During yesterday's announcement, one of the most controversial changes to Windows 11 from Windows 10 is the new requirement for a Trusted Platform Module - or TPM. Right now, Microsoft is saying that the "hard floor" for TPM requirements is 1.2, with a strong recommendation for 2.0. This has a lot of people rightly concerned about the ability for Windows 11 to run on older machines, and other than some Centrino laptops and enterprise workstations, they probably won't. In fact, a lot of systems being sold right now do not meet this requirement without BIOS changes. So why do this?
First we need to understand what a TPM is and how Windows uses it. A TPM is a sort of co-processor and small storage block used for secure access to private keys. The main uses for this are to keep BitLocker keys, Secure Boot keys and, crucially, authentication tokens, especially the Office 365 Primary Refresh Token. On systems with a TPM, this token is protected from malicious access, and that in combination with the device signing makes them basically impossible to extract and use on another device. Without a TPM, this token is stored in the Windows Credential Store and can be extracted by a sufficiently motivated attacker.
Microsoft is no longer an operating system company anymore. It recently hit a record $2 trillion dollar valuation driven mostly by Azure and Office 365 business consumption. When COVID hit and all businesses sent their workers home, Microsoft Teams experienced a gigantic uptick in usage, naturally. But a lot of these users were either on home computers without a TPM or on the cheapest laptops that could be sourced at a moment's notice. When the pandemic hit, I was doing cloud security architecture for a major financial services provider and we ran into significant issues enabling users to access cloud data while preserving security policies. We ended up having to just limit people coming in from a home computer from downloading any data whatsoever, regardless of policies we applied. From a security posture standpoint, there is a wide gulf between a fully updated and software-hardened Windows 10 Pro machine running on a cheap laptop versus a business laptop with a TPM and BitLocker enabled in hardware.
Right now, one of the biggest threats facing Azure AD-native organizations that run on commercial hardware is something called a Pass-the-PRT-attack. This allows someone with a machine logged into Azure AD to start authenticating against those services, even bypassing multi-factor authentication in a lot of common configurations. On a machine with no TPM, this token is stored on disk, and without BitLocker, it can be grabbed a bunch of different ways, online and offline. With BitLocker and a TPM, you are basically restricted to grabbing it from memory during an active session.
With Microsoft clearly launching Windows 11 as a cloud-first operating system, with deep Teams integration and being pushed as a platform for its Azure AD and Office 365 services the on-disk, PRT is simply too great a risk to allow to go forward, but it also can't start breaking Windows 10 on people. This might be the entire reason behind Windows 11, or a major driving factor at the very least.
With recent CPUs from Intel with its Platform Trust Technology (PTT), and AMD with its firmware TPM (fTPM) mostly supporting an on-chip TPM, even if they are usually disabled by default, most modern computers will support this - although not all. However, these have some issues compared to independent TPM chips, especially when you do a BIOS update. Because they are tied to the device's firmware and not separate. Updates to the BIOS can clear them and will disable them, requiring a re-initialization.
On the left AMD, on the right Intel
My opinion as a security professional is that this is a significant step forward in end-user security, especially in businesses, and that most people will appreciate what this enables Microsoft to turn on by default. The argument that it will restrict Windows 11 to new hardware is a valid one, and something that will both affect adoption and cause a lot of support problems when users are unable to install it and don't understand why. There are still people who go buy the latest version of Windows from a store like Best Buy and this is going to be an interesting conversation between their sales rep and their eager customers, especially since even the health check application is a little confused over the requirement.
This is likely going to be an ongoing debate for some time, as computers without TPM will be ticking around for a long time so there is a good chance Windows 10 is going to stick around like Windows XP and Windows 7 did before it. I think I am in favor of it, although I personally have computers I will be unable to upgrade because of this.
207 Comments - Add comment