New Windows 10 Standards for Secure Devices

Earlier this week, Microsoft published an article detailing the new Windows 10 standards consumers should follow to have a secure device, specifically for the Fall Creators Update. The standards include both hardware and firmware features. According to Windows, certain security features are enabled if you meet or exceed the standards.

Hardware

  • Processor: Intel and AMD 7th generation processors are needed to enable Mode Based Execution Control (MBEC), which increases kernel security.
  • Process Architecture: Systems must be able to support 64-bit instructions in order to take advantage of Virtualization-based security (VBS), which is required by the Windows Hypervisor.
  • Virtualization: The system’s processor must support Input-Output Memory Management Unit (IOMMU) device virtualization. For IOMMU, Intel VT-d, AMD-Vi, or ARM64 SMMUs are required.
  • TPM: Systems should have a Trusted Platform Module (TPM) that meets the latest Trusted Computing Group (TCG) specifications.
  • Platform Boot Verification: A feature that ensures the computer will only load firmware designed by the manufacturer. Can be achieved by using Boot Guard in Verified Boot Mode or AMD Hardware Verified Boot.
  • RAM: 8GB or more is required.

Firmware

After doing a little bit of research, I was able to find a few affordable laptops that meet all the specifications besides the TPM. However, a TPM can be purchased separately.  Here are a couple of the affordable options I found:

Sources:
https://www.bleepingcomputer.com/news/security/microsoft-releases-standards-for-highly-secure-windows-10-devices/
https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-highly-secure