Microsoft Releases Standards for Secure Windows 10 Devices

Microsoft released a set of standard that will apply a safe and secure Windows 10 system. For example, the Redmond company sets requirements for a particular processor and a trusted platform module.

The new standards apply to the latest Feature Update of Windows 10, the Fall Creators Update. Processors wise, Microsoft recommends a 7th generation of Kaby Lake processor from Intel. The standards are intended for general purpose desktops, laptops, tablets, 2-in-1’s, mobile workstations, and desktops and applies specifically and uniquely for Windows 10 version 1709, Fall Creators Update. Windows enterprise security features light up when you meet or exceed these standards and your device is able to provide a highly secure experience.

The hardware standards are broken up into 6 categories reports bleeping computers, which are processor generation, processor architecture, virtualization, trusted platform modules (TPM), platform boot verification, and RAM:

The processor architecture requirement is to have a 64-bit processor so that Windows can take advantage of VBS, or Virtualization-based security, which uses the Windows hypervisor. The hypervisor is only supported on 64-bit processors.

Virtualization, as mentioned above, is an important component of the Windows Security framework. Highly secured Windows 10 devices should support Intel VT-d, AMD-Vi, or ARM64 SMMUs in order to take advantage of Input-Output Memory Management Unit (IOMMU) device virtualization. To use Second Layer Address Translation, or SLAT, processors should support Intel Vt-x with Extended Page Tables (EPT) or AMD-v with Rapid Virtualization Indexing (RVI).

Another recommended component is a Trusted Platform Module, or TPM — a hardware module that is either integrated into a computer chipset or can be purchased as a separate module for supported motherboards that handles the secure generation of cryptographic keys, their storage, a secure random number generator, and hardware authentication.

In addition, Microsoft recommends platform boot verification, which is a feature that prevents the computer from loading a firmware that was not designed by the system manufacturer. This prevents attackers from uploading a maliicous or compromised firmware to the computer. You can use Intel Boot Guard in Verified Boot mode or AMD Hardware Verified Boot to achieve this.

Finally, we have memory, which is recommended to be at a minimum of 8GB. I am unsure why this is a security requirement, rather than just a performance requirement for Windows.

Firmware Standards
A computer's firmware is also expected to meet certain requirements to be a highly secure computer. These requirements are:

• Systems must have firmware that implements Unified Extension Firmware Interface (UEFI) version 2.4 or later.
• Systems must have firmware that implements UEFI Class 2 or UEFI Class 3.
• All drivers shipped inbox must be Hypervisor-based Code Integrity (HVCI) compliant.
• System's firmware must support UEFI Secure Boot and must have UEFI Secure Boot enabled by default.
• System's firmware must implement Secure MOR revision 2.
• Systems must support the Windows UEFI Firmware Capsule Update specification.

Meeting these standards is not that expensive
After seeing the above requirements, you may be thinking that a computer that meets these standard would be costly. Surprisingly, it's not as bad as I expected. For example, this ASUS P-Series P2540UA-AB51 appears to meet all of the requirements listed above and does so for $499 USD. I am sure if I searched harder, I could find even cheaper machines.

Unfortunately, many consumer based computers would not be 100% compliant with the above requirements, simply because many do not include a TPM module. For those looking for a consumer based computer, you should look for ones whose motherboards contain a TPM socket that you use to install a TPM module.