Windows Hardware Requirements Design

💼 Management Summary

Windows hardware requirements for modern security features: TPM 2.0, UEFI, Secure Boot and virtualization support, as the foundation for enterprise security controls.

Recommendation: IMPLEMENT HARDWARE REQUIREMENTS
Risk without implementation: High
Risk Score: 8/10
Implementation effort: 80h (technical: 40h)
Applies to:
✓ Windows 10
✓ Windows 11

Modern Windows security features require specific hardware capabilities: (1) TPM 2.0 - REQUIRED for BitLocker (hardware-backed encryption), Windows Hello (biometric authentication), Credential Guard (credential isolation) and Device Health Attestation; (2) UEFI + Secure Boot - REQUIRED for boot integrity, rootkit protection and Windows Defender System Guard; (3) Virtualization (VT-x/AMD-V) - REQUIRED for Credential Guard, Device Guard/WDAC, Windows Sandbox, Application Guard and the Hyper-V isolation features; (4) 8GB+ RAM - REQUIRED to absorb the overhead of these security features (Credential Guard, HVCI); (5) SSD storage - recommended for BitLocker performance and Windows Modern Standby. Windows 11 REQUIRES TPM 2.0, UEFI and Secure Boot; these are MANDATORY, not optional. For organizations transitioning to Windows 11, a hardware refresh is required for devices that lack these features.

PowerShell Modules Required
Primary API: Microsoft Graph
Connection: Connect-MgGraph
Required Modules: Microsoft.Graph.DeviceManagement

Implementation

Minimum hardware requirements for enterprise Windows security: CPU with TPM 2.0 (firmware or discrete chip), UEFI firmware (not legacy BIOS), Secure Boot capable and enabled, CPU virtualization (Intel VT-x or AMD-V) enabled in the BIOS/UEFI settings, 8GB+ RAM (16GB recommended for heavy security workloads), 256GB+ SSD storage; for Windows 11 all of the above are MANDATORY. For procurement: specify these security hardware requirements. For the existing fleet: inventory the current hardware and plan a refresh for non-compliant devices.

Requirements

Hardware requirements for modern Windows security:

  1. TPM 2.0 (Trusted Platform Module) - firmware or discrete
  2. UEFI firmware (not legacy BIOS)
  3. Secure Boot supported + enabled
  4. CPU virtualization (VT-x/AMD-V) + enabled
  5. 64-bit processor (x64 architecture)
  6. 8GB+ RAM minimum (16GB+ recommended)
  7. 256GB+ SSD storage
  8. For Windows 11: the features above are MANDATORY

Implementation

Use the PowerShell script windows-hardware.ps1 (function Invoke-Monitoring) – hardware capability inventory and compliance checking.

Hardware assessment and procurement:

  1. Inventory the current fleet: TPM version, UEFI/BIOS, Secure Boot status
  2. Intune → Devices → All devices → Export hardware inventory
  3. PowerShell: Get-TPM, Get-SecureBootUEFI for verification
  4. Identify non-compliant devices (legacy BIOS, no TPM 2.0)
  5. Procurement requirements: specify TPM 2.0, UEFI and Secure Boot for all new devices
  6. Hardware refresh planning for non-compliant devices
  7. Budget allocation: hardware upgrades where feasible, replacements where necessary

Monitoring

Use the PowerShell script windows-hardware.ps1 (function Invoke-Monitoring) – monitor.

Hardware compliance monitoring:

  1. Intune hardware inventory reports
  2. TPM version distribution (target: 100% TPM 2.0)
  3. Percentage of devices with Secure Boot enabled (target: 100%)
  4. UEFI vs BIOS ratio (target: 100% UEFI)
  5. Track hardware refresh progress
  6. Windows 11 readiness assessment
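One way to implement the fleet inventory (assessment steps above) and the monitoring percentages (list above) in one place, as an added example that is not the baseline's windows-hardware.ps1: Get-HardwareSecurityReadiness checks a single device with standard Windows cmdlets and CIM classes (Win32_Tpm, $env:firmware_type, Confirm-SecureBootUEFI, Win32_Processor, Win32_ComputerSystem, Get-PhysicalDisk), and Measure-FleetReadiness rolls those objects up into the target metrics. The function names and the 8 GB / 256 GB thresholds as parameters are this example's own; Confirm-SecureBootUEFI requires an elevated session.

```powershell
function Get-HardwareSecurityReadiness {
    [CmdletBinding()]
    param([int]$MinRamGB = 8, [int]$MinDiskGB = 256)
    # TPM spec version from WMI; Win32_Tpm.SpecVersion reads like "2.0, 0, 1.16", no instance means no TPM
    $tpm = Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmVersion = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'none' }
    # Firmware type: Windows sets $env:firmware_type to 'UEFI' or 'Legacy'
    $uefi = $env:firmware_type -eq 'UEFI'
    # Confirm-SecureBootUEFI needs elevation and throws on legacy BIOS; both cases count as "not enabled"
    $secureBoot = $false
    if ($uefi) { try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false } }
    $cpu = Get-CimInstance Win32_Processor | Select-Object -First 1
    $cs  = Get-CimInstance Win32_ComputerSystem
    # VT-x/AMD-V enabled in firmware; HypervisorPresent covers hosts where VBS/Hyper-V already runs
    $virt = [bool]$cpu.VirtualizationFirmwareEnabled -or [bool]$cs.HypervisorPresent
    $ramGB = [math]::Round($cs.TotalPhysicalMemory / 1GB)
    # Largest SSD (Storage module); HDD-only devices get 0 and fail the SSD check
    $ssd = Get-PhysicalDisk -ErrorAction SilentlyContinue | Where-Object MediaType -eq 'SSD' |
           Sort-Object Size -Descending | Select-Object -First 1
    $ssdGB = if ($ssd) { [math]::Round($ssd.Size / 1GB) } else { 0 }
    [PSCustomObject]@{
        ComputerName   = $env:COMPUTERNAME
        Tpm20          = ($tpmVersion -eq '2.0')
        Uefi           = $uefi
        SecureBoot     = $secureBoot
        Virtualization = $virt
        X64            = [Environment]::Is64BitOperatingSystem
        RamOk          = ($ramGB -ge $MinRamGB)
        SsdOk          = ($ssdGB -ge $MinDiskGB)
    }
}

function Measure-FleetReadiness {
    # $Devices holds Get-HardwareSecurityReadiness objects collected from the fleet (e.g. via Invoke-Command)
    param([Parameter(Mandatory)][object[]]$Devices)
    $n = $Devices.Count
    $pct = { param($Prop) [math]::Round(100 * @($Devices | Where-Object { $_.$Prop }).Count / $n, 1) }
    # Windows 11 readiness: every mandatory requirement from the list above must hold
    $win11 = @($Devices | Where-Object { $_.Tpm20 -and $_.Uefi -and $_.SecureBoot -and $_.Virtualization -and $_.X64 -and $_.RamOk })
    [PSCustomObject]@{
        Devices           = $n
        Tpm20Percent      = & $pct 'Tpm20'
        UefiPercent       = & $pct 'Uefi'
        SecureBootPercent = & $pct 'SecureBoot'
        Windows11Ready    = $win11.Count
        NeedsRefresh      = @($Devices | Where-Object { -not $_.Tpm20 -or -not $_.Uefi }).ComputerName
    }
}

# Usage: $fleet = Invoke-Command -ComputerName (Get-Content .\hosts.txt) -ScriptBlock ${function:Get-HardwareSecurityReadiness}
#        Measure-FleetReadiness -Devices $fleet
```

NeedsRefresh lists the devices that fail the two checks no firmware setting can fix (no TPM 2.0 or legacy BIOS), which is the procurement and refresh list from the assessment steps; missing Secure Boot or virtualization is usually a firmware setting rather than a hardware gap.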

Compliance and Auditing

  1. CIS Windows Benchmark - hardware-based security requirements
  2. BIO 11.02 - Technical security measures (hardware security)
  3. ISO 27001:2022 A.7.7 - Secure areas (physical security controls)
  4. ISO 27001:2022 A.8.1 - User endpoint devices
  5. NIST SP 800-147 - BIOS Protection Guidelines (UEFI Secure Boot)
  6. Windows 11 minimum requirements compliance

Remediation

Use the PowerShell script windows-hardware.ps1 (function Invoke-Remediation) – remediate.

Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).

PowerShell
<#
.SYNOPSIS
Windows Hardware Requirements Design
.DESCRIPTION
Implementation for Windows Hardware Requirements Design
.NOTES
Filename: windows-hardware.ps1
Author: Nederlandse Baseline voor Veilige Cloud
Version: 1.0
Related JSON: content/design/endpoints/windows-hardware.json
#>
#Requires -Version 5.1
#Requires -Modules Microsoft.Graph

[CmdletBinding()]
param(
    [Parameter()][switch]$WhatIf,
    [Parameter()][switch]$Monitoring,
    [Parameter()][switch]$Remediation,
    [Parameter()][switch]$Revert
)

$ErrorActionPreference = 'Stop'
$VerbosePreference = 'Continue'
$PolicyName = "Windows Hardware Requirements Design"
$BIOControl = "11.02"

function Connect-RequiredServices {
    # Connection logic based on API (Connect-MgGraph, see "PowerShell Modules Required")
}

function Test-Compliance {
    # Returns a result object; the hardware check itself is left as a placeholder in this template
    Write-Verbose "Testing compliance for: $PolicyName..."
    $result = [PSCustomObject]@{
        ScriptName        = "windows-hardware"
        PolicyName        = $PolicyName
        IsCompliant       = $false
        TotalResources    = 0
        CompliantCount    = 0
        NonCompliantCount = 0
        Details           = @()
        Recommendations   = @()
    }
    # Compliance check implementation
    # Based on: Design Document
    $result.Details += "Compliance check - implementation required based on control"
    $result.NonCompliantCount = 1
    return $result
}

function Invoke-Remediation {
    Write-Host "`nApplying remediation for: $PolicyName..." -ForegroundColor Cyan
    # Remediation implementation
    Write-Host "  Configuration applied" -ForegroundColor Green
    Write-Host "`n[OK] Remediation completed" -ForegroundColor Green
}

function Invoke-Monitoring {
    # Prints a summary of the compliance result and returns the result object for further processing
    $result = Test-Compliance
    Write-Host "`n========================================" -ForegroundColor Cyan
    Write-Host "$PolicyName" -ForegroundColor Cyan
    Write-Host "========================================" -ForegroundColor Cyan
    Write-Host "Total: $($result.TotalResources)" -ForegroundColor White
    Write-Host "Compliant: $($result.CompliantCount)" -ForegroundColor Green
    $color = if ($result.NonCompliantCount -gt 0) { "Red" } else { "Green" }
    Write-Host "Non-compliant: $($result.NonCompliantCount)" -ForegroundColor $color
    return $result
}

function Invoke-Revert {
    Write-Host "Revert: Configuration revert not yet implemented" -ForegroundColor Yellow
}

try {
    Connect-RequiredServices
    if ($Monitoring) {
        Invoke-Monitoring
    } elseif ($Remediation) {
        if ($WhatIf) {
            Write-Host "WhatIf: Would apply remediation" -ForegroundColor Yellow
        } else {
            Invoke-Remediation
        }
    } elseif ($Revert) {
        Invoke-Revert
    } else {
        # Default: run the compliance check and report the overall verdict
        $result = Test-Compliance
        if ($result.IsCompliant) {
            Write-Host "`n[OK] COMPLIANT" -ForegroundColor Green
        } else {
            Write-Host "`n[FAIL] NON-COMPLIANT" -ForegroundColor Red
        }
    }
} catch {
    Write-Error $_
}

Risk without implementation

High: without suitable hardware the security features are UNAVAILABLE (no BitLocker without TPM, no Credential Guard without virtualization, no Secure Boot without UEFI). A Windows 11 upgrade is impossible. Rootkits bypass legacy BIOS. Unencrypted devices carry a data leak risk. The risk is CRITICAL - hardware is the foundation.

Management Summary

Windows hardware requirements: TPM 2.0 (BitLocker, Credential Guard), UEFI (Secure Boot), virtualization support (VBS, HVCI), 8GB+ RAM (Windows 11), SSD (performance). These are the mandatory Windows 11 requirements. Cost: €800-1500 per device refresh. Activation: inventory the fleet → plan the hardware refresh → procurement specifications. Implementation: 40-80 hours (fleet assessment + planning + budgeting). CRITICAL - the hardware investment is significant but non-negotiable for modern security. Plan it as a multi-year lifecycle.