Aside from manufacturing custom silicon for its Surface Pro X and Surface Laptop AMD driven devices, the company is also pushing forward its custom Secured-core PC architecture this year as well.
Microsoft is stepping out beyond software solutions to partner with many of its PC OEMs to provide a triple layer of hardware, firmware, and software to protect devices typically used with government, financial services and healthcare sectors.
The essence of Secured-core PC lies in hardware-based security components. Trusted platform chips enable virtualization-based security that creates a secure hardware isolated kernel that prevents access to other critical parts of the hardware or software, all working together.
The entire process also makes use of Windows Defender System Guard through a series of System Integrity checks during boot up.
According to Microsoft,
This process and data are hardware-isolated away from Windows to help ensure that the measurement data is not subject to the type of tampering that could happen if the platform was compromised. From here, the measurements are used to determine the integrity of the deviceâ€™s firmware, hardware configuration state, and Windows boot-related components.
This ensures protection from unsigned malware, one of the primary vectors for major attacks. Once Windows has started and is running securely and a user signs in with Windows Hello,
Credential Guard ensures that identity and domain credentials are isolated and protected in a virtualization-based secure kernel thereby blocking credential theft attack techniques and tools used in many targeted attacks.
Even malware running in the operating system with administrative privileges will not be able to extract authentication tokens.
To have a look at the hardware and partnering companies, Microsoft has a list of devices for sale with Secure-core here, which include Dell, HP, Dynabook, Lenovo and even Microsoft’s upcoming Surface Pro X.