Microsoft Releases Standards for Secure Windows 10 Devices
Microsoft released a set of standards that define a safe and secure Windows 10 system. For example, the Redmond company sets requirements for a particular processor and a trusted platform module.
The new standards apply to the latest Feature Update of Windows 10, the Fall Creators Update. Processor-wise, Microsoft recommends a 7th-generation Kaby Lake processor from Intel. The standards are intended for general-purpose desktops, laptops, tablets, 2-in-1s and mobile workstations, and apply specifically and uniquely to Windows 10 version 1709, Fall Creators Update. Windows enterprise security features light up when you meet or exceed these standards and your device is able to provide a highly secure experience.
The hardware standards are broken up into 6 categories, reports Bleeping Computer: processor generation, processor architecture, virtualization, trusted platform modules (TPM), platform boot verification, and RAM.
The processor architecture requirement is to have a 64-bit processor so that Windows can take advantage of VBS, or Virtualization-based security, which uses the Windows hypervisor. The hypervisor is only supported on 64-bit processors.
Virtualization, as mentioned above, is an important component of the Windows Security framework. Highly secured Windows 10 devices should support Intel VT-d, AMD-Vi, or ARM64 SMMUs in order to take advantage of Input-Output Memory Management Unit (IOMMU) device virtualization. To use Second Level Address Translation, or SLAT, processors should support Intel VT-x with Extended Page Tables (EPT) or AMD-V with Rapid Virtualization Indexing (RVI).
Another recommended component is a Trusted Platform Module, or TPM. This is a hardware module that is either integrated into a computer chipset or purchased as a separate module for supported motherboards. It handles the secure generation of cryptographic keys, their storage, secure random number generation, and hardware authentication.
In addition, Microsoft recommends platform boot verification, a feature that prevents the computer from loading firmware that was not designed by the system manufacturer. This prevents attackers from uploading malicious or compromised firmware to the computer. You can use Intel Boot Guard in Verified Boot mode or AMD Hardware Verified Boot to achieve this.
Finally, we have memory, which is recommended to be at a minimum of 8GB. I am unsure why this is a security requirement, rather than just a performance requirement for Windows.
Firmware Standards
A computer's firmware is also expected to meet certain requirements to be a highly secure computer. These requirements are:
- Systems must have firmware that implements Unified Extensible Firmware Interface (UEFI) version 2.4 or later.
- Systems must have firmware that implements UEFI Class 2 or UEFI Class 3.
- All drivers shipped inbox must be Hypervisor-based Code Integrity (HVCI) compliant.
- System's firmware must support UEFI Secure Boot and must have UEFI Secure Boot enabled by default.
- System's firmware must implement Secure MOR revision 2.
- Systems must support the Windows UEFI Firmware Capsule Update specification.
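A quick audit of the local device against the hardware and firmware items above that Windows exposes through built-in cmdlets and WMI, as an added example that is not from Microsoft or the original article. The helper name `Test-Check` is hypothetical; processor generation, UEFI version and class, platform boot verification and capsule update support are not covered here and need vendor tooling or firmware inspection.

```powershell
# Added example: audits the local device; run from an elevated PowerShell prompt.
# Test-Check is a hypothetical helper name, not a built-in cmdlet.
function Test-Check {
    param([string]$Name, [scriptblock]$Probe)
    try   { $met = [bool](& $Probe) }
    catch { $met = $false }   # a probe that throws (e.g. legacy BIOS) counts as not met
    [pscustomobject]@{ Requirement = $Name; Met = $met }
}

# Device Guard WMI class; it may be missing on some editions, in which case
# the checks that rely on it report "not met".
$dg = Get-CimInstance -ClassName Win32_DeviceGuard `
        -Namespace 'root\Microsoft\Windows\DeviceGuard' -ErrorAction SilentlyContinue

# Sum installed DIMM capacity; Win32_ComputerSystem.TotalPhysicalMemory reports
# slightly less than the installed amount because of hardware-reserved memory.
$ramBytes = (Get-CimInstance -ClassName Win32_PhysicalMemory |
             Measure-Object -Property Capacity -Sum).Sum

$results = @(
    Test-Check '64-bit operating system'           { [Environment]::Is64BitOperatingSystem }
    Test-Check 'RAM of at least 8 GB'              { $ramBytes -ge 8GB }
    Test-Check 'TPM present'                       { (Get-Tpm -ErrorAction Stop).TpmPresent }
    Test-Check 'TPM ready for use'                 { (Get-Tpm -ErrorAction Stop).TpmReady }
    Test-Check 'UEFI Secure Boot enabled'          { Confirm-SecureBootUEFI -ErrorAction Stop }
    # AvailableSecurityProperties: 1 = hypervisor support, 3 = DMA protection,
    # 4 = Secure Memory Overwrite
    Test-Check 'Hypervisor support available'      { $dg.AvailableSecurityProperties -contains 1 }
    Test-Check 'DMA protection (IOMMU) available'  { $dg.AvailableSecurityProperties -contains 3 }
    Test-Check 'Secure Memory Overwrite available' { $dg.AvailableSecurityProperties -contains 4 }
    # VirtualizationBasedSecurityStatus 2 = running; SecurityServicesRunning 2 = HVCI
    Test-Check 'VBS running'                       { $dg.VirtualizationBasedSecurityStatus -eq 2 }
    Test-Check 'HVCI running'                      { $dg.SecurityServicesRunning -contains 2 }
)

$results | Format-Table -AutoSize
```

A row showing `False` means either that the item is not met or that the probe could not run, for example without administrator rights.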
Meeting these standards is not that expensive
After seeing the above requirements, you may be thinking that a computer that meets these standards would be costly. Surprisingly, it's not as bad as I expected. For example, this ASUS P-Series P2540UA-AB51 appears to meet all of the requirements listed above and does so for $499 USD. I am sure if I searched harder, I could find even cheaper machines. Unfortunately, many consumer-based computers would not be 100% compliant with the above requirements, simply because many do not include a TPM module. For those looking for a consumer-based computer, you should look for ones whose motherboards contain a TPM socket that you can use to install a TPM module.
Senior Member
Posts: 12508
Joined: 2010-05-22
It doesn't consider the main issue, keeping MS out of my PC.
Data still isn't secure, it leaks out.
Senior Member
Posts: 21798
Joined: 2008-07-14
Microsoft specifically recommends an Intel Kaby Lake processor.....for security....and a TPM module... What good is that TPM module going to do when IME gets compromised? Or IF MS gets hacked? Or if Facebook, Twitter, Google, etc get hacked? Didn't know a TPM module could encrypt all that data that is mined from our computers, while it's stored on servers all over the world.... Shit....let me go enable my TPM module so my next upgrade is just as much a PITA as the last was....
Senior Member
Posts: 881
Joined: 2002-09-14
micro$hitting and throwing dust into our eyes, that's all they do (and ever did)...
Senior Member
Posts: 881
Joined: 2002-09-14
M$ is here concerned with two things only: disabling the use of pirated window$, and being able to sneak-peek into the people's PCs, hand in hand with NSA & co...