Microsoft Partners with PC Makers on Secure-Core PCs

Posted on October 21, 2019 by Paul Thurrott in Hardware, Windows 10 with 10 Comments

Microsoft has partnered with Dell, Dynabook, HP, Lenovo, and Panasonic on a new class of so-called Secure-core PCs.

Microsoft has partnered with Dell, Dynabook, HP, Lenovo, and Panasonic on a new class of so-called Secure-core PCs with locked-down firmware. Dell, in particular, seems to have been an inspiration for the initiative, which provides new protections at the deepest layer of compatible PCs.

“Dell PCs are hands down the most secure devices in the industry because Dell starts at the foundation, embedding security directly into the PC, below the OS,” Dell VP Brett Hansen says. “Our partnership with Microsoft will further help provide customers with integrated security right out-of-the-box, keeping our customers more secure so they can focus on running their businesses better.”

According to Microsoft, Secure-core PCs are designed specifically for industries like financial services, government, and healthcare, and for workers who handle highly sensitive intellectual property, customer data, or personal data, or any others who are “higher value targets for nation-state attackers.” They include additional layers of security for the PC firmware in an effort to thwart more recent and effective attacks that operate outside of a running operating system.

“Secured-core PCs combine identity, virtualization, operating system, hardware, and firmware protection to add another layer of security underneath the operating system,” Microsoft’s David Weston explains. “Unlike software-only security solutions, Secured-core PCs are designed to prevent these kinds of attacks rather than simply detecting them … Secured-core PC devices are designed to provide [PCs] with uniform assurances around the integrity of the launched operating system and verifiable measurements of the operating system launch to help mitigate against threats taking aim at the firmware layer. These requirements enable customers to boot securely, protect the device from firmware vulnerabilities, shield the operating system from attacks, prevent unauthorized access to devices and data, and ensure that identity and domain credentials are protected.”

You can learn more about Secure-core PCs from the Microsoft website.


10 responses to “Microsoft Partners with PC Makers on Secure-Core PCs”

  1. rickeveleigh

    First sentence is duplicated.

    Also, is it Secure-core or Secured-core?

  2. branpurn

    When the components are being made in CCP-controlled China by state-affiliated companies, you can't ever be certain the hardware the "secure core" firmware interfaces with hasn't been compromised to begin with.


    https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies

  3. MikeGalos

    Great. When I was a Security Program Manager it was always frustrating having an unsecure level below us that we couldn't lock down.

    • MachineGunJohn

      Pretty hard to feel good about this when you can't really tell which devices are protected by it and which aren't. From what I've seen regarding this, the Surface Pro X is, but no mention of the Surface Pro 7 or the Surface Laptop 3. Has MS really released these brand new devices without the capabilities required for secure core right before they announced it? That would seem highly lame, but I find no other sensible reason why else there'd be no mention of them.


  4. justme

    <edit> Looks like your first sentence is in the article twice. </edit>


    It's interesting they mention healthcare, because this does nothing near-term for healthcare providers. The biggest issue you will see in healthcare is the fact that some very expensive medical devices run and rely on outdated and insecure operating systems. There is no way to update them without serious investment by the manufacturer, largely due to drivers and proprietary software. Ask the NHS in the UK about that. Even if manufacturers would support a software upgrade, healthcare agencies simply don't have the money or cannot afford the downtime required.

    • payton

      In reply to JustMe:

      I wouldn't say that it does nothing for healthcare. Secure workstations definitely are part of a good overall security strategy/system. But you are right that it doesn't address one of the biggest holes in healthcare's security. Probably nothing will be done about this until the providers of these insecure systems start seeing a serious financial impact as a result of it.

  5. codymesh

    Who wants to guess whether or not this locks Linux out of these laptops and that the Linux fans will be mad about it?

  6. puudevascpor1973

    Microsoft says that malware delivered via firmware attack can be "hard to detect and difficult to remove [and] it could persist even across common cleanup procedures like an OS re-install or a hard drive replacement". Furthermore, firmware attacks can undermine security mechanisms like Secure Boot and other mitigations taken by the hypervisor or operating system, as it was mentioned in Microsoft Secure Mechanisms Manual. It means that we have to be more accurate with cleanup procedures to avoid malware injections.
