Microsoft releases new requirements for a highly secure Windows 10 device

3 min. read

Published on November 7, 2017

published on November 7, 2017

Readers help support MSpoweruser. We may get a commission if you buy through our links.

Microsoft has now released new standards for a highly secure Windows 10 device. These standards are for applicable for all desktops, laptops, tablets, 2-in-1’s, mobile workstations, and desktops running Windows 10 version 1709, Fall Creators Update and above. In enterprise world, security is one of the top priorities while choosing new hardware. These new requirements from Microsoft will help organizations in choosing the right Windows 10 device for their employees. All the Windows enterprise security features will be enabled when your hardware meet or exceed these standards.

Below are the hardware requirements for a highly secure Windows 10 device.

Feature	Requirement	Details
Processor generation	Systems must be on the latest, certified silicon chip for the current release of Windows	Intel through 7th generation Processors (Intel i3/i5/i7/i9-7x), Core M3-7xxx and Xeon E3-xxxx and current Intel Atom, Celeron and Pentium Processors AMD through the 7th generation processors (A Series Ax-9xxx, E-Series Ex-9xxx, FX-9xxx)
Process architecture	Systems must have a processor that supports 64-bit instructions	Virtualization-based security (VBS) features require the Windows hypervisor, which is only supported on 64-bit IA processors, or ARM v8.2 CPUs
Virtualization	Systems must have a processor that supports Input-Output Memory Management Unit (IOMMU) device virtualization and all I/O devices must be protected by IOMMU/SMMU Systems must also have virtual machine extensions with second level address translation (SLAT) The presence of these hardware virtualization features must be unmasked and reported as supported by the system firmware, and these features must be available for the operating system to use	For IOMMU, the system must have Intel VT-d, AMD-Vi, or ARM64 SMMUs For SLAT, the system must have Intel Vt-x with Extended Page Tables (EPT), or AMD-v with Rapid Virtualization Indexing (RVI)
Trusted Platform Module (TPM)	Systems must have a Trusted Platform Module (TPM), version 2.0, and meet the latest Microsoft requirements for the Trustworthy Computing Group(TCG) specification	Intel (PTT), AMD, or discrete TPM from Infineon, STMicroelectronics, Nuvoton
Platform boot verification	Systems must implement cryptographically verified platform boot	Intel Boot Guard in Verified Boot mode, or AMD Hardware Verified Boot, or an OEM equivalent mode with similar functionality
RAM	Systems must have 8 gigabytes or more of system RAM

Below are the requirements for firmware that comes with the hardware.

Feature	Requirement	Details
Standard	Systems must have firmware that implements Unified Extension Firmware Interface (UEFI) version 2.4 or later	For more information, see United Extensible Firmware Interface (UEFI) firmware requirements and Unified Extensible Firmware Interface Forum specifications
Class	Systems must have firmware that implements UEFI Class 2 or UEFI Class 3	For more information, see Unified Extensible Firmware Interface Forum specifications
Code integrity	All drivers shipped inbox must be Hypervisor-based Code Integrity (HVCI) compliant	For more information, see the Enable virtualization-based isolation for Code Integrity section of Driver compatibility with Device Guard in Windows 10
Secure boot	System’s firmware must support UEFI Secure Boot and must have UEFI Secure Boot enabled by default	For more informaion, see UEFI firmware requirements and Secure Boot
Secure MOR	System’s firmware must implement Secure MOR revision 2	For more information, see Secure MOR implementation
Update mechanism	Systems must support the Windows UEFI Firmware Capsule Update specification	For more information, see Windows UEFI firmware update platform