Microsoft has released new guidelines for a highly secure Windows 10 device that push the standards, and your wallet, quite hard. The setup supports only the latest CPUs certified for Windows 10, such as 7th gen Intel Kaby Lake or 7th gen AMD processors. As you can imagine, most computers run older generations, so it would be almost impossible for any company to fully comply. Interestingly enough, Microsoft's own Surface Pro 4 comes only with a 6th gen CPU. I guess you have to reach deeper and go for the latest and greatest Surface Pro.
Why such strict guidelines?
One of the reasons is memory protection and a technology called IOMMU, or Input Output Memory Management Unit. It sounds complicated, but basically it is a memory management unit that mediates communication between devices and memory. This additional layer protects against malicious applications that attempt to access memory directly and gain unauthorised access. Direct memory access (DMA), as used previously, could be exploited simply by addressing the parts of memory that normally store sensitive data, such as credentials. With an IOMMU, this is physically impossible.
Basically, if you have the latest PC with enough grunt and Windows 10 Pro with BitLocker® enabled, you should be fine.
Next is TPM version 2.0, which was finalised and published in September 2016. The latest version brings security improvements, support for newer standards and UEFI-only boot, which rules out the majority of Windows 7 systems. Interestingly, the recommendations also mention a minimum of 8GB of RAM, which the majority of recently purchased hardware will most likely have, especially when even your smartphone has at least 3GB to work with.
To sum up:
- Latest CPU
- UEFI 2.4 or later (Secure Boot)
- Enabled virtualisation (usually off by default)
- TPM v2.0 or later
- 8GB of RAM
- All drivers must be HVCI compliant
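As an added example (not part of the original post or Microsoft's guidance), here is a PowerShell script that checks each item in this list on the local machine, apart from CPU generation, which has no reliable programmatic test; it assumes Windows 10 with the BitLocker module installed and an elevated session.

```powershell
# Readiness check against the checklist above. Assumptions: Windows 10, elevated
# PowerShell, BitLocker module present. CPU generation is not checked here.
$results = [ordered]@{}

# TPM version: SpecVersion looks like "2.0, 0, 1.38"; the first field is the spec major version
$tpm = Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm
$results['TPM 2.0 or later'] = $false
if ($tpm -and $tpm.SpecVersion) {
    $spec = [version]($tpm.SpecVersion.Split(',')[0].Trim())
    $results['TPM 2.0 or later'] = ($spec -ge [version]'2.0')
}

# UEFI Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS (non-UEFI) systems
try   { $results['Secure Boot enabled'] = [bool](Confirm-SecureBootUEFI) }
catch { $results['Secure Boot enabled'] = $false }

# Virtualisation: VirtualizationFirmwareEnabled reports False once a hypervisor is already
# running, so also accept HypervisorPresent (Hyper-V / VBS active means the firmware bit is on)
$cs  = Get-CimInstance -ClassName Win32_ComputerSystem
$cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
$results['Virtualisation enabled'] = [bool]$cpu.VirtualizationFirmwareEnabled -or [bool]$cs.HypervisorPresent

# RAM: an 8GB module reports slightly under 8GB because firmware reserves some; round to 1 decimal
$ramGb = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
$results["RAM >= 8GB (found ${ramGb}GB)"] = ($ramGb -ge 7.5)

# VBS / HVCI state from the Device Guard WMI class:
#   SecurityServicesRunning contains 2 when HVCI (code integrity) is running
#   AvailableSecurityProperties contains 3 when DMA (IOMMU) protection is available
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
$results['HVCI running']                  = ($dg.SecurityServicesRunning -contains 2)
$results['IOMMU / DMA protection available'] = ($dg.AvailableSecurityProperties -contains 3)

# BitLocker on the OS volume
$bl = Get-BitLockerVolume -MountPoint $env:SystemDrive
$results['BitLocker on OS drive'] = ($bl.ProtectionStatus -eq 'On')

[pscustomobject]$results | Format-List
```

A False for "HVCI running" while "IOMMU / DMA protection available" is True usually means the hardware qualifies but virtualisation-based security has not been switched on in Group Policy or Windows Security.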
Securing Windows 10 has become less challenging with forced automatic updates and more options to work with, as modern technologies and solutions are used to protect against malicious attacks. It is still recommended to get professional assistance to make sure the settings are not only implemented but implemented correctly.