What do Microsoft’s highly secure Windows 10 device standards tell us?

This week, Microsoft spelled out the hardware specifications it thinks PC makers should adopt to ensure their Windows computers are “highly secure”.

These days, it’s common to see security baked in at a lower level than just the operating system and apps, and that means doing it in a mixture of hardware tightly integrated with secure firmware.

According to Microsoft, a secure PC should be built around a seventh-generation 64-bit Intel or AMD processor or later (Skylake or A-Series/Athlon onwards), and have at least 8GB of RAM.

At first it looks as if this might be something to do with hardware virtualisation (also in the specification) but is really more tied up with the code and memory-protection mechanisms built into these chips under the banner of Virtualisation Based Security (VBS).

And it doesn’t stop with the processor, because the system’s other chipsets need to support specific types of memory and virtualisation management, too.

Unsurprisingly, systems must ship with a TCG v2.0 Trusted Platform Module (TPM) and implement verified boot using something like Intel’s Boot Guard.

Critically, what used to be called BIOS firmware must meet the latest standards from UEFI 2.4 or later, and be able to resist tampering while supporting updating.

I’ll spare you the rest of the specification’s gory detail and skip to the ‘what it all means’ bit…

The first thing that it shows is that securing PCs is increasingly a job that’s done (or at least begun) in the first few seconds after it’s turned on, when the system checks to see that important software hasn’t been interfered with.

This isn’t brand new, of course, but it is increasingly central to defending PCs, not simply the main UEFI layer and its various functions but also any add-on firmware that might be present in the computer (remember the Thunderstrike attack against Macs back in 2015?). Firmware also needs to be managed securely when vulnerabilities are exposed.

Secondly, we learn something about the future, specifically how things like Mode Based Execution Control (MBEC) might soon be used to boost Windows Defender Application Guard (WDAG), a Hyper‑V virtualization isolation layer used by, among other things, the Edge browser.

This is only available for enterprise customers today but Microsoft’s document hints that this will change at some point to include everyone.

Which brings us to the version of Windows that fully enables WDAG, namely Windows 10 version 1709, Fall Creators Update (released in mid-October), the Windows version that Microsoft’s new specification assumes as a sort of reference year zero.

Is all this a lot to ask?

If you don’t have a PC that meets these requirements – and almost everyone who bought a PC or laptop before last year won’t – it might seem so.

There will also be cynics who suspect that PC companies will use it to harry people into upgrading their PCs more often.

Then there are convenient exceptions such as the strange beast that is Windows 10 S, the cut-down Chromebook-like-but-not-quite computer, that isn’t required to meet the specification because, frankly, it can’t.

Nonetheless, corporate buyers will pay close attention to the new document and it could even end up buried inside compliance regimens.

If that happens, Microsoft’s specification will end up being a two-minute read with two-decade implications.