Windows Server 2008 R2 Datacenter and Windows Server 2008 R2 for Itanium-Based Systems support both hot-add for processors, memory, and IO partition units, and hot-replace of such units on supporting hardware. Hot-add allows for increasing the resources available to a partition facing increasing resource demands. Hot-replace allows supporting systems to swap out partition units (memory and processor units only) in the event of hardware failure, while the system stays up and running and continues providing services to users. All current editions of Windows Server support Hot Add of memory and processors, if the underlying system hardware and firmware support that functionality.
- Inclusion of a Trusted Platform Module, version 2.0 or later. Note that systems equipped with Trusted Cryptographic Module (TCM) do NOT meet the requirements for this AQ.
- UEFI version 2.3.1c or higher firmware support
- IO Memory Management Unit (IOMMU)
- The server system provides a system power meter and system power budget capability in hardware
- The server system supports the new power metering and budgeting ACPI interface (ACPI V4.0) specification (Windows Server 2012 only)
- The server system enables control of processor performance states by the Operating System
The technical requirements are:
- The system must support UEFI 2.3.1c or later, including Secure Boot and BitLocker support, and all the components in the system provided by the OEM (network adapters with or without PXE boot support, storage adapters, graphics chips or adapters, etc.) must also support Secure Boot.
- The UEFI configuration must support remote management out of the box.
- UEFI Data pages must be separate from Code pages and aligned at page level granularity. The same page may not contain both data (read or write) and executable Code.
- System and processors support IOMMU and require signed processor microcode updates.
- TPM 2.0 is fully supported.
- The platform implements the Microsoft defined Hardware Security Test Interface, see https://msdn.microsoft.com/en-us/library/windows/hardware/dn879006.aspx.
- Storage Class Memory (SCM)
- Direct Access Storage (DAS)
- Byte Addressable Storage (BAS)
- Persistent Memory (PM)
- Non-Volatile Memory (NVM)
Non-Volatile Memory can provide higher application and workload performance through improved storage latency and response times.
Windows Server 2016 and later versions, and Windows 10 Pro for Workstation, both support Non-Volatile (NV) Memory. Any Windows Server system listed in the Windows Server Catalog which has been awarded the “NV-DIMM Capable” Additional Qualification supports one of the implementations which Microsoft Windows can utilize. See these links for more information:
There are different physical implementations of Non-Volatile Memory. The system OEM can provide information on the specific implementation their system supports, what capabilities it provides, and so on. The details of the implementation are abstracted by the Device Specific Module (DSM) that the system OEM provides, and which the Windows operating system uses to manage the NV memory. The DSM provides a common basis of reporting device functions & capabilities, so that Windows can interact with various NV Memory implementations through the same mechanisms. Further, the DSM allows support for vendor-specific functionality, information on which the system vendor can provide.
- Not all functionality of the Windows file systems that do support NV Memory has been implemented or is possible. Examples include encryption, compression, etc.
- Not all 3rd Party File System and Storage Filter drivers, such as those for Anti-Virus, Replication, Hierarchical Storage Management, Encryption, Compression, Monitor, Quota, etc., may work, or the filter driver vendor may be required to modify their product in order to work as expected.
Hardware root-of-trust: Trusted Platform Module 2.0 (TPM 2.0) comes standard with Secured-core servers. TPM 2.0 provides a secure store for sensitive keys and data, such as measurements of the components loaded during boot. This hardware root-of-trust raises the protection provided by capabilities like BitLocker, which uses the TPM 2.0, and facilitates creating attestation-based workflows that can be incorporated into zero-trust security strategies.
Firmware protection: There is a clear rise in security vulnerabilities being reported in the firmware space, given the high privileges that firmware runs with and the relative opacity of what happens in firmware to traditional anti-virus solutions. Using processor support for Dynamic Root of Trust of Measurement (DRTM) technology, along with DMA protection, Secured-core systems isolate the security-critical hypervisor from such attacks.
Virtualization-based security (VBS): Secured-core servers support VBS and hypervisor-based code integrity (HVCI). VBS and HVCI protect against this entire class of vulnerabilities given the isolation VBS provides between the privileged parts of the operating system such as the kernel and the rest of the system. VBS also provides additional capabilities that customers can enable like Credential Guard which better protects domain credentials.
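The three Secured-core properties above can be checked on a running server with the read-only audit below. This is an added example, not code from the original page; it assumes an elevated PowerShell session and uses the built-in Win32_Tpm and Win32_DeviceGuard CIM classes and the Confirm-SecureBootUEFI cmdlet, and the check names in the table are illustrative labels.

```powershell
# Added example: read-only audit of the hardware root-of-trust, firmware
# protection and VBS properties described above. Changes no settings.

$tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
         -ClassName Win32_Tpm -ErrorAction SilentlyContinue
$dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
         -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue

# Confirm-SecureBootUEFI throws on legacy-BIOS systems; treat that as "not enabled".
try   { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
catch { $secureBoot = $false }

# SpecVersion looks like "2.0, 0, 1.38"; the first field is the TPM family.
$tpmFamily = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { $null }

# Win32_DeviceGuard codes used below:
#   AvailableSecurityProperties:       3 = DMA protection
#   VirtualizationBasedSecurityStatus: 2 = enabled and running
#   SecurityServicesRunning:           1 = Credential Guard, 2 = HVCI,
#                                      3 = System Guard Secure Launch (DRTM)
$checks = [ordered]@{
    'TPM 2.0 present'                     = ($tpmFamily -eq '2.0')
    'Secure Boot enabled'                 = $secureBoot
    'DMA protection available'            = ($dg.AvailableSecurityProperties -contains 3)
    'Secure Launch (DRTM) running'        = ($dg.SecurityServicesRunning -contains 3)
    'VBS running'                         = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    'HVCI running'                        = ($dg.SecurityServicesRunning -contains 2)
    'Credential Guard running (optional)' = ($dg.SecurityServicesRunning -contains 1)
}

$results = $checks.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Check = $_.Key; Pass = [bool]$_.Value }
}
$results | Format-Table -AutoSize

# Summarize the mandatory checks; Credential Guard is customer-enabled.
$failed = @($results | Where-Object { -not $_.Pass -and $_.Check -notlike '*optional*' })
if ($failed.Count -gt 0) {
    Write-Warning ("Missing Secured-core properties: " + ($failed.Check -join ', '))
}
```

A check that reports False for "available" usually points to a firmware setting (IOMMU, Secure Boot, TPM) rather than an operating system setting, so compare the result against the UEFI configuration before changing Windows policy.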