
Windows 11 Now Enforces the Same System Requirements in Virtual Machines - Including TPM

Craftyawesome
21 minutes ago, GoodBytes said:

Microsoft is pushing password-less logins. Windows Hello, to be its safest, needs TPM. It's your biometrics that it needs to keep safe.

Good on wanting to keep biometric data safe, except for the fact that laws around authorities giving up passwords pretty universally don't protect biometrics. 

Biometric security is meaningless when the local authorities can legally force your hand onto a fingerprint reader or hold your face in front of your webcam until your computer unlocks.

 

They're pushing people to buy new hardware instead of upgrading again under the guise of making your computer secure, when in reality it's making everything far less secure.

1 minute ago, jagdtigger said:

A single browser supporting it for a single function, not much to support your theory that it warrants the TPM mandate....

Well Windows has a long history of things not being well supported or adopted until they become a requirement. Current and future usage of TPM might have become more popular in like 10 years, and that's maybe, also by that time TPM will probably be obsolete as well.

3 minutes ago, leadeater said:

Well Windows has a long history of things not being well supported or adopted until they become a requirement.

It would be fine if it was something that is actually useful, but TPM? It wasn't part of PCs by default and not widely supported because there is no use-case for it in the consumer space. Forcing everyone won't change that magically. Besides, since TPM is a black box I'd say it's just an added security risk besides Intel ME and the like.

1 minute ago, jagdtigger said:

It would be fine if it was something that is actually useful, but TPM? It wasn't part of PCs by default and not widely supported because there is no use-case for it in the consumer space. Forcing everyone won't change that magically. Besides, since TPM is a black box I'd say it's just an added security risk besides Intel ME and the like.

It has usage, just things you don't use or want to use or don't hold much value for.

  • HDD encryption keys
  • SSL certs
  • Biometric data
  • Cryptographic key generation

Probably more I've missed; not bothered to include Hyper-V and Defender usages of them because I know you don't care about them nor think they are useful.

 

Anyway TPM is not a black box

Quote

Trusted Platform Module (TPM, also known as ISO/IEC 11889) is an international standard for a secure cryptoprocessor, a dedicated microcontroller designed to secure hardware through integrated cryptographic keys. The term can also refer to a chip conforming to the standard.

It's as black box as one's willingness to read the standards for it.

2 minutes ago, leadeater said:

Anyway TPM is not a black box

I meant the code running on it; specs and standards are all fine and dandy but those won't say anything about the actual code running on those. Basically security through obscurity, which I'm not a fan of...

2 minutes ago, jagdtigger said:

I meant the code running on it; specs and standards are all fine and dandy but those won't say anything about the actual code running on those. Basically security through obscurity, which I'm not a fan of...

The code is open under BSD license

4 minutes ago, leadeater said:

The code is open under BSD license

Never found it though, "hw tpm firmware source code" comes up dry on Google... Anyway, if TPM were so good MS would not have to force it by making it mandatory. It's just how things work.

1 hour ago, jagdtigger said:

AFAIK on Home edition you can't....

Wrong, I use an offline one in Home edition; I was able to keep it from when I set up Windows 8 and then upgraded to 10.

Just now, SlidewaysZ said:

Wrong, I use an offline one in Home edition; I was able to keep it from when I set up Windows 8 and then upgraded to 10.

Read the topic title, w10 irrelevant....

2 minutes ago, jagdtigger said:

Never found it though, "hw tpm firmware source code" comes up dry on Google... Anyway, if TPM were so good MS would not have to force it by making it mandatory. It's just how things work.

Well I don't think it's so much a case of it being so great or not; other than disk encryption I don't think it's all that useful, and disk encryption has its own pitfalls anyway. But there are a lot of software use cases that can use TPM that currently do not, or don't actively unless it's enabled and functioning. TPM functions can be brought in to any password manager and MFA process, but since the active enabled TPM status is rather low it's not used, and that even after Windows 10 made it a requirement for Windows 10 branding after 2016.

 

Microsoft Outlook is an example that uses the TPM if you have it enabled. Authentication tokens are generated by the TPM and then stored in your local account Appdata; if the tokens are copied to another machine or accessed by another machine they are not readable. If you change the motherboard/CPU then you have to delete the tokens and reset the Outlook account to generate new ones.

 

Authentication tokens for other applications and services could do similar to the above, probably a few that do just not really all that aware of every single use case active for TPM.

 

I don't know, maybe TPM will get more usage, maybe it won't. I don't really care either way really, something else new will come along at some point and probably the same debate will come about for whatever that is too.

12 minutes ago, jagdtigger said:

Never found it though, "hw tpm firmware source code" comes up dry on Google... Anyway, if TPM were so good MS would not have to force it by making it mandatory. It's just how things work.

took me like 1 minute to find

 

https://github.com/Microsoft/ms-tpm-20-ref

https://trustedcomputinggroup.org/resource/tpm-library-specification/

2 minutes ago, SlidewaysZ said:

Also there are ways around it for windows 11

Which will get ironed out; with w10 all I had to do is install offline. But these hacky workarounds will get squashed by updates.

1 hour ago, Stahlmann said:

 

And by saying that i'm not saying "everything Microsoft does is ok". If you hate W11, then don't switch to it.

 

If the adoption rate is abysmal due to their changes and requirements, they will have to do something.

Microsoft's loss is Apple's gain. Pretty much every time.

 

And I'm not suggesting people are going to jump ship to MacOS X, it's more likely they will pick up an iPad and dispense with the PC entirely.

18 minutes ago, jagdtigger said:

Specs and references, do I really have to throw in the cliche about IRL and paper form?

So you're actually upset with HOW the source code is provided? Too bad that's not what you originally said.

 

There are TPM simulators made by TCG or even Microsoft that will extract the source code directly if you want it

 

https://www.microsoft.com/en-us/download/details.aspx?id=52507

 

https://github.com/stwagnr/tpm2simulator

2 hours ago, leadeater said:

It has usage, just things you don't use or want to use or don't hold much value for.

  • HDD encryption keys
  • SSL certs
  • Biometric data
  • Cryptographic key generation

Probably more I've missed; not bothered to include Hyper-V and Defender usages of them because I know you don't care about them nor think they are useful.

 

Anyway TPM is not a black box

It's as black box as one's willingness to read the standards for it.

TPM 2.0 isn't ironclad like Apple's "Secure Enclave" is, but it's as good as it gets for an open standard...for now.
 

  • Full disk encryption via storing key (BitLocker for example).
  • Secure Boot
  • Hardware attestation
  • Cryptographic key generation with TRNG hardware
  • Stores keys.
  • Through abstraction, greater security when using 4 digit PIN logins and in concert with biometrics (Windows Hello).

Basically, the TPM makes it easier for your hardware to validate whom it (the MB) claims to be. With this HW trust established, it can be safe to store keys and validate unique identity. This also can make it easier to license software so as to prevent piracy; so expect TPM to be leveraged in this way more often with Windows 11.

Note: In the future, I expect that before you upgrade your CPU you would have to transfer any licenses away from it that would otherwise be bound to the fTPM. Exactly how you go about this would be unique to each software vendor depending on how they manage hardware binding to licenses. I've dealt with vertical market apps before, usually a phone call or e-mail to start the process of confirming removal of ownership of the device prior to license transferal.

5 minutes ago, StDragon said:

TPM 2.0 isn't ironclad like Apple's "Secure Enclave" is, but it's as good as it gets for an open standard...for now.
 

  • Full disk encryption via storing key (BitLocker for example).
  • Secure Boot
  • Hardware attestation
  • Cryptographic key generation with TRNG hardware
  • Stores keys.
  • Through abstraction, greater security when using 4 digit PIN logins and in concert with biometrics (Windows Hello).

Basically, the TPM makes it easier for your hardware to validate whom it (the MB) claims to be. With this HW trust established, it can be safe to store keys and validate unique identity. This also can make it easier to license software so as to prevent piracy; so expect TPM to be leveraged in this way more often with Windows 11.

Note: In the future, I expect that before you upgrade your CPU you would have to transfer any licenses away from it that would otherwise be bound to the fTPM. Exactly how you go about this would be unique to each software vendor depending on how they manage hardware binding to licenses. I've dealt with vertical market apps before, usually a phone call or e-mail to start the process of confirming removal of ownership of the device prior to license transferal.

Some features require external services though, so not every capability has a current use case for a home user. But a good step to improving things like this is for them to get used, poked, abused, broken etc etc. If it's not used it's unlikely to get better.

12 hours ago, TempestCatto said:

Linux is free...

And everyone has hours tweaking wine or whatever to play games perfectly.....

1 hour ago, Arika S said:

So you're actually upset with HOW the source code is provided?

Not about the how but the which, but you already know that.

2 hours ago, StDragon said:

Perhaps I'm conflating functionality here, but my understanding with Windows Hello is that leveraging TPM is optional whereas it's mandatory for Windows 11 to use it. Also, isn't biometric or a FIDO2 key (Yubico for example) technically "passwordless"?

Nope, Windows Hello does not leverage the TPM. @GoodBytes doesn't know what he is talking about.

The TPM doesn't even support storing biometric data. It's just flat out not in the spec and can therefore not be used for that purpose.

 

If I sound cranky it's because I am getting really tired of so much misinformation being spread about TPMs. There are so many people saying they increase security without even knowing how they work, or people making shit up about what they are capable of.

 

 

  

2 hours ago, GoodBytes said:

Actually, TPM is great for privacy, can also be used to improve encryption of data. 

No, it's not that clear cut. On one hand, you can do more robust FDE if you got a TPM (more specifically, you can control what hardware can attempt to decrypt it), which I guess you could say is good for privacy.

But on the other hand, there is already one Chinese company (Riot) that has publicly said they will use it to track players and ban cheaters. So we already have confirmation that companies will use the TPM to track users. I don't like that developers will have access to an unchangeable and spoof-proof ID that they can read and do whatever they want with. That's very bad for privacy.

8 minutes ago, LAwLz said:

Nope, Windows Hello does not leverage the TPM. @GoodBytes doesn't know what he is talking about.

The TPM doesn't even support storing biometric data. It's just flat out not in the spec and can therefore not be used for that purpose.

 

If I sound cranky it's because I am getting really tired of so much misinformation being spread about TPMs. There are so many people saying they increase security without even knowing how they work, or people making shit up about what they are capable of.

I think this was discussed prior with @leadeater and yourself at one point, but apparently there's a difference with Windows Hello and Windows Hello Business.

Quoting Microsoft:

"When using Windows Hello for Business, the PIN is not a symmetric key, whereas the password is a symmetric key. With passwords, there's a server that has some representation of the password. With Windows Hello for Business, the PIN is user-provided entropy used to load the private key in the Trusted Platform Module (TPM). The server does not have a copy of the PIN. For that matter, the Windows client does not have a copy of the current PIN either. The user must provide the entropy, the TPM-protected key, and the TPM that generated that key in order to successfully access the private key.

 

The statement "PIN is stronger than Password" is not directed at the strength of the entropy used by the PIN. It's about the difference between providing entropy versus continuing the use of a symmetric key (the password). The TPM has anti-hammering features that thwart brute-force PIN attacks (an attacker's continuous attempt to try all combination of PINs). Some organizations may worry about shoulder surfing. For those organizations, rather than increase the complexity of the PIN, implement the Multifactor Unlock feature."

 

So the question I have is this: Does Windows 10 use the TPM for Windows Hello? Because clearly it's used for Windows Hello for Business. As a follow up to that question, does Windows 11 now incorporate the spec of Windows Hello for Business? If so, that stands to reason for using TPM 2.0 alongside it.
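To make the quoted Microsoft description concrete (PIN as user-provided entropy that unlocks a TPM-resident private key, a server that holds only the public key, and anti-hammering against PIN guessing), here is an added Python model. It is not Microsoft's, the TCG's or the forum's code and talks to no real TPM: the `SimulatedTpm` class, its `MAX_FAILURES` threshold, the toy-sized textbook RSA and the PIN-digest scheme are all assumptions made for illustration. A real TPM keeps the authorization value inside the key's sealed sensitive area and uses proper signature padding; the point here is only the shape of the flow. The same model also shows why the earlier point about TPM-bound tokens holds: nothing the caller can copy off the machine (public key, handle, signatures) lets another machine produce a fresh signature.

```python
"""Added model of the PIN + TPM-bound-key flow from the quoted Microsoft text.
Not Microsoft's or the TCG's code, and no real TPM is involved: SimulatedTpm
stands in for the chip (key never leaves it, PIN is the user entropy that
authorizes use, failure counter models anti-hammering); the server keeps only
the public key. Toy textbook RSA + SHA-256 keeps it stdlib-only; not real crypto."""
import hashlib, hmac, os, secrets

MAX_FAILURES = 5        # assumed lockout threshold, not a real TPM default
PUBLIC_EXPONENT = 65537
PRIME_BITS = 256        # toy key size, far below anything deployable

def _is_probable_prime(n, rounds=20):   # Miller-Rabin, adequate for a demo
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def _auth_value(pin, handle):
    """Digest derived from the PIN; the PIN itself is never stored anywhere."""
    return hashlib.sha256(handle.encode() + pin.encode()).digest()

def _hash_int(message):
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

class SimulatedTpm:
    """Stand-in for the chip: private keys live inside, only sign() is exposed."""
    def __init__(self, max_failures=MAX_FAILURES):
        self._keys = {}            # handle -> (d, n, auth digest)
        self._max_failures = max_failures
        self.failures = 0
        self.locked_out = False

    def create_key(self, pin):
        """Generate a key pair inside the 'TPM'; return a handle and the public part."""
        while True:
            p, q = _random_prime(PRIME_BITS), _random_prime(PRIME_BITS)
            try:
                d = pow(PUBLIC_EXPONENT, -1, (p - 1) * (q - 1))
                break
            except ValueError:     # e not invertible for this p, q; draw again
                pass
        handle = secrets.token_hex(4)
        self._keys[handle] = (d, p * q, _auth_value(pin, handle))
        return handle, (PUBLIC_EXPONENT, p * q)

    def sign(self, handle, pin, message):
        """Use the key only if the PIN is right and no lockout is active."""
        if self.locked_out:
            raise PermissionError("lockout active: even the right PIN is refused")
        d, n, auth = self._keys[handle]
        if not hmac.compare_digest(_auth_value(pin, handle), auth):
            self.failures += 1                  # anti-hammering counter
            self.locked_out = self.failures >= self._max_failures
            raise PermissionError("wrong PIN")
        self.failures = 0
        return pow(_hash_int(message), d, n)

def verify(public_key, message, signature):
    """Server side: it holds (e, n) only, never the PIN or the private key."""
    e, n = public_key
    return pow(signature, e, n) == _hash_int(message)

def run_demo(pin="1234", wrong_guesses=("0000", "1111", "2222", "3333", "4444")):
    # Right PIN signs a server challenge; five constructed bad guesses trip the lockout.
    tpm = SimulatedTpm()
    handle, public_key = tpm.create_key(pin)
    challenge = os.urandom(32)                  # nonce the server would issue
    good = verify(public_key, challenge, tpm.sign(handle, pin, challenge))
    rejected = 0
    for guess in wrong_guesses:
        try:
            tpm.sign(handle, guess, challenge)
        except PermissionError:
            rejected += 1
    try:
        tpm.sign(handle, pin, challenge)        # right PIN, but now locked out
        blocked = False
    except PermissionError:
        blocked = True
    return {"good_pin_accepted": good, "wrong_pins_rejected": rejected,
            "locked_out": tpm.locked_out, "correct_pin_blocked_during_lockout": blocked}
```

Running `run_demo()` shows the three properties the quote describes: the correct PIN lets the chip sign the server's challenge, the server verifies it with nothing but the public key, and after the assumed five wrong guesses the simulated chip refuses even the correct PIN until the lockout clears. Because `sign()` is the only way out of `SimulatedTpm`, a copy of the handle, public key or any past signature taken to another machine is useless for producing a new one, which is the same property the earlier Outlook-token remark relies on.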

8 minutes ago, LAwLz said:

Nope, Windows Hello does not leverage the TPM. @GoodBytes doesn't know what he is talking about.

The TPM doesn't even support storing biometric data. It's just flat out not in the spec and can therefore not be used for that purpose.

Yes, I know nothing... really spreading misinformation all day with these Microsoft doc pages all day long....

Quote

TPM 2.0 is required to run Windows 11, as an important building block for security-related features. TPM 2.0 is used in Windows 11 for a number of features, including Windows Hello for identity protection and BitLocker for data protection.

https://support.microsoft.com/en-us/windows/enable-tpm-2-0-on-your-pc-1fd5a332-360d-4f46-a1e7-ae6b0c90645c
