Standards for Highly Secure Windows Device
Before getting into the details, users need to note that these standards are for general purpose desktops, laptops, tablets, 2-in-1’s, mobile workstations, and desktops. Also, these security recommendations apply to Windows 10 version 1709.
Hardware
The hardware side list laid down by Microsoft is very specific. For those who are planning to buy new Windows machines should pay close attention to these requirements, because they can cost them the difference between security and exposure to outside threats.
Processor Generation
Devices must have the latest certified silicon chip that supports the OS. Intel through 7th generation Processors (Intel i3/i5/i7/i9-7x), Core M3-7xxx and Xeon E3-xxxx and current Intel Atom, Celeron and Pentium Processors. On the AMD side, through the 7th generation processors (A Series Ax-9xxx, E-Series Ex-9xxx, FX-9xxx)
Process Architecture
Microsoft suggested that 64-bit support is necessary for secure devices, which includes modern AMD64/x64 processors, as well as ARMv8.2 CPUs.
Virtualization
VBA is Microsoft’s latest star for Windows security. To ensure it works, it needs a processor which is capable of input-output memory management unit (IOMMU) virtualization, VM extensions with second level address translation (SLAT), and I/O device protection by IOMMU or system memory management unit (SMMU).
Trusted Platform Module (TPM)
To support the requirement for Trusted Platform Module version 2.0, Windows 10 device would need Intel PTT, AMD, or a discrete Trusted Platform Module from Infineon, STMicroelectronics, or Nouvoton Platform Boot Verification
RAM
Windows 10 Systems must have 8 gigabytes or more of system RAM.
Firmware
The firmware section is divided into six different categories:
Standard and Class – Unified Extension Firmware Interface (UEFI) version 2.4 or later, and Class 2 or Class 3.Drivers – Must be Hypervisor-based Code Integrity (HVCI) compliant.UEFI Secure Boot – Must be enabled by default.Secure MOR – System’s firmware must implement Secure MOR revision 2.Update Mechanism – Must support the Windows UEFI Firmware Capsule Update
Conclusion These new hardware and firmware requirements for “highly secure Windows devices” are quite reasonable and they should enable the development of Windows devices which have a baseline of security. For those who are looking to buy a new “highly secure” Windows device should follow this list of standards.