This week, Microsoft spelled out the hardware specifications it thinks PC makers should adopt to ensure their Windows computers are “highly secure”.
These days, it’s common to see security baked in at a lower level than just the operating system and apps, and that means doing it in a mixture of hardware tightly integrated with secure firmware.
According to Microsoft, a secure PC should be built around a seventh-generation 64-bit Intel or AMD processor or later (Skylake or A-Series/Athlon onwards), and have at least 8GB of RAM.
At first it looks as if this might be something to do with hardware virtualisation (also in the specification) but is really more tied up with the code and memory-protection mechanisms built into these chips under the banner of Virtualisation Based Security (VBS).
And it doesn’t stop with the processor, because the system’s other chipsets need to support specific types of memory and virtualisation management, too.
Unsurprisingly, systems must ship with a TCG v2.0 Trusted Platform Module (TPM) and implement verified boot using something like Intel’s Boot Guard.
Critically, what used to be called BIOS firmware must meet the latest standards from UEFI 2.4 or later, and be able to resist tampering while supporting updating.
I’ll spare you the rest of the specification’s gory detail and skip to the ‘what it all means’ bit…
The first thing that it shows is that securing PCs is increasingly a job that’s done (or at least begun) in the first few seconds after it’s turned on, when the system checks to see that important software hasn’t been interfered with.
This isn’t brand new, of course, but it is increasingly central to defending PCs, not simply the main UEFI layer and its various functions but also any add-on firmware that might be present in the computer (remember the Thunderstrike attack against Macs back in 2015?). Firmware also needs to be managed securely when vulnerabilities are exposed.
Secondly, we learn something about the future, specifically how things like Mode Based Execution Control (MBEC) might soon be used to boost Windows Defender Application Guard (WDAG), a Hyper‑V virtualization isolation layer used by, among other things, the Edge browser.
This is only available for enterprise customers today but Microsoft’s document hints that this will change at some point to include everyone.
Which brings us to the version of Windows that fully enables WDAG, namely Windows 10 version 1709, Fall Creators Update (released in mid-October), the Windows version that Microsoft’s new specification assumes as a sort of reference year zero.
Is all this a lot to ask?
If you don’t have a PC that meets these requirements – and almost everyone who bought a PC or laptop before last year won’t – it might seem so.
There will also be cynics who suspect that PC companies will use it to harry people into upgrading their PCs more often.
Then there are convenient exceptions such as the strange beast that is Windows 10 S, the cut-down Chromebook-like-but-not-quite computer, that isn’t required to meet the specification because, frankly, it can’t.
Nonetheless, corporate buyers will pay close attention to the new document and it could even end up buried inside compliance regimens.
If that happens, Microsoft’s specification will end up being a two-minute read with two-decade implications.
Michael Marohn
I like the concept of approaching computer security from every different angle possible. However, I am always wary of a company’s hidden agenda to ensure that it’s products are favored, while also along for the potential scapegoat scenario when a piece of hardware fails to do it’s function. It will be interesting to see how this type of technology will be adapted and applied to the different markets since PCs are not the only devices subject to compromise.
James
These standards sound like it will make life difficult for anyone wanting to remove Windows and install Linux. So it does sound like it is improving the security… of profits for Microsoft.
David M
As I was reading the article, I thought about the same thing. I would like to hear from computer experts if this is true or not. Up to now, Microsoft has done all it can to prevent Linux from being sold installed on a computer. I use Linux, and have converted others to do the same. I’m sure Microsoft is aware of the potential of losing business. I have found that once a person uses Linux for a while, I get the same response, “Why didn’t I switch before?”
Paul Ducklin
Every Windows laptop I’ve seen recently permits you to unlock your bootup firmware and to update it with code of your own, for example to install Linux or OpenBSD.
Microsoft already had a good go at building a generation of Windows computers for which you couldn’t install your own bootup firmware or replacement operating system (remember the fuss over Secure Boot at first? remember Windows RT?)…
…but the market wouldn’t accept it.
Times may have changed – after all, both Google and Apple successfully sell devices (e.g. Chromebooks and iPads) that are firmware-locked so you are stuck with their operating system and can’t switch to another.
If Google can sell computers that deliberately prevent you installing Linux or Windows, maybe Microsoft feels it should be allowed to lock you out from installing ChromeOS or Linux? (Let’s hope it dorsn’t happen…but it’s not as though there isn’t a precedent set by Microsoft’s competitors.)
jkwilborn
Microsoft losing business to the Linux world? You see lots of Linux on servers but little in the consumer industry. The company my wife works for just spent over 2 million for Microsoft products this year alone. Largest company in the world, worry about Linux? I highly doubt it.
When Linux comes up with something that may even come close to Power Point it will help. All of industry industry seems to use it and there is no Linux substitute. Some applications (applying for some legal information or other data from state or federal government) requires you use a Microsoft product for submission. Microsoft is not worried about Linux, most users don’t care and don’t want to learn another OS, especially if there is not equivalent Linux replacement. I’m speaking more in the business world area. Business uses what it knows and works with, which is generally Microsoft. People working for these companies generally buy what they use at work.
Since there’s such a high number of Linux servers (things doing the actual work…:) I doubt that any hardware will be made that will not support a Linux installation and last long enough to make an impact in the industry.
Mark Stockley
I think we have to start looking for another explanation. There have been perfectly usable Linux distributions, and substitutes for powerpoint, for a while now.
I think that once a technology reaches a certain penetration it becomes almost impossible to dislodge by competing with it on its own terms. If you want to beat an embedded technology then, more often than not, you have to make it obsolete rather than trying to match it or being slightly better.
You can no more dislodge Microsoft from offices around the world than you can be a better Facebook than Facebook, be a better text search than Google Search or overtake x86 instructions for desktop chips. Snapchat might make Facebook obsolete though, as users decide to network *differently*, Alexa might eventually make Google searches obsolete as users use the web differently and mobile device chips might see off x86 as computing changes.
Interestingly, the Windows/Linux situation is reversed on phones. Try as they might, Microsoft can’t dislodge Linux from the world’s phones, even with an arguably better product.
IT Guy
Hardware security like TPM Chip?????
ATXXTA
Maybe they should recommend to disable Intel ME completly since their own Surface laptops are vurnable to the latest Intel ME exploit and all they say is “You should look out for an update of intel” While its Microsoft that should push this update.