The software giant’s Secured-core PC initiative first launched back in 2019, and so far Dell, Dynabook, Getac, HP, Lenovo, Fujitsu, Acer, Asus, Panasonic and Microsoft have created laptops designed to protect users against firmware-level threats.
At the heart of the new Surface Laptop 4 are a Trusted Platform Module 2.0 (TPM) and an AMD Ryzen Mobile Processor with System Guard, which together let the device boot securely while minimizing the impact of firmware vulnerabilities. It is System Guard, not the TPM chip itself, that sandboxes the firmware: using the processor’s Dynamic Root of Trust for Measurement, System Guard Secure Launch starts the Windows hypervisor and kernel from a CPU-measured state, so firmware that ran earlier in the boot process cannot tamper with those critical subsystems or the sensitive data they protect. The TPM’s role is to record the measurements taken along the way.
On Secured-core PCs, Kernel Direct Memory Access Protection is also pre-enabled to help ensure that the system is protected against malicious and unintended Direct Memory Access (DMA) attacks, such as Thunderspy, from devices plugged into Thunderbolt or other PCIe-connected ports. Meanwhile the TPM 2.0 chip serves as the hardware root of trust for the Surface Laptop 4: it can protect sensitive assets like BitLocker keys, and it can attest the measured boot state of the device, which is what a Zero Trust access policy relies on when deciding whether to trust the device.
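As an added, practical check (an example script written for this edit, not code from the article, from Microsoft or from any Surface tool), the PowerShell below reads the state of the protections named above on a Windows 10/11 machine: TPM 2.0, Secure Boot, virtualization-based security with HVCI and System Guard Secure Launch, IOMMU-backed DMA protection, Kernel DMA Protection, and a TPM-backed BitLocker key protector on the OS volume. It assumes the documented numeric codes of the `Win32_DeviceGuard` WMI class (`SecurityServicesRunning` 2 = HVCI, 3 = System Guard Secure Launch; `AvailableSecurityProperties` 3 = DMA protection available) and that an `msinfo32 /report` text file carries a `Kernel DMA Protection` line, since that status has no cmdlet of its own; the function name `Test-SecuredCorePosture` is my own.

```powershell
# Added example, not from the article or from Microsoft. Run from an
# elevated PowerShell session: Get-BitLockerVolume and the DeviceGuard
# WMI class need administrator rights.
function Test-SecuredCorePosture {
    $results = New-Object System.Collections.Generic.List[object]
    function Add-Result([string]$Check, [bool]$Pass, [string]$Detail) {
        $results.Add([PSCustomObject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
    }

    # 1. TPM 2.0 present and ready: the hardware root of trust.
    $tpm     = Get-Tpm
    $tpmWmi  = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm
    $tpmSpec = ($tpmWmi.SpecVersion -split ',')[0].Trim()      # e.g. "2.0"
    Add-Result 'TPM 2.0 present and ready' ($tpm.TpmPresent -and $tpm.TpmReady -and $tpmSpec -eq '2.0') `
        "SpecVersion=$($tpmWmi.SpecVersion)"

    # 2. UEFI Secure Boot. Confirm-SecureBootUEFI throws on legacy BIOS systems.
    $secureBoot = $false
    try { $secureBoot = Confirm-SecureBootUEFI } catch { }
    Add-Result 'Secure Boot enabled' $secureBoot ''

    # 3. Virtualization-based security, HVCI, System Guard Secure Launch and
    #    IOMMU DMA protection, from the documented Win32_DeviceGuard codes
    #    (assumed here: SecurityServicesRunning 2 = HVCI, 3 = Secure Launch;
    #    AvailableSecurityProperties 3 = DMA protection available).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    Add-Result 'VBS running'                 ($dg.VirtualizationBasedSecurityStatus -eq 2) "Status=$($dg.VirtualizationBasedSecurityStatus)"
    Add-Result 'HVCI running'                ($dg.SecurityServicesRunning -contains 2)    "Running=$($dg.SecurityServicesRunning -join ',')"
    Add-Result 'System Guard Secure Launch'  ($dg.SecurityServicesRunning -contains 3)    ''
    Add-Result 'IOMMU DMA protection avail.' ($dg.AvailableSecurityProperties -contains 3) "Available=$($dg.AvailableSecurityProperties -join ',')"

    # 4. Kernel DMA Protection is only surfaced by msinfo32, so export a
    #    report and read the line (assumption: the line reads "... On"/"Off").
    $report = Join-Path $env:TEMP 'msinfo32-report.txt'
    Start-Process -FilePath 'msinfo32.exe' -ArgumentList "/report `"$report`"" -Wait
    $kdmaLine = Get-Content -Path $report | Where-Object { $_ -match 'Kernel DMA Protection' } | Select-Object -First 1
    Add-Result 'Kernel DMA Protection on' ($kdmaLine -match '\bOn\b') ("$kdmaLine".Trim())
    Remove-Item -Path $report -ErrorAction SilentlyContinue

    # 5. BitLocker on the OS volume with a TPM-backed key protector, so the
    #    volume key is released only when the measured boot state matches.
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $tpmProtectors = @($bl.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' })
    Add-Result 'BitLocker OS volume protected' ($bl.ProtectionStatus -eq 'On') "VolumeStatus=$($bl.VolumeStatus)"
    Add-Result 'BitLocker TPM key protector'  ($tpmProtectors.Count -gt 0) ("Types=" + (($bl.KeyProtector.KeyProtectorType | ForEach-Object { "$_" }) -join ','))

    return $results
}

$posture = Test-SecuredCorePosture
$posture | Format-Table -AutoSize
if ($posture | Where-Object { -not $_.Pass }) { Write-Warning 'One or more secured-core protections are not active.' }
```

The checks deliberately separate "available" from "running": a machine can have an IOMMU and a TPM and still boot with HVCI or Secure Launch off, which is exactly the gap a firmware implant would exploit, so each row reports the live state rather than the hardware capability.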
According to Microsoft’s Security Signals report from March of this year, a vast majority of enterprise customers have experienced at least one firmware attack during the past two years. In a blog post, the Microsoft Security Team provided further insight as to why there has been an increase in firmware attacks recently, saying:
“Firmware, which lives below the operating system, is emerging as a primary target because it is where sensitive information like credentials and encryption keys are stored in memory. Many devices in the market today don’t offer visibility into that layer to ensure that attackers haven’t compromised a device prior to the boot process or at runtime below the kernel. And attackers have noticed.”
To address the growing number of firmware attacks, Microsoft has built its own Unified Extensible Firmware Interface (UEFI) firmware for Surface devices, giving it a secure and maintainable interface for managing firmware. Surface UEFI is built on Microsoft’s open source firmware project, Project Mu, which gives customers visibility into the code that runs below the operating system.
The software giant also built its own tools for managing and updating UEFI, including Surface Enterprise Management Mode (SEMM). This can be used either as a stand-alone tool or integrated with Microsoft Endpoint Configuration Manager to manage the UEFI settings on a user’s Surface without having to hold Power button + Volume Up to boot straight into the UEFI menu. SEMM settings are applied through packages signed with an organization-owned certificate, so settings locked by an administrator cannot be changed by the end user from the firmware menu.
While a release date has not yet been set for the new Surface Laptop 4 powered by AMD Ryzen Mobile Processors, the device joins the Surface Pro X as the second secured-core PC offering in the Surface portfolio.