Next Major Release of Windows Server to Require TPM 2.0

Microsoft recently announced that the next version of Windows Server, which we presume to be Windows Server 2022, will require servers to have a physical TPM 2.0 chipset supporting secure boot in order to be considered compatible.

TPMs (Trusted Platform Module) are chips on the system used to provide hardware-based security functions. TPMs are crypto-processors, which help with things like generating, storing and using cryptographic keys. You’re most likely familiar with a TPM for supporting BitLocker on laptops/desktops.  The assumption is that the TPM requirement is to try to start forcing people to encrypt their servers.

If you aren’t familiar, secure boot is a feature that you’ve probably been seeing on a lot of laptops lately.  It prevents a box from booting if someone has tampered with the hardware, firmware or software. It checks the UEFI firmware, EFI applications and the OS. If anything has been tampered with, the system won’t boot. It’s a great security feature…that almost no one uses on servers…until now.

Essentially, Microsoft is drawing a line in the sand to say, “You need to take security seriously, and we aren’t going to certify/support hardware that doesn’t enable that security.”

That means that any servers out in the wild now that do not have this component will cap out at Windows Server 2019 in terms of compatibility. Some systems can have a TPM added after the fact, but some embed it on the motherboard.

Additionally, Windows Server will also require TPM 2.0 installed and enabled on virtual machines, both Hyper-V and third-party like VMware in order to be certified.

The addition of the TPM chipset in your server build shouldn’t cost any more than 50 dollars, but is often overlooked. As you begin to spec out your new server hardware starting now, we strongly recommend you include TPM 2.0.

There’s a chance Microsoft will backpedal if there is enough pushback from the community, but as of right now it’s best to prepare for the chance of this requirement. And it is in the name of a more secure server environment, so it’s hard to get TOO upset.

If you need help understanding if your servers are ready for this or you need help getting new hardware, we can help. Send us an email at info@mirazon.com or call 502-240-0404!