Determine hardware and firmware requirements for secure boot and encryption key functionality

Confirming whether or not your hardware and firmware support Secure Boot and encryption keys doesn’t really have anything to do with Windows Server 2016 itself: these features must be supported at a lower level than the operating system, in the firmware and the hardware. This post will address Microsoft’s 70-744 exam objective “Determine hardware and firmware requirements for secure boot and encryption key functionality”.


This post is part of our Microsoft 70-744 Securing Windows Server 2016 exam study guide series. For more related posts and information check out our full 70-744 study guide.


Secure Boot

Secure Boot is part of the UEFI (Unified Extensible Firmware Interface) 2.3.1 Errata C (or higher) specification and helps make sure that the server will only boot using software that the firmware trusts. With Secure Boot enabled, each piece of boot software, including any option ROMs and the operating system loader itself, is checked against a database of known-good signatures kept in the firmware. Assuming each signature is valid, the firmware runs the software and the operating system boots as expected.

With Secure Boot in use, and assuming that correct verification continues in the steps that follow (the boot loader verifying the kernel, and so on), we can help prevent the execution of unsigned code. As Secure Boot is implemented in UEFI, whether or not you can make use of it on your machine will depend on your specific hardware, so take a look through the UEFI options of the system in question to find whether it is enabled or disabled, or otherwise check with your hardware vendor.

Trusted Platform Module

Likewise, Windows Server 2016 supports use of the Trusted Platform Module (TPM) chip, and works with versions 2.0 and 1.2. It’s also worth noting that TPM 2.0 is not backwards compatible with version 1.2. To determine whether your server has a TPM available you can check in Device Manager under Security devices in Windows, or otherwise look through the UEFI options. Note that the TPM may be disabled in the UEFI settings, so it’s worth booting into the firmware setup and checking: you may have a TPM available that has simply been set to disabled.

A TPM doesn’t necessarily need to be physically present as a chip on the hardware; it’s also possible to use a firmware-based TPM solution. Windows should work with discrete, integrated or firmware TPM options.

For further detailed information on Microsoft’s TPM recommendations see this post: https://technet.microsoft.com/en-au/itpro/windows/keep-secure/tpm-recommendations
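The checks described above (Secure Boot state in UEFI, TPM presence and version in Device Manager) can also be gathered from an elevated PowerShell session, as in this added example, which is not part of the original post. It assumes Windows Server 2012 R2 or later with the SecureBoot module available, and reads the TPM specification version from the Win32_Tpm WMI class.

```powershell
# Added example: report the Secure Boot and TPM facts this section says to
# check by hand. Assumes an elevated session on a UEFI-capable Windows Server.
function Get-BootSecurityReadiness {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        FirmwareIsUefi    = $false
        SecureBootEnabled = $false
        TpmPresent        = $false
        TpmEnabled        = $false
        TpmSpecVersion    = $null   # e.g. "2.0, 0, 1.16" or "1.2, 2, 3"
    }

    # Confirm-SecureBootUEFI returns True/False on UEFI firmware and throws on
    # legacy BIOS (or when not elevated), so a thrown error means "not UEFI here".
    try {
        $result.SecureBootEnabled = [bool](Confirm-SecureBootUEFI -ErrorAction Stop)
        $result.FirmwareIsUefi    = $true
    } catch {
        $result.FirmwareIsUefi = $false
    }

    # Win32_Tpm returns nothing when the TPM is absent or disabled in UEFI, which
    # matches the post's warning that a TPM may exist but be switched off.
    $tpm = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if ($tpm) {
        $result.TpmPresent     = $true
        $result.TpmEnabled     = [bool]$tpm.IsEnabled_InitialValue
        $result.TpmSpecVersion = $tpm.SpecVersion
    }

    [pscustomobject]$result
}

# Usage: print the findings and flag anything that would block Secure Boot or TPM 2.0.
$status = Get-BootSecurityReadiness
$status | Format-List
if (-not $status.FirmwareIsUefi)    { Write-Warning 'Legacy BIOS firmware: Secure Boot is not available.' }
if (-not $status.SecureBootEnabled) { Write-Warning 'Secure Boot is disabled; enable it in the UEFI settings.' }
if (-not $status.TpmPresent)        { Write-Warning 'No TPM visible; check whether it is disabled in UEFI.' }
elseif ($status.TpmSpecVersion -notlike '2.0*') {
    Write-Warning "TPM is not version 2.0 (reported: $($status.TpmSpecVersion))."
}
```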

Summary

We have shown you how to determine hardware and firmware requirements for secure boot and encryption key functionality with Microsoft’s BitLocker.


