
SecureBoot & TPM

Secure Boot

Secure Boot is a UEFI firmware feature that runs during startup, before the operating system loads. Every piece of boot software the firmware is asked to run (the Windows boot manager, option ROMs on add-in cards, UEFI drivers, any other boot loader) must carry a valid digital signature that chains to a certificate in the firmware's signature database (db) and is not listed in the forbidden database (dbx); anything unsigned, or signed by a key the firmware does not trust, is refused. The reason this is so critical is that it stops malicious code from inserting itself into the boot chain, which is exactly what a bootkit does. Refer to the section on this site on malware threats for more about bootkits.

The other reason this is an excellent feature is that it works hand in hand with Bitlocker and the TPM, which the Bitlocker section covers in more detail. To keep it simple: during boot the firmware records measurements of the boot path, including the Secure Boot policy and the certificate used to verify the boot loader, into the TPM's platform configuration registers (PCRs). Bitlocker's TPM protector only releases the key that unlocks the drive when those measurements match the values the key was sealed to. Malicious boot firmware, a tampered boot loader, or Secure Boot having been switched off all change the measurements, so the TPM refuses to hand over the Bitlocker key.

The original equipment manufacturers (OEMs) are the ones who ship firmware with the right keys in it. The OEM installs its own Platform Key (PK), which controls who may change the databases, and populates the Key Exchange Key (KEK) and db with MS's certificates so that the Windows boot manager, and third-party boot loaders signed through the MS UEFI CA, are accepted. For example, if you buy a motherboard from ASUS, ASUS is the OEM that works with MS to ship and update those signature databases across its different motherboard models.

Secure Boot is a critical piece of the layered security approach in Windows. There has been a lot of angst about this feature in the IT community, mostly from Linux users. I can personally attest to the fact that it is a PITA to get to work well with Linux, but if you just want to use Windows, it works great and hasn't been an issue for me in that regard. The feature is part of the UEFI firmware (what most people still call the BIOS) and has shipped on mainstream motherboards since the Windows 8 era in 2012, so for well over a decade now.

In the case of Linux, each distro gets a small first-stage boot loader called shim signed by MS's UEFI CA; shim then verifies the distro's own signed GRUB and kernel. Most major distros ship a signed shim these days, but a distro (or a custom kernel) without a trusted signature will be refused by the firmware, and you won't be able to boot it until you either disable Secure Boot or enroll your own keys or hashes in the firmware. Counter to what some think, MS isn't doing this to screw with other operating systems. They do it because this is a great countermeasure against things like bootkits.

As for enabling it, that varies massively between different motherboards. Sometimes it's marked well from the main page of the BIOS and sometimes you have to root around through several tabs and sub menus to find it. I have a Dell office computer where it's easy to see. I also have other computers where it's piled in with other options. If you aren't sure of where it is or how to enable it, you'll need to refer to the user's manual for your motherboard model. Once you're back in Windows, System Information (msinfo32) shows "Secure Boot State: On" when it is actually active, so you can confirm the setting took effect.
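As an added check (this is example code written for this page, not something from the original post or from MS), the following PowerShell confirms from inside Windows that Secure Boot is enforced and then decodes the firmware's db variable to show which signing certificates the board actually trusts. It uses only the built-in SecureBoot module; the layout it parses is the standard EFI_SIGNATURE_LIST structure, and the function name Get-SecureBootDbCerts is my own.

```powershell
# Added example, not from the original page: check Secure Boot state and list
# the X.509 certificates in the UEFI signature database. Run from an elevated
# PowerShell prompt on a UEFI-booted Windows 8 or later system.
#Requires -RunAsAdministrator

# 1. Is Secure Boot actually enforced? The cmdlet throws on legacy BIOS/CSM
#    boots, so treat an exception as "not booted via UEFI".
try {
    $enabled = Confirm-SecureBootUEFI
    "Secure Boot enabled: $enabled"
} catch {
    "Confirm-SecureBootUEFI failed: $($_.Exception.Message)"
    "The system is probably booted in legacy/CSM mode, so Secure Boot cannot be on."
}

# 2. Which signing certificates does the firmware trust?
#    db (and dbx) is a packed sequence of EFI_SIGNATURE_LIST structures:
#      SignatureType       GUID   (16 bytes)
#      SignatureListSize   UINT32 (4)   size of this whole list
#      SignatureHeaderSize UINT32 (4)
#      SignatureSize       UINT32 (4)   size of each entry below
#      SignatureHeader     [SignatureHeaderSize bytes]
#      entries:            SignatureOwner GUID (16 bytes) + SignatureData
$X509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID

function Get-SecureBootDbCerts {
    param([string]$Name = 'db')   # 'db' = allowed signers, 'dbx' = forbidden signers/hashes
    $bytes = (Get-SecureBootUEFI -Name $Name).Bytes
    $pos = 0
    while ($pos -lt $bytes.Length) {
        $type       = [guid]::new([byte[]]$bytes[$pos..($pos + 15)])
        $listSize   = [int][BitConverter]::ToUInt32($bytes, $pos + 16)
        $headerSize = [int][BitConverter]::ToUInt32($bytes, $pos + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($bytes, $pos + 24)
        $entry      = $pos + 28 + $headerSize
        $end        = $pos + $listSize
        # Only X.509 lists are decoded; SHA-256 hash lists (most of dbx) are skipped.
        if ($type -eq $X509Guid) {
            while ($entry -lt $end) {
                # Skip the 16-byte SignatureOwner GUID; the rest of the entry is a DER certificate.
                $der  = [byte[]]$bytes[($entry + 16)..($entry + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{
                    Variable   = $Name
                    Subject    = $cert.Subject
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
                $entry += $sigSize
            }
        }
        $pos = $end
    }
}

Get-SecureBootDbCerts -Name 'db' | Format-Table -AutoSize
```

On a stock board you should see at least the "Microsoft Windows Production PCA 2011" certificate (which signs the Windows boot manager) and the "Microsoft Corporation UEFI CA 2011" certificate (which signs shim and other third-party boot loaders), usually alongside one or more OEM certificates; machines that have received the newer MS certificate rollout will also list the 2023 replacements. A certificate you do not recognise in db is worth investigating, since whoever holds its private key can sign code your firmware will happily boot.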

Trusted Platform Module (TPM)

The TPM is another critical part of security and is essential for running Bitlocker the way it is meant to be run, with a TPM protector instead of typing a password or inserting a USB key at every boot. The TPM actually predates Secure Boot by roughly a decade: the 1.2 specification dates from the mid-2000s. For years it was a discrete chip, soldered onto the board on business machines like Dell's office computers or sold as an add-on module that plugs into a motherboard header, which someone building their own computer had to buy separately if they wanted one. The standard has since moved to 2.0, which is a massive upgrade over 1.2: 1.2 was limited to SHA-1 and RSA, while 2.0 supports SHA-256 and other algorithms, multiple PCR banks, and a far more flexible authorization model.

These come in a few different flavors. There are discrete TPMs (a separate chip), firmware TPMs (TPM code running in a protected mode of the CPU or chipset), virtual TPMs that a hypervisor presents to its guests, and so on. Discrete TPMs are the most tamper resistant, since the keys live in dedicated hardware built to resist physical probing. One caveat worth knowing: a discrete chip talks to the CPU over a bus (LPC or SPI) that an attacker with physical access can tap, which is one reason Bitlocker with a TPM plus PIN is stronger than a TPM-only protector. Firmware TPMs are the most common for home users today.

AMD and Intel have both integrated firmware TPMs into their CPUs; AMD calls it fTPM and Intel calls it Platform Trust Technology (PTT). Availability depends on the model, but essentially all Ryzen CPUs have fTPM, and PTT is present on 8th gen and newer Intel CPUs (the Windows 11 cut-off) as well as many earlier ones. Both implement the 2.0 standard and can be toggled in the BIOS. As with Secure Boot, the option may be easily seen from the main page or you might need to dig around to find it, and the name varies: sometimes it is plainly "TPM", sometimes "AMD fTPM" or "Intel PTT", and on MSI motherboards it is called "Security Device Support". Your motherboard user manual will have more details.

Warning

Some motherboards give you the option to clear (reset) the TPM, and you can also turn it off. If Bitlocker is enabled and you clear the TPM, turn it off, or in some cases update the motherboard firmware, the measurements Bitlocker sealed its key to will no longer match and Bitlocker will go into recovery mode at the next boot. Clearing or disabling the TPM always triggers this; whether a firmware update does depends on which PCRs the protector is bound to, so assume it will. If you don't have your recovery keys, ALL DATA ON BITLOCKER PROTECTED DRIVES WILL BE PERMANENTLY LOST! Suspend Bitlocker before doing any of these, and keep the recovery password somewhere other than the encrypted drive. Refer to the Bitlocker section for more information.
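As an added example (written for this page; it is not the original author's procedure or anything from MS), here is the pre-flight routine I would run before clearing the TPM or flashing motherboard firmware: confirm the TPM state, make sure every Bitlocker volume that depends on the TPM has a recovery password you have saved off the machine, and suspend Bitlocker for one reboot so the next boot does not land on the recovery screen. It assumes an elevated prompt on a Windows 10/11 edition that ships the BitLocker and TrustedPlatformModule modules (Pro/Enterprise), and the function name and the $BackupDir path are my own.

```powershell
# Added example, not from the original page. Run elevated before clearing the
# TPM or updating firmware. $BackupDir is a hypothetical path: point it at
# removable media, never at the encrypted OS drive you are about to lock out.
#Requires -RunAsAdministrator

function Invoke-PreFirmwareUpdateCheck {
    param([string]$BackupDir = 'E:\bitlocker-recovery')   # hypothetical location

    # 1. TPM state. TpmReady means present, enabled, activated and owned by Windows.
    $tpm = Get-Tpm
    $w32 = Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm
    "TPM present: $($tpm.TpmPresent)  ready: $($tpm.TpmReady)  vendor: $($tpm.ManufacturerIdTxt)  spec: $($w32.SpecVersion)"

    # 2. Only volumes whose unlock depends on the TPM (Tpm, TpmPin, TpmStartupKey, ...)
    #    are affected; password- or key-file-only volumes are left alone.
    $volumes = Get-BitLockerVolume | Where-Object {
        $_.ProtectionStatus -eq 'On' -and ($_.KeyProtector.KeyProtectorType -match '^Tpm')
    }
    if (-not $volumes) { "No TPM-protected Bitlocker volumes found; nothing to do."; return }

    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    foreach ($v in $volumes) {
        # A TPM-only volume with no recovery password is unrecoverable once the
        # TPM is cleared, so add one if it is missing.
        $recovery = $v.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
        if (-not $recovery) {
            "$($v.MountPoint): no recovery password protector, adding one"
            Add-BitLockerKeyProtector -MountPoint $v.MountPoint -RecoveryPasswordProtector | Out-Null
            $recovery = (Get-BitLockerVolume -MountPoint $v.MountPoint).KeyProtector |
                Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
        }

        # 3. Save each recovery password (48 digits) together with its protector ID,
        #    which is what the recovery screen asks you to match.
        foreach ($r in $recovery) {
            $file = Join-Path $BackupDir ("{0}-{1}.txt" -f $v.MountPoint.TrimEnd(':'), $r.KeyProtectorId.Trim('{}'))
            @(
                "Volume:            $($v.MountPoint)"
                "Protector ID:      $($r.KeyProtectorId)"
                "Recovery password: $($r.RecoveryPassword)"
            ) | Out-File -FilePath $file -Encoding ascii
            "$($v.MountPoint): recovery password saved to $file"
        }

        # 4. Suspend protection for exactly one reboot. Windows re-arms the TPM
        #    protector automatically on the following boot, sealing to the new PCRs.
        Suspend-BitLocker -MountPoint $v.MountPoint -RebootCount 1 | Out-Null
        "$($v.MountPoint): Bitlocker suspended for one reboot; flash the firmware now, then reboot"
    }
}

Invoke-PreFirmwareUpdateCheck
```

If the firmware updater reboots more than once on its own, raise -RebootCount (it accepts up to 15) so protection is not resumed halfway through; otherwise you will simply be asked for the recovery password you just saved, which is the whole point of saving it first. After the machine is back in Windows, Get-BitLockerVolume should again report ProtectionStatus On with no manual step.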

Now let's talk about why this is important. The TPM performs cryptographic operations: it generates and stores keys that never leave the chip in plaintext, and it can seal data (Bitlocker's volume master key, for instance) so that it is only released when the PCR measurements match a known-good boot. It is also built to be tamper resistant and helps protect against attacks as long as several conditions are met; these are discussed more in the Bitlocker section. Windows keeps using the TPM after boot as well, for things like Windows Hello key storage and measured-boot attestation. If you want to install Windows 11, TPM 2.0 is now one of the requirements. Make sure to read through the Bitlocker section to get a more complete understanding of how this feature works.