Are Windows 10 Secured-Core PCs the best way to provide a secure computer?

12

Hi everyone,

I’m looking for feedback from people that have actually used Secured-Core PCs. So far, what I have found is Microsoft’s marketing and documentation about it and news articles saying it exists. What I haven’t found yet is feedback from ethical hacker types confirming this stuff is worth it. In particular, are there features that only exist in a Secured-Core PC?

Has anyone actually used one of these computers in a secured business/enterprise environment? If so, is it your preferred way to provide a secured Windows 10 computer? Why do you feel it is or isn’t?

Are the two Microsoft Surface devices that are Secured-Core compliant (Surface Pro X and Surface Laptop 4 AMD chip) the best implementations of this since Microsoft also open-sources their BIOS/UEFI firmware?

If someone’s needs are cross platform, so they can work on Macs, Linux, Chrome OS, etc… – are any of those better?

My off the cuff guesses on ways to go here would be:

* Microsoft manufactured Secured-Core PC

* Other Secured-Core PCs

* Get an enterprise grade computer, like a Lenovo ThinkPad that has similar hardware as a Secured-Core PC, but fiddle with the firmware and Windows 10 settings to lock it down

* Get a Mac (is there evidence that the M1 processors are more securely designed than what Intel’s been doing the past few years and is the security posture of the current version of macOS better than Linux or Windows)

* Use Linux (assuming either on a ThinkPad or something designed specifically for Linux, like System76), Rarely used it, I’m not sure which distro would be appropriate for secure collaboration in a typical office/professional environment

* Maybe Chrome OS? Never used it, not sure if Alphabet/Google basically being an advertising company has caused them to misbehave on the engineering and architecture stuff required here

But, if you haven’t heard about it and want to learn more – here is Microsoft’s blog post describing what Secured-Core PCs are supposed to do:

https://www.microsoft.com/security/blog/2020/03/17/secured-core-pcs-a-brief-showcase-of-chip-to-cloud-security-against-kernel-attacks/

Comments (12)

12 responses to “Are Windows 10 Secured-Core PCs the best way to provide a secure computer?”

  1. innitrichie

    Secured-core PCs provide protections that are useful against sophisticated attacks and can provide increased assurance when handling mission-critical data in some of the most data-sensitive industries, such as healthcare workers that handle medical records and other personally identifiable information (PII), commercial roles that handle high business impact and highly sensitive data, such as a financial controller with earnings data.


    These security provisions are considered best-in-class, and are far more resilient than anything available on Apple's hobbyist platforms.


    I am delighted with the security benefits. I am very excited to see more Secure-core innovations in the years ahead. Trustworthy computing is what keeps me fully invested in Microsoft's rich enterprise-grade ecosystems.

    • pbsie

      I find this hard to believe, that you consider the M1 to be one of "Apple's Hobbyist Platforms." When in full security mode, iOS and iPadOS are extremely hard to compromise from the hardware root of trust...

      • bkkcanuck

        Not to mention once the ARM based industry starts using ARMv9 and realms... it will be even more secure...

      • bkkcanuck

        Oh, I forgot the fact that in the last few iterations of macOS (there are always security enhancements each iteration), the OS itself sits in a read-only secure signed 'partition' all to itself. The 'drivers' (kernel extensions) have been removed in favour of driverkit because of security. Basically, Apple is hardening even more the UNIX based kernel -- securitywise.

        • wright_is

          On the other hand, no OS can be 100% secure, especially if it is networked and doubly so, if it is connected to the network.

          I find the "Apple's hobbyist platforms" to be very flippant, but Apple's systems are no better and no worse than anybody elses, when they are properly locked down, they all still have faults that can be leveraged - as we regularly see in the news and at events like p4wn2own.

          • wright_is

            doubly so, if it is connected to the Internet... Damn the lack of edit!

          • bkkcanuck

            No, nothing not stored in a vault disconnected from any network can be 100% secure. Apple, like any OS used by consumers has to make concessions to usability over security from time to time... The difference is that every revision of macOS, Apple is making (sometimes breaking functionality) security upgrades to the OS to harden it more than average.

    • Paul Thurrott

      Come on. Apple's platforms are not "hobbyist." They are used by many millions of people. Billions, for iPhone.
  2. Robert-Hostetler

    @innitrichie - I'm not sure if you have actually implemented Secure-Core PCs vs. stating Microsoft's intent behind it.


    To everyone - Agreed that macOS/iOS is not hobbyist. I have prior experience being the primary global admin over one of the 500 largest M365 implementations, with over 10,000 of them being macOS users.


    So, I've seen with my own eyes Fortune 500 scaled and secured enterprise stuff on a Mac.


    I do acknowledge that Apple's hardware offerings are not the best choice for a variety of use cases. Which is why I was asking about both people that have to be on Windows vs. someone with more flexibility (such as everything they need to do can be done a web browser or the apps are cross-platform).


    I'm looking for real world utility here, not the equivalent of religious/political/sports people picking a side and then refusing to look at reality.


    However, the MacBook Air is the OG Ultrabook, which seems to be the most used form factor worldwide. Plus, ever since Apple stopped the butterfly keyboard nonsense and released the M1 chip, I've seen some of my M365 using clients buying MacBook Airs or Pros. I also believe that the Surface Laptop is Microsoft's way of ensuring there is a world class MacBook Air style Ultrabook that runs Windows. So, I'm open to recommending to folks going forward purchasing Secured-Core PC Surface Laptop 4 AMD for Windows and MacBook Air/Pro for macOS if the security postures are the best and let their application requirements choose Mac or Windows.


    @Paul - have you or your podcast/journalist friends found anything on this?


    Perhaps having someone form Microsoft's Windows Platform Security Team or David Weston (https://twitter.com/dwizzzleMSFT) on Windows Weekly would be a great episode to do so they can do a deeper discussion on this?

    • Robert-Hostetler

      meant to say 10,000 of the users on the Enterprise M365 tenant were using macOS (can't find a way to edit)

    • ringofvoid

      I'd be interested to hear more on this. My initial impression was that Secured-Core was a combination of improvements to the Secure Boot process and smart marketing of generic Windows security measures, but it sounds like there may be more too it. I would love to hear how it compares to similar efforts for other operating systems.

  3. Robert-Hostetler

    My initial impression was that it was more marketing driven too, but after seeing the David Weston presentations I could find on YouTube and seeing in the Windows security app that the best I can do with my ThinkPad E15 is Enhanced Hardware Security, I think there is more to it.


    The four levels of hardware security that Microsoft labels a device with are:

    1. Standard hardware security not supported
    2. Your device meets the requirements for standard hardware security
    3. Your device meets the requirements for enhanced hardware security
    4. Your device exceeds the requirements for enhanced hardware security (Note: In Windows 20H2 this message will say "Your device has all Secured-core PC features enabled")


    Microsoft describes each layer at: https://support.microsoft.com/en-us/windows/device-protection-in-windows-security-afa11526-de57-b1c5-599f-3a4c6a61c5e2#hardwarescore


    Secured-core PCs have an item beyond Enhanced Hardware Security - System Management Mode (SMM) protection.

Leave a Reply