Microsoft Encourages Windows 10 Based 'Highly Secure' PCs With These New Standards

Microsoft has published a new and official set of standards for consumers who want to ensure they have a "highly secure Windows 10" device. The new standards are for general purpose desktops, laptops, tablets, 2-in-1s, mobile workstations, and good old fashioned desktops. They are broken up into two categories—hardware and firmware—and apply to devices running the Fall Creators Update.

Windows 10

The hardware section consist of half a dozen sub-categories that read almost like a list of recommended requirements for a game. At the top of the list is the processor. In order to have a highly security Windows 10 device, Microsoft calls for a 7th generation Intel or AMD processor. Why not 6th generation chips? Dave Weston, the Windows Offensive Team and Windows Device Security manager, addressed the topic on Twitter saying that 7th generation processors have a security feature called 'mode based execution control' (MBEC). In short, this MBEC provides an extra layer of protection from malware attacks in a virtualized environment.
There is also a requirement that the processor architecture must support 64-bit instructions, as that is needed for virtualization-based security (VBS) features, which uses the Windows hypervisor. Beyond that, Microsoft's other hardware requirement categories include Virtualization, Trusted Platform Module (TPM), platform boot verification, and RAM (8GB or more). What is nice about the requirements is that Microsoft explains why certain components and features are needed (except for the amount of RAM).

As for the firmware, Microsoft requires the following:
  • Systems must have firmware that implements Unified Extension Firmware Interface (UEFI) version 2.4 or later.
  • Systems must have firmware that implements UEFI Class 2 or UEFI Class 3.
  • All drivers shipped inbox must be Hypervisor-based Code Integrity (HVCI) compliant.
  • System's firmware must support UEFI Secure Boot and must have UEFI Secure Boot enabled by default.
  • System's firmware must implement Secure MOR revision 2.
  • Systems must support the Windows UEFI Firmware Capsule Update specification.
It may seem like a somewhat daunting list, and in some respects it is. However, it does not mean that only expensive systems will meet the the requirements. None of the standards outlined are over the top.

The challenge for consumers who care about this will be digging into a product's specs to see if it meets Microsoft's new security standards. There does not appear to be any kind of marketing badge that Microsoft's hardware partners can use. That may change in time, but for now, it's up to the consumer to do their research.