Microsoft this week published information on the standards a Windows 10 device is required to meet to be considered highly secure.
The company has provided details on both hardware and firmware requirements that these devices should meet, including information regarding processor type, amount of required RAM, virtualization support, support for specific UEFI versions, secure boot support, and more.
In Microsoft’s vision, only devices with an Intel CPU through 7th generation processors (Intel i3/i5/i7/i9-7x), Core M3-7xxx and Xeon E3-xxxx and current Intel Atom, Celeron and Pentium processors, along with those featuring AMD through the 7th generation processors (A Series Ax-9xxx, E-Series Ex-9xxx, FX-9xxx) can be considered highly secure.
The systems must include a processor that supports 64-bit instructions, and should also support Input-Output Memory Management Unit (IOMMU) device virtualization, must have virtual machine extensions with second level address translation (SLAT), and should not mask the presence of these hardware virtualization features, but be available for the operating system to use.
A Trusted Platform Module (TPM) version 2.0 is also needed, along with a cryptographically verified platform boot (Intel Boot Guard in Verified Boot mode, or AMD Hardware Verified Boot, or an OEM equivalent mode with similar functionality). The system must also meet the latest Microsoft requirements for the Trustworthy Computing Group (TCG) specification.
On the firmware side, Unified Extension Firmware Interface (UEFI) version 2.4 or later is a must, as well as firmware that implements UEFI Class 2 or UEFI Class 3. According to Microsoft, only devices that ship with Hypervisor-based Code Integrity (HVCI) compliant drivers can be considered highly secure.
The tech company also notes that a system’s firmware must support UEFI Secure Boot and must have UEFI Secure Boot enabled by default to meet the requirements for highly secure Windows 10 devices. Secure MOR revision 2 is also required, along with support for the Windows UEFI Firmware Capsule Update specification.
The publishing of these standards appears yet another step Microsoft is taking toward providing users with increased security and privacy when using Windows 10 devices. Last year, the company announced that all new platform installations would require signed kernel mode drivers, while this year it revealed Windows 10 protections against various threats, including code injection attacks, PowerShell attacks, and zero day exploits.
Related: Windows 10 Exploit Guard Boosts Endpoint Defenses
Related: Windows 10 Can Detect PowerShell Attacks: Microsoft