Windows 10 and TPM 2.0

Jun 29 2018

Starting with Windows 10 v1607, OEMs like Dell, HP, Lenovo etc. are required to support TPM 2.0 on new machines certified for Windows 10. Exceptions apply for special-purpose commercial systems, custom orders, and machines delivered with a custom image from the customer, but that is the general rule.

But does that mean Windows 10 won't run on machines that only have TPM 1.2, or on machines that haven't been updated/configured to use TPM 2.0?
- Nope, Windows 10 will run just fine. The machines are just less secure: you can't use all the security features in Windows 10, or at least not in their most secure configuration.


Why TPM 2.0?

TPM 2.0 has actually been around since 2013, so it’s not exactly new. But why should you bother upgrading?

Security, of course: TPM 2.0 is simply much more secure. TPM 1.2 was originally built around the RSA and SHA-1 algorithms, which are not the most secure choices, to say the least (read: insecure). Once you start reading up on TPM 2.0 you'll learn that it adds a ton of security features compared to TPM 1.2. In fact there is a free 375-page eBook from Apress on the topic: A Practical Guide to TPM 2.0.

Microsoft also has a good, and much shorter, read here: TPM recommendations.


Windows 10 features that require TPM 2.0

Since TPM 2.0 was released back in 2013, Windows 7 (released in 2009) obviously won't work with it, but which Windows 10 features require TPM 2.0?

Here is the list:

  • Device Encryption (not regular BitLocker, which works with TPM 1.2, but the automatic encryption used on modern standby / connected standby devices)
  • The very first version of Windows 10, v1507, only supported TPM 2.0 for the Credential Guard feature. All current versions support both TPM 1.2 and TPM 2.0.


Windows 10 features that are more secure with TPM 2.0

All of them, but especially BitLocker, Windows Hello, Credential Guard, UEFI Secure Boot, etc.

Converting/Upgrading TPM 1.2 to TPM 2.0

If you have machines running Windows 7 and you want to upgrade/reuse them for Windows 10, you should convert/upgrade TPM 1.2 to TPM 2.0 on systems that support it, preferably in the deployment task sequence. All major vendors provide tools that let you do this in an automated fashion.

Anton Romanyuk (@admiraltolwyn) has a good post about automating the process in a task sequence here:

TPM Upgrade Process on Dell & HP Systems Using MDT
https://www.vacuumbreather.com/index.php/blog/item/44-tpm-upgrade-process-on-dell-hp-systems-using-mdt


Note: Most hardware models currently in use require physical presence (someone at the keyboard to confirm a prompt) during the upgrade from TPM 1.2 to TPM 2.0, so the step cannot be made fully unattended.
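As an added example (PowerShell written for this post, not code from the original article or from Anton's guide), here is a script you can drop into a task sequence before the vendor's TPM update step. It reads the TPM spec version from the Win32_Tpm WMI class, reports the state of the features listed above that benefit from TPM 2.0 (Secure Boot, BitLocker on the OS drive, Credential Guard), and then sets a task sequence variable so that a conditional "Upgrade TPM" step only runs where it makes sense. The variable name TPMUpgradeNeeded is an assumption for this example; the WMI classes, cmdlets and the Microsoft.SMS.TSEnvironment COM object are the standard Windows/ConfigMgr ones.

```powershell
# Added example, not from the original post: inventory the TPM and the Windows 10
# features that benefit from TPM 2.0, then tell the task sequence whether the
# vendor "Upgrade TPM 1.2 to 2.0" step should run. Run elevated on Windows 10.
# The task sequence variable name TPMUpgradeNeeded is an assumption for this example.

function Get-TpmSpecInfo {
    # Win32_Tpm lives in its own WMI namespace. SpecVersion is a string such as
    # "1.2, 2, 3" or "2.0, 0, 1.16"; the first field is the spec family we care about.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) {
        return [pscustomobject]@{ Present = $false; Major = $null; SpecVersion = $null }
    }
    [pscustomobject]@{
        Present                 = $true
        SpecVersion             = $tpm.SpecVersion
        Major                   = ($tpm.SpecVersion -split ',')[0].Trim()   # "1.2" or "2.0"
        ManufacturerId          = $tpm.ManufacturerId
        ManufacturerVersion     = $tpm.ManufacturerVersion
        PhysicalPresenceVersion = $tpm.PhysicalPresenceVersionInfo
        Enabled                 = $tpm.IsEnabled_InitialValue
        Activated               = $tpm.IsActivated_InitialValue
    }
}

function Get-TpmDependentFeatureState {
    # Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS machines, so treat that as "not supported".
    $secureBoot = try { Confirm-SecureBootUEFI } catch { 'NotSupported' }

    # BitLocker on the OS volume (needs the BitLocker module, present on Pro/Enterprise).
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $bitLocker = if ($bl) { "$($bl.VolumeStatus) / protection $($bl.ProtectionStatus)" } else { 'Unavailable' }

    # Credential Guard: Win32_DeviceGuard.SecurityServicesRunning contains 1 when it is running (2 = HVCI).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $credGuard = if ($dg) { [bool]($dg.SecurityServicesRunning -contains 1) } else { 'Unavailable' }

    [pscustomobject]@{
        FirmwareType     = $env:firmware_type   # 'UEFI' or 'Legacy'; Windows only uses TPM 2.0 under UEFI
        SecureBoot       = $secureBoot
        BitLockerOSDrive = $bitLocker
        CredentialGuard  = $credGuard
    }
}

function Test-TpmUpgradeNeeded {
    param([Parameter(Mandatory)] $TpmInfo, [Parameter(Mandatory)] $FeatureState)
    # An upgrade only makes sense for a present TPM 1.2 on a UEFI system; on legacy BIOS
    # the firmware mode has to be switched first or Windows will not use the 2.0 TPM.
    return ($TpmInfo.Present -and $TpmInfo.Major -eq '1.2' -and $FeatureState.FirmwareType -eq 'UEFI')
}

$tpm      = Get-TpmSpecInfo
$features = Get-TpmDependentFeatureState
$tpm      | Format-List
$features | Format-List

$needed = Test-TpmUpgradeNeeded -TpmInfo $tpm -FeatureState $features
if ($needed) {
    Write-Output "TPM $($tpm.SpecVersion) on a UEFI system: run the vendor TPM 1.2 -> 2.0 update step."
    Write-Output "Expect a physical-presence prompt (PP version $($tpm.PhysicalPresenceVersion)); someone must be at the machine."
}

# Hand the decision to the task sequence (MDT/ConfigMgr). Outside a task sequence the COM
# object does not exist, so just report instead of failing.
try {
    $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
    $tsenv.Value('TPMUpgradeNeeded') = [string]$needed
} catch {
    Write-Warning "Not running inside a task sequence; TPMUpgradeNeeded would be '$needed'."
}
```

In the task sequence, put a condition of Task Sequence Variable TPMUpgradeNeeded equals True on the vendor update step. The script deliberately does nothing about the physical-presence prompt: that prompt is the TPM's own protection against silent firmware changes, so the practical answer is to schedule these upgrades when a technician is at the machine, as the note above says.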

/ Johan
Happy deployment, and thanks for reading!


What our lawyers make us say:

This information is provided "AS IS" with no warranties, confers no rights and is not supported by the authors or Deployment Artist.

Copyright © 2017 by Deployment Artist (the company behind deployment research). All rights reserved. No part of the information on this web site may be reproduced or posted in any form or by any means without the prior written permission of the publisher.

Shorthand: Don't pass off our work as yours, it's not nice.
