  1.    1 Week Ago #1
    Join Date : Oct 2013
    Posts : 25,179
    64-bit Windows 10 Pro build 17040

    Standards for a highly secure Windows 10 device


    These standards are for general purpose desktops, laptops, tablets, 2-in-1’s, mobile workstations, and desktops. This topic applies specifically and uniquely for Windows 10 version 1709, Fall Creators Update. Windows security features are enabled when you meet or exceed these standards and your device is able to provide a highly secure experience.

    Hardware

    Feature: Processor generation
    Requirement: Systems must be on the latest, certified silicon chip for the current release of Windows
    Details:
    • Intel through 7th generation Processors (Intel i3/i5/i7/i9-7x), Core M3-7xxx and Xeon E3-xxxx and current Intel Atom, Celeron and Pentium Processors
    • AMD through the 7th generation processors (A Series Ax-9xxx, E-Series Ex-9xxx, FX-9xxx)

    Feature: Process architecture
    Requirement: Systems must have a processor that supports 64-bit instructions
    Details: Virtualization-based security (VBS) features require the Windows hypervisor, which is only supported on 64-bit IA processors, or ARM v8.2 CPUs

    Feature: Virtualization
    Requirement:
    • Systems must have a processor that supports Input-Output Memory Management Unit (IOMMU) device virtualization and all I/O devices must be protected by IOMMU/SMMU
    • Systems must also have virtual machine extensions with second level address translation (SLAT)
    • The presence of these hardware virtualization features must be unmasked and reported as supported by the system firmware, and these features must be available for the operating system to use
    Details:
    • For IOMMU, the system must have Intel VT-d, AMD-Vi, or ARM64 SMMUs
    • For SLAT, the system must have Intel Vt-x with Extended Page Tables (EPT), or AMD-v with Rapid Virtualization Indexing (RVI)

    Feature: Trusted Platform Module (TPM)
    Requirement: Systems must have a Trusted Platform Module (TPM), version 2.0, and meet the latest Microsoft requirements for the Trustworthy Computing Group (TCG) specification
    Details: Intel (PTT), AMD, or discrete TPM from Infineon, STMicroelectronics, Nuvoton

    Feature: Platform boot verification
    Requirement: Systems must implement cryptographically verified platform boot
    Details: Intel Boot Guard in Verified Boot mode, or AMD Hardware Verified Boot, or an OEM equivalent mode with similar functionality

    Feature: RAM
    Requirement: Systems must have 8 gigabytes or more of system RAM

    Firmware

    Feature: Standard
    Requirement: Systems must have firmware that implements Unified Extensible Firmware Interface (UEFI) version 2.4 or later
    Details: For more information, see Unified Extensible Firmware Interface (UEFI) firmware requirements and Unified Extensible Firmware Interface Forum specifications

    Feature: Class
    Requirement: Systems must have firmware that implements UEFI Class 2 or UEFI Class 3
    Details: For more information, see Unified Extensible Firmware Interface Forum specifications

    Feature: Code integrity
    Requirement: All drivers shipped inbox must be Hypervisor-based Code Integrity (HVCI) compliant
    Details: For more information, see the Enable virtualization-based isolation for Code Integrity section of Driver compatibility with Device Guard in Windows 10

    Feature: Secure boot
    Requirement: System's firmware must support UEFI Secure Boot and must have UEFI Secure Boot enabled by default
    Details: For more information, see UEFI firmware requirements and Secure Boot

    Feature: Secure MOR
    Requirement: System's firmware must implement Secure MOR revision 2
    Details: For more information, see Secure MOR implementation

    Feature: Update mechanism
    Requirement: Systems must support the Windows UEFI Firmware Capsule Update specification
    Details: For more information, see Windows UEFI firmware update platform

    Source: Standards for a highly secure Windows 10 device | Microsoft Docs
    Last edited by Brink; 5 Days Ago at 15:03.
  2.    1 Week Ago #2
    Join Date : Mar 2017
    Posts : 5,688
    64-bit Windows 10 Pro

    This is akin to the Motor Vehicle Department of any State telling a person applying for a driver's license that they must purchase a Ferrari.
  3.    1 Week Ago #3
    Join Date : Jun 2015
    UK
    Posts : 2,077
    Windows 10 Home x64 (Laptop), Windows 10 Pro x64 (Desktop)

    I wonder how many PCs you can buy now that meet these standards.
  4.    1 Week Ago #4
    Join Date : Aug 2015
    México
    Posts : 212
    Windows 10 x64 Home 1703

    What's with that insane RAM requirement? How is that supposed to make your system secure?
    Is this the Twilight Zone or what? XD
  5.    1 Week Ago #5
    Join Date : Feb 2015
    Bamberg Germany
    Posts : 17,547
    Win10 Pro, Win10 Pro N, Win10 Home, Win10 Pro Insider Fast Ring, Windows 8.1 Pro, Ubuntu

    Originally posted by FerchogtX:
        What's with that insane RAM requirement? How is that supposed to make your system secure?
        Is this the Twilight Zone or what? XD

    The virtualization technology (the main security portion) runs in RAM.
    8 gigs is not that much either.
    I upgraded the laptop I bought in 2011 to 8GB (added a 4GB SO-DIMM) about 1 week after I bought it.
  6.    1 Week Ago #6
    Join Date : Jun 2014
    USA
    Posts : 1,570
    Windows 10 Pro x64

    Originally posted by Cliff S:
        The virtualization technology (the main security portion) runs in RAM.
        8 gigs is not that much either.
        I upgraded the laptop I bought in 2011 to 8GB (added a 4GB SO-DIMM) about 1 week after I bought it.

    Yeah, I'm not sure about the "insane RAM requirements" comment as 8gig is simply today's minimum. Heck when I bought my new laptop, I was looking past 8gig and instead got 16. Both my main and backup desktop systems run 32.

    Anyway I've been arguing for a while now that Windows 10 should be run on more than 4gig of memory. Glad to have this article to further advance that idea.

    BTW I just need to install my TPM 2.0 module to complete the "Secure Windows" thing. Unfortunately my TPM module is an Infineon module which were flagged as having security issues - RSA Keys Generated by Infineon TPMs are Insecure - Windows 10 Forums
  7.    1 Week Ago #7
    Join Date : Aug 2015
    México
    Posts : 212
    Windows 10 x64 Home 1703

    Ok... so I gotta understand from what you say that the 8 gigs are needed because of the virtualization technologies, and that directly means running VMs so you don't risk your main system?
    If that's the case, now it makes complete sense to me. Still I feel the average Joe (as you say sometimes, peeps) will ever need past 6 Gigs of RAM as they know very little about virtualization and Virtual Machines...

    Returning to the RAM, it doesn't affect me, I mean, I have 16 Gigs in my laptop, so running a 2 Gig RAM Windows 7 or 8.1 in a VM is meaningless... still I had to rely on a bios mods forum to learn to use a tool for Insyde Bios and enable AMD-V to make it a better experience. Why Acer disabled this in my new laptop model, while my old Aspire 4535 has it by default, is a mystery to me. And that reminds me there are laptops (or OEM desktop systems) that come with this technology disabled through the Bios, which is pure nonsense. Is Microsoft aware of this unusual issue?

    Thanks for the answers anyway, I didn't think about those specifics XD
  8.    5 Days Ago #8
    Join Date : Nov 2013
    Houston
    Posts : 2,092
    3-Win-7Prox64 2-Win10Prox64

    Hi,
    Secure boot must be enabled :/
    That alone is interesting to me, seeing that alone might be another nail in win-7's coffin, maybe, maybe not :/
  9.    5 Days Ago #9
    Join Date : Feb 2015
    Bamberg Germany
    Posts : 17,547
    Win10 Pro, Win10 Pro N, Win10 Home, Win10 Pro Insider Fast Ring, Windows 8.1 Pro, Ubuntu

    Originally posted by ThrashZone:
        Hi,
        Secure boot must be enabled :/
        That alone is interesting to me, seeing that alone might be another nail in win-7's coffin, maybe, maybe not :/

    Um, no, the user/owner can always go into BIOS and change it. Actually being enabled has been that way from the beginning, I believe.
  10.    5 Days Ago #10
    Join Date : Jun 2014
    USA
    Posts : 1,570
    Windows 10 Pro x64

    Originally posted by Cliff S:
        Um, no, the user/owner can always go into BIOS and change it. Actually being enabled has been that way from the beginning, I believe.

    Secure boot is not an automatically enabled process. At least not on store bought desktop motherboards. While most of today's laptops running Windows 10 (or 8/8.1) have it enabled in the UEFI BIOS by the laptop vendor (a security feature MS now requires of laptops?) and my Lenovo has it enabled, it's not something you may see automatically enabled on a store bought motherboard. I know none of my Gigabyte boards (Z87, Z170, Z270) had it enabled by default in the UEFI BIOS. You can check this by typing "confirm-SecureBootUEFI" (without quotes) in PowerShell (Admin). You'll either get True or False...

    [Screenshot: PS Secureboot Enabled.PNG]

    There are also some other parameters that need to be met. And also that your GPU be UEFI BIOS compatible. This requires CSM to be disabled before secure boot can be enabled. Been there, did that - Fiji Bios Editing ( Fury / Fury X / Nano / Radeon Pro Duo ) - Page 90.

    Here's some good instructions on enabling Secure Boot, and how to check with PowerShell - Enabling UEFI Secure Boot with a Gigabyte BIOS Trackballer. They should work with any board, not just Gigabyte.
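The Secure Boot check from the post above, extended to a few other items from the quoted standard (TPM 2.0, 8 GB RAM, 64-bit, VBS-related properties), as an added example that is not part of the original thread. It assumes an elevated PowerShell session on Windows 10; the function names Test-SecureBoot and Get-TpmSpecVersion are made up for this example.

```powershell
# Added example, not from the thread. Read-only; run in PowerShell (Admin).
function Test-SecureBoot {
    # Confirm-SecureBootUEFI returns True/False on a UEFI boot, but throws on a
    # legacy BIOS/CSM boot and in a non-elevated session, so map those cases too.
    try {
        if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'Enabled' } else { 'Disabled' }
    } catch [System.PlatformNotSupportedException] {
        'Not supported (legacy BIOS/CSM boot)'
    } catch [System.UnauthorizedAccessException] {
        'Unknown (session is not elevated)'
    } catch {
        "Unknown ($($_.Exception.Message))"   # fallback for any other error
    }
}

function Get-TpmSpecVersion {
    # Win32_Tpm.SpecVersion looks like "2.0, 0, 1.16"; the first field is the
    # TPM family. Returns nothing when no TPM is exposed to Windows.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
        -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() }
}

# Installed RAM can be reported slightly under the nominal size, so round to whole GB.
$ramGB = [math]::Round((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1GB)

# Win32_DeviceGuard reports what firmware and hardware expose for VBS.
# AvailableSecurityProperties: 1 = hypervisor support, 3 = DMA protection,
# 4 = secure memory overwrite. $dg stays $null if the class is unavailable.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
    -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$vbs = switch ($dg.VirtualizationBasedSecurityStatus) {
    0 { 'Not enabled' } 1 { 'Enabled, not running' } 2 { 'Running' }
    default { 'Unknown' }
}

$tpmVer = Get-TpmSpecVersion
[pscustomobject]@{
    SecureBoot        = Test-SecureBoot
    Is64BitOS         = [Environment]::Is64BitOperatingSystem
    TpmSpecVersion    = if ($tpmVer) { $tpmVer } else { 'No TPM found' }
    Tpm20             = ($tpmVer -eq '2.0')
    RamGB             = $ramGB
    Ram8GBOrMore      = ($ramGB -ge 8)
    HypervisorSupport = ($dg.AvailableSecurityProperties -contains 1)
    DmaProtection     = ($dg.AvailableSecurityProperties -contains 3)
    SecureMor         = ($dg.AvailableSecurityProperties -contains 4)
    VbsStatus         = $vbs
} | Format-List
```

A board with CSM enabled shows up here as "Not supported" rather than "Disabled", which matches the post's point that CSM has to be turned off before Secure Boot can be enabled.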

 