Yesterday, Microsoft released new standards that consumers should follow in order to have a highly secure Windows 10 device. These standards include the type of hardware that should be included in the system and the features of the firmware.
The hardware standards are broken up into 6 categories, which are processor generation, processor architecture, virtualization, trusted platform modules (TPM), platform boot verification, and RAM.
For processor generation, Microsoft recommends Intel and AMD 7th generation processors. When asked about this requirement, Dave Weston, manager of the Windows Offensive Security Team and Windows Device Security, stated that 7th generation CPUs contain Mode Based Execution Control (MBEC), which provides further kernel security.
"MBEC is important for VBS" — Dave dwizzzle Weston (@dwizzzleMSFT), November 6, 2017
The processor architecture requirement is to have a 64-bit processor so that Windows can take advantage of VBS, or Virtualization-based security, which uses the Windows hypervisor. The hypervisor is only supported on 64-bit processors.
Virtualization, as mentioned above, is an important component of the Windows security framework. Highly secure Windows 10 devices should support Intel VT-d, AMD-Vi, or ARM64 SMMUs in order to take advantage of Input-Output Memory Management Unit (IOMMU) device virtualization. To use Second Level Address Translation, or SLAT, processors should support Intel VT-x with Extended Page Tables (EPT) or AMD-V with Rapid Virtualization Indexing (RVI).
Another recommended component is a Trusted Platform Module, or TPM — a hardware module that is either integrated into a computer chipset or can be purchased as a separate module for supported motherboards that handles the secure generation of cryptographic keys, their storage, a secure random number generator, and hardware authentication. A good article on TPM and its importance to Windows 10 can be found here.
In addition, Microsoft recommends platform boot verification, a feature that prevents the computer from loading firmware that was not designed by the system manufacturer. This prevents attackers from loading malicious or compromised firmware onto the computer. Intel Boot Guard in Verified Boot mode or AMD Hardware Verified Boot can be used to achieve this.
Finally, we have memory, which is recommended to be at a minimum of 8GB. I am unsure why this is a security requirement, rather than just a performance requirement for Windows.
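As an added example, not taken from the article or from Microsoft, the following PowerShell snippet reports which of the hardware categories above a running Windows 10 machine satisfies. It assumes an elevated prompt and relies on the Win32_Processor, Win32_ComputerSystem and Win32_DeviceGuard CIM classes plus the Get-Tpm cmdlet; the CPU generation and the Boot Guard / Hardware Verified Boot status are not exposed through these classes and are left out.

```powershell
# Added example (not from the article): check this machine against the
# hardware categories listed above. Run from an elevated PowerShell prompt.
# Not covered: CPU generation and platform boot verification (Boot Guard /
# Hardware Verified Boot), which WMI/CIM does not report directly.

$cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
$cs  = Get-CimInstance -ClassName Win32_ComputerSystem
$dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                       -ClassName Win32_DeviceGuard
$tpm = Get-Tpm   # TrustedPlatformModule module; requires elevation

$results = [ordered]@{
    # 64-bit processor: the hypervisor, and therefore VBS, needs it
    '64-bit processor'                   = ($cpu.AddressWidth -eq 64)
    # VT-x / AMD-V and SLAT (EPT / RVI) are reported as separate flags
    'Virtualization extensions'          = [bool]$cpu.VMMonitorModeExtensions
    'SLAT (EPT/RVI)'                     = [bool]$cpu.SecondLevelAddressTranslationExtensions
    'Virtualization enabled in firmware' = [bool]$cpu.VirtualizationFirmwareEnabled
    # IOMMU (VT-d / AMD-Vi / SMMU) shows up as security property 3, "DMA protection"
    'IOMMU / DMA protection'             = ($dg.AvailableSecurityProperties -contains 3)
    # MBEC, the reason for the 7th generation recommendation, is property 7
    'MBEC available'                     = ($dg.AvailableSecurityProperties -contains 7)
    # 2 = VBS running, 1 = enabled but not running, 0 = not enabled
    'VBS running'                        = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    # TPM must be present and initialized (discrete or fTPM both count here)
    'TPM present and ready'              = ($tpm.TpmPresent -and $tpm.TpmReady)
    # Minimum memory figure taken from the article
    'At least 8 GB RAM'                  = ($cs.TotalPhysicalMemory -ge 8GB)
}

foreach ($kv in $results.GetEnumerator()) {
    $mark = if ($kv.Value) { 'PASS' } else { 'FAIL' }
    '{0,-36} {1}' -f $kv.Key, $mark
}
```

A FAIL on "VBS running" with all the hardware lines passing usually means the capability is there but the feature has not been enabled in Windows or in firmware, which is a configuration problem rather than a hardware one.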
A computer's firmware is also expected to meet certain requirements to be a highly secure computer. These requirements are:
After seeing the above requirements, you may be thinking that a computer that meets these standards would be costly. Surprisingly, it's not as bad as I expected. For example, this ASUS P-Series P2540UA-AB51 appears to meet all of the requirements listed above and does so for $499 USD. I am sure if I searched harder, I could find even cheaper machines.
Unfortunately, many consumer-based computers would not be 100% compliant with the above requirements, simply because many do not include a TPM module. To resolve this, consumers have two options when it comes to a TPM.
The first option is to buy a system with an AMD Ryzen processor, which includes a firmware-based TPM implementation called fTPM. This must be enabled in the BIOS for it to work, though. Unfortunately, some articles indicate that a firmware-based solution is not as secure as a stand-alone, or discrete, TPM.
If you are not using an AMD Ryzen processor and choose to use Intel, then you would need to buy a system whose motherboard contains a TPM socket. You can then purchase a discrete TPM and insert it into the socket in order to add this feature to the computer.
Updated 11/7/17: Updated to include more information about Trusted Platform Modules (TPM) and fixed an incorrect word.