to get 4K resoltution with Edge on Windows, you need to activate VBS (Virtualization-based Security) and Secure Boot. In that config, DRM keys are stored in a trusted application in secure world, and Edge from normal world ask the TA to decrypt the stream.

Server side Netflix has nothing to do, just send out the encrypted stream if asked by a client.

if asked specifically by a proven Windows client with VBS and secure boot enabled? or could the same method be implemented on any OS?

The entire graphics chain needs MS signed drivers, so no.

(Netflix do the same thing on MacOS with Apple signed drivers, backed up by hardware based security.)

thanks for the info

Edge supports Microsoft's PlayReady DRM and Safari supports Apple's FairPlay DRM, both of which are stronger than Widevine.

are each of those tied to their implementors? or can they be used on any supported OS and hardware like widevine can?

All of them have varying levels of secure implementation, and services will usually only send high resolution content to devices that can demonstrate (with signed keys) the more secure options.

Including Widevine. Widevine Level 3 is a software based solution that can be used on a variety of platforms, but the space for Widevine Level 1 requires OS and hardware integration (which doesn't include Windows for example, but is available for Android if the OEM does the requisite work).

it's a shame. really don't understand the thinking behind it. it's easy for them to detect and ban shared accounts, but it's also easy enough to rip a decrypted stream, even if it is only at 1x rate. not sure why they bother. I suppose their recompense for piracy comes from those manufacturers willing to pay them for signed keys in exchange for hassle-free compatibility