Microsoft's TPM struggles spark Windows security concerns

The best (though still somewhat chaotic and mixed) explanation of the need for TPM by Microsoft is a video from the Microsoft Mechanics channel from over three years ago. It uses examples to explain what types of attacks are blocked by using TPM. Unfortunately, it covers everything at once, adding issues related to RDP, Secure Boot, DMA protection, and UEFI, creating the impression that these topics are more interconnected than they actually are.

However, this is a much better description than what Microsoft prepared in December, which praised TPM with arguments such as compliance with ISO standards, "isolation of cryptographic processes and keys" (a semantic overreach), Windows Hello, BitLocker, and "preparation for future use in the age of AI." While the previous explanation was chaotic, the current one states that TPM is essential, so it will be mandatory.

To explain the benefits of TPM, it's necessary to separately consider several related technologies. Even within Windows itself, in the Windows Security window, these issues are presented separately, indicating missing, partial, or full compliance with the new hardware security model. What does this compliance entail, or rather—what will we miss in its absence?

Without installation in UEFI mode (using the new bootloader instead of the classic MBR), you won't get support for Secure Boot. This means the computer will not block attempts to load malicious software that starts even before drivers and antivirus load (such as the most aggressive representatives of rootkits and ransomware). Computers with UEFI have been available for about 12 years.

A suitably new UEFI version also allows for the activation of DMA protection, which can prevent malicious Thunderbolt devices from accessing memory directly and attempting to bypass security measures. Thunderbolt devices with USB-C plugs were introduced in 2015. The presence of Thunderbolt ports almost guarantees support for DMA protection.

Memory integrity protection (code integrity, HVCI) introduces mechanisms that prevent malicious software from operating on the system kernel, which theoretically has read/write rights to the memory where the kernel is loaded. CI forces drivers to adhere to strict memory management discipline. Platforms with compliant drivers have only been developed since 2018.

HVCI, however, has more requirements. Since the entire mechanism uses virtualization, it needs SLAT, IOMMU, UEFI 2.6, and Secure Boot. For cryptography, it also needs... TPM 2.0. Beyond HVCI, the demand for TPM 2.0 also arises from other functions.

Windows Next Generation Cryptographic Services (CNG) use TPM to unlock private certificate keys. Windows also supports virtual smart cards stored as entries in the TPM. Hardware keys and biometrics used for authentication within Windows Hello for Business can also be secured with TPM.

Finally, TPM is also used by BitLocker (although it only requires version 1.2). This includes a variant with a PIN. Detecting changes leads to TPM locking, requiring the BitLocker key and preventing unauthorized data access. The idea behind Windows 11's stringent requirements is that the mechanisms preventing the misleading of security states should be impossible to counterfeit (TPM) or extract from memory (HVCI, DMA protection, Secure Boot).

All of these mechanisms are optional. But they are not unnecessary—unless the computer is used solely for fun. If we are not worried about identity theft, theft of our work and passwords, or undetectable spying, the “new” (introduced since 2012) security mechanisms are indeed unnecessary.

Even using a PC for gaming is not a sufficient excuse in the era of ubiquitous accounts and subscriptions. However, Microsoft is aware of the consequences of password leaks today and applies protective mechanisms even in laptops with the Home version of the system.

The days when the only important password was for email without two-factor authentication—and whose takeover would have been just a temporary inconvenience—are over. Although Microsoft seems unable to communicate new needs effectively from a marketing perspective, its technical documentation dispels all doubts. Nevertheless, Windows 11 can operate without all these security features and remains installable even on sixteen-year-old Nehalem processors.