Windows 10: TPM 2.0 must be present and enabled by default for all new Win 10 PC`s

TPM 2.0 must be present and enabled by default for all new Windows 10 PCs on July 29, 2016





Source and Pdf download: http://sec.ch9.ms/slides/winHEC/03_WindowsSecurity.pdf

:)

 

Do I need enable TPM 2.0 for my Windows 10 to get the security protection for my hard drive?

Yes, 'coz since July 28, 2016, all new device models, lines or series must implement and enabled TPM by default.

 

Windows 10 Pro, more or less secure when TPM is enabled?

I'm not an IT professional, just a home user seeking knowledge.

I have two PC's, not networked nor on a domain. Both running Windows 10 Pro version 1703. Both are hardwired to the router. TPM 2.0 is enabled on the newer PC and the older PC does not have TPM, neither 1.2 or 2.0. Neither PC has BitLocker or Secure Boot
enabled.

Automatic enabling of TPM is touted by MS as a security feature in Windows 10 if you have the appropriate hardware. What is the older PC without TPM vulnerable to that the newer PC with TPM is invulnerable? What does the presence of TPM prevent from occurring?
What can happen to the non-TPM PC that cannot happen to the TPM PC?

I understand that antivirus software mitigates infection by a virus, malware etc. What does TPM mitigate? Does it prevent unauthorized remote access to my PC as a result of a download, an email or browsing an infected website?

I have talked with 7 people at MS and no one can give me a meaningful answer to these questions!

Or is it that TPM only enhances security when paired with Bitlocker and/or Secure Boot?

 

Are they serious, this is to be taken literally? Well that is a big deal. Most peoples desktops do not have a hardware installation of TPM or even have an option to install an add-on card. I have it on my current system, which isn't that old, but I had to buy a card to support it. This is more of their ill thought out strong arm tactics that screw their customers.

 

Well you have to read the exception - this does not apply to OEM systems. However, it means that for people like me, who build their own systems, that you have to have a motherboard that supports TPM or a TPM add-on discrete module (mine was the latter) or your SOL. Another attempt to make it inconvenient to build your own.

 

How do I get TPM 2.0? I don't know what it is or how I get it.

 

Here's some more information about TPM 2.0 and Windows 10. *Smile

TPM recommendations (Windows 10)

 

According to the article, you need to either have TPM 2,0 supported by your motherboard or get an add-on module if that is supported by your motherboard. This only applies if you have built your own computer. If you bought a computer, for example an HP or DELL, you do not need to worry.

If you built your own, consult your motherboard manual to see how and if TPM is supported.

Here is what a TPM header looks like:





and here is a module:

http://www.amazon.com/Asus-Accessory...1&keywords=tpm
.

 

I'm expecting a big rise in Ransomware attacks.

Agreed.

Yet another attempt by MS to claim that they actually own your PC(s).
It will (probably) make it harder to install a different OS.

 

From my reading of it. This applies to manufacturers who are selling components. To be Win 10 compliant a new motherboard must have a TPM 2.0 module.

There is nothing different for the end user who wishes to build their own computer and install Win 10 on older gear. If you want to install another operating system on one of the new motherboards and that operating system does not use the TPM, you can disable it in the BIOS.

 

- good to see them setting the standard firmly and squarely at the mobo
- it's a kind of firmware "line in the sand"

 

Completely agree. Way too much hand wringing going on with no basis.

 

Well looking at the slides again, it is required for certain features like device health, but they do say TPM 2.0 is a minimum requirement for anniversary addition, though it does sound like maybe this might be for new sku. The language is kind of contradictory.

Here is some more from last year - not new news I guess:

http://www.uefi.org/sites/default/fi...SecureBoot.pdf

and a little more clear - no need to worry. Looks like it is only required if firmware supports it or the device is 1 year past RTM.

 

If you don't read the exception carefully, you might think it says it doesn't apply to OEM's, but in fact it ONLY applies to OEM's. The exception is only for OEM's with specific requirements.

This is nothing more than a requirement to get the "Designed for Windows" logo for OEM's. If you build your own system, it doesn't apply to you.

This is not a case of the software not working on systems without TPM's, it's a case that MS won't allow you to have the logo if you don't have one.

 

Can I understand this then, it's just for some kind of seal then(Germans love those approval seals, on everything, by the way, right Frank?)
I like the idea, personally, that my next PC will be even more secure(and with this implemented hopefully the 3rd party software).