Windows 10 and TPM 2.0

Starting with Windows 10 v1607, OEMs such as Dell, HP and Lenovo are required to ship TPM 2.0 on new machines certified for Windows 10. Exceptions apply for special-purpose commercial systems, custom orders, and machines delivered with a customer-supplied image, but the general requirement stands.

But does that mean Windows 10 won't run on machines that only have TPM 1.2, or on machines whose TPM hasn't been updated/configured to TPM 2.0?
– Nope, Windows 10 will run just fine. The machines are just less secure: some Windows 10 security features are unavailable, and others run with weaker protection than they could.

Why TPM 2.0?

TPM 2.0 has actually been around since 2013, so it's not exactly new. But why should you bother upgrading?

Security, of course: TPM 2.0 is simply more secure. TPM 1.2 was built around RSA and SHA-1 only, and SHA-1 in particular is no longer considered secure. TPM 2.0 is algorithm-agile, so it can use SHA-256 and ECC in addition to RSA, and once you start reading up on it you'll find a ton of other added security features compared to TPM 1.2. In fact there is a free 375-page eBook from Apress on the topic: A Practical Guide to TPM 2.0.

Microsoft also has a good, and much shorter, read here: TPM recommendations.

Windows 10 features that require TPM 2.0

Since TPM 2.0 was released in 2013, Windows 7 (released in 2009) has no built-in support for it, but which Windows 10 features require TPM 2.0?

Here is the list:

  • Device Encryption (not regular BitLocker, which works with TPM 1.2; Device Encryption is the automatic encryption on modern standby / connected standby devices)
  • Credential Guard, but only in the very first version of Windows 10, v1507. All current versions support both TPM 1.2 and TPM 2.0 for Credential Guard.

Windows 10 features that are more secure with TPM 2.0

All of them, but especially BitLocker, Windows Hello, Credential Guard, UEFI Secure Boot, etc.

Converting/Upgrading TPM 1.2 to TPM 2.0

If you have machines running Windows 7 and want to reuse them for Windows 10, you should convert/upgrade TPM 1.2 to TPM 2.0 on systems that support it, preferably in the deployment task sequence. All major vendors provide tools that let you do this in an automated fashion.

Anton Romanyuk (@admiraltolwyn) has a good post about automating the process in a task sequence here:

TPM Upgrade Process on Dell & HP Systems Using MDT

Note: Most hardware models currently in use require physical presence (someone at the keyboard to confirm the change at boot) during the upgrade from TPM 1.2 to TPM 2.0, so a fully unattended conversion is not always possible.
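Before running a vendor conversion tool in a task sequence you want to know which TPM family the machine actually has, so the tool is only launched on TPM 1.2 systems. The script below is an added example, not code from the original post or from Anton's post: it reads the spec version from the Win32_Tpm WMI class and, when running inside an MDT/ConfigMgr task sequence, hands the decision to later steps via a task sequence variable. It assumes it runs elevated on Windows 8 or later; the variable name TPMNeedsUpgrade is a hypothetical name chosen here.

```powershell
# Added example (not from the original post): detect the TPM spec version
# before deciding whether to run a vendor TPM 1.2 -> 2.0 conversion step.
# Assumptions: running as administrator on Windows 8 or later and, when
# inside an MDT/ConfigMgr task sequence, the Microsoft.SMS.TSEnvironment COM
# object is available. TPMNeedsUpgrade is a hypothetical variable name;
# use whatever name your task sequence expects.

function Get-TpmSpecVersion {
    # Win32_Tpm.SpecVersion looks like "2.0, 0, 1.16" or "1.2, 2, 3";
    # the first comma-separated field is the TPM family we care about.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName 'Win32_Tpm' -ErrorAction SilentlyContinue
    if (-not $tpm) { return 'None' }   # no TPM present, or TPM disabled in firmware
    return ($tpm.SpecVersion -split ',')[0].Trim()
}

$spec = Get-TpmSpecVersion
switch ($spec) {
    '2.0'   { $needsUpgrade = $false
              Write-Output "TPM 2.0 present; nothing to do." }
    '1.2'   { $needsUpgrade = $true
              Write-Output "TPM 1.2 present; run the vendor conversion tool (physical presence may be required)." }
    default { $needsUpgrade = $false
              Write-Output "No usable TPM detected (SpecVersion: '$spec'). Check firmware settings." }
}

# Inside a task sequence, pass the decision to the next step as a TS variable
# so the vendor tool step can be conditioned on TPMNeedsUpgrade = True.
try {
    $ts = New-Object -ComObject 'Microsoft.SMS.TSEnvironment'
    $ts.Value('TPMNeedsUpgrade') = [string]$needsUpgrade
} catch {
    # Not running inside a task sequence (the COM object only exists there).
    Write-Output "Not in a task sequence; TPMNeedsUpgrade would be $needsUpgrade"
}
```

Run it as a "Run PowerShell Script" step right before the vendor's conversion step, and put the condition "Task Sequence Variable TPMNeedsUpgrade equals True" on that conversion step. Outside a task sequence the script simply reports what it found, which is handy for inventorying a Windows 7 fleet before the migration.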

/ Johan

About the author

Johan Arwidmark
