At first glance, Windows Server 2022 looks like a carefully modeled update of its direct ancestor, Windows Server 2019. Microsoft has clearly focused on evolution instead of revolution. However, a second glance reveals exciting new features, especially in the field of information security. Secured-core server sees Microsoft add no fewer than six components to its new operating system that boost the system's security with minimal overhead. Whether an instance of Windows Server 2022 supports these features, and which ones, depends on the underlying hardware and whether you have a physical or virtual machine; the firmware and, in the case of a VM, the hypervisor, also need to be compatible.

Differences

Before I go into the details of and technical requirements for Secured-core server, I would like to prevent a misunderstanding. Microsoft also used the term "core" in connection with earlier editions of Windows Server, but that meant an installation without a graphical user interface. As early as Windows Server 2008 R2, you were allowed to choose between a core installation and a full installation with desktop display as part of the setup.

A Secured-core server and its functionality are different. You can use all of the new security features in conjunction with a graphical user interface in all editions. Windows Server 2022 Standard, Datacenter, and Datacenter Azure Edition support Secured-core servers, provided the hardware and virtualization are ready for them.

Secure Boot Explained

Security starts as early as the BIOS, or more likely in a state-of-the-art Unified Extensible Firmware Interface (UEFI) that supports the Secure Boot standard, which is not a Microsoft invention but a part of the UEFI specification determined by various original equipment manufacturers (OEMs).

Secure Boot starts even before an operating system fires up and is intended to verify the firmware's integrity and to lock out rootkits. To do this, the UEFI checks the signatures of its boot code and firmware drivers. If this check fails, the firmware triggers a process defined by the OEM to restore a trusted state [1]. Similarly, the firmware also verifies the operating system's boot manager. The firmware will only hand over control for further startup if it also has a valid signature. The other components of the operating system, such as the kernel and device drivers, must also prove by means of signatures that they have not been changed. If any of the signatures do not match those in the UEFI database, the system will not boot.

Under the hood, Secure Boot uses asymmetric encryption, much like a public key infrastructure (PKI). Like a certification authority (CA), UEFI firmware manufacturers form the root of trust. They own the platform keys (PKs) with which they demonstrate the authenticity and genuineness of their firmware. Manufacturers such as Microsoft sign their operating systems and drivers with key exchange keys (KEKs), which an OEM stores in its firmware at the factory before blocking any write access. Subsequent updates of the KEK database are possible but need to be signed with the PK. Microsoft has a KEK that it can use to sign new versions of Windows and other software components and drivers or to block existing signatures. This procedure is known as the static root of trust for measurement (SRTM).

TPM 2.0

As a further root of trust, the Secured-core server uses an active Trusted Platform Module (TPM) version 2.0. The TPM chip generates, stores, and controls access to cryptographic keys and hash values. Microsoft uses a TPM for biometric logins with Windows Hello on client computers and for BitLocker drive encryption.

As part of a measured boot, the TPM generates and stores hashes for all components involved in the system startup process [2]. However, these hashes cannot be verified by a trusted server with just on-board tools (remote attestation); instead, this requires Intune, the Microsoft Endpoint Configuration Manager, or some third-party software. However, even without additional applications and services, a TPM helps enhance security because it forms the basis for another component of the Secured-core server: system monitoring.