The TPM chip controversy for Windows 11 is a non-issue for Windows Server

News Analysis
Jul 08, 2021
Microsoft | Windows Server

In announcing the next version of Windows Server, Microsoft set the stage for TPM, so hardware makers know what’s coming.

By now you’ve heard about the kerfuffle surrounding Windows 11 and its requirement for a Trusted Platform Module (TPM) chip, which is not standard on the majority of PCs and threatens to leave many newer Windows 10 PCs blocked from being upgraded.

Normally the issues around a new version of Windows are system requirements, but here, the issue is the TPM chip. TPM is a specially designed chip that assists with security surrounding credentials. It ensures that boot code that’s loaded, such as firmware and OS components, hasn’t been tampered with. It can also encrypt the drive contents to protect against theft. Microsoft is mandating that systems have a TPM based on the 2.0 specification, but few PCs do. Those that do ship with it have it turned off by default, but it is easily activated.

It’s an issue because Windows client and Windows Server share a whole lot of code. That’s why Patch Tuesday fixes almost always apply to the Windows 10 client (Windows 7 is no longer supported) along with Server 2019 and 2016. The main difference between client and server is the services wrapped around the core operating system. So what happens to one usually happens to the other. But not in this case.

Microsoft server details

Computerworld has been covering this story from the client side, so we will focus on the server side. And as it turns out, Microsoft handled the server software a lot better than it did the client.

Jim Gaynor, lead analyst with Directions on Microsoft, says the TPM module is a “non-issue” because on June 11, 2020, Microsoft announced that Windows Server hardware certification would require UEFI and TPM 2.0 hardware for new server platforms introduced to market after January 1, 2021. If you missed that news, join the club. I think we were all a little distracted back then.

Servers that shipped with what was then being called “the next major Windows Server release” (which is now known as Windows Server 2022) preinstalled would have to have Secure Boot enabled by default.
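The certification baseline described above comes down to three checkable properties of a host: UEFI firmware, a TPM that reports the 2.0 specification, and Secure Boot enabled. The following PowerShell function is an added example, not code from the article, from Microsoft or from Directions on Microsoft; it reads those properties with the built-in Win32_Tpm WMI class and the Confirm-SecureBootUEFI cmdlet and returns a single verdict. The function name and the output field names are this example’s own choices. Run it from an elevated session, since both the TPM class and the Secure Boot cmdlet require administrator rights.

```powershell
# Added example: report whether this Windows host meets the UEFI + TPM 2.0 +
# Secure Boot baseline the article describes for Windows Server 2022 hardware.
# Requires an elevated PowerShell session.

function Get-PlatformSecurityBaseline {
    $result = [ordered]@{}

    # TPM presence, spec version and state via the Win32_Tpm WMI class.
    # The query returns nothing when no TPM is present or visible to the OS.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if ($null -eq $tpm) {
        $result.TpmPresent    = $false
        $result.TpmSpecVersion = $null
        $result.Tpm20         = $false
        $result.TpmEnabled    = $false
        $result.TpmActivated  = $false
    } else {
        $result.TpmPresent    = $true
        # SpecVersion is a comma-separated string such as "2.0, 0, 1.38";
        # the first field is the specification family we care about.
        $result.TpmSpecVersion = $tpm.SpecVersion
        $result.Tpm20         = (($tpm.SpecVersion -split ',')[0].Trim() -eq '2.0')
        # A TPM that ships disabled (the default the article mentions) shows up here.
        $result.TpmEnabled    = [bool]$tpm.IsEnabled_InitialValue
        $result.TpmActivated  = [bool]$tpm.IsActivated_InitialValue
    }

    # Secure Boot state. Confirm-SecureBootUEFI throws on legacy BIOS systems,
    # which is itself the answer: no UEFI firmware means no Secure Boot.
    try {
        $result.SecureBootEnabled = [bool](Confirm-SecureBootUEFI -ErrorAction Stop)
        $result.Uefi = $true
    } catch {
        $result.SecureBootEnabled = $false
        $result.Uefi = $false
    }

    # Overall verdict against the three requirements named in the article.
    $result.MeetsBaseline = ($result.Uefi -and $result.Tpm20 -and $result.SecureBootEnabled)

    [pscustomobject]$result
}

# Usage: print the report for the local host.
Get-PlatformSecurityBaseline | Format-List
```

A host that reports TpmPresent but not TpmEnabled is the common case on hardware that shipped with the module switched off in firmware; the fix is a firmware setting, not a hardware refresh. A host where the Secure Boot check throws has legacy BIOS firmware and fails the baseline regardless of its TPM.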

“As a result, the portion of the industry focused on Windows Server host hardware has fully expected Windows Server 2022 to require those capabilities, since Microsoft requires them for hardware certification,” he told me via email.

He hypothesizes that customers who are still on-premises and keeping up with the latest Server OS versions likely already have server hardware with UEFI and TPM support. For other customers, if they’re not keeping up with the latest, then it’s likely a non-issue. “They won’t be adopting 2022 anytime soon. They’ll adopt 2022 (if they aren’t still considering 2019) with a hardware refresh,” he said.

Microsoft made a lengthy blog announcement detailing its plans and intentions last June, and the OS isn’t due until next year. So the Server team gave customers a lot more running room and just handled the whole thing much better than the client team.

Competing With Apple

So why did Microsoft drop this bombshell on its Windows user base? Ashish Nadkarni, group vice president in IDC’s Worldwide Infrastructure Practice, believes it’s because Apple had a similar security chip, the T2, in its Macs.

“They are being beat up by Apple [over the T2] making it a hardware conversation. By forcing people to use TPM they can say they have a similar feature,” Nadkarni said.

IDC did a study for Dell of what features customers wanted in a server, and TPM was at the bottom of the list. The reason, he says, is that TPM has not found much favor in servers because the server side already had better drive security features, like Dell’s iDRAC and self-encrypting hardware in general.

Nadkarni notes that TPM only works if the drive is physically compromised. For a stolen laptop, that’s an issue. An unencrypted drive could be removed from the laptop and its contents compromised. So that’s valuable to a Windows client.

But how many hard drives get stolen from a data center? Some, I’m sure, but it’s nothing compared to laptop theft. So for servers, TPM is low on the list of priorities.