Windows 8.1 Security Feature Goes Missing
Microsoft is mum on the matter for the
moment, but some analysts are hopeful that a security feature originally
planned for Windows 8.1 — code-named “Provable PC Health” — will some
day see the proverbial light of day.
At Microsoft’s TechEd conference back in June, Chris Hallam, senior
product manager for Windows client side, announced Provable PC Health,
referring to it as the “most interesting” among a slate of Windows 8.1 security enhancements that
also includes, for instance, network behavior monitoring for beefed-up anti-malware
protection and built-in fingerprint reader security.
Hallam told conference attendees that Provable PC Health will let
users remotely analyze “the security state of the device and its
integrity.” As Hallam saw it, Microsoft would use the feature to “warn
[users and] help them get their device back into a serviceable state.”
Later during the summer, Microsoft provided some further information —
describing Provable PC Health as combining a cloud service with a
“Secure Data Client” — in an article first published on the company’s
TechNet site on July 24 and then updated on August 21.
“The Secure Data Client periodically sends information, including
data about the state of the computer, to the cloud service. If an issue
is detected as the data is analyzed, the cloud service sends a message
to the client service with remediation recommendations,” according to the
article, which is still posted on the site.
What Happened, Though?
But what ever happened to Provable PC Health? “Unfortunately, we have
nothing to share right now, but may have details in coming months.
We’ll keep you updated!” said a Microsoft spokesperson, in an email to
Notebook Review.
“I’ve done a few tests with Windows 8.1, but haven’t seen it activated anywhere,” wrote Andrew Snodgrass, an analyst with Directions on Microsoft, in another email.
Microsoft has envisioned Provable PC Health as a free, optional
subscription service for “non-domain joined computers” (consumer PCs)
that “uses the Measured Boot data (which are stored securely in the TPM
during startup) to provide remote analysis of system health by checking
the boot metrics against a set of known values for the device,”
Snodgrass writes in a research report.
The report looks at how Windows 8.1 takes advantage of the TPM
(Trusted Platform Module) and UEFI (Unified Extensible Firmware
Interface) hardware components built into some PC hardware for improved
security.
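The check described above, comparing Measured Boot data against known values, can be sketched as follows. This is an added example, not Microsoft's code or anything from the report: it is a simplified model in which each event carries the component's bytes (real event logs carry digests), and the component names, contents and PCR assignments are constructed placeholders.

```python
import hashlib

def extend(pcr, digest):
    """TPM extend operation: new PCR = SHA-256(old PCR || measurement)."""
    return hashlib.sha256(pcr + digest).digest()

def replay(event_log):
    """Recompute PCR values from (pcr_index, component, image_bytes) events."""
    pcrs = {}
    for index, _name, image in event_log:
        start = pcrs.get(index, bytes(32))  # PCRs reset to all zeros at power-on
        pcrs[index] = extend(start, hashlib.sha256(image).digest())
    return pcrs

def check_health(event_log, tpm_pcrs, known_good):
    """Return findings for one report; an empty list means a healthy boot."""
    findings = []
    # The log is only trusted if it reproduces the values held in the TPM.
    replayed = replay(event_log)
    for index, value in sorted(tpm_pcrs.items()):
        if replayed.get(index) != value:
            findings.append(f"PCR {index}: event log does not reproduce TPM value")
    # Each measured component is then compared with the reference digests.
    for index, name, image in event_log:
        if hashlib.sha256(image).hexdigest() not in known_good.get(name, set()):
            findings.append(f"PCR {index}: unexpected measurement for {name}")
    return findings

# Constructed sample data: component names and contents are placeholders.
GOOD_BOOT = [(0, "firmware", b"fw-1.0"), (4, "boot-manager", b"bootmgr-1.0"),
             (4, "os-loader", b"loader-1.0")]
KNOWN_GOOD = {name: {hashlib.sha256(image).hexdigest()}
              for _i, name, image in GOOD_BOOT}
# A boot where the boot manager was replaced; the TPM recorded what really ran.
TAMPERED_BOOT = [(0, "firmware", b"fw-1.0"), (4, "boot-manager", b"bootkit"),
                 (4, "os-loader", b"loader-1.0")]

if __name__ == "__main__":
    print(check_health(GOOD_BOOT, replay(GOOD_BOOT), KNOWN_GOOD))
    print(check_health(TAMPERED_BOOT, replay(TAMPERED_BOOT), KNOWN_GOOD))
    # A client that sends the clean log while the TPM holds the tampered values.
    print(check_health(GOOD_BOOT, replay(TAMPERED_BOOT), KNOWN_GOOD))
```

The third call shows why the values stored in the TPM matter: a report that substitutes a clean log is caught because replaying it does not reproduce the PCR contents.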
“TPM is a hardware security device or chip that provides a number of
crypto functions, including securely storing keys and performing
cryptographic measurements. It’s a great tool for the enterprise, but
has been an optional piece of technology for consumer devices,” said
Dustin Ingalls, group manager at Microsoft for Windows Security and
Identity.
Yet if Provable PC Health isn’t available by now, why hasn’t the
world taken much notice? “That’s a good question. I suspect it’s because
Provable PC Health is a consumer service, so enterprises aren’t
affected by it. And low-level boot code and security aren’t very
glamorous,” Snodgrass told Notebook Review.
Will Provable PC Health ever come to pass? “I certainly hope so. It
could be a valuable tool for the consumer market that gives them a level
of security typically only seen in corporations,” the analyst
responded.
“More importantly, this could help with the security of BYOD that
affects most corporations. How nice it would be if the consumer device,
coming into the office, had a high level of protection and
self-correction.”
Could it be that Microsoft is holding off on the service until there are more consumer PCs out there with TPM components?
Where Are the TPM-Ready PCs?
“TPM 2.0 is required for all InstantGo (Connected Standby) devices
which will ensure modern devices are ready for BYOD scenarios. And in
Windows 8.1, we expand on the strategy behind TPM, with features such as
key attestation, which allows you to ensure your private (encryption)
key is safely bound to hardware instead of malware, and virtual
smartcard management WinRT APIs to enable Windows Store apps to set up
and manage virtual smartcards,” wrote Microsoft’s Ingalls, in a recent
blog post.
“We are working towards requiring TPM 2.0 on all devices by January
2015. This helps IT departments be confident that the devices their
employees bring to work are fully capable of complying with corporate
security policies.”
According to Snodgrass, Microsoft hasn’t been planning for Provable
PC Health to provide remote attestation, although attestation is
available with Measured Boot on corporate domains.
Instead, the consumer security service would only provide
recommendations to users about how to solve identified security issues.
Many have argued that, with Windows 8, Microsoft jumped the gun on touch support before enough PCs were available.
Is the company now trying to avoid a similar mistake when it comes to
TPM-enabled PCs? Or is the technology behind Provable PC Health simply
not quite ready for prime time yet? Who knows?
For his part, Snodgrass doesn’t view the omission of a planned
product feature as all that unusual. “There are numerous examples of
that type of behavior over the years from [other] high tech companies,”
the analyst maintained.