Windows 10 is one of the most secure OS you can use, but even though Microsoft is constantly patching vulnerabilities and adding security features (e.g., Controlled folder access, Exploit protection, Windows Defender Application Guard) it’s still vulnerable to attacks if you don’t use the right combination of software and hardware.
On an effort to make Windows 10 (version 1709) more secure, Microsoft has published a set of standard requirements for a “highly secure Windows 10 device.”
These new Microsoft’s standards are recommended for “general purpose desktops, laptops, tablets, 2-in-1’s, mobile workstations, and desktops,” and outlines the processor, process architecture, virtualization, secure boot, firmware requirements, and even the new minimum amount of memory to ensure a secure experience running Windows 10.
In this guide, we’ll take a closer look at the hardware recommendations to have a “highly secure” computer running Windows 10.
|Processor generation||Systems must be on the latest, certified silicon chip for the current release of Windows||Intel 7th generation Processors (Intel i3/i5/i7/i9-7x), Core M3-7xxx and Xeon E3-xxxx and current Intel Atom, Celeron and Pentium Processors.
AMD 7th generation processors (A Series Ax-9xxx, E-Series Ex-9xxx, FX-9xxx).
|Process architecture||Systems must have a processor that supports 64-bit instructions||Virtualization-based security (VBS) features require the Windows hypervisor, which is only supported on 64-bit IA processors, or ARM v8.2 CPUs|
|Virtualization||Systems must have a processor that supports Input-Output Memory Management Unit (IOMMU) device virtualization and all I/O devices must be protected by IOMMU/SMMU
Systems must also have virtual machine extensions with second level address translation (SLAT)
The presence of these hardware virtualization features must be unmasked and reported as supported by the system firmware, and these features must be available for the operating system to use.
|For IOMMU, the system must have Intel VT-d, AMD-Vi, or ARM64 SMMUs
For SLAT, the system must have Intel Vt-x with Extended Page Tables (EPT), or AMD-v with Rapid Virtualization Indexing (RVI)
|Trusted Platform Module (TPM)||Systems must have a Trusted Platform Module (TPM), version 2.0, and meet the latest Microsoft requirements for the Trusted Computing Group(TCG) specification||Intel (PTT), AMD, or discrete TPM from Infineon, STMicroelectronics, Nuvoton|
|Platform boot verification||Systems must implement cryptographically verified platform boot||Intel Boot Guard in Verified Boot mode, or AMD Hardware Verified Boot, or an OEM equivalent mode with similar functionality|
|RAM||Systems must have 8 gigabytes or more of system RAM|
|Standard||Systems must have firmware that implements Unified Extension Firmware Interface (UEFI) version 2.4 or later||For more information, see Unified Extensible Firmware Interface (UEFI) firmware requirements and Unified Extensible Firmware Interface Forum specifications|
|Class||Systems must have firmware that implements UEFI Class 2 or UEFI Class 3||For more information, see Unified Extensible Firmware Interface Forum specifications|
|Code integrity||All drivers shipped inbox must be Hypervisor-based Code Integrity (HVCI) compliant||For more information, see the Enable virtualization-based isolation for Code Integrity section of Driver compatibility with Device Guard in Windows 10|
|Secure boot||System's firmware must support UEFI Secure Boot and must have UEFI Secure Boot enabled by default||For more information, see UEFI firmware requirements and Secure Boot|
|Secure MOR||System's firmware must implement Secure MOR revision 2||For more information, see Secure MOR implementation|
|Update mechanism||Systems must support the Windows UEFI Firmware Capsule Update specification||For more information, see Windows UEFI firmware update platform|
As you can see, the main requirements are at least a seventh-generation 64-bit processor from Intel or AMD, a minimum of 8GB of memory, Trusted Platform Module (TPM), and a UEFI with secure boot enabled.
While Microsoft is aiming these technical specifications for manufacturers to build secure devices running the Windows 10 Fall Creators Update, it’s a great resource that would make it easier to decide which device to purchase, or which components to get if you like to build your computers from scratch.