TPMpocalypse; Microsoft singlehandedly destroys the TPM market

10 minutes ago, LAwLz said:

But it won't, unless it is actually used for something which we don't know yet.

Just having a TPM does not inherently make your PC more secure just like having a safe in your house doesn't make your house more secure. You need to actually use it (like putting something in it) in order for it to do anything.

This is a false analogy.  TPM can also be used by a trusted 3rd party to put something in the safe that the home owner would not have access to.  So just because the home owner does not use the safe personally, it is still being used by others.  TPM is as much about protecting the PC from its owner (or whoever is in physical possession of it) as it is about protecting the owner from outside threats.

 

17 minutes ago, LAwLz said:

Yes and that's the problem I am having with the requirement. They say they require it but won't tell us why. That is the entire reason why I am so frustrated with Microsoft.

Their attitude of "because we say so" is not how you do security. Security is about transparency and understanding, and right now Microsoft are essentially giving anyone who asks them why TPM is required a big middle finger.

I mean, would it really matter?  If they tell us we need TPM for X purpose, the conversation will just transform into a debate about whether X is good or bad instead of whether TPM is actually needed or not.  It's the same conversation with a different flavor.  It's also possible they don't know what it will be used for, and just want to lay the groundwork for mandatory trusted computing going forward.

 

28 minutes ago, LAwLz said:

I will keep telling people that TPMs are useless IF they are not used by some feature. Because that is the truth.

And spare tires are useless on flying cars.  This is a truism.  If they actually ship this product with TPM as a hard requirement, surely they intend to have a use case for it, long term if not immediately.

 

32 minutes ago, LAwLz said:

What? Why are you bringing up TC-DRM? Nobody in this thread has mentioned that.

Is that what you think the TPM will be used for? I understand how a TPM could be used to enforce DRM but I am not too worried about that. There are other ways Microsoft could force DRM into Windows if they wanted, that wouldn't have to rely on a TPM.

I bring up TC-DRM because it's a major part of the armageddon that open source activists like Stallman have been writing about for ages.

 

Can You Trust Your Computer? - GNU Project - Free Software Foundation

 

And I'm using it as an example for that exact reason.  Even if W11 uses TPM in the worst possible way (Stallman's nightmare), it is still technically useful and serves a purpose.  You and I might not agree with and support that purpose, but that is beside the point.


8 minutes ago, chebsy said:

TPM is as much about protecting the PC from its owner

It also screws with the owner, not just protecting.


1 minute ago, NumLock21 said:

It also screws with the owner, not just protecting.

That is a better way to put it, yes.  It prevents the PC owner from accessing certain things in certain ways deemed "inappropriate" by the TC stack. 


16 minutes ago, chebsy said:

That is a better way to put it, yes.  It prevents the PC owner from accessing certain things in certain ways deemed "inappropriate" by the TC stack. 

DRM is seen as a bad thing. But, it's just a tool; it's how it's used that determines if it's "good" or "bad" to the end-user.

 

For example, some banking applications might not want the info screen captured. If you're the one doing the banking, and malware gets on there, you don't want it taking screenshots of the account. If your system did get infected, the best you can hope for is that any attempts to capture screenshots result in that portion of the banking app or site being blacked out.


18 minutes ago, chebsy said:

That is a better way to put it, yes.  It prevents the PC owner from accessing certain things in certain ways deemed "inappropriate" by the TC stack. 

So that is why TPM being a requirement for Windows 11 is stupid, unless MS were to claim Windows 11 is the most secure OS they ever built.


2 minutes ago, StDragon said:

DRM is seen as a bad thing. But, it's just a tool; it's how it's used that determines if it's "good" or "bad" to the end-user.

 

For example, some banking applications might not want the info screen captured. If you're the one doing the banking, and malware gets on there, you don't want it taking screenshots of the account. If your system did get infected, the best you can hope for is that any attempts to capture screenshots result in that portion of the banking app or site being blacked out.

Completely agree. 

2 minutes ago, NumLock21 said:

So that is why TPM being a requirement for Windows 11 is stupid, unless MS were to claim Windows 11 is the most secure OS they ever built.

I'm not saying that's how it will be used or implemented.  Just pointing out it's a possibility.  StDragon gave a real-world example of how that technology can be used in a constructive way. 


5 minutes ago, chebsy said:

I'm not saying that's how it will be used or implemented.  Just pointing out it's a possibility.  StDragon gave a real-world example of how that technology can be used in a constructive way. 

No idea who that person is or what they do that's considered a constructive way; the cons of TPM still outweigh the pros.


1 hour ago, StDragon said:

I'm still unclear though how TPM involves kernel isolation via virtualization 🤔.

I think I've figured out not only why TPM is a requirement, but also why it needs such new processors (Intel 7th gen and Zen+) for "experience" reasons.

 

Will post more tomorrow. It's 1 AM where I live and the post still needs some research and might be very technical.

 

 

It probably has to do with memory isolation.

Although since Microsoft aren't telling us it's just a guess from me.


2 hours ago, Radium_Angel said:

The last line about having a hard time visualizing how TPM improves security for me?

That's the key. 

 

MS is making it mandatory...what I"m asking is why? What does having the TPM enabled offer me?

https://www.google.com/amp/s/www.theverge.com/platform/amp/2021/6/25/22550376/microsoft-windows-11-tpm-chips-requirement-security

Well, according to this, in Microsoft's own words, it protects against the following: “Its purpose is to protect encryption keys, user credentials, and other sensitive data behind a hardware barrier so that malware and attackers can’t access or tamper with that data.”

Now, whether you care about this or not is up to you, but Microsoft seems to be pushing for this, so 🤷


1 hour ago, LAwLz said:

Memory integrity might be a reason why Windows 11 requires TPM 2.0.

Maybe they will make memory integrity mandatory? It doesn't require a TPM but becomes more secure with it. If they make that mandatory in Windows 11 then I can kind of see why they would want TPM 2.0 to be a requirement. Although I think that's very ham-fisted. I also don't think making it a requirement is a good idea since, as the how-to-geek article says, it breaks some drivers. Microsoft are so aware of this they even made the feature silently turn off if it runs into errors. Making it mandatory might cause a lot of issues for people.

Also, does it even work in the Home version of Windows? Windows 10 Home doesn't have Hyper-V support and Memory Integrity relies on Hyper-V. 

 

Also, it solve the reason why I am upset with Microsoft. We shouldn't have to sit here on an Internet forum and guess why they are pushing the requirements they are pushing. Why not just tell us?

 

Great finding by you and @Brooksie359 though.

I think I found the article I was recalling. It's this one I believe https://www.google.com/amp/s/www.theverge.com/platform/amp/2021/6/25/22550376/microsoft-windows-11-tpm-chips-requirement-security


1 hour ago, chebsy said:

This is a false analogy.  TPM can also be used by a trusted 3rd party to put something in the safe that the home owner would not have access to. 

Do you understand this is a recipe for disaster? If you thought ransomware was bad now, then wait until it's prebuilt into your hardware lol.

 

This isn't going to fly, but I look forward to Microsoft trying, I guess.

 

 


9 minutes ago, Mark Kaine said:

Do you understand this is a recipe for disaster? If you thought ransomware was bad now, then wait until it's prebuilt into your hardware lol.

 

This isn't going to fly, but I look forward to Microsoft trying, I guess.

 

 

TPM being required is the dumbest thing I have ever heard. Hopefully this dumb requirement gets removed when the OS goes RTM.


7 minutes ago, Mark Kaine said:

Do you understand this is a recipe for disaster? If you thought ransomware was bad now, then wait until it's prebuilt into your hardware lol.

 

This isn't going to fly, but I look forward to Microsoft trying, I guess.

 

 

Sure, but I can see both sides. 

 

Maybe it would be better if Joe's Used Car Emporium can only view my credit report on a trusted platform for a brief amount of time before it becomes inaccessible and useless. 

 

Because right now, how many countless credit reports, financial documents, and private information is floating around on insecure WinXP and Win7 systems at small businesses? 

 

There obviously needs to be a change in the way things are done, and MS needs to find the right balance. 

 

Perhaps sometime in the not too distant future, sensitive information (credit reports etc) can only be accessed on TC platforms like W11.  Would this be a bad thing?  Would it have unintended consequences?  I don't know.


8 hours ago, NumLock21 said:

No it doesn't, it just adds more hassle down the road, which is also the reason TPM never took off as a must-have security feature.

While I agree it does add hassle, especially when device encryption is enabled (RIP data recovery), it's actually widely used on every Windows laptop being sold that supports Windows Hello and/or has Secure Boot.

 

It has all the same problems and complaints as Apple's T2 chip does, although at least that does some extra things like audio processing (not that I agree it should be done there anyway).

 

The difference between Apple's implementation and Microsoft's, at least as it is now, i.e. Windows 10, is that things like device encryption are optional, not default, so you can choose to have them rather than being required to have them. I can't realistically see Microsoft making that mandatory/default with Windows 11 either.

 

It just seems highly silly to me to be criticizing Microsoft for leaving these things as optional so you can enable them if you want to. And sure, you could raise the argument that if it's optional then so should TPM 2.0 be, but if you intend to only support TPM 2.0 implementations of these security features and not have the non-TPM implementations supported anymore, then it gets either confusing or frustrating for the consumer who may want to enable it but cannot because they lack the TPM 2.0 hardware, because it was either omitted by the manufacturer (it was only optional on Microsoft's side, so cost savings win out) or you are using an older system. It would be even worse if you were that older system owner who was using these features in Windows 10 and then upgraded to Windows 11 only to find they no longer work.

 

Windows 11 is only in technical preview, it doesn't go RTM until November or December. There's A LOT of time for both things to change and information and documentation to be released. Patience and waiting for information is always an option.


 

[Edit] I saw @LAwLz's post after I posted mine. To avoid repeated info, I edited to add something that was missed:

 

TPM is also used for:

  • Hyper-V to check for untrusted hypervisors (Note that WSL2 and WSA (Android) use Hyper-V. A "light" version of Hyper-V is used for WSL2/WSA, which is how the Home edition of Windows 10 (and I assume 11) can use WSL2.)

    This is perhaps why Windows 11 also requires virtualization-based security (VBS) and hypervisor-protected code integrity (HVCI). But those aren't related to TPM.

  • Third-party software can use it.
  • OEMs or motherboard manufacturers CAN use it for firmware protection. (But sadly, to my knowledge, all or nearly all don't, and PCs still have malware being injected into firmware, forcing people to buy new PCs to fix the problem (well, change the motherboard..., but on laptops it's basically the entire system, as everything or nearly everything is soldered onto it... if lucky, then only the keyboard or touchpad, all depending on which firmware chip is compromised...))

 

 

Personally, I have no problem with Microsoft requiring TPM.

In fact, shame on motherboard manufacturers in the DIY space who set it to disabled by default, as if there is a downside to having it enabled. This is like, years ago, motherboard manufacturers setting the SATA controller to IDE emulation mode instead of SATA mode, leaving out AHCI from being used and blocking the full performance of the user's drive, because in the era of Windows 7/8, the manufacturer was afraid of a support call from someone installing XP. Smart!

 


10 hours ago, LAwLz said:

You can't say Microsoft have been clear with what features use the TPM, and then in literally the next sentence say you don't know what Windows 11 features will use the TPM.

Yes I can, I said they are at least that. That is literally the minimum they will be; they could be better, or Home now included, that's the part I do not know. But those same features are in both Windows 10 and Windows 11, and Windows 10 has TPM 2.0 implementations of these, some being optional. With Windows 11 requiring TPM 2.0, all the existing features that can use TPM 2.0 will do so in Windows 11 as opposed to might do so. Why is this so hard for you? It's not complicated.

 

Take the blindfold off and actually think about it, this SHOULD have been obvious.

 

Go back to the original table I posted, only read the TPM 2.0 column; that is your starting point.

  • Secure Boot will Only use TPM 2.0
  • Windows Hello will Only use TPM 2.0

These are just two changes I can say with 100% confidence are different between Windows 10 and Windows 11 that will be applicable even to Home edition if nothing in that feature support area changes. Outside of only sticking to Home edition, a seemingly sticking point for you, every No in the first column is a change for Windows 11; that's 7 of 15 current features.


11 hours ago, LAwLz said:

Windows Hello (non business) does not use the TPM.

Biometric data is not stored in the TPM as I said earlier (not supported by the standard) and the encryption key is not stored in the TPM either because Windows Hello (non business) uses symmetric encryption so there is no key to store.

Incorrect, it can use TPM even in Home edition. I have no idea where you got the idea from that it cannot.

 

 

[image attachment]

Quote

9 - To use Windows Hello with biometrics specialized hardware, including fingerprint reader, illuminated IR sensor, or other biometric sensors is required. Hardware based protection of the Windows Hello credential/keys requires TPM 1.2 or greater; if no TPM exists or is configured, credentials/keys protection will be software-based.

https://cdw-prod.adobecqms.net/content/dam/cdw/on-domain-cdw/brands/microsoft/Win10-Compare-Table.pdf

 

11 hours ago, LAwLz said:

Also, Secure Boot does not use a TPM.

Incorrect, Secure Boot can use TPM. You aren't reading anything are you?

 

Quote

 

Windows Features  | TPM Required | Supports TPM 1.2 | Supports TPM 2.0 | Details
UEFI Secure Boot  | No           | Yes              | Yes              |

 

 

image of platform integrity architecture

Quote

Implementation of UEFI Secure Boot is part of Microsoft’s Trusted Boot Architecture, introduced in Windows 8.1. A growing trend in the evolution of malware exploits is targeting the boot path as a preferred attack vector. This class of attack has been difficult to guard against, since antimalware products can be disabled by malicious software that prevents them from loading entirely. With Windows Trusted Boot architecture and its establishment of a root of trust with Secure Boot, the customer is protected from malicious code executing in the boot path by ensuring that only signed, certified “known good” code and boot loaders can execute before the operating system itself loads.

https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-secure-boot-key-creation-and-management-guidance

 

TPM Windows Secure Boot is old as.

 

You post false information, then keep posting, ignore literal evidence right in front of you, refuse to comprehend rather basic points. I'm out, this is futile and literally pointless as it's still only a technical preview. You'd have a much stronger position if Windows 11 were RTM or GA but it's not; information may just not be ready to be released yet.

 

If you are intentionally trying to annoy me by ignoring literal first party evidence right in front of you then you are doing a right stand up job. Don't tell me I'm wrong when I posted the correct information page(s) before hand that you didn't even read.

 


8 hours ago, chebsy said:

Sure, but I can see both sides. 

 

Maybe it would be better if Joe's Used Car Emporium can only view my credit report on a trusted platform for a brief amount of time before it becomes inaccessible and useless. 

 

Because right now, how many countless credit reports, financial documents, and private information is floating around on insecure WinXP and Win7 systems at small businesses? 

 

There obviously needs to be a change in the way things are done, and MS needs to find the right balance. 

 

Perhaps sometime in the not too distant future, sensitive information (credit reports etc) can only be accessed on TC platforms like W11.  Would this be a bad thing?  Would it have unintended consequences?  I don't know.

As someone that works in a place with zero computers compatible with the W11 requirements, sticking it to small businesses and forcing them to buy new hardware is pretty craptastic. Thankfully W10 has some more years of support and so we're not hung out to dry, but our Ryzen 1600 machine being incompatible is particularly annoying to me. I'm not shocked the AMD FX system is too old, and while it should work because in every other way it would be fine, my personal 4th gen i7 system has plenty of life left in it for what I do.

 

Especially right now and maybe even into 2022, there will be hardware shortages and none of it is getting any cheaper, so knowing in a few years we'll be replacing multiple entire platforms due to incompatibility, sucks.


2 hours ago, leadeater said:

Go back to the original table I posted, only read the TPM 2.0 column; that is your starting point.

  • Secure Boot will Only use TPM 2.0
  • Windows Hello will Only use TPM 2.0

The problem is that you don't understand what the information presented to you in that table means and because of this you're making assumptions.

 

 

2 hours ago, leadeater said:

Incorrect, it can use TPM even in Home edition. I have no idea where you got the idea from that it cannot.

 

 

[image attachment]

It doesn't. You are confused because you don't fully understand how Windows Hello works and are making assumptions.

Windows Hello and Windows Hello for Business are two very different things that work completely differently.

Windows Hello for Business can and should use a TPM.

Windows Hello (non-business) does not and can not use a TPM. It doesn't use it for biometric data like you said because a TPM can not store biometric data. It's simply not in the spec. It doesn't store the encryption key either because there is no key to store. Windows Hello (non-business) uses symmetrical encryption. Do you understand what that means and what implications that has? Because I want you to tell me if you don't because otherwise we'll just end up talking in circles.

You have to understand the intricate details of these things before we can discuss them. There is no room for assumptions.

 

Like I said, you can even test this on your own by configuring Windows Hello (non-business) on a computer with a TPM and then clearing your TPM. Windows Hello will still work because it does NOT store anything in the TPM unless you are using Windows Hello for Business.

 

 

2 hours ago, leadeater said:
Quote

9 - To use Windows Hello with biometrics specialized hardware, including fingerprint reader, illuminated IR sensor, or other biometric sensors is required. Hardware based protection of the Windows Hello credential/keys requires TPM 1.2 or greater; if no TPM exists or is configured, credentials/keys protection will be software-based.

https://cdw-prod.adobecqms.net/content/dam/cdw/on-domain-cdw/brands/microsoft/Win10-Compare-Table.pdf

That's talking about Windows Hello for Business. The problem is that the chart you posted is from 2015, and Microsoft used the umbrella term "Windows Hello" to refer to both the business and non-business version back then. It wasn't until later that they started distinguishing between the two. I mean, just look at the announcement of Windows Hello. This is a quote from the Windows Hello announcement in 2015:

Quote

Of course, convenience and simplicity should never sacrifice security and privacy. Windows Hello offers enterprise-grade security that will meet the requirements of organizations with some of the strictest requirements and regulations. It’s a solution that government, defense, financial, health care and other related organizations will use to enhance their overall security, with a simple experience designed to delight.

 

Does that sound like the non-business or business version to you?

 

Also, I found this GitHub thread so you don't even have to test the "clear TPM" thing for yourself:

Quote

Please note that TPM has nothing to do with Fingerprints data. It only stores passwords, certificates, or encryption keys. While the passport services handle the identity keys to authenticate the users.

 

 

 

 

2 hours ago, leadeater said:

Incorrect, Secure Boot can use TPM. You aren't reading anything are you?

The problem is that you are reading things incorrectly and are making assumptions.

Secure Boot does not use the TPM. When Microsoft says that Secure Boot supports the use of a TPM, it doesn't mean what you think it means, and it certainly doesn't mean it in a way a home user can use it.

 

Take the flowchart you posted as an example. It is what I talked about here:

21 hours ago, LAwLz said:
  • Measured Boot - A feature where the bootloader logs what happens during the boot, so that it can be sent to a posture check server.

You are literally posting things I have tried to explain to you before.

If you don't understand the intricate details of exactly what is being stored in the TPM, or how it is used then this is a very difficult conversation to have. You have to understand these details in order to discuss them because details matters a lot.

I got a feeling you just googled "what is a TPM used for" and then clicked on the first link and started posting this stuff without understanding it. Trust me, I do understand what a TPM is and how Windows uses it at a fairly decent level. Nothing I have said in this thread is incorrect. The reason why you think it is misinformation is because you don't understand it.

You think that a check box at "Windows Hello - TPM recommended" means that Windows Hello (non business) will use a TPM to store a fingerprint or whatever. That is not the case and that's not what the chart is trying to tell you. 

 

The flowchart showing how "Secure boot can use a TPM" you just posted doesn't actually say what you think it says either. It shows the entire secure boot process going through before the TPM gets invoked. Like I said earlier, the certificates necessary to run secure boot are not stored in the TPM, because the TPM hasn't even been initialized when the secure boot process starts.

What that flowchart shows is that once secure boot has checked everything, it can save a hash of the secure boot sequence to the TPM, and then the Windows login process can send that hash to a health attestation server which then can reject the computer from logging in if it detects something out of the ordinary. Notice how the health check is done after the "Windows Logon" process? That should be a pretty big hint to you that it is not part of the secure boot process. Because once the Windows Logon service is running, secure boot is done.

 

 

2 hours ago, leadeater said:
Quote

Implementation of UEFI Secure Boot is part of Microsoft’s Trusted Boot Architecture, introduced in Windows 8.1. A growing trend in the evolution of malware exploits is targeting the boot path as a preferred attack vector. This class of attack has been difficult to guard against, since antimalware products can be disabled by malicious software that prevents them from loading entirely. With Windows Trusted Boot architecture and its establishment of a root of trust with Secure Boot, the customer is protected from malicious code executing in the boot path by ensuring that only signed, certified “known good” code and boot loaders can execute before the operating system itself loads.

https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-secure-boot-key-creation-and-management-guidance

 

TPM Windows Secure Boot is old as.

I recommend you read that article again, because it does not say what you think it says. That article refers to BitLocker and how BitLocker won't decrypt the drive until the Secure Boot process is finished. It does not say Secure Boot uses the TPM.

 

 

2 hours ago, leadeater said:

You post false information, then keep bosting, ignore literal evidence right in front of you, refuse to comprehend rather basic points. I'm out, this is futile and literally pointless as it's still only a technical preview. You'd have a much stronger position if Windows 11 were RTM or GA but it's not, information may just not be ready to be release yet.

No I don't. It's just that I understand what the "evidence" posted actually says, and it's not the same as what you think it says.

 

 

2 hours ago, leadeater said:

If you are intentionally trying to annoy me by ignoring literal first party evidence right in front of you then you are doing a right stand up job. Don't tell me I'm wrong when I posted the correct information page(s) before hand that you didn't even read.

I have read the information pages. It's just that I don't think you understand what they say. That's why you keep posting misinformation such as biometric data being stored in the TPM, or that Secure Boot uses the TPM. None of those are true. 

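The record-then-attest flow described in the post above (Secure Boot decides what runs, the boot chain is measured into a TPM PCR, and a health attestation check after logon compares the result with a known-good value) as a runnable model. This is an added illustration, not code from any poster or from Microsoft; the boot stages, their contents and the golden value are constructed, and verification of the TPM quote's signature is left out.

```python
import hashlib
from typing import List, Tuple

# Model of measured boot as described in the thread: each boot stage is
# hashed (measured) and folded into a PCR, and a verifier later replays the
# event log and compares the PCR with a known-good value. This is a model,
# not Microsoft's implementation; all sample data below is constructed.

PCR_SIZE = 32  # SHA-256 bank: a PCR is a 32-byte register that starts at zero

Event = Tuple[str, bytes]  # (stage name, bytes loaded at that stage)


def measure(data: bytes) -> bytes:
    """Digest of a boot component, as recorded in the event log."""
    return hashlib.sha256(data).digest()


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend semantics: new PCR = H(old PCR || digest).

    The register can only be extended, never written directly, so the final
    value depends on every measurement and on the order they were made in.
    """
    return hashlib.sha256(pcr + digest).digest()


def simulate_boot(events: List[Event]) -> Tuple[bytes, List[Tuple[str, bytes]]]:
    """Run a boot chain: extend the PCR per stage and keep the event log.

    Returns the final PCR (what a TPM quote would report) and the list of
    (stage, digest) entries that the verifier will replay.
    """
    pcr = bytes(PCR_SIZE)
    log: List[Tuple[str, bytes]] = []
    for stage, data in events:
        digest = measure(data)
        log.append((stage, digest))
        pcr = pcr_extend(pcr, digest)
    return pcr, log


def replay_log(log: List[Tuple[str, bytes]]) -> bytes:
    """Recompute the PCR from the event log alone (the verifier's side)."""
    pcr = bytes(PCR_SIZE)
    for _, digest in log:
        pcr = pcr_extend(pcr, digest)
    return pcr


def attest(quoted_pcr: bytes, log: List[Tuple[str, bytes]],
           golden_pcr: bytes) -> Tuple[bool, str]:
    """Health check a server would run after logon, given quote and log.

    Two separate checks: the log must reproduce the quoted PCR (otherwise
    the log was edited), and the PCR must equal the known-good value
    (otherwise a different boot chain ran). Quote signature checks omitted.
    """
    if replay_log(log) != quoted_pcr:
        return False, "event log does not reproduce the quoted PCR"
    if quoted_pcr != golden_pcr:
        return False, "boot chain differs from the known-good measurement"
    return True, "boot chain matches known-good measurement"


# Constructed sample boot chain (not real firmware or bootloader bytes).
KNOWN_GOOD_CHAIN: List[Event] = [
    ("firmware", b"UEFI firmware image v1"),
    ("bootloader", b"bootmgfw.efi build 1"),
    ("kernel", b"ntoskrnl build 1"),
]


def golden_value() -> bytes:
    """Reference PCR an admin would record from a trusted machine."""
    return simulate_boot(KNOWN_GOOD_CHAIN)[0]


def check_chain(events: List[Event]) -> Tuple[bool, str]:
    """Boot the given chain and attest it against the known-good value."""
    quoted, log = simulate_boot(events)
    return attest(quoted, log, golden_value())


def check_forged_log() -> Tuple[bool, str]:
    """A machine that booted a modified bootloader but submits the clean
    log: the quoted PCR still reflects the real boot, so replay mismatches."""
    modified = [KNOWN_GOOD_CHAIN[0],
                ("bootloader", b"bootmgfw.efi build 1 (modified)"),
                KNOWN_GOOD_CHAIN[2]]
    quoted, _ = simulate_boot(modified)
    _, clean_log = simulate_boot(KNOWN_GOOD_CHAIN)
    return attest(quoted, clean_log, golden_value())


if __name__ == "__main__":
    print("known-good chain:  ", check_chain(KNOWN_GOOD_CHAIN))
    modified = [KNOWN_GOOD_CHAIN[0],
                ("bootloader", b"bootmgfw.efi build 1 (modified)"),
                KNOWN_GOOD_CHAIN[2]]
    print("modified bootloader:", check_chain(modified))
    print("reordered stages:   ", check_chain(list(reversed(KNOWN_GOOD_CHAIN))))
    print("forged event log:   ", check_forged_log())
```

Note that the attestation verdict is produced by the server, after the boot is complete, which is the point made above: the TPM records the sequence, it does not decide what is allowed to execute.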

4 hours ago, GoodBytes said:

Personally, I have no problem with Microsoft requiring TPM.

I don't have that either, if they can justify it.

Right now however, they have not provided us with any info about why it is a requirement and until they do I will remain skeptical (but not against it).

 

I just want Microsoft to tell us why. Maybe I am too eager and they will tell us soon, but I would like for them to have these documents ready for when they announce the requirements. There is a lot of misinformation being spread right now (and no, it's not me spreading it) and I think Microsoft could have saved themselves a lot of hate and misinformation if they had prepared the documentation and justifications for the system requirements before announcing them. It doesn't help that Microsoft employees aren't commenting on it either other than basically going "just trust us" and "because we say so", which is not how you should talk when it comes to security features. Absolute transparency is how you should approach security. Right now Microsoft are about as transparent as a brick wall.


12 hours ago, StDragon said:

I'm still unclear though how TPM involves kernel isolation via virtualization 🤔.

10 hours ago, Brooksie359 said:

https://www.google.com/amp/s/www.theverge.com/platform/amp/2021/6/25/22550376/microsoft-windows-11-tpm-chips-requirement-security

Well according to this, in Microsoft's own words: “Its purpose is to protect encryption keys, user credentials, and other sensitive data behind a hardware barrier so that malware and attackers can’t access or tamper with that data"

12 hours ago, D13H4RD said:

Honestly, I'm just as baffled as you are. This is confusing, as if it needs to be even more so.

@GoodBytes and @leadeater.

 

 

After having thought this through a bit I think I've come up with a plausible explanation for both the TPM and CPU requirements. 

 

 

Some things to know about:

 

Hyper-V is a hypervisor. What it does is essentially run a lightweight OS, that then virtualizes your Windows install. So the Windows you see when you boot your PC is actually a VM running on top of Hyper-V. It can be used for other things too but that's what it is used for when you turn on VBS on your Windows 10 install.

 

VBS stands for Virtualization-based security and most of it relies on Hyper-V.

 

The feature "memory integrity", which is part of Core isolation, is a technology that prevents malicious code from being injected into processes. It is also called HVCI and stands for "Hypervisor-Enforced Code Integrity".

Memory integrity works by having Hyper-V check the signatures of all software that tries to start in kernel mode. Any unsigned driver or file that tries to be loaded into memory will be stopped by Hyper-V before it can be loaded into the OS (Windows). Basically, it runs a code integrity check inside the secure memory region created by Hyper-V, and then passes that to the Windows 10 OS if it passes the checks.

 

This is just speculation from me because I haven't been able to confirm anything, because Microsoft's documentation is very lackluster and Microsoft aren't telling us jack shit about Windows 11 right now.

 

 

I think that HVCI and other VBS features are why Windows 11 has such high and strange requirements. Microsoft has tried to make HVCI a default setting ever since Windows 10 1803 but the uptake has been slow. I haven't been able to find info on how HVCI uses the TPM, but Microsoft "highly recommends it". If I had to guess, I'd say that the Windows 10 OS will store its boot sequence hash to the TPM and then the Hyper-V OS will be used as an attestation server similar to how Measured Boot works. It's basically like the posture check architecture some companies have, but virtualized inside your PC.

 

One of the big problems with HVCI is that it requires quite a lot of system resources to constantly check and pass the code trying to run in kernel mode. That's why Intel has a feature they call "mode-based execution control" (MBEC) and AMD has a feature they call Guest Mode Execute Trap (GMET, although in Windows it is still called MBEC).

According to this blog post I found, the performance difference between a MBEC/GMET capable processor running Windows with HVCI enabled is about 40% compared to a non-MBEC/GMET capable processor.

In other words, turning on HVCI on a processor that doesn't have MBEC or GMET is a massive performance hit to some programs.

 

Anyone wanna guess when Intel started adding MBEC to their processors?

It started with the 7th gen Xeons, and it might not have been until the 8th gen consumer chips.

I haven't been able to find reliable info about when AMD started adding MBEC but it seems to be either Zen+ or Zen2. My guess is on Zen+ since that's what Microsoft says is the minimum recommended for Windows 11.

 

If anyone with a Zen+ processor could run this command in PowerShell and post the results I'd be very happy:

Get-CimInstance -Namespace ROOT\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard

 

What I'm interested in is the "AvailableSecurityProperties". It should have the number 7 in there. On my Zen (non-plus) computer I do not have a 7 in there. The 7 signifies the presence of MBEC support. Please note that it depends on the motherboard, though. So even if your processor might support it, it still might not show up as supported in Windows.

I have found people with Zen2 processors that have MBEC support, and I know that my Zen processor doesn't have it. So what I'm wondering now is if Zen+ has it.

 

 

In any case, VBS and HVCI in particular seem to be the reason for the TPM requirement as well as the strong recommendation for 8th gen Intel and 2000 series AMD processors. At least from what I've gathered.


… maybe they're doing what i suggested… built in emulator for all windows versions…?

 

I could see why that would be needed to be secured.

 

Otherwise I don't, I don't want my data to be encrypted, unless there's a guaranteed, bullet proof way to decrypt it, which this TPM thing is all but…


1 hour ago, LAwLz said:

I'd say that the Windows 10 OS will store its boot sequence hash to the TPM

Since it is a hypervisor it could also hide it in the boot partition then deny access from the guest OS.... Same result without extra HW.


1 hour ago, LAwLz said:

If anyone with a Zen+ processor could run this command in PowerShell and post the results I'd be very happy:

Get-CimInstance -Namespace ROOT\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard

That might be a little challenging for many to be able to run, sadly.

 

Quote

The Win32_DeviceGuard WMI class is only available on the Enterprise edition of Windows 10.

 

Output from an EPYC 7272 (Zen 2) (HPE DL325 Gen10 Plus)

[image: screenshot of the Win32_DeviceGuard output]

 

Quote

AvailableSecurityProperties

This field helps to enumerate and report state on the relevant security properties for Windows Defender Device Guard.

 
Value Description
0. If present, no relevant properties exist on the device.
1. If present, hypervisor support is available.
2. If present, Secure Boot is available.
3. If present, DMA protection is available.
4. If present, Secure Memory Overwrite is available.
5. If present, NX protections are available.
6. If present, SMM mitigations are available.
7. If present, Mode Based Execution Control is available.
8. If present, APIC virtualization is available.

 

My 8700 work PC

$Win32_DeviceGuard = Get-CimInstance -Namespace ROOT\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
$Win32_DeviceGuard.AvailableSecurityProperties
1
2
3
5
6
7
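An added example, not code posted by anyone in this thread, that does what LAwLz asked (run the Win32_DeviceGuard query and look for the 7) and applies the value table quoted above so the raw numbers come back decoded. It also reports whether VBS/HVCI is actually running, whether the HVCI policy switch is set, and whether a TPM is present, since that is what the thread is arguing about. Assumptions: a Windows 10/11 host that exposes the ROOT\Microsoft\Windows\DeviceGuard namespace (the query error is reported rather than crashing where it does not), and an elevated session for Get-Tpm. The SecurityServicesRunning and VirtualizationBasedSecurityStatus meanings are Microsoft's documented values for the same class, not something from this thread.

```powershell
# Added example (not from any poster in this thread): decode Win32_DeviceGuard and
# report MBEC (AvailableSecurityProperties value 7), VBS/HVCI state and TPM presence.
# Assumes the DeviceGuard WMI namespace is exposed and an elevated session for Get-Tpm.

# AvailableSecurityProperties meanings, as quoted from Microsoft's documentation above.
$PropertyNames = @{
    0 = 'No relevant properties'
    1 = 'Hypervisor support'
    2 = 'Secure Boot'
    3 = 'DMA protection'
    4 = 'Secure Memory Overwrite'
    5 = 'NX protections'
    6 = 'SMM mitigations'
    7 = 'Mode Based Execution Control (MBEC / GMET)'
    8 = 'APIC virtualization'
}

# SecurityServicesRunning meanings (Microsoft's documented values for the same class).
$ServiceNames = @{
    1 = 'Credential Guard'
    2 = 'HVCI (memory integrity)'
    3 = 'System Guard Secure Launch'
    4 = 'SMM Firmware Measurement'
}

function Get-VbsReport {
    $report = [ordered]@{}
    $dg = $null

    try {
        $dg = Get-CimInstance -Namespace 'ROOT\Microsoft\Windows\DeviceGuard' `
                              -ClassName Win32_DeviceGuard -ErrorAction Stop
    }
    catch {
        # The class is not exposed everywhere; say so instead of failing the whole report.
        $report.DeviceGuardQueryError = $_.Exception.Message
    }

    if ($dg) {
        $available = @($dg.AvailableSecurityProperties | ForEach-Object { [int]$_ })
        $running   = @($dg.SecurityServicesRunning   | ForEach-Object { [int]$_ })

        $report.AvailableSecurityProperties = ($available | ForEach-Object {
            '{0} ({1})' -f $_, $PropertyNames[$_] }) -join ', '
        # This is the check LAwLz asked for: 7 present means the platform reports MBEC.
        $report.MbecAvailable = $available -contains 7

        # 0 = VBS not enabled, 1 = enabled but not running, 2 = enabled and running.
        $report.VbsStatus = switch ([int]$dg.VirtualizationBasedSecurityStatus) {
            0 { 'Not enabled' } 1 { 'Enabled, not running' } 2 { 'Running' }
            default { "Unknown ($_)" }
        }
        $report.SecurityServicesRunning = ($running | ForEach-Object {
            '{0} ({1})' -f $_, $ServiceNames[$_] }) -join ', '
        $report.HvciRunning = $running -contains 2
    }

    # HVCI can be available but switched off; the policy switch lives under this key.
    $hvciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
    $hvci = Get-ItemProperty -Path $hvciKey -Name Enabled -ErrorAction SilentlyContinue
    $report.HvciConfigured = ($null -ne $hvci) -and ($hvci.Enabled -eq 1)

    # TPM presence and readiness; Get-Tpm (TrustedPlatformModule module) needs elevation.
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        $report.TpmPresent = [bool]$tpm.TpmPresent
        $report.TpmReady   = [bool]$tpm.TpmReady
    }
    catch {
        $report.TpmQueryError = $_.Exception.Message
    }

    [pscustomobject]$report
}

Get-VbsReport | Format-List
```

Reading the output: MbecAvailable true with HvciRunning false is the common case on machines where memory integrity was never turned on, and is exactly the situation where the performance discussion above matters. MbecAvailable false on a CPU that should have it points at firmware, as LAwLz notes, since the property is what Windows sees through the platform, not the CPU's datasheet.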

 


3 hours ago, LAwLz said:

Windows Hello (non-business) does not and can not use a TPM.

Yes it can, show me anywhere where it says it cannot. Argh.

 

I understand that almost all information regarding Windows Hello and TPM is for Hello for Business but that does not mean regular Windows Hello cannot. Anywhere, anything from Microsoft that says standard Hello cannot use TPM.

 

3 hours ago, LAwLz said:

I recommend you read that article again, because it does not say what you think it says. That article refers to BitLocker and how BitLocker won't decrypt the drive until the Secure Boot process is finished. It does not say Secure Boot uses the TPM.

I did read the whole thing and no it is not only for Bitlocker. UEFI Secure Boot is not generic secure boot, you are confusing generic "Secure Boot" with the Windows Secure Boot that the usage of TPM is within that, since 8.1. And even then generic Secure Boot can and does use TPM, or are you forgetting that? The original point of generic Secure Boot was signed bootloaders with the trusted keys stored in UEFI Firmware or TPM (pre-loaded by the OEM/ODM literally as explained in my article). You are making me question if you remember how Secure Boot even works.

 

Yes TPM and Bitlocker is mentioned, doesn't mean you should leap to the conclusion that is the only use of the TPM.

 

What I will say is no DIY user is going to be able to configure/setup UEFI Secure Boot because nobody (realistically) is going to have an HSM and the know-how to do all the required key generation and signing. OEM/ODM yes. Enterprises, yes too though I would be wary of the ongoing support requirements.
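An added example, not posted by anyone in this thread, to make the "signed bootloaders with trusted keys" part of the discussion concrete: it checks whether Secure Boot is being enforced and walks the firmware-held signature database (db) that UEFI consults when it decides whether to run a bootloader, printing the certificates and hashes that database contains. Assumptions: a UEFI system, an elevated PowerShell session, and the built-in SecureBoot module (Confirm-SecureBootUEFI and Get-SecureBootUEFI). The EFI_SIGNATURE_LIST layout and the two signature-type GUIDs come from the UEFI specification; nothing here says anything about where OEM keys are provisioned from, only what the firmware is currently trusting.

```powershell
# Added example (not from any poster in this thread): list what the UEFI Secure Boot
# signature database trusts. Assumes UEFI, elevation, and the SecureBoot module.

# EFI_SIGNATURE_LIST signature-type GUIDs defined by the UEFI specification.
$SigTypes = @{
    'a5c059a1-94e4-4aa7-87b5-ab155c2bf072' = 'X509 certificate'
    'c1c41626-504c-4092-aca9-41f936934328' = 'SHA-256 hash'
}

function Get-SecureBootDbEntries {
    param([string]$Variable = 'db')   # 'dbx' (forbidden list), 'KEK' and 'PK' use the same layout

    $bytes   = (Get-SecureBootUEFI -Name $Variable).Bytes
    $entries = New-Object System.Collections.Generic.List[object]
    $offset  = 0

    # Each EFI_SIGNATURE_LIST: SignatureType GUID (16), SignatureListSize (4),
    # SignatureHeaderSize (4), SignatureSize (4), optional header, then the
    # EFI_SIGNATURE_DATA records: SignatureOwner GUID (16) + signature payload.
    while ($offset + 28 -le $bytes.Length) {
        $typeGuid   = [guid]::new([byte[]]($bytes[$offset..($offset + 15)])).ToString()
        $listSize   = [int][BitConverter]::ToUInt32($bytes, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($bytes, $offset + 24)
        # Stop on a malformed list rather than spinning on it.
        if ($listSize -lt 28 -or $sigSize -le 16) { break }

        $kind = if ($SigTypes.ContainsKey($typeGuid)) { $SigTypes[$typeGuid] } else { "unknown type $typeGuid" }
        $pos  = $offset + 28 + $headerSize
        $end  = [Math]::Min($offset + $listSize, $bytes.Length)

        while ($pos + $sigSize -le $end) {
            $owner = [guid]::new([byte[]]($bytes[$pos..($pos + 15)])).ToString()
            $data  = [byte[]]($bytes[($pos + 16)..($pos + $sigSize - 1)])

            $summary = switch ($typeGuid) {
                'a5c059a1-94e4-4aa7-87b5-ab155c2bf072' {
                    # DER-encoded certificate: show who it is and when it expires.
                    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($data)
                    '{0} (thumbprint {1}, expires {2:yyyy-MM-dd})' -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter
                }
                'c1c41626-504c-4092-aca9-41f936934328' {
                    # Raw SHA-256 of an allowed (or, in dbx, forbidden) binary.
                    ([BitConverter]::ToString($data)) -replace '-', ''
                }
                default { '{0} bytes' -f $data.Length }
            }

            $entries.Add([pscustomobject]@{
                Variable = $Variable; Type = $kind; Owner = $owner; Entry = $summary
            })
            $pos += $sigSize
        }
        $offset = $end
    }
    return $entries
}

function Show-SecureBootState {
    # Throws on legacy BIOS or when Secure Boot is unsupported; that is itself the answer.
    $enforced = Confirm-SecureBootUEFI
    "Secure Boot enforced: $enforced"
    Get-SecureBootDbEntries -Variable 'db' | Format-Table -AutoSize -Wrap
}

Show-SecureBootState
```

Run it with -Variable 'dbx' to see the revocation list instead, or 'PK' and 'KEK' to see the platform and key-exchange keys that control who may update db in the first place. Comparing the db contents across machines is a cheap way to spot a firmware that trusts something it should not.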

