Windows 8 Boot Security FAQ
This article provides answers to common IT professional questions about boot security in the Windows 8 operating system.
What is UEFI?
UEFI (Unified Extensible Firmware Interface) is a specification that defines an interface between a PC’s firmware and an operating system. It replaces or can work in concert with the Basic Input/Output System (BIOS) firmware that PCs have traditionally used. For Windows 8, a key part of this specification is Secure Boot, which protects the PC from malware by allowing only authorized boot loaders to run when the computer starts.
What is a TPM?
A TPM (Trusted Platform Module) is a processor that provides basic security-related functions, primarily related to the creation or secure storage of platform measurements, certificates, and encryption keys. OEMs may install a TPM on a computer’s mainboard as a discrete component, or it can be implemented as a firmware-based solution on devices that include ARM’s Trusted Zone or Intel’s Platform Trust Technology (PTT). Computers with a TPM can secure data in a way that requires the original TPM to unseal or decrypt them.
What are the minimum hardware requirements for Windows 8 to use UEFI and TPM?
Windows 8 will work without UEFI or a TPM. However, UEFI 2.3.1 is required for Secure Boot. Windows 8 supports both TPM 1.2 and the newer TPM 2.0 specification, and from a Windows perspective, they offer the same capability. TPM 2.0 primarily offers Windows devices cost benefits. For systems that provide TPM 1.2, the TPM must comply with the TCG TPM Main Specification, Version 1.2, Revision 103 (or a later), parts 1, 2 and 3. For more information, see the article Windows 8 Hardware Certification Requirements.
What features and capabilities will be missing without UEFI or a TPM?
If UEFI is missing, Secure Boot will not be available. However, Trusted Boot along with it Early Load Anti-Malware (ELAM) capability are still possible without UEFI. If a TPM is not present, Measured Boot will not be enabled. BitLocker is available without a TPM but it will not be as secure or as easy to manage—especially at scale. For more information about BitLocker, see the article BitLocker Drive Encryption Overview.
How does Windows 8 prevent attackers from replacing boot components?
All systems with the Windows 8 certification use Secure Boot (part of the UEFI specification) to protect hardware-related firmware and the operating-system loader from tampering. Secure Boot can prevent the system from booting if unauthorized changes have been made or possibly even refresh the some boot components, such as the UEFI firmware, to a known good state.
In the case of Windows 7 certified devices, the Trusted Platform Module (TPM) can be used to measure boot code and provide similar protection to UEFI’s Secure Boot feature. In this case the TPM will not unlock the operating-system drive if the BIOS firmware, boot order, MBR, or operating-system boot loader changes, just to name a few (unless an administrator previously authorized it from Windows or until the user provides the BitLocker recovery password). As a result, an attacker trying to replace boot components, or change boot media to force a boot through components they control in an attempt to get the key, will fail. Use of the TPM for boot protection is an effective capability on Windows 7 devices; however, systems equipped with UEFI and its Secure Boot will benefit from the additional security and recovery-related capabilities that UEFI offers.
What are the hardware requirements for Secure Boot?
To run Secure Boot, PCs must be equipped with UEFI version 2.3.1 firmware or greater. UEFI version 2.3.1 firmware or greater is a certification requirement for Windows 8.
What is Trusted Boot?
Trusted Boot is a Windows 8 feature that secures the entire Windows boot process. It prevents malware from hiding and taking up permanent residence within the PC by ensuring none of the Windows components loaded during boot have been tampered with. Trusted Boot also ensures that anti-malware software is loaded before any third-party drivers and applications using its Early Launch Anti-Malware (ELAM) capability. This prevents malware from inserting itself in front of the anti-malware engine so that it can compromise the anti-malware engine’s ability to protect the system. In the event that malware was able to successfully compromise the any of the Windows boot process, Trusted Boot will attempt to automatically remediate the issue.
What is the difference between Trusted Boot and Secure Boot?
Trusted Boot is a Windows 8 feature that can protect the Windows boot process and anti-malware solution (if properly designed and ELAM compliant) from tampering by malware. Trusted Boot specifically prevents boot-kit infections that inject themselves into the Windows boot process. Trusted Boot does not require a Windows 8 certified device or a device that includes UEFI 2.3.1.
Trusted Boot is best able to protect the system, boot process, and antimalware solution on Windows 8 certified devices that include UEFI 2.3.1 hardware with the Secure Boot feature enabled. Secure Boot prevents root-kit infections, which inject themselves before the Windows boot process, from starting. Secure Boot requires a Windows 8 certified device that includes UEFI 2.3.1.
What prevents malware from replacing the anti-malware software and engine?
Trusted Boot-compatible anti-malware must be specially certified and signed by Microsoft. Unsigned anti-malware software and malware will be unable to insert themselves in the Trusted Boot anti-malware process.
What vendors are working on Trusted Boot-compatible anti-malware software?
Windows Defender, included in Windows 8, and System Center 2012 Endpoint Protection SP1 include ELAM capable antimalware solutions that are certified for Trusted Boot compatibility. Microsoft is working with internal and external partners to ensure that additional ELAM capable solutions are available to customers.
Can Trusted Boot prevent all malware infections?
No. Trusted Boot protects the boot process. It prevents malware from getting into the boot process, ensures that only authorized Windows components start, and prevents malware from compromising the capability of anti-malware software.
What editions of Windows 8 will include Trusted Boot?
All editions of Windows 8 include Trusted Boot.
Does Secure Boot prevent me from dual booting or running other operating systems?
No. Secure Boot is a feature that prevents the PC from starting unsigned and unauthorized operating systems. It can prevent certain types of malware (e.g., boot kits) from starting on the PC. If you want to single or dual boot a PC with an operating system that does not support Secure Boot (e.g., Windows 7 or Linux) you can disable Secure Boot. For more information about Secure Boot, see Protecting the pre-OS environment with UEFI.
What is Measured Boot?
Measured Boot is a Windows 8 feature that complements Trusted Boot. Trusted Boot can protect the boot process, Windows components, and anti-malware software to provide a high level of assurance, but only an external, trusted third-party can verify the integrity of the system.
Measured Boot takes measurements of each aspect of the hardware and Windows boot process; then, signs and securely stores those measurements with the TPM. Upon request, Windows 8 can send these measurements to a trusted third-party (i.e., Remote Attestation service) to compare the measurements with known good values. From here, the Remote Attestation service can attest that the boot process is secure and that the anti-malware software’s ELAM driver has integrity. Additional checks may also be executed by the Remote Attestation service as well. Once analysis is complete, the Remote Attestation service issues a secured Device Claim to the client, which you can use for access control scenarios (e.g., to grant network or file access if the client’s Device Claim indicates that it is secure).
What hardware does Measured Boot require?
To use Measured Boot, PCs must be equipped with TPM version 1.2, 2.0, or greater. The TPM can be a discrete part or firmware-based. TPM is a Windows certification requirement for devices that are certified for Connected Standby. These devices will be running Intel’s Atom or ARM processors. TPM is not a certification requirement for non-Connected Standby device, but it is found in most business class devices. We recommend confirming that TPM is present in the devices you’re interested in during the purchasing process.
Does Windows Server 2012 include a Remote Attestation service?
No. Microsoft is working with external partners to ensure that software that can provide Remote Attestation services will be available to customers.
What editions of Windows 8 will include Measured Boot?
All editions of Windows 8 will include Measured Boot.