Yesterday, Microsoft released new standards that consumers should follow in order to have a highly secure Windows 10 device. These standards include the type of hardware that should be included in the system and the features of the firmware.
Hardware Standards
The hardware standards are broken up into 6 categories, which are processor generation, processor architecture, virtualization, trusted platform modules (TPM), platform boot verification, and RAM.
For processor generation, Microsoft recommends that users use Intel and AMD 7th generation processors. When asked about this requirement, Windows Offensive Security Team and Windows Device Security manager Dave Weston stated that the 7th generation CPUs contain Mode Based Execution Control (MBEC), which provides further kernel security.
MBEC is important for VBS
— Dave dwizzzle Weston (@dwizzzleMSFT) November 6, 2017
The processor architecture requirement is to have a 64-bit processor so that Windows can take advantage of VBS, or Virtualization-based security, which uses the Windows hypervisor. The hypervisor is only supported on 64-bit processors.
Virtualization, as mentioned above, is an important component of the Windows security framework. Highly secure Windows 10 devices should support Intel VT-d, AMD-Vi, or ARM64 SMMUs in order to take advantage of Input-Output Memory Management Unit (IOMMU) device virtualization. To use Second Level Address Translation, or SLAT, processors should support Intel VT-x with Extended Page Tables (EPT) or AMD-V with Rapid Virtualization Indexing (RVI).
Another recommended component is a Trusted Platform Module, or TPM — a hardware module that is either integrated into a computer chipset or can be purchased as a separate module for supported motherboards that handles the secure generation of cryptographic keys, their storage, a secure random number generator, and hardware authentication. A good article on TPM and its importance to Windows 10 can be found here.
In addition, Microsoft recommends platform boot verification, which is a feature that prevents the computer from loading firmware that did not come from the system manufacturer. This prevents attackers from flashing malicious or compromised firmware onto the computer. You can use Intel Boot Guard in Verified Boot mode or AMD Hardware Verified Boot to achieve this.
Finally, we have memory, which is recommended to be at a minimum of 8GB. I am unsure why this is a security requirement, rather than just a performance requirement for Windows.
Firmware Standards
A computer's firmware is also expected to meet certain requirements to be a highly secure computer. These requirements are:
- Systems must have firmware that implements Unified Extensible Firmware Interface (UEFI) version 2.4 or later.
- Systems must have firmware that implements UEFI Class 2 or UEFI Class 3.
- All drivers shipped inbox must be Hypervisor-based Code Integrity (HVCI) compliant.
- System's firmware must support UEFI Secure Boot and must have UEFI Secure Boot enabled by default.
- System's firmware must implement Secure MOR revision 2.
- Systems must support the Windows UEFI Firmware Capsule Update specification.
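As an added example that is not part of the article or of Microsoft's own tooling, the PowerShell script below reports how a Windows 10 machine measures up against the hardware and firmware points above (run it from an elevated prompt). It assumes the bit meanings of `Win32_DeviceGuard.AvailableSecurityProperties` given in the comments; UEFI version/class and capsule update support are not exposed through these cmdlets, so they are not checked.

```powershell
# Added example (not from the article or Microsoft): a read-only check of a Windows 10
# machine against the hardware/firmware points above. Run in an elevated PowerShell.
# Assumed meanings of Win32_DeviceGuard.AvailableSecurityProperties values, from my
# reading of the class documentation: 1 = hypervisor support, 2 = Secure Boot,
# 3 = DMA protection (IOMMU), 4 = Secure Memory Overwrite (MOR), 7 = MBEC.
$dg    = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$props = @($dg.AvailableSecurityProperties)

$results = [ordered]@{}
$results['64-bit OS']              = [Environment]::Is64BitOperatingSystem
# TotalPhysicalMemory excludes firmware-reserved memory, so an 8 GB machine reports
# slightly less than 8GB; 7.5GB avoids a false negative on exactly-8 GB systems.
$results['RAM >= 8 GB']            = (Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory -ge 7.5GB
$results['Hypervisor support']     = $props -contains 1
$results['IOMMU / DMA protection'] = $props -contains 3
$results['Secure MOR']             = $props -contains 4
$results['MBEC']                   = $props -contains 7
# VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running.
$results['VBS running']            = $dg.VirtualizationBasedSecurityStatus -eq 2
# SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI.
$results['HVCI running']           = @($dg.SecurityServicesRunning) -contains 2

# TPM: Get-Tpm comes from the TrustedPlatformModule module that ships with Windows 10.
# A Ryzen fTPM that is disabled in the BIOS shows up here as not present.
try   { $tpm = Get-Tpm; $results['TPM present and ready'] = ($tpm.TpmPresent -and $tpm.TpmReady) }
catch { $results['TPM present and ready'] = $false }

# Confirm-SecureBootUEFI throws on legacy-BIOS systems, which counts as a failure here.
try   { $results['UEFI Secure Boot on'] = Confirm-SecureBootUEFI }
catch { $results['UEFI Secure Boot on'] = $false }

# Processor generation is reported, not judged: mapping a model name to "7th gen"
# needs a human eye (or the vendor's ARK page).
$results['CPU'] = (Get-CimInstance Win32_Processor | Select-Object -First 1).Name

foreach ($k in $results.Keys) { '{0,-26} {1}' -f $k, $results[$k] }
```

A `False` for "Hypervisor support" or "IOMMU / DMA protection" usually means the feature is missing or disabled in firmware setup rather than in Windows, so check the BIOS/UEFI settings before concluding the hardware is unsuitable.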
Meeting these standards is not that expensive
After seeing the above requirements, you may be thinking that a computer that meets these standards would be costly. Surprisingly, it's not as bad as I expected. For example, this ASUS P-Series P2540UA-AB51 appears to meet all of the requirements listed above and does so for $499 USD. I am sure if I searched harder, I could find even cheaper machines.
Unfortunately, many consumer-based computers would not be 100% compliant with the above requirements, simply because many do not include a TPM. To resolve this, consumers have two options when it comes to a TPM.
The first option is to buy a system with an AMD Ryzen processor, which includes a firmware-based TPM implementation called fTPM. This must be enabled in the BIOS, though, for it to work. Unfortunately, some articles indicate that a firmware-based solution is not as secure as a stand-alone, or discrete, TPM.
If you are not using an AMD Ryzen processor and choose to use Intel, then you would need to buy a system whose motherboard contains a TPM socket. You can then purchase a discrete TPM and insert it into the socket in order to add this feature to the computer.
Updated 11/7/17: Updated to include more information about Trusted Platform Modules (TPM) and fixed an incorrect word.
Comments
Occasional - 6 years ago
If it stays at basically saying "If you want the best level of security... match these criteria..." that's fine. It would also be fine if an enterprise moved to replace any PCs not up to this (and could also insist that partners connecting to their network do so). It would not be OK if MS doesn't acknowledge and support viable systems that fall short of this standard.
Yes, the 8GB memory has me wondering, too. One possible reason is like a job posting saying applicants need a CS degree - it's an easy way to cut the number of applicants, even if they will lose some wheat with the chaff. People may not know if their PC has a TPM, but they probably know how much RAM they have.
WeatherDave - 6 years ago
Good article, but your point here:
"For those looking for a consumer based computer, you should look for ones whose motherboards contain a TPM socket that you use to install a TPM module."
Um, for an Intel motherboard, this is correct. However, AMD processors include an fTPM implementation (based on ARM's TrustZone) which provides TPM 2.0 for the OS. Nothing extra to buy. Works quite well with Secure Boot.
Lawrence Abrams - 6 years ago
Updated with more info. Looks like it ships with it disabled in the BIOS though.
Exnor - 6 years ago
Isn't UEFI Unified Extensible Firmware Interface and not Unified "Extension" .... I mean it's on the official standard page....
Lawrence Abrams - 6 years ago
Fixed. Thanks
DustinF00 - 6 years ago
I have been trying to understand where MBEC is even listed as being supported in Intel CPUs on the ARK site at Intel - doesn't seem to be something Intel specifically calls out.
Knat - 6 years ago
I've heard of all the hardware stuff but the firmware stuff is all jargon to me. :(
Also I thought Windows Home version didn't even support virtualization? I must be confused somehow. Maybe by "consumer" they mean "people who buy computers even for a company".
The memory I'm going to guess is to try to prevent some kind of memory overload exploit. One time when my new computer died, manufacturer said to reset the battery (and told me how) and were pretty surprised my Windows password still worked after. There were some pretty iffy entries in my Event logs at that time.