Most of the last few years has seen Microsoft look for ways to tighten up the security of its OS. As of today, the company has deemed it fit to releases a set of guidelines to PC makers about how to build a highly secured Windows PC.
Microsoft’s standard for creating a highly secured PC
Here are the requirements:
Processor and RAM Requirement
Microsoft’s “highly secure” Windows 10 device standard applies to devices running Windows 10 Fall Creators Update with 7th Gen Intel (Core i3, i5, i7, i9-7x, M3-7xxx, and XeonE3-xxx) or AMD (A Series Ax-9xxx, E-Series Ex-9xxx, FX-9xxx) and 8GB as minimum system memory.
64 bit CPU compulsory
Although 32-bit CPUs for computers are almost nowhere to be seen in the market, Microsoft still explicitly mandates that the processor must support 64-bit instructions.
That’s because the Windows hypervisor only works with 64-bit chips. It’s needed to run VBS (Virtualization-based security) which powers various security features in Windows 10 such as Device Guard and Credential Guard.
TPM 2.0 required
A highly secure Windows 10 device must be running version 2.0 of the TPM (Trusted Platform Module) and meet Microsoft specifications for the Trustworthy Computing Group (TCG) specification. Further, it should have cryptographically signed platform boot which can be enabled via Intel Boot Guard in Verified Mode, AMD Hardware Verified Boot, or an OEM equivalent for the same.
What about the virtualization?
Virtualization requirements include that the system should have Intel VT-d, AND-Vi, or ARM64 SMMUs to support input-output memory management unit (IOMMU) device virtualization. And to enable support for VM extensions with SLAT (Second-Level Translation), the system should have Intel Vt-x with Extended Page Tables (EPT) or AMD-v with Rapid Virtualization Indexing (RVI).
The device should run UEFI 2.4
As a part of the firmware requirements for a highly secure Windows 10 device, Microsoft says the system should implement UEFI (Unified Extension Firmware Interface) 2.4 or above, the drivers must be HVCI (Hypervisor-based Code Integrity) compliant and support UEFI Firmware Capsule Update specification.
Now, meeting all of these requirements set forth by Microsoft might sound like a tough deal. But it seems, it isn’t as costly as one might assume. You can find Windows 10 PCs running 7th Gen Intel chips and 8 gigs of RAM for as low as $500. Even the laptop I bought last year fulfills almost all of the requirements mentioned above.
You shouldn’t worry about the geekier stuff such as the virtualization specs, TPM version, UEFI version, as it would be the PC makers who would have to make sure the devices stick to all the requirements.
Read the Microsoft document in detail using this link.