Windows Server to require TPM 2.0 and Secure Boot by default in future release

Microsoft has announced that the next “major release” of Windows Server will require TPM 2.0 and Secure Boot installed and enabled by default. “These requirements apply to servers where Windows Server will run, including bare metal, virtual machines (guests) running on Hyper-V or on third party hypervisors approved through the …

  1. Maelstorm Bronze badge

    Well now....

    Well now, this may push administrators to alternate operating systems such as Linux. Not every IT department can afford new server hardware every year. Many IT departments are cash strapped as it is. Now to mandate new hardware when upgrading an operating system is a joke.

    1. Steve Davies 3 Silver badge

      Re: Well now....

      Or... they will stick with the old version(s) of server until the budgets allow the purchase of new hardware. To enforce this in VMs is a bit rich. Companies will want to test their back end systems and doing it in a VM makes perfect sense until... Sorry MS this is another fail. IT departments need at least 3 years notice of this sort of change.

      Oh wait!

      They'll be pressurising bare metal customers to go all cloudy starting tomorrow. "We have all the required hardware ready to go. Sign here" (says the Devil).

      I wish MS would get it through their thick heads that some systems really don't work if the server is in the cloud. Would you trust an Oil refinery control system to run inside some Azure Cloud somewhere on the planet?

      No, you would not. The control system will hopefully be air-gapped at least once from the internet.

      1. big_D Silver badge

        Re: Well now....

        Same in many production environments. I used to work for a software company that used software to control PLCs. From the time of receiving an RFID tag on a meat hook, the software had around 20 milliseconds to tell the PLC which lane to push the tag to, before it reached the switch.

        1. Kientha

          Re: Well now....

          Even PLCs that can be controlled remotely rarely work as well as having the local control and that's ignoring the huge security risk that adds to your prod environment (which the manufacturers just wave away as your problem anyways)

    2. Dave Pickles

      Re: Well now....

      But how do you install Linux if new servers come with compulsory Secure Boot?

      1. karlkarl Silver badge

        Re: Well now....

        It is not "Compulsory", it is "Default". Proper hardware will allow you to turn it off.

        Microsoft is a niche product in the server market, no sane hardware manufacturer would arrive at the conclusion that a compulsory secure boot is a good idea. The money that Microsoft (possibly illegally) pays them to do so would still not justify it unlike the desktop space.

        1. Captain Scarlet

          Re: Well now....

          Only issue I can see is that it would be harder to mix Windows and Linux VMs, I assume Redmond's supported distros will be supported but the smaller ones will be made a pain to try and get working if they can't afford the necessary certs.

        2. IGnatius T Foobar !

          Re: Well now....

          Microsoft is a niche product in the server market, no sane hardware manufacturer would arrive at the conclusion that a compulsory secure boot is a good idea.

          Correct. It is rare for Windows Server to be deployed nowadays for any reason other than to run Microsoft's own server programs (Active Directory, Exchange, SharePoint, etc). And with Microsoft trying as hard as they can to push everyone to their cloud-hosted versions, one may wonder what future there is for Windows Server at all outside of Microsoft's own data centers.

          Linux has become what Jim Allchin envisioned Windows becoming during the darkest days of the monopoly: "the fabric of standard computing".

          1. cb7

            Re: Well now....

            "It is rare for Windows Server to be deployed nowadays for any reason other than to run Microsoft's own server programs (Active Directory, Exchange, SharePoint, etc)"

            Incorrect. There's a whole swathe of shared applications, from various vendors, in the health care, logistics, CRM, SRM, finance, HR and other fields that rely on Windows Server OS. Applications with decades of man hours of development behind them.

            It's easier and cheaper, though not necessarily painless, to migrate these to new hardware running a newer version of the Windows OS they were written for than it would be to switch OS completely and re-develop the apps for a completely different OS.

            The whole reason Windows remains dominant in many areas is due to these legacy apps.

      2. Roland6 Silver badge

        Re: Well now....

        The question isn't so much "how do you install Linux" but how do you install it for evaluation.

        Currently I can install the trial version on practically any platform. So if you want to evaluate the new features, learn about xyz function etc., it's an easy install.

        So I hope that the new installer will permit the defaults to be overridden to permit installation on systems without Secure Boot and TPM2.0...

    3. DCdave

      Re: Well now....

      It's hardly "every year", just next year and as the article says, TPM 2.0 has been around for a few years in hardware.

      On top of that, Server 2016 LTS will still be around for a while yet, 2019 LTS even longer.

      And if that weren't enough, a hypervisor can almost certainly emulate it for you.

    4. Steve K

      Re: Well now....

      I don't know whether that is correct.

      TPM 2.0 has been around for a while now so most recent (x64) server hardware will have it built-in (or a TPM slot for an add-in card) even if it may not be enabled.
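      A quick way to find out where a given host (bare metal or VM) stands against the stated TPM 2.0 + Secure Boot requirement, as an added example that is not from this thread or from Microsoft's announcement. It uses the standard Confirm-SecureBootUEFI and Get-Tpm cmdlets plus the Win32_Tpm WMI class, and assumes an elevated PowerShell session on a current Windows build; a TPM that is disabled in firmware usually does not show up at all, which is what the commenter above is describing.

```powershell
# Added readiness check (not from the thread): reports whether this host
# currently satisfies "TPM 2.0 present" and "Secure Boot enabled".
# Assumes an elevated PowerShell session on Windows 8/Server 2012 or later.
function Test-ServerBootRequirements {
    $result = [ordered]@{
        FirmwareIsUefi = $false
        SecureBootOn   = $false
        TpmPresent     = $false
        TpmReady       = $false
        TpmSpecVersion = $null
        TpmIs20        = $false
    }

    # Confirm-SecureBootUEFI throws on legacy BIOS (non-UEFI) machines,
    # which by itself means Secure Boot cannot be enabled on this host.
    try {
        $result.SecureBootOn   = [bool](Confirm-SecureBootUEFI)
        $result.FirmwareIsUefi = $true
    } catch {
        $result.FirmwareIsUefi = $false
    }

    # Get-Tpm reports presence and readiness; a TPM disabled in firmware
    # is normally reported as not present rather than as "present but off".
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    if ($tpm) {
        $result.TpmPresent = [bool]$tpm.TpmPresent
        $result.TpmReady   = [bool]$tpm.TpmReady
    }

    # The spec version comes from Win32_Tpm and looks like "2.0, 0, 1.16"
    # for a TPM 2.0 part or "1.2, 2, 3" for a TPM 1.2 part.
    $wmiTpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                              -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if ($wmiTpm) {
        $result.TpmSpecVersion = $wmiTpm.SpecVersion
        $result.TpmIs20        = $wmiTpm.SpecVersion -like '2.0*'
    }

    # Both halves of the requirement must hold: UEFI with Secure Boot on,
    # and a TPM that is present and reports the 2.0 specification.
    $bootOk = $result.FirmwareIsUefi -and $result.SecureBootOn
    $tpmOk  = $result.TpmPresent -and $result.TpmIs20
    $result.MeetsRequirement = $bootOk -and $tpmOk
    [pscustomobject]$result
}

Test-ServerBootRequirements | Format-List
```

A host that reports MeetsRequirement as False but has a TPM slot or a firmware TPM option may only need the device enabled in firmware setup rather than new hardware.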

  2. Stuart Castle Silver badge

    Although if you are supporting a reasonably large system, it may well cost more to switch to an alternate (once you include things like re-training, the cost of migration, support and even potentially redesigning aspects of the system). Don't get me wrong. I know that Linux is perfectly capable of doing anything in the Data Centre that Windows Server can. I also know it is the primary OS in hundreds of thousands of Data Centres (including Google), but I am making the point that in any reasonably large system upgrade, the cost of the hardware and software is a small percentage of the total cost.

    1. Vulture@C64

      Microsoft have already cooked their goose in the SaaS/Data centre market by charging so much for SQL Server. Enterprise SQL Server can cost you £1000s/month when PostgreSQL costs zero for the license and zero for the OS (CentOS) - so requiring Secure Boot is just a marketing statement. If a bad actor is in the position to be physically present at your server in your data centre then the least of your worries will be booting Windows.

      1. Anonymous Coward

        "so requiring Secure Boot is just a marketing statement. If a bad actor is in the position to be physically present at your server in your data centre then the least of your worries will be booting Windows."

        What does being physically present have to do with what secure boot does?

        1. Vulture@C64

          Because if they can remotely access your boot sector and change boot device then you're already well and truly compromised and will have had your pants pulled down.

          1. whitepines

            Because if they can remotely access your boot sector and change boot device

            Perhaps via the Intel ME or AMD PSP that Microsoft also effectively* requires?

            Food for thought: most of the time, the TPM 2.0 on those platforms is implemented by the Intel ME or AMD PSP.

            * Windows might still run on some old pre-ME/pre-PSP hardware, but for how long is anyone's guess given the age of that hardware.

            1. stiine Silver badge

              ME/PSP

              Are you referring to the Intel Malware Engine and PlayStation Portable?

              1. whitepines

                Re: ME/PSP

                You owe me a new keyboard! Malware engine indeed.

                We need a better name for the AMD version though. Public Secret Publisher? Pathetic Security Processor?

  3. bombastic bob Silver badge

    not THAT hard to argue against this...

    From the article: It's hard to argue against the change because Secure boot is a more-than-useful way of ensuring that servers boot into known and trusted environments.

    It's not THAT hard to argue against this. LINUX. FREEDOM to put the OS of YOUR choice on the hardware YOU pay for. And NOT require us to use hardware that RESTRICTS us with "features" like 'secure boot'.

    Now... if the requirement to BE ABLE TO DISABLE IT is included with secure boot "by default", then I won't object to it. But I'm not seeing this in the article. Shouldn't it be? Remember, it's NOT the case for ARM devices that run Windows to REQUIRE the ability to disable secure boot... [that was part of the licensing thing from a decade or so ago, remember? x86 devices needed to have secure boot "disablable", but *NOT* ARM !!!]

    1. This post has been deleted by its author

    2. Claverhouse Silver badge

      Re: not THAT hard to argue against this...

      Now... if the requirement to BE ABLE TO DISABLE IT is included with secure boot "by default", then I won't object to it.

      But one can't disable anything unless one knows about it already. Most people will just go with the flow...

  4. James Marten

    This year, Windows Server

    Within five years, Windows 10.

    Remember, you read it here first.

  5. HaHaHaHa

    Windows Server hardware certification

    In the Microsoft blog post that the article links to, this is for Windows Server hardware certification with Windows Server preinstalled.

    This would indicate that it only affects hardware vendors selling hardware that is certificated for Windows Server.

    Presumably then if you have an older server or build your own server then this does not affect you.

  6. Curious

    Other than Dell, have other manufacturers had difficulties with disappearing TPM 2.0?

    There are a few cases that I've encountered on Dell business machines of the BIOS losing the TPM 2.0 chip.

    i.e. stops appearing in the BIOS, not available to Windows (assuming no BitLocker to fubar).

    Does this occur for many other makes?

    https://www.dell.com/support/article/en-ie/sln305777/tpm-option-is-missing-in-the-system-bios-setup-latitude-precision-or-xps?lang=en

    It looks like it's only the server hardware certification that will require it for now in that announcement; the OS will still run without TPM 2 enabled.

  7. Henry Wertz 1 Gold badge

    Funny

    "Well now, this may push administrators to alternate operating systems such as Linux. Not every IT department can afford new server hardware every year. Many IT departments are cash strapped as it is. Now to mandate new hardware when upgrading an operating system is a joke."

    I'm not a Windows fan, but no; usually by the time someone considers slapping a new Windows Server version onto an old server, they find out what Windows Server actually costs and decide blowing a license for that kind of money to stick onto a 10-15 year old computer is silly. Also, similar to going from like XP to Vista or 7, let alone 10, usually they find enough increase in system requirements that the old server would also need a hardware upgrade just to do what it's already doing, let alone anything new.

    That said, my two cents on this... Cent one... Linux does not run into all these problems despite typically not using secure boot OR TPM. Cent two... I think this is snake oil for systems that just download updates whenever they'd like. That said, I do think this is useful for things like slot machines (I've seen one boot up.. it booted a bootloader, which checksummed the BIOS, itself, and a second-layer bootloader... the second-layer bootloader looked suspiciously like grub, but first ran a script to verify the first-level bootloader, the kernel, and the ramdisk it was loading; the ramdisk AGAIN checksummed the kernel, ramdisk, the bootloader, and whatever code it ran after that. The code that ran after that booted into a slot machine software loader, which ran further checks; FINALLY, the slot machine software loaded and began executing.)

  8. Anonymous Coward

    Hardware?

    What kind of optimistic fool doesn't run Windows servers as VMs?
