Microsoft has published a list of standards for a “highly secure” Windows 10 device. They are hardware and firmware requirements and apply to devices running the latest Windows 10 release, the Fall Creators Update (version 1709).
Microsoft recommends a system with a 7th-generation Intel or AMD processor. On Twitter, Dave Weston, Windows Device Security Manager at Microsoft, explained the reason: this generation of chips supports Mode-Based Execution Control (MBEC), which lets the hypervisor enforce separate execute permissions for user-mode and kernel-mode pages. Hypervisor-enforced kernel code integrity relies on exactly that, and on older processors the same effect has to be emulated in software at a noticeable performance cost.
Microsoft also stresses that the processor must be 64-bit, because the Windows hypervisor that underpins Virtualization-Based Security (VBS) only runs on a 64-bit architecture.
By now it is clear that virtualization is a core building block of a secure Windows system. The processor must therefore also support Input-Output Memory Management Unit (IOMMU) device virtualization (Intel VT-d or AMD-Vi), which lets the hypervisor block DMA attacks from malicious peripherals, and Second Level Address Translation (SLAT), the nested page tables the hypervisor needs to isolate memory efficiently.
A Trusted Platform Module (TPM) version 2.0 is also recommended. The TPM is a hardware component that stores cryptographic keys and boot measurements; BitLocker uses it to seal the disk encryption key so that the drive only unlocks when the boot chain is unchanged. The module is sometimes integrated into the chipset or the processor firmware (a firmware TPM), but a discrete module can also be bought separately and installed on a motherboard with a TPM header.
Finally, Microsoft asks for platform boot verification, such as Intel Boot Guard in Verified Boot mode or AMD Hardware Verified Boot, so that the processor itself checks the firmware's signature before UEFI runs, and for a minimum of 8 GB of RAM.
On the firmware side there are several requirements for the Unified Extensible Firmware Interface (UEFI). The firmware must implement UEFI version 2.4 or later as a Class 2 or Class 3 system (Class 3 is UEFI-only, with no legacy BIOS compatibility layer). UEFI Secure Boot must be enabled by default, and Secure MOR revision 2 must be implemented: the Memory Overwrite Request control asks the firmware to scrub RAM on the next boot so that a cold-boot attack cannot recover BitLocker keys, and revision 2 protects that control so it cannot be cleared by software that is not authorized to do so.
All drivers shipped with the system must be Hypervisor-based Code Integrity (HVCI) compliant, meaning they never allocate memory that is both writable and executable, and the system must also support the Windows UEFI Firmware Capsule Update specification so that firmware patches can be delivered through Windows Update.
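The following PowerShell script is added here as an example; it is not part of Microsoft's guidance or tooling. It checks a running Windows 10 machine against the items above using data Windows already exposes (the same Win32_DeviceGuard class that msinfo32 reads). Which WMI property corresponds to which requirement is this script's own assumption; Boot Guard, the exact UEFI version and class, and per-driver HVCI compliance are not visible this way and are left out.

```powershell
# Added example: audit the local machine against the hardware and firmware
# items in Microsoft's "highly secure Windows 10 device" list. This is not a
# Microsoft tool; the mapping of list items to WMI properties is an assumption
# of this script. Run from an elevated PowerShell prompt on Windows 10 1709+.

$results = [ordered]@{}

# --- Processor: 64-bit, SLAT, virtualization extensions enabled in firmware ---
$cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
$results['64-bit CPU']                 = ($cpu.AddressWidth -eq 64)
$results['SLAT (EPT/NPT)']             = [bool]$cpu.SecondLevelAddressTranslationExtensions
$results['VT-x/AMD-V enabled in UEFI'] = [bool]$cpu.VirtualizationFirmwareEnabled

# --- VBS capabilities as Windows sees them ---
# AvailableSecurityProperties codes: 1 BaseVirtualizationSupport, 2 SecureBoot,
# 3 DMAProtection (IOMMU), 4 SecureMemoryOverwrite (Secure MOR),
# 7 ModeBasedExecutionControl (MBEC)
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$avail = @($dg.AvailableSecurityProperties)
$results['Hypervisor (VBS) support'] = ($avail -contains 1)
$results['IOMMU / DMA protection']   = ($avail -contains 3)
$results['Secure MOR']               = ($avail -contains 4)
$results['MBEC']                     = ($avail -contains 7)
# VirtualizationBasedSecurityStatus: 0 off, 1 enabled but not running, 2 running
$results['VBS running']              = ($dg.VirtualizationBasedSecurityStatus -eq 2)
# SecurityServicesRunning: 1 CredentialGuard, 2 HypervisorEnforcedCodeIntegrity
$results['HVCI running']             = (@($dg.SecurityServicesRunning) -contains 2)

# --- Firmware: UEFI with Secure Boot on (the cmdlet throws on legacy BIOS) ---
try   { $results['UEFI Secure Boot enabled'] = [bool](Confirm-SecureBootUEFI) }
catch { $results['UEFI Secure Boot enabled'] = $false }

# --- TPM 2.0: SpecVersion reads like "2.0, 0, 1.16" ---
$tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
$results['TPM 2.0 present'] = ($null -ne $tpm -and $tpm.SpecVersion -like '2.0*')

# --- RAM: at least 8 GB installed (sum of DIMM capacities, not the OS-visible total) ---
$installed = (Get-CimInstance -ClassName Win32_PhysicalMemory | Measure-Object -Property Capacity -Sum).Sum
$results['>= 8 GB RAM'] = ($installed -ge 8GB)

# --- Capsule updates: firmware that advertises them shows up in the Firmware device class ---
$fw = Get-PnpDevice -Class Firmware -ErrorAction SilentlyContinue
$results['UEFI capsule update device present'] = ($null -ne $fw)

# Print one line per requirement
$results.GetEnumerator() | ForEach-Object {
    '{0,-40} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'MISSING' })
}
```

A machine that reports MISSING for IOMMU, Secure MOR or MBEC is usually telling you something about firmware settings (VT-d or its AMD equivalent disabled) or about processor generation rather than about Windows, so check the UEFI setup screen before blaming the OS. The capsule-update check is a heuristic: it only shows that the firmware enumerates an updatable firmware resource, not that the OEM actually publishes updates through Windows Update.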
How hard is it to find a device that meets all of these requirements? If you buy a new machine, you should be fine. The biggest hurdle is likely to be the Trusted Platform Module, which is more common in business computers than in consumer devices.