Standards for a highly secure Windows 10 device
These standards are for general purpose laptops, tablets, 2-in-1’s, mobile workstations, and desktops. This topic applies specifically and uniquely for Windows 10 version 1709, Fall Creators Update. Windows security features are enabled when you meet or exceed these standards and your device is able to provide a highly secure experience.
Beyond the hardware and firmware configurations outlined below, Microsoft recommends running Windows 10 S for security and performance. Windows 10 S allows safeguards such as only running apps that are verified from Windows Store, and it uses the most secure browser--Microsoft Edge--by default.
|Processor generation||Systems must be on the latest, certified silicon chip for the current release of Windows||
|Process architecture||Systems must have a processor that supports 64-bit instructions||Virtualization-based security (VBS) features require the Windows hypervisor, which is only supported on 64-bit IA processors, or ARM v8.2 CPUs|
|Trusted Platform Module (TPM)||Systems must have a Trusted Platform Module (TPM), version 2.0, and meet the latest Microsoft requirements for the Trusted Computing Group(TCG) specification||Intel (PTT), AMD, or discrete TPM from Infineon, STMicroelectronics, Nuvoton|
|Platform boot verification||Systems must implement cryptographically verified platform boot||Intel Boot Guard in Verified Boot mode, or AMD Hardware Verified Boot, or an OEM equivalent mode with similar functionality|
|RAM||Systems must have 8 gigabytes or more of system RAM|
|Standard||Systems must have firmware that implements Unified Extension Firmware Interface (UEFI) version 2.4 or later||For more information, see United Extensible Firmware Interface (UEFI) firmware requirements and Unified Extensible Firmware Interface Forum specifications|
|Class||Systems must have firmware that implements UEFI Class 2 or UEFI Class 3||For more information, see Unified Extensible Firmware Interface Forum specifications|
|Code integrity||All drivers shipped inbox must be Hypervisor-based Code Integrity (HVCI) compliant||For more information, see the Enable virtualization-based isolation for Code Integrity section of Driver compatibility with Device Guard in Windows 10|
|Secure boot||System's firmware must support UEFI Secure Boot and must have UEFI Secure Boot enabled by default||For more informaion, see UEFI firmware requirements and Secure Boot|
|Secure MOR||System's firmware must implement Secure MOR revision 2||For more information, see Secure MOR implementation|
|Update mechanism||Systems must support the Windows UEFI Firmware Capsule Update specification||For more information, see Windows UEFI firmware update platform|