A new list of hardware and firmware standards released by Microsoft outlines some lofty requirements for a Windows system to be considered highly secure.

For those in the enterprise this may require hardware and software upgrades, and companies that produce firmware will need to ensure compatibility with some of the more advanced features of Windows’ built-in security systems.

The list is very specific, at least on the hardware side. Those planning to buy one or more new Windows machines in the near future should pay close attention to the hardware requirements; they may mean the difference between security and exposure to threats.

Hardware requirements

Before we jump into hardware requirements it’s important to mention that this entire list of standards rests on one big qualification: The system needs to have the Windows 10 Fall Creators Update installed.

That should go without saying, though: A secure system is an up-to-date system.

What follows is a list of the hardware requirements, along with an explanation as to why Microsoft says they’re necessary.

  • An Intel processor of 7th generation or newer or an AMD processor of 7th generation or newer. These are required because they enable mode-based execution control (MBEC), which is an important part of the virtualization-based security (VBS) that Windows is now using.
  • A 64-bit processor. VBS requires the use of the Windows hypervisor, which only operates on 64-bit IA processors or ARM v8.2 CPUs.
  • Processors with advanced virtualization support. VBS is Microsoft’s new gold standard for Windows security. In order to operate it needs a processor capable of input-output memory management unit (IOMMU) virtualization, VM extensions with second level address translation (SLAT), and I/O device protection by IOMMU or system memory management unit (SMMU).
  • A trusted platform module (TPM) v. 2.0. TPMs are hardware-based cryptographic processors that aid in system security. They can be integrated into system boards (like the Apple Secure Enclave) or plugged in, provided a TPM slot is available. Microsoft says Intel and AMD TPMs are supported, along with discrete units from Infineon, STMicroelectronics, and Nuvoton.
  • Platform boot verification. This prevents the loading, or booting, of any third-party firmware onto a device.
  • At least 8 GB of RAM. Microsoft didn’t explain why this is required.

Firmware requirements

In addition to the hardware required for a system to be considered highly secure, Microsoft released a list of firmware standards.

Hardware developers and programmers need to be aware of these standards; being able to say a product meets Microsoft security standards could mean a lot as cybersecurity continues to grow in importance.

  • Firmware must implement Unified Extensible Firmware Interface (UEFI) v. 2.4 or later. UEFI is a BIOS and EFI replacement that properly interfaces with Windows 10 security features like Secure Boot, Windows Defender, and Device Guard.
  • Firmware must implement UEFI Class 2 or UEFI Class 3. UEFI classes run from Class 0 (BIOS only) to Class 3 (pure UEFI). Class 2 indicates a system that runs UEFI by default but can also boot into BIOS.
  • All shipped drivers must be compliant with Hypervisor-based Code Integrity. This ensures that kernel memory pages cannot be altered.
  • Systems must support UEFI secure boot and have it enabled by default. Secure boot checks for device firmware signing on bootup and prevents loading if the signature is invalid.
  • Firmware must implement memory overwrite request (MOR) v. 2.0 or higher. MOR prevents memory overwrites in BIOS, making it harder for malware to change the way a system boots.
  • Systems must use the UEFI Firmware Capsule Update specification. This allows Windows to process firmware updates just like it does Windows updates, meaning they come from a trusted source (Microsoft), preventing the installation of unsigned, malicious drivers and updates.
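Most of the checkpoints in the two lists above can be read from inside a running Windows 10 installation, which is useful when auditing an existing fleet rather than buying new hardware. The script below is an added example, not a Microsoft tool and not part of the original article; it relies on the documented Win32_Tpm and Win32_DeviceGuard WMI classes, the Confirm-SecureBootUEFI cmdlet, and the firmware_type environment variable. The numeric codes in the AvailableSecurityProperties and SecurityServicesRunning tables are Microsoft's documented values for Win32_DeviceGuard; the 7.5 GB threshold is an assumption chosen because firmware reserves part of nominally 8 GB of installed RAM. The UEFI specification version, the MOR revision and capsule-update support are not exposed through these interfaces, so the script reports only the indicators it can actually observe.

```powershell
#Requires -RunAsAdministrator
# Added example: report which "highly secure Windows device" checkpoints a
# running Windows 10 machine can attest to from inside the OS. Not a Microsoft
# tool; run from an elevated PowerShell prompt.

# Documented Win32_DeviceGuard codes for AvailableSecurityProperties.
$SecurityPropertyNames = @{
    1 = 'Hypervisor support'
    2 = 'Secure Boot'
    3 = 'DMA protection (IOMMU/SMMU)'
    4 = 'Secure Memory Overwrite (MOR)'
    5 = 'UEFI code read-only'
    6 = 'SMM security mitigations'
    7 = 'Mode Based Execution Control (MBEC)'
    8 = 'APIC virtualization'
}

function Get-HighlySecureDeviceReport {
    $dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem

    $available = @($dg.AvailableSecurityProperties)   # platform capabilities
    $running   = @($dg.SecurityServicesRunning)       # 1 = Credential Guard, 2 = HVCI

    # Confirm-SecureBootUEFI throws on legacy-BIOS machines; treat that as "not enabled".
    try   { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop }
    catch { $secureBoot = $false }

    # Win32_Tpm.SpecVersion is a string such as "2.0, 0, 1.16"; absent when no TPM is present.
    $tpmSpec = if ($tpm) { $tpm.SpecVersion } else { 'n/a' }

    [pscustomobject]@{
        'Firmware type (UEFI required)'     = $env:firmware_type
        '64-bit OS'                         = [Environment]::Is64BitOperatingSystem
        'RAM >= 8 GB (7.5 GB threshold)'    = ($cs.TotalPhysicalMemory -ge 7.5GB)   # assumption: firmware reserves some RAM
        'TPM present'                       = [bool]$tpm
        'TPM spec version'                  = $tpmSpec
        'TPM 2.0'                           = ($tpmSpec -like '2.0*')
        'Secure Boot enabled'               = $secureBoot
        'MBEC available'                    = ($available -contains 7)
        'IOMMU/SMMU DMA protection'         = ($available -contains 3)
        'Secure Memory Overwrite available' = ($available -contains 4)
        'VBS status (2 = running)'          = $dg.VirtualizationBasedSecurityStatus
        'HVCI running'                      = ($running -contains 2)
        'All security properties'           = (($available | ForEach-Object { $SecurityPropertyNames[[int]$_] }) -join ', ')
    }
}

Get-HighlySecureDeviceReport | Format-List
```

A `False` in any row is a starting point for investigation rather than a verdict: MBEC and DMA protection can be absent either because the silicon lacks them or because the firmware has not enabled them, and VBS or HVCI may simply be turned off on capable hardware. Pairing this output with the vendor's firmware settings tells you which gaps are a configuration change and which require a hardware refresh.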

Lawrence Abrams of Bleeping Computer points out that cheap Windows machines meeting the requirements do exist, but they may be rare, especially those with TPM slots.