With regular security updates and enhancements, Microsoft has been extremely proactive trying to keep its devices and the Windows operating system (OS) safe from any sort of threats. Following the same approach, the company has released a set of new instructions which would secure the devices running on the Windows 11/10 OS even better. This article details out the minimum hardware and firmware requirements for having systems which can be termed as highly secure Windows 10 device.
Standards for Highly Secure Windows Device
Before getting into the details, users need to note that these standards are for general purpose desktops, laptops, tablets, 2-in-1’s, mobile workstations, and desktops. Also, these security recommendations apply to Windows 10 version 1709.
The hardware side list laid down by Microsoft is very specific. For those who are planning to buy new Windows machines should pay close attention to these requirements, because they can cost them the difference between security and exposure to outside threats.
- Processor Generation
Devices must have the latest certified silicon chip that supports the OS. Intel through 7th generation Processors (Intel i3/i5/i7/i9-7x), Core M3-7xxx and Xeon E3-xxxx and current Intel Atom, Celeron and Pentium Processors. On the AMD side, through the 7th generation processors (A Series Ax-9xxx, E-Series Ex-9xxx, FX-9xxx)
- Process Architecture
Microsoft suggested that 64-bit support is necessary for secure devices, which includes modern AMD64/x64 processors, as well as ARMv8.2 CPUs.
VBA is Microsoft’s latest star for Windows security. To ensure it works, it needs a processor which is capable of input-output memory management unit (IOMMU) virtualization, VM extensions with second level address translation (SLAT), and I/O device protection by IOMMU or system memory management unit (SMMU).
- Trusted Platform Module (TPM)
To support the requirement for Trusted Platform Module version 2.0, Windows 10 device would need Intel PTT, AMD, or a discrete Trusted Platform Module from Infineon, STMicroelectronics, or Nouvoton Platform Boot Verification
Windows 10 Systems must have 8 gigabytes or more of system RAM.
The firmware section is divided into six different categories:
- Standard and Class – Unified Extension Firmware Interface (UEFI) version 2.4 or later, and Class 2 or Class 3.
- Drivers – Must be Hypervisor-based Code Integrity (HVCI) compliant.
- UEFI Secure Boot – Must be enabled by default.
- Secure MOR – System’s firmware must implement Secure MOR revision 2.
- Update Mechanism – Must support the Windows UEFI Firmware Capsule Update
These new hardware and firmware requirements for “highly secure Windows devices” are quite reasonable and they should enable the development of Windows devices which have a baseline of security. For those who are looking to buy a new “highly secure” Windows device should follow this list of standards.