You may have heard that Microsoft has made Windows 10 more secure than any of its predecessors, packing it with security goodies. What you might not know is that some of these vaunted security features aren’t available out of the box or they require additional hardware -- you may not be getting the level of security you bargained for.
Features such as Credential Guard are available for only certain editions of Windows 10, while the advanced biometrics promised by Windows Hello require a hefty investment in third-party hardware. Windows 10 may be the most secure Windows operating system to date, but the security-savvy organization -- and individual user -- needs to keep the following hardware and Windows 10 edition requirements in mind in order to unlock the necessary features to achieve optimum security.
Note: Presently, there are four desktop editions of Windows 10 -- Home, Pro, Enterprise, and Education -- along with multiple versions of each, offering varying levels of beta and preview software. InfoWorld’s Woody Leonard breaks down which version of Windows 10 to use. The following Windows 10 security guide focuses on standard Windows 10 installations -- not Insider Previews or Long Term Servicing Branch -- and includes Anniversary Update where relevant.
The right hardware
Windows 10 casts a wide net, with minimum hardware requirements that are undemanding. As long as you have the following, you’re good to upgrade from Win7/8.1 to Win10: 1GHz or faster processor, 2GB of memory (for Anniversary Update), 16GB (for 32-bit OS) or 20GB (64-bit OS) disk space, a DirectX 9 graphic card or later with WDDM 1.0 driver, and an 800-by-600-resolution (7-inch or larger screens) display. That describes pretty much any computer from the past decade.
But don’t expect your baseline machine to be fully secure, as the above minimum requirements won’t support many of the cryptography-based capabilities in Windows 10. Win10’s cryptography features require Trusted Platform Module 2.0, which provides a secure storage area for cryptographic keys and is used to encrypt passwords, authenticate smartcards, secure media playback to prevent piracy, protect VMs, and secure hardware and software updates against tampering, among other functions.
Modern AMD and Intel processors (Intel Management Engine, Intel Converged Security Engine, AMD Security Processor) already support TPM 2.0, so most machines bought in the past few years have the necessary chip. Intel’s vPro remote management service, for example, uses TPM to authorize remote PC repairs. But it’s worth verifying whether TPM 2.0 exists on any system you upgrade, especially given that Anniversary Update requires TPM 2.0 support in the firmware or as a separate physical chip. A new PC, or systems installing Windows 10 from scratch, must have TPM 2.0 from the get-go, which means having an endorsement key (EK) certificate preprovisioned by the hardware vendor as it is shipped. Alternatively, the device can be configured to retrieve the certificate and store it in TPM the first time it boots up.
Sign up for CIO Asia eNewsletters.