Standards for a highly secure Windows 10 device



    Last Updated: 12 Nov 2017 at 15:03

    These standards are for general purpose desktops, laptops, tablets, 2-in-1s and mobile workstations. This topic applies specifically and uniquely to Windows 10 version 1709, Fall Creators Update. When a device meets or exceeds these standards, the Windows security features below can be enabled and the device is able to provide a highly secure experience.

    Hardware

    Feature: Processor generation
    Requirement: Systems must be on the latest, certified silicon chip for the current release of Windows
    Details:
    • Intel through 7th generation processors (Intel i3/i5/i7/i9-7x), Core M3-7xxx and Xeon E3-xxxx, and current Intel Atom, Celeron and Pentium processors
    • AMD through the 7th generation processors (A-Series Ax-9xxx, E-Series Ex-9xxx, FX-9xxx)

    Feature: Processor architecture
    Requirement: Systems must have a processor that supports 64-bit instructions
    Details: Virtualization-based security (VBS) features require the Windows hypervisor, which is only supported on 64-bit IA processors or ARM v8.2 CPUs

    Feature: Virtualization
    Requirement:
    • Systems must have a processor that supports Input-Output Memory Management Unit (IOMMU) device virtualization, and all I/O devices must be protected by IOMMU/SMMU
    • Systems must also have virtual machine extensions with second level address translation (SLAT)
    • The presence of these hardware virtualization features must be unmasked and reported as supported by the system firmware, and these features must be available for the operating system to use
    Details:
    • For IOMMU, the system must have Intel VT-d, AMD-Vi, or ARM64 SMMUs
    • For SLAT, the system must have Intel VT-x with Extended Page Tables (EPT), or AMD-V with Rapid Virtualization Indexing (RVI)

    Feature: Trusted Platform Module (TPM)
    Requirement: Systems must have a Trusted Platform Module (TPM), version 2.0, and meet the latest Microsoft requirements for the Trustworthy Computing Group (TCG) specification
    Details: Intel (PTT), AMD, or a discrete TPM from Infineon, STMicroelectronics or Nuvoton

    Feature: Platform boot verification
    Requirement: Systems must implement cryptographically verified platform boot
    Details: Intel Boot Guard in Verified Boot mode, AMD Hardware Verified Boot, or an OEM equivalent mode with similar functionality

    Feature: RAM
    Requirement: Systems must have 8 gigabytes or more of system RAM

    Firmware

    Feature: Standard
    Requirement: Systems must have firmware that implements Unified Extensible Firmware Interface (UEFI) version 2.4 or later
    Details: For more information, see Unified Extensible Firmware Interface (UEFI) firmware requirements and the Unified Extensible Firmware Interface Forum specifications

    Feature: Class
    Requirement: Systems must have firmware that implements UEFI Class 2 or UEFI Class 3
    Details: For more information, see the Unified Extensible Firmware Interface Forum specifications

    Feature: Code integrity
    Requirement: All drivers shipped inbox must be Hypervisor-based Code Integrity (HVCI) compliant
    Details: For more information, see the "Enable virtualization-based isolation for Code Integrity" section of Driver compatibility with Device Guard in Windows 10

    Feature: Secure Boot
    Requirement: The system's firmware must support UEFI Secure Boot and must have UEFI Secure Boot enabled by default
    Details: For more information, see UEFI firmware requirements and Secure Boot

    Feature: Secure MOR
    Requirement: The system's firmware must implement Secure MOR revision 2
    Details: For more information, see Secure MOR implementation

    Feature: Update mechanism
    Requirement: Systems must support the Windows UEFI Firmware Capsule Update specification
    Details: For more information, see Windows UEFI firmware update platform

    Source: Standards for a highly secure Windows 10 device | Microsoft Docs
    Posted By: Brink
    07 Nov 2017


  1. Posts : 26,445
    Windows 11 Pro 22631.3447
       #1

    This is akin to the Motor Vehicle Department of any State telling a person applying for a driver's license that they must purchase a Ferrari :)


  2. Posts : 7,901
    Windows 11 Pro 64 bit
       #2

    I wonder how many PCs you can buy now meet these standards.


  3. Posts : 369
    Windows 10 x64 Pro 22H2
       #3

    What's with that insane RAM requirement? How is that supposed to make your system secure?
    Is this the Twilight Zone or what? XD


  4. Posts : 27,181
    Win11 Pro, Win10 Pro N, Win10 Home, Windows 8.1 Pro, Ubuntu
       #4

    FerchogtX said:
    What's with that insane RAM requirement? How is that supposed to make your system secure?
    Is this the Twilight Zone or what? XD
    The virtualization technology (the main security portion) runs in RAM.
    8 gigs is not that much either.
    I upgraded the laptop I bought in 2011 to 8GB (added a 4GB SO-DIMM) about 1 week after I bought it.


  5. Posts : 5,899
    Win 11 Pro (x64) 22H2
       #5

    Cliff S said:
    The virtualization technology (the main security portion) runs in RAM.
    8 gigs is not that much either.
    I upgraded the laptop I bought in 2011 to 8GB (added a 4GB SO-DIMM) about 1 week after I bought it.
    Yeah, I'm not sure about the "insane RAM requirements" comment as 8gig is simply today's minimum. Heck when I bought my new laptop, I was looking past 8gig and instead got 16. Both my main and backup desktop systems run 32.

    Anyway I've been arguing for a while now that Windows 10 should be run on more than 4gig of memory. Glad to have this article to further advance that idea.

    BTW I just need to install my TPM 2.0 module to complete the "Secure Windows" thing. Unfortunately my TPM module is an Infineon module, which were flagged as having security issues - RSA Keys Generated by Infineon TPMs are Insecure - Windows 10 Forums


  6. Posts : 369
    Windows 10 x64 Pro 22H2
       #6

    Ok... so from what you say I gotta understand that the 8 gigs are needed because of the virtualization technologies, and that directly means running VMs so you don't risk your main system?
    If that's the case, now it makes complete sense to me. Still, I feel the average Joe (as you say sometimes, peeps) won't ever need past 6 Gigs of RAM, as they know very little about virtualization and Virtual Machines...

    Returning to the RAM, it doesn't affect me, I mean, I have 16 Gigs in my laptop, so running a 2 Gig RAM Windows 7 or 8.1 in a VM is meaningless... still, I had to rely on a BIOS mods forum to learn to use a tool for Insyde BIOS and enable AMD-V to make it a better experience. Why Acer disabled this in my new laptop model, while my old Aspire 4535 has it by default, is a mystery to me. And that reminds me there are laptops (or OEM desktop systems) that come with this technology disabled through the BIOS, which is pure nonsense. Is Microsoft aware of this unusual issue?

    Thanks for the answers anyway, I didn't think about those specifics XD


  7. Posts : 7,724
    3-Win-7Prox64 3-Win10Prox64 3-LinuxMint20.2
       #7

    Hi,
    Secure boot must be enabled :/
    That alone is interesting to me, seeing that it might be another nail in Win 7's coffin, maybe, maybe not :/


  8. Posts : 27,181
    Win11 Pro, Win10 Pro N, Win10 Home, Windows 8.1 Pro, Ubuntu
       #8

    ThrashZone said:
    Hi,
    Secure boot must be enabled :/
    That alone is interesting to me, seeing that it might be another nail in Win 7's coffin, maybe, maybe not :/
    Um, no, the user/owner can always go into BIOS and change it. Actually, being enabled has been that way from the beginning, I believe.


  9. Posts : 5,899
    Win 11 Pro (x64) 22H2
       #9

    Cliff S said:
    Um, no, the user/owner can always go into BIOS and change it. Actually, being enabled has been that way from the beginning, I believe.
    Secure Boot is not an automatically enabled process. At least not on store-bought desktop motherboards. While most of today's laptops running Windows 10 (or 8/8.1) have it enabled in the UEFI BIOS by the laptop vendor (a security feature MS now requires of laptops?), and my Lenovo has it enabled, it's not something you may see automatically enabled on a store-bought motherboard. I know none of my Gigabyte boards (Z87, Z170, Z270) had it enabled by default in the UEFI BIOS. You can check this by typing "Confirm-SecureBootUEFI" (without quotes) in PowerShell (Admin). You'll either get True or False...

    [Screenshot: ps-secureboot-enabled.png]

    There are also some other parameters that need to be met, and also that your GPU be UEFI BIOS compatible. This requires CSM to be disabled before Secure Boot can be enabled. Been there, did that - Fiji Bios Editing ( Fury / Fury X / Nano / Radeon Pro Duo ) - Page 90.

    Here are some good instructions on enabling Secure Boot, and how to check with PowerShell - Enabling UEFI Secure Boot with a Gigabyte BIOS Trackballer. They should work with any board, not just Gigabyte.
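An added PowerShell check (not from the Microsoft article or any poster in this thread) that extends the Confirm-SecureBootUEFI test from post #9 to the other rows of the hardware and firmware tables above: 64-bit, RAM, VT-x/AMD-V with SLAT, UEFI, TPM 2.0, and the VBS/HVCI, IOMMU and Secure MOR state that Windows reports through Win32_DeviceGuard. It assumes the documented Win32_DeviceGuard value codes noted in the comments and must be run from an elevated PowerShell (Admin) window.

```powershell
# Added example: report the local machine against the hardware/firmware rows above.
# Run from an elevated PowerShell (Admin) session on Windows 10.
# Assumption: Win32_DeviceGuard codes follow the Microsoft WMI documentation
#   AvailableSecurityProperties: 1 = base VBS support, 3 = DMA (IOMMU) protection, 4 = Secure MOR
#   VirtualizationBasedSecurityStatus: 2 = running; SecurityServicesRunning: 2 = HVCI
$results = [ordered]@{}

# 64-bit processor/OS (required for the Windows hypervisor and VBS)
$os = Get-CimInstance Win32_OperatingSystem
$results['64-bit OS/CPU']       = $os.OSArchitecture -eq '64-bit'

# 8 GB or more of system RAM (rounded, since firmware reserves a little)
$cs = Get-CimInstance Win32_ComputerSystem
$results['RAM >= 8 GB']         = [math]::Round($cs.TotalPhysicalMemory / 1GB) -ge 8

# VT-x/AMD-V unmasked by firmware, plus SLAT (EPT/RVI)
$cpu = Get-CimInstance Win32_Processor | Select-Object -First 1
$results['Virtualization on']   = [bool]$cpu.VirtualizationFirmwareEnabled
$results['SLAT supported']      = [bool]$cpu.SecondLevelAddressTranslationExtensions

# UEFI firmware and Secure Boot enabled (same cmdlet the post above uses)
$results['UEFI firmware']       = $env:firmware_type -eq 'UEFI'
try   { $results['Secure Boot enabled'] = Confirm-SecureBootUEFI }
catch { $results['Secure Boot enabled'] = $false }   # cmdlet throws on legacy BIOS

# TPM present and reporting spec version 2.0
$tpm = Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm `
                       -ErrorAction SilentlyContinue
$results['TPM 2.0 present']     = ($null -ne $tpm) -and ($tpm.SpecVersion -like '2.0*')

# VBS/HVCI state and platform properties as seen by Windows (IOMMU/DMA, Secure MOR)
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
$props = @($dg.AvailableSecurityProperties)
$results['VBS base support']    = $props -contains 1
$results['IOMMU/DMA protection']= $props -contains 3
$results['Secure MOR']          = $props -contains 4
$results['VBS running']         = $dg.VirtualizationBasedSecurityStatus -eq 2
$results['HVCI running']        = @($dg.SecurityServicesRunning) -contains 2

# Print a pass/fail table; any False row is a gap against the standard
$results.GetEnumerator() |
    ForEach-Object { [pscustomobject]@{ Check = $_.Key; Meets = $_.Value } } |
    Format-Table -AutoSize
```

A False for "Virtualization on" or "IOMMU/DMA protection" on otherwise capable hardware usually means the feature is masked in firmware setup, the situation described in post #6.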

