Microsoft

Systems

Dynamic Partitioning (DP)
Some high-end, highly scalable server systems contain partition units of memory, processors, and IO which can be grouped together by the server's management console into partitions. Each partition is, in effect, an independent server, and the system is capable of hosting several such partitions, each running an independent operating system. Such servers are referred to as partitionable. Some partitionable servers are dynamically partitionable, which means partition units can be re-assigned to various partitions without requiring a system shutdown.

Windows Server 2008 R2 Datacenter and Windows Server 2008 R2 for Itanium-Based Systems support both hot-add for processors, memory, and IO partition units, and hot-replace of such units on supporting hardware. Hot-add allows for increasing the resources available to a partition facing increasing resource demands. Hot-replace allows supporting systems to swap out partition units (memory and processor units only) in the event of hardware failure, while the system stays up and running and continues providing services to users. All current editions of Windows Server support Hot Add of memory and processors, if the underlying system hardware and firmware support that functionality.
Enhanced Platform Integrity
This is sometimes referred to as "Assurance". A system that has this Additional Qualification supports all the hardware and firmware technologies required to support a higher level of security. Those technologies are:
  • Inclusion of a Trusted Platform Module, version 2.0 or later. Note that systems equipped with Trusted Cryptographic Module (TCM) do NOT meet the requirements for this AQ.
  • UEFI version 2.3.1c or higher firmware support
  • Secure Boot
  • IO Memory Management Unit (IOMMU)
Enhanced Power Management
The Enhanced Power Management feature identifies servers which support the next generation power management technology available with Windows Server 2008 R2 and later versions of the Windows Server operating system. The software infrastructure and management interfaces in Windows Server 2008 R2 and later versions of the Windows Server operating system help improve the power efficiency of the server platform and enable remote monitoring of power consumption and remote control of the power profile. There are three major requirements for a system to qualify for this Additional Feature:
  1. The server system provides a system power meter and system power budget capability in hardware
  2. The server system supports the new power metering and budgeting ACPI interface (ACPI V4.0) specification (Windows Server 2012 only)
  3. The server system enables control of processor performance states by the Operating System
These features in Windows Server 2008 R2 and later versions will provide cost-savings associated with reducing power consumption on each server. They will also help with capacity planning by making power consumption and power budget information available to administrators. This helps enable more efficient allocation of power and cooling infrastructure in the data center. System Center Operations Manager (SCOM) provides a Management Pack that takes advantage of all of these new features in Windows Server. Any server that qualifies for the Enhanced Power Management qualifier has native support for the features in this Management Pack.
Fault Tolerance (FT)
Fault tolerant hardware contains redundant components such as extra power supplies, fans, and even memory and processors which can take over in the event of a hardware failure. These features can help improve server reliability.
Hardware Assurance
Windows Server systems that are awarded the Hardware Assurance Additional Qualification include the critical hardware and firmware features needed to support the most important security features of Windows Server, starting with Windows Server 2016. The server systems are UEFI-based, with a minimum UEFI version of 2.3.1c, and additionally support both Secure Boot and BitLocker. The system supports Hyper-V virtualization and includes an IOMMU that allows hardware-assisted protection of process memory and input/output. Finally, the server system must also include support for TPM 2.0, which further protects the operating system, drivers, applications and user information.

The technical requirements are:
  • The system must support UEFI 2.3.1c or later, including Secure Boot and BitLocker support, and all the components in the system provided by the OEM (network adapters with or without PXE boot support, storage adapters, graphics chips or adapters, etc.) must also support Secure Boot.
  • The UEFI configuration must support remote management out of the box.
  • UEFI Data pages must be separate from Code pages and aligned at page level granularity. The same page may not contain both data (read or write) and executable Code.
  • System and processors support IOMMU and require signed processor microcode updates.
  • TPM 2.0 is fully supported.
  • The platform implements the Microsoft defined Hardware Security Test Interface, see https://msdn.microsoft.com/en-us/library/windows/hardware/dn879006.aspx.
NV-DIMM-N Capable and NV-DIMM-I Capable
Non-Volatile Memory used in computers is known by several phrases, acronyms and brand names. Examples of phrases and acronyms:
  • Storage Class Memory (SCM)
  • Direct Access Storage (DAS)
  • Byte Addressable Storage (BAS)
  • Persistent Memory (PM)
  • Non-Volatile Memory (NVM)

Non-Volatile Memory can provide higher application and workload performance through improved storage latency and response times.

Windows Server 2016 and later versions, and Windows 10 Pro for Workstation, both support Non-Volatile (NV) Memory. Any Windows Server system listed in the Windows Server Catalog which has been awarded the “NV-DIMM Capable” Additional Qualification supports one of the implementations which Microsoft Windows can utilize. See these links for more information:
https://docs.microsoft.com/en-us/windows/desktop/persistent-memory-programming-in-windows---nvml-integration
https://www.microsoft.com/en-us/microsoft-365/blog/2017/08/10/microsoft-announces-windows-10-pro-workstations

There are different physical implementations of Non-Volatile Memory. The system OEM can provide information on the specific implementation their system supports, what capabilities it provides, and so on. The details of the implementation are abstracted by the Device Specific Module (DSM) that the system OEM provides, and which the Windows operating system uses to manage the NV memory. The DSM provides a common basis of reporting device functions & capabilities, so that Windows can interact with various NV Memory implementations through the same mechanisms. Further, the DSM allows support for vendor-specific functionality, information on which the system vendor can provide.

Notes:
  • Not all Windows file systems may support NV Memory. See this link for more information
  • Not all functionality of the Windows file systems that do support NV Memory has been implemented or is possible. Examples include encryption, compression, etc.
  • Not all 3rd Party File System and Storage Filter drivers, such as those for Anti-Virus, Replication, Hierarchical Storage Management, Encryption, Compression, Monitor, Quota, etc., may work, or the filter driver vendor may be required to modify their product in order to work as expected.
Secured-core Server
The Secured-core functionality spans the following areas:

Hardware root-of-trust: Trusted Platform Module 2.0 (TPM 2.0) comes standard with Secured-core servers. TPM 2.0 provides a secure store for sensitive keys and data, such as measurements of the components loaded during boot. This hardware root-of-trust raises the protection provided by capabilities like BitLocker, which uses the TPM 2.0, and facilitates creating attestation-based workflows that can be incorporated into zero-trust security strategies.

Firmware protection: There is a clear rise in security vulnerabilities being reported in the firmware space, given the high privileges that firmware runs with and the relative opacity of what happens in firmware to traditional anti-virus solutions. Using processor support for Dynamic Root of Trust for Measurement (DRTM) technology, along with DMA protection, Secured-core systems isolate the security-critical hypervisor from attacks such as this.

Virtualization-based security (VBS): Secured-core servers support VBS and hypervisor-based code integrity (HVCI). VBS and HVCI protect against this entire class of vulnerabilities, given the isolation VBS provides between the privileged parts of the operating system, such as the kernel, and the rest of the system. VBS also provides additional capabilities that customers can enable, like Credential Guard, which better protects domain credentials.
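
A read-only way to confirm on a running server that the three areas above are actually active, not just supported by the hardware. This is an added example, not part of the catalog text or Microsoft's own tooling; the function name Get-SecuredCoreState is hypothetical, and it assumes an elevated PowerShell session on Windows Server.

```powershell
# Added example: reports the state of the Secured-core building blocks
# (TPM 2.0, Secure Boot, DMA protection, DRTM, VBS, HVCI, Credential Guard).
# Makes no changes to the system.
function Get-SecuredCoreState {
    # Hardware root-of-trust: Win32_Tpm.SpecVersion looks like "2.0, 0, 1.38";
    # the first field is the TPM specification family.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
        -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmFamily = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { $null }

    # Confirm-SecureBootUEFI throws on systems booted in legacy BIOS mode.
    $secureBoot = try { [bool](Confirm-SecureBootUEFI -ErrorAction Stop) } catch { $false }

    # Win32_DeviceGuard reports what the platform offers and what is running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
        -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue

    [pscustomobject]@{
        TpmPresent             = [bool]$tpm
        Tpm20                  = ($tpmFamily -eq '2.0')
        SecureBootEnabled      = $secureBoot
        # AvailableSecurityProperties: 3 = DMA protection available
        DmaProtectionAvailable = ($dg.AvailableSecurityProperties -contains 3)
        # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled, 2 = running
        VbsRunning             = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI,
        # 3 = System Guard Secure Launch (DRTM)
        CredentialGuardRunning = ($dg.SecurityServicesRunning -contains 1)
        HvciRunning            = ($dg.SecurityServicesRunning -contains 2)
        SecureLaunchRunning    = ($dg.SecurityServicesRunning -contains 3)
    }
}

$state = Get-SecuredCoreState
$state | Format-List

# List every property that is not satisfied, so gaps are obvious in a fleet audit.
$gaps = $state.PSObject.Properties | Where-Object { -not $_.Value } |
    Select-Object -ExpandProperty Name
if ($gaps) { Write-Warning ("Not active: " + ($gaps -join ', ')) }
```

Credential Guard is an optional capability, so a False value for CredentialGuardRunning indicates it has not been enabled rather than a missing hardware feature.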
