Over the last two and a half years during the development of Windows 10, Microsoft has continuously added and upgraded security features of the operating system as they have released each new feature update.
While these features benefit consumers with a system that is less vulnerable to attacks such as WannaCry and Petya, enterprise customers have seen even more in depth features added to secure the operating system and the data stored on these devices.
However, some of these new security features require certain types of hardware to fully take advantage of the capabilities.
Using this document at the Microsoft Hardware Development Center, here is a checklist of these key hardware specifications that will allow your business to fully use the security that is a standard part of Windows 10.
Note: These standards apply to the latest feature update for Windows 10, the Fall Creators Update, and the security features that are integrated into this release.
Central Processing Unit (CPU)
Intel (Through 7th Generation Processors)
- Intel i3/i5/i7/i9-7x
- Core M3-7xxx
- Xeon E3-xxxx
- Atom, Celeron, Pentium (Current)
AMD (Through 7th Generation Processors)
- A Series Ax-9xxx
- E Series Ex-9xxx
- FX Series (FX-9xxx)
- Virtualization based security requires Windows Hypervisor and that is only supported on 64-bit IA processors or ARM v8.2 CPUs
- System Processors have to support Input-Output Memory Management Unit (IOMMU) virtualization with all I/O devices protected by IOMMU/SMMU. Systems must have Intel VT-d, AMD-Vi, or ARM64 SMMUs.
- Must have virtual machine extensions with Second Level Address Translation (SLAT). Systems must have Intel Vt-x with Extended Page Tables (EPT), or AMD-v with Rapid Virtualization Indexing (RVI).
- These hardware virtualization features must be available to the operating system and reported to system firmware.
Trusted Platform Module (TPM)
- Systems must have TPM version 2.0 or higher. This includes Intel (PTT), AMD, or discrete TPM from Infineon, STMicroelectronics, and Nuvoton.
- The hardware must also comply with the Trustworthy Computing Group specification.
Platform Boot Verification
- Must utilize cryptographically verified platform boot. This includes Intel Boot Guard in Verified Boot mode, AMD Hardware Verified Boot, and any OEM equivalent mode with same functionality.
Random Access Memory (RAM)
- Minimum of 8 GB or higher required.
There are six areas that a systems firmware must comply to meet these security specifications and take advantage of the enhanced security features in the Windows 10 Fall Creators Update:
- Standard: Uses Unified Extension Firmware Interface (UEFI) version 2.4 or higher
- Class: Uses UEFI Class 2 or Class 3
- Code integrity: Inbox drivers are required to be Hypervisor-based Code Integrity (HVCI) compliant
- Secure Boot: Must support UEFI Secure Boot and have it enabled by default
- Secure MOR: Must use Secure MOR (Revision 2)
- Updates: Must support Windows UEFI Firmware Capsule Update specification
Just to clarify, these specifications go above and beyond the minimum hardware requirements to run the Windows 10 Fall Creators Update.
By insuring your new hardware has the above security specifications you will be able to implement the following security features as part of the Fall Creators Update:
- Windows Defender Application Control
- Windows Defender Antivirus
- Windows Defender Exploit Guard
- Windows Defender Application Guard
- Windows Defender System Guard
- Windows Defender Advanced Threat Protection
- Windows Defender Credential Guard
- Windows Defender Device Guard
- Windows Information Protection
- Windows Hello
- BitLocker and BitLocker To Go
You can learn more about the enterprise and business related security features for Windows 10 over at the Windows Security Center.