Microsoft has published a new standard for creating a very secure Windows 10 machine.
It’s possible to find a cheap laptop that meets all Microsoft’s requirements for a highly secure Windows 10 device, but many consumer products probably won’t measure up. Image: ZDNet/Microsoft
Microsoft has released a new document explaining the minimum hardware and firmware requirements to create a “highly secure” Windows 10 device.
If you’ve got a Surface Pro 4, which has a sixth-generation Intel processor, it doesn’t meet Microsoft’s newly published standard.
“Systems must be on the latest, certified silicon chip for the current release of Windows,” Microsoft notes on the issue of processor generations.
These chips includes Intel’s seventh-generation Intel Core i3, i5, i7, i9, M3, and Xeon processors, as well as current Intel Atom, Celeron and Pentium processors.
The processor must have a 64-bit architecture, since Windows 10’s virtualization-based security (VBS) requires the Windows hypervisor and this only works on 64-bit processors or ARM v8.2 CPUs.
Several important Windows 10 security features that help defend against advanced attackers rely on VBS, such as Windows Defender Credential Guard, Windows Defender Device Guard, and Hypervisor-Enforced Code Integrity (HVCI).
Microsoft has also laid out minimum requirements to support virtualization. The processor needs to have Intel VT-d, AMD-Vi or ARM64 SMMUs to handle the required Input-Output Memory Management Unit (IOMMU) device virtualization.
To support virtual-machine extensions with second-level address translation (SLAT), the system needs Intel Vt-x with Extended Page Tables (EPT), or AMD-v with Rapid Virtualization Indexing (RVI).
The Windows 10 device also needs Intel PTT, AMD, or a discrete Trusted Platform Module from Infineon, STMicroelectronics, or Nouvoton to support the requirement for Trusted Platform Module version 2.0.
Microsoft demands that systems implement cryptographically verified platform boot. This requires Intel Boot Guard in Verified Boot mode, or AMD Hardware Verified Boot, or an equivalent solution developed by an OEM.
Finally, the system needs to have at least 8GB of RAM. Microsoft doesn’t explain why this is required.
As noted by BleepingComputer’s founder, Lawrence Abrahams, it is possible to find a cheap laptop that meets all these hardware requirements, such as ASUS P-Series P2540UA-AB51, which is available for $500 on Amazon. However, many consumer products probably won’t meet all these requirements.
Microsoft has laid out a number of firmware requirements too, including a stipulation that the firmware implements Unified Extension Firmware Interface (UEFI) version 2.4 or later, that all drivers comply with the HVCI, and that systems support the Windows UEFI Firmware Capsule Update specification.