Windows 10 Secured-core PCs
Microsoft works closely with OEM partners to help ensure that all certified Windows systems deliver a secure operating environment. Windows integrates closely with the hardware to deliver protections that take advantage of available hardware capabilities:
- Baseline Windows security – recommended baseline for all individual systems that provides foundational system integrity protections. Leverages TPM 2.0 for a hardware root of trust, secure boot and BitLocker drive encryption.
- Virtualization-based security enabled – leverages virtualization capabilities from hardware and the hypervisor to provide additional protection for critical subsystems and data.
- Secured-core – recommended for the most sensitive systems and industries like financial, healthcare, and government agencies. Builds on the previous layers and leverages advanced processor capabilities to provide protection from firmware attacks.
Microsoft is working closely with OEM partners and silicon vendors to build Secured-core PCs that features deeply integrated hardware, firmware and software to ensure enhanced security for devices, identities and data.
Secured-core PCs provide protections that are useful against sophisticated attacks and can provide increased assurance when handling mission-critical data in some of the most data-sensitive industries, such as healthcare workers that handle medical records and other personally identifiable information (PII), commercial roles that handle high business impact and highly sensitive data, such as a financial controller with earnings data.
For general purpose laptops, tablets, 2-in-1’s, mobile workstations, and desktops, Microsoft recommends using Security baselines for optimal configuration. For more info, see Windows security baselines.
Baseline Windows security is supported by Secure Boot, Bitlocker device encryption, Microsoft Defender, Windows Hello and a TPM 2.0 chip to provide a hardware root of trust for the OS platform. These features are designed to secure general purpose modern devices. If you are a decision maker purchasing new devices, your devices should meet the baseline Windows security requirements.
In addition, Windows 10 in S mode provides an additional layer of security with flexibility. S mode is a configuration that’s available on all Windows editions. By ensuring only trusted applications are run on the system, S mode keeps the Windows experience fast and secured. This comes with some cost in terms of compatibility, but Intune also allows customers to install applications on an S mode system, while maintaining the S mode protections against running non-trusted applications.
What makes a Secured-core PC
|Benefit||Feature||Hardware/Firmware requirement||Baseline Windows Security||Secured-core PCs|
|Create a hardware backed root of trust||Trusted Platform Module 2.0 (TPM)||Meet the latest Microsoft requirements for the Trusted Computing Group (TCG) specification||V||V|
|Dynamic Root of Trust for Measurement (DRTM)||Enabled on device (via Secure Launch)||V|
|System Management Mode (SMM)||Enabled on device (via System Guard)||V|
|Secure Boot||Secure Boot is enabled in the BIOS by default.||V||V|
|Memory Access Protection||The device supports Memory Access Protection (Kernel DMA Protection)||V|
|Ensure strong code integrity||Hypervisor Code Integrity (HVCI)||Enabled on device||V|
|Provide advanced identity verification and protection||Windows Hello||If device supports Windows Hello, then those implementations must be capable of Enhanced sign-in. “Capable” means:
|Protect critical data if a device is lost, stolen or confiscated||BitLocker encryption||BitLocker can leverage the TPM2.0 to encrypt and protect data”||V||V|
*Possible on some devices