’ll also need to make sure these are signed and included in the Secure Boot database.

For information on how the secure boot process works, including Trusted Boot and Measured Boot, see Secure the Windows 10 boot process.

About TPM 2.0

Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that helps you with actions such as generating, storing, and limiting the use of cryptographic keys. Many TPMs include multiple physical security mechanisms to make them tamper-resistant, and malicious software is unable to tamper with the security functions of the TPM.

Traditionally, TPMs have been discrete chips soldered to a computer’s motherboard. Such implementations allow you as the original equipment manufacturer (OEM) to evaluate and certify the TPM separate from the rest of the system. Some newer TPM implementations integrate TPM functionality into the same chipset as other platform components while still providing logical separation similar to discrete TPM chips.

TPMs are passive: they receive commands and return responses. To realize the full benefit of a TPM, you must carefully integrate system hardware and firmware with the TPM to send it commands and react to its responses. TPMs provide security and privacy benefits for system hardware, platform owners, and users.

Before it can be used for advanced scenarios, however, a TPM must be provisioned. Starting with Windows 10, the operating system automatically initializes and takes ownership of the TPM. That means that IT professionals should not have to configure or monitor the system.

For more information about the specific requirements that must be met, see System.Fundamentals.TPM20.

IT Professionals: To understand how TPM works in your enterprise, see Trusted Platform Module.
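The two requirements described above (Secure Boot enabled, TPM 2.0 present and ready) can be verified on a host from an elevated PowerShell session. This is an added example, not code from the announcement or from Microsoft; it assumes the built-in SecureBoot and TrustedPlatformModule modules and the Win32_Tpm WMI class are available on the server.

```powershell
# Added example (not part of the original post): report whether this host meets
# the Secure Boot and TPM 2.0 requirements discussed above. Run elevated.

function Get-PlatformIntegrityStatus {
    $result = [ordered]@{
        SecureBootEnabled = $false
        TpmPresent        = $false
        TpmReady          = $false
        TpmSpecVersion    = $null
        TpmIs20           = $false
        MeetsRequirement  = $false
    }

    # Confirm-SecureBootUEFI throws on legacy BIOS/CSM systems, where Secure
    # Boot cannot be on at all; treat that as "not enabled".
    try {
        $result.SecureBootEnabled = [bool](Confirm-SecureBootUEFI -ErrorAction Stop)
    } catch {
        $result.SecureBootEnabled = $false
    }

    # Get-Tpm reports presence and whether the OS has finished provisioning
    # (TpmReady), which is what Windows does automatically since Windows 10.
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    if ($tpm) {
        $result.TpmPresent = [bool]$tpm.TpmPresent
        $result.TpmReady   = [bool]$tpm.TpmReady
    }

    # The TPM family version comes from Win32_Tpm.SpecVersion; the string
    # begins with the family, for example "2.0, 0, 1.38" on a TPM 2.0 part.
    $wmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if ($wmi -and $wmi.SpecVersion) {
        $result.TpmSpecVersion = $wmi.SpecVersion
        $result.TpmIs20        = $wmi.SpecVersion.Trim().StartsWith('2.0')
    }

    $result.MeetsRequirement = ($result.SecureBootEnabled -and $result.TpmPresent -and $result.TpmReady -and $result.TpmIs20)
    [pscustomobject]$result
}

Get-PlatformIntegrityStatus | Format-List
```

Inside a Hyper-V guest the same checks apply, but both values depend on the VM being a Generation 2 machine with Secure Boot and a virtual TPM enabled in its settings.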

Sources

https://cloudblogs.microsoft.com/windowsserver/2020/06/11/microsoft-raises-the-security-standard-for-next-major-windows-server-release/

https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-secure-boot

https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-tpm
