mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-18 11:53:37 +00:00
Added hardware requirements
@ -23,6 +23,22 @@ ms.date: 04/05/2018
|
|||||||
Level 3 is the security configuration recommended as a standard for organizations with large and sophisticated security organizations, or for specific users and groups who will be uniquely targeted by adversaries. Such organizations are typically targeted by well-funded and sophisticated adversaries, and as such merit the additional constraints and controls described here.
|
Level 3 is the security configuration recommended as a standard for organizations with large and sophisticated security organizations, or for specific users and groups who will be uniquely targeted by adversaries. Such organizations are typically targeted by well-funded and sophisticated adversaries, and as such merit the additional constraints and controls described here.
|
||||||
A level 3 configuration should include all the configurations from level 5 and level 4 and add the following security policies, controls, and organizational behaviors.
|
A level 3 configuration should include all the configurations from level 5 and level 4 and add the following security policies, controls, and organizational behaviors.
|
||||||
|
|
||||||
|
## Hardware
|
||||||
|
|
||||||
|
Devices targeting Level 3 should support the following hardware features:
|
||||||
|
|
||||||
|
- [System Guard](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows)
|
||||||
|
- [Modern Standby](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/modern-standby)
|
||||||
|
- [Discrete TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/tpm-recommendations)
|
||||||
|
- [Virtualization and HVCI Enabled](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-vbs)
|
||||||
|
- [Drivers and Apps HVCI-Ready](https://docs.microsoft.com/en-us/windows-hardware/test/hlk/testref/driver-compatibility-with-device-guard)
|
||||||
|
- [Windows Hello](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/windows-hello-biometric-requirements)
|
||||||
|
- [DMA I/O Protection](https://docs.microsoft.com/en-us/windows/security/information-protection/kernel-dma-protection-for-thunderbolt)
|
||||||
|
- [Trusted Platform Module (TPM) 2.0](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-tpm)
|
||||||
|
- [Bitlocker Drive Encryption](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-bitlocker)
|
||||||
|
- [UEFI Secure Boot](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-secure-boot)
|
||||||
|
- Drivers and Firmware Distributed through Windows Update
|
||||||
|
|
||||||
## Policies
|
## Policies
|
||||||
|
|
||||||
The policies enforced in level 3 implement strict security configuration and controls. They can have a potentially significant impact to users or to applications, enforcing a level of security commensurate with the risks facing targeted organizations. Microsoft recommends disciplined testing and deployment using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates).
|
The policies enforced in level 3 implement strict security configuration and controls. They can have a potentially significant impact to users or to applications, enforcing a level of security commensurate with the risks facing targeted organizations. Microsoft recommends disciplined testing and deployment using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates).
|
||||||
|
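Review bot: The added Level 3 list carries "Discrete TPM" and "Trusted Platform Module (TPM) 2.0" as two separate bullets, which leaves it unclear whether Level 3 requires a discrete TPM 2.0 part or whether any TPM 2.0 implementation satisfies the second bullet. Suggest merging them into a single bullet that states the actual requirement, or adding a sentence under "Devices targeting Level 3 should support the following hardware features:" that explains how the two differ. It would also help to mark which bullets are new at Level 3 (System Guard, Modern Standby, Discrete TPM) and which are carried over from Levels 4 and 5, since the list gives no indication of that.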
@ -23,6 +23,19 @@ ms.date: 04/05/2018
|
|||||||
Level 4 is the security configuration recommended as a standard for devices where users access more sensitive information. These devices are a natural target in enterprises today. While targeting high levels of security, these recommendations do not assume a large staff of highly skilled security practitioners, and therefore should be accessible to most enterprise organizations.
|
Level 4 is the security configuration recommended as a standard for devices where users access more sensitive information. These devices are a natural target in enterprises today. While targeting high levels of security, these recommendations do not assume a large staff of highly skilled security practitioners, and therefore should be accessible to most enterprise organizations.
|
||||||
A level 4 configuration should include all the configurations from level 5 and add the following security policies, controls, and organizational behaviors.
|
A level 4 configuration should include all the configurations from level 5 and add the following security policies, controls, and organizational behaviors.
|
||||||
|
|
||||||
|
## Hardware
|
||||||
|
|
||||||
|
Devices targeting Level 4 should support the following hardware features:
|
||||||
|
|
||||||
|
- [Virtualization and HVCI Enabled](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-vbs)
|
||||||
|
- [Drivers and Apps HVCI-Ready](https://docs.microsoft.com/en-us/windows-hardware/test/hlk/testref/driver-compatibility-with-device-guard)
|
||||||
|
- [Windows Hello](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/windows-hello-biometric-requirements)
|
||||||
|
- [DMA I/O Protection](https://docs.microsoft.com/en-us/windows/security/information-protection/kernel-dma-protection-for-thunderbolt)
|
||||||
|
- [Trusted Platform Module (TPM) 2.0](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-tpm)
|
||||||
|
- [Bitlocker Drive Encryption](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-bitlocker)
|
||||||
|
- [UEFI Secure Boot](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-secure-boot)
|
||||||
|
- Drivers and Firmware Distributed through Windows Update
|
||||||
|
|
||||||
## Policies
|
## Policies
|
||||||
|
|
||||||
The policies enforced in level 4 implement more controls and a more sophisticated security
|
The policies enforced in level 4 implement more controls and a more sophisticated security
|
||||||
|
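Review bot: The last four bullets of the added Level 4 list (TPM 2.0, Bitlocker Drive Encryption, UEFI Secure Boot, Drivers and Firmware Distributed through Windows Update) repeat the Level 5 list word for word, while the context line just above already says a level 4 configuration includes all the configurations from level 5. With the same bullets copied into three files, a later change to a requirement or link has to be made in each copy and the levels can drift apart. Consider listing only what Level 4 adds and pointing to the Level 5 hardware list, or state in the introductory sentence that the list is cumulative.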
@ -23,6 +23,15 @@ ms.date: 04/05/2018
|
|||||||
Level 5 is the minimum security configuration for an enterprise device.
|
Level 5 is the minimum security configuration for an enterprise device.
|
||||||
Microsoft recommends the following configuration for level 5 devices.
|
Microsoft recommends the following configuration for level 5 devices.
|
||||||
|
|
||||||
|
## Hardware
|
||||||
|
|
||||||
|
Devices targeting Level 5 should support the following hardware features:
|
||||||
|
|
||||||
|
- [Trusted Platform Module (TPM) 2.0](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-tpm)
|
||||||
|
- [Bitlocker Drive Encryption](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-bitlocker)
|
||||||
|
- [UEFI Secure Boot](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-secure-boot)
|
||||||
|
- Drivers and Firmware Distributed through Windows Update
|
||||||
|
|
||||||
## Policies
|
## Policies
|
||||||
|
|
||||||
The policies in level 5 enforce a reasonable security level while minimizing the impact to users or to applications.
|
The policies in level 5 enforce a reasonable security level while minimizing the impact to users or to applications.
|
||||||
|
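Review bot: In the added Level 5 list, "Bitlocker Drive Encryption" should use the product spelling "BitLocker", and the final bullet, "Drivers and Firmware Distributed through Windows Update", is the only one without a link, so a reader has no reference for what it requires. The new links also pin the `en-us` locale, whereas the existing rings-methodology link in the Level 3 Policies paragraph omits it; dropping `/en-us/` would keep the links consistent. The same bullets appear in the Level 3 and Level 4 hunks, so the fixes apply there too.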