

TPM: do I need Intel TXT?

Question

Tuesday, December 4, 2018 5:51 AM

I have been using TPM 1.2 in my previous motherboard for years without any issues, and also without any concern or questions about how it really works. Now I have a new motherboard and I am currently struggling with the process of obtaining a compatible TPM 2.0. The vendor does not (yet) have a pre-provisioned client version of the TPM; suppliers offer only server or unprovisioned versions. Provisioning is a lengthy (mainly bureaucratic) process, and only a legal (not a natural) person can apply for the Intel provisioning tools that are needed for TPM provisioning.

I hope that I understand it correctly, but IMHO the operating system cannot utilize Intel TXT with an unprovisioned TPM.
I also have found contradictory statements that BitLocker needs (others say can utilize) Intel TXT.

I am running a workstation with Windows 10 Prof. I use virtualization only for testing purposes.
My main goal is not typing any passwords for unlocking BitLocker drives, nor using USB sticks for storing BitLocker keys.

Do you know any scenario in desktop environment where Intel TXT is a must or recommended feature?

All replies (5)

Wednesday, December 5, 2018 8:11 AM

Hi marianh,

Thanks for posting here.

1. Firstly, BitLocker can be used with or without a Trusted Platform Module (TPM) chip, so Intel TXT is not necessary for BitLocker without TPM. TPM is a dependency of TXT but not the other way around. The TPM is where TXT will store the measurements (hashes of components) of the platform.

2. You will be asked to enter a password that must be entered every time you turn on your PC, before you even get to the Windows login screen. Windows gives you a choice of either entering the password manually or inserting a USB key. Choose whichever method you prefer, but I recommend sticking with the manual password so you aren’t depending on a single USB key for authentication.

Besides, the following combinations of the above authentication mechanisms are supported, all with an optional escrow recovery key:

TPM only (the transparent mode of operation of BitLocker in conjunction with the TPM, in which no startup PIN is required)

TPM + PIN
TPM + PIN + USB Key
TPM + USB Key
USB Key
Password only

3. One example of TXT usage is Bitlocker. It can also block rootkits on hypervisors if supported by the hypervisor.

Best regards,

Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].

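The reply above lists the protector combinations and singles out "TPM only" as the transparent mode, which is exactly what the original question is after (no boot-time password, no USB key). The following PowerShell script is an added example of mine, not code from the thread or from Microsoft: it audits the TPM and the OS volume's BitLocker key protectors and reports whether the machine is actually in transparent mode. It assumes Windows 10 Pro with the built-in TrustedPlatformModule and BitLocker modules; the function names (`Get-TpmSummary`, `Get-VolumeProtectorSummary`, `Test-TransparentBitLocker`) are my own.

```powershell
# Added example, not from the thread: audit whether a Windows 10 machine runs
# BitLocker in "TPM only" (transparent) mode, i.e. with no boot-time PIN or USB key.
# Uses only cmdlets that ship with Windows 10 Pro (TrustedPlatformModule and
# BitLocker modules). Run from an elevated PowerShell prompt.
#Requires -RunAsAdministrator

function Get-TpmSummary {
    # Get-Tpm reports enablement/ownership; Win32_Tpm carries the spec version (1.2 vs 2.0).
    $tpm = Get-Tpm
    $cim = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm
    [pscustomobject]@{
        Present     = $tpm.TpmPresent
        Ready       = $tpm.TpmReady        # enabled, activated and owned by the OS
        SpecVersion = $cim.SpecVersion     # e.g. "2.0, 0, 1.38" (constructed sample value)
    }
}

# Protector types that require something from the user at boot. Only a bare Tpm
# protector (plus an escrowed RecoveryPassword) gives transparent unlock.
$BootInputProtectors = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'ExternalKey', 'Password')

function Get-VolumeProtectorSummary {
    param([string]$MountPoint = $env:SystemDrive)
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    $needsInput = @($types | Where-Object { $_ -in $BootInputProtectors })
    [pscustomobject]@{
        MountPoint       = $MountPoint
        VolumeStatus     = $vol.VolumeStatus       # FullyEncrypted, EncryptionInProgress, ...
        ProtectionStatus = $vol.ProtectionStatus   # Off means protectors are suspended
        Protectors       = ($types -join ', ')
        TransparentMode  = ($types -contains 'Tpm') -and ($needsInput.Count -eq 0)
        RecoveryEscrowed = ($types -contains 'RecoveryPassword')
    }
}

function Test-TransparentBitLocker {
    # Returns $true only when the TPM is ready and the OS volume unlocks without user input.
    param([string]$MountPoint = $env:SystemDrive)
    $tpm = Get-TpmSummary
    $vol = Get-VolumeProtectorSummary -MountPoint $MountPoint
    $tpm | Format-List | Out-String | Write-Host
    $vol | Format-List | Out-String | Write-Host
    if (-not $tpm.Present -or -not $tpm.Ready) {
        Write-Warning 'TPM absent or not ready: BitLocker can only use password/USB protectors.'
        return $false
    }
    if (-not $vol.RecoveryEscrowed) {
        # Without an escrowed recovery password, a firmware update or PCR change locks you out.
        Write-Warning 'No recovery password protector on this volume; add one before relying on TPM-only unlock.'
    }
    return $vol.TransparentMode
}

# Opt-in remediation for a not-yet-encrypted OS volume: TPM protector plus an escrowed
# recovery password. Review the audit output first, then uncomment.
# Enable-BitLocker -MountPoint $env:SystemDrive -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest
# Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector

Test-TransparentBitLocker
```

`Test-TransparentBitLocker` returns `$true` for a volume whose only boot-time protector is the TPM; a `TpmPin`, `TpmStartupKey` or `ExternalKey` protector means the machine will stop and ask for a PIN or USB key, which is the remote-reboot problem raised later in this thread. Note that none of this involves TXT: BitLocker seals its key to TPM PCRs measured by the firmware's static boot chain, which is why it works on a TPM without any TXT provisioning.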

Tuesday, December 11, 2018 8:27 AM

Hi,

Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

Best regards,

Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].


Wednesday, December 12, 2018 6:21 AM

One example of TXT usage is Bitlocker.

Can you elaborate more or point me where I can find more info about it?


Wednesday, December 12, 2018 7:13 AM

Hi marianh,

Thanks for your reply.

The TPM is a vital part of Intel TXT. Without it Intel TXT does not work. So, when you use BitLocker encryption with a TPM, Intel TXT comes in handy.

Please check this link: http://theinvisiblethings.blogspot.com/2009/01/why-do-i-miss-microsoft-bitlocker.html

Note: This is a third-party link and we do not have any guarantees on this website. This is just for your convenience. And Microsoft does not make any guarantees about the content. 

Best regards,

Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].


Friday, July 3, 2020 6:58 PM

Hello.

While reading (or scanning through) these online:

https://www.intel.com/content/www/us/en/architecture-and-technology/trusted-execution-technology/trusted-execution-technology-server-platforms-matrix.html

https://www.intel.com.au/content/www/au/en/architecture-and-technology/trusted-execution-technology/txt-enabling-guide.html

https://www.intel.com/content/dam/www/public/us/en/documents/guides/intel-one-stop-txt-activation-guide.pdf

...I got the impression that Windows does not support Intel TXT. Windows is almost never mentioned in there.

I got the impression that TXT was only used by Linux systems and that Windows had its own implementation with BitLocker (which utilizes the TPM directly, without the TXT).

My questions:

  1. So, does Windows support/use TXT? Or does it only use the underlying TPM module?
  2. Based on what you wrote above, if you enable TXT on a Windows server (say, Hyper-V Server 2019), will it prevent you from doing remote reboots? I mean, how will you enter the password or the USB key if you are in another physical location? You might say that you can use iDRAC, but that will require an Enterprise license (as far as I know). I was considering using this, but this gave me a pretty strong scare... Maybe the troubles it creates outweigh the benefits for my case. Probably I should stick with things being simple.
  3. If Windows supports TXT, is there any process for enabling it from the software side? I mean, you enable it from the BIOS and then what? You just enable BitLocker and you are done, or is there something else involved? Because I cannot find any Windows section in the linked PDFs, and it feels like there is no documentation anywhere.

I think I found an answer here: https://security.stackexchange.com/a/200926 that links to other pages and suggests that Windows supports TXT under some hardware and software requirements. I wonder why Intel won't mention this.

Thanks.