Before building Windows 10 workstations, you need to be sure that you have a strong hardware configuration that can support advanced Windows security features.
Recommended BIOS configuration for secure Windows 10 devices
Below are some of the firmware configurations that will support the optimal security configuration for Windows 10:
- Intel virtualization for Direct IO or AMD-vi – enabled
- Intel virtualization extensions or AMD-v – enabled
- Trusted Platform Module 2.0 – enabled
- Unified Extensible Firmware Interface – enabled
- Compatibility Support Module (Legacy ROMS) – disabled
- Secure Boot – enabled
- Unified Extensible Firmware Interface network stack – enabled
Recommended Disk configuration to support Bit Locker encryption
The “UEFI/GPT-based hard drive partitions” document can be found here.
The default UEFI partitions created by SCCM are:
- Disk Type – GUID Partition Table (GPT)
- EFI System Partition – 500 MB fixed size FAT32 file system
- Microsoft® reserved partition (MSR) – 128 MB fixed size
- Primary partition – 99% of remaining space on disk. NTFS file system
- Recovery partition – 100% of remaining space on disk. NTFS file system
Again, these configurations will help ensure that your hardware configuration can support advanced security features for Windows 10. In our next blog we will go over the task sequence details to convert machines from BIOS to UEFI mode. In the meantime, if you need assistance with Windows 10 deployment or have further questions, contact us at firstname.lastname@example.org. We are happy to help!