A Windows 8.1 Security Feature Goes Missing: Why?

by Reads (3,706)

Microsoft is mum on the matter for the moment, but some analysts are hopeful that a security feature originally planned for Windows 8.1 — code-named “Provable PC Health’ — will some day see the proverbial light of day.

At Microsoft’s TechEd conference back in June, Chris Hallam, senior product manager for Windows client side, announced Provable PC Health, referring to it as the “most interesting” among a slate of Windows 8.1 security enhancements which also includes network behavior monitoring, for beefed-up anti-malware protection, and built-in fingerprint reader secrurity, for instance.

Hallam told conference attendees that Provable PC Health will let users remotely analyze “the security state of the device and its integrity.” As Hallam saw it, Microsoft would use the feature to “warn [users and] help them get their device back into a serviceable state.”

Later during the summer, Microsoft provided some further information — describing Provable PC Health as combining a cloud service with a “Secure Data Client” — in an article first published on the company’s TechNet site on July 24 and then updated on August 21.

“The Secure Data Client periodically sends information, including data about the state of the computer, to the cloud service. If an issue is detected as the data is analyzed, the cloud service sends a message to the cient service with remediation recommendations,” according to the article, which is still posted on the site.

What Happened, Though?

But what ever happened to Provable PC Health? “Unfortunately, we have nothing to share right now, but may have details in coming months. We’ll keep you updated!” said a Microsoft spokesperson, in an email to Notebook Review.

“I’ve done a few tests with Windows 8.1, but haven’t seen it activated anywhere,” wrote Andrew Snodgrass, an analyst with Directions on Microsoft, in another email

Microsoft has envisioned Provable PC Health as a free, optional subsription service for “non-domain joined computers” (consumer PCs) that “uses the Measured Boot data (which are stored securely in the TPM during startup) to provide remote analysis of system health by checking the boot metrics against a set of known values for the device,” Snodgrass writes in a research report.

The report looks at how Windows 8.1 takes advantage of the TPM (Trusted Platform Module) and UEFI (Unified Extensible Firmware Interface) hardware components built into some PC hardware for improved security.

“TPM is a hardware security device or chip that provides a number of crypto functions, including securely storing keys and performing cryptographic measurements. It’s a great tool for the enterprise, but has been an optional piece of technology for consumer devices,” said Dustin Ingalls, group manager at Microsoft for Windows Security and Identity.

Yet if Provable PC Health isn’t available by now, why hasn’t the world taken much notice? “That’s a good question. I suspect it’s because Provable PC Health is a consumer service, so enterprises aren’t affected by it. And low-level boot code and security aren’t very glamorous,” Snodgrass told Notebook Review.

Will Provable PC Health ever come to pass? “I certain hope so. It could be a vaulable tool for the consumer market that gives them a level of security typically only seen in corporations,” the analyst responded.

“More importantly, this could help with the security of BYOD that affects most corporations. How nice it would be if the consumer device, coming into the office, had a high level of protection and self-correction.”

Could it be that Microsoft is holding off on the service until there are more consumer PCs out there with TPM components?

Where Are the TPM-Ready PCs?

“TPM 2.0 is required for all InstantGo (Connected Standby) devices which will ensure modern devices are ready for BYOD scenarios. And in Windows 8.1, we expand on the strategy behind TPM, with features such as key attestation, which allows you to ensure your private (encryption) key is safely bound to hardware instead of malware, and virtual smartcard management WinRT APIs to enable Windows Store apps to set up and manage virtual smartcards,” wrote Microsoft’s Ingalls, in a recent blog post.

“We are working towards requiring TPM 2.0 on all devices by January 2015. This helps IT departments be confident that the device their employees bring to work are fully capable of complying with corporate security policies.”

According to Snodgrass, Microsoft hasn’t been planning for Provable PC Health to provide remote attestation, although attestation is available with Measured Boot on corporate domains.

Instead, the consumer security service would only provide recommendations to users about how to solve identified security issues.

Many have argued that, with Windows 8, Microsoft jumped the gun on touch support before enough PCs were available.

Is the company now trying to avoid a similar mistake when it come to TPM-enabled PCs? Or is the technology behind Provable PC Health simply not quite ready for prime time yet? Who knows?

For his part, Snodgrass doesn’t view the omission of a planned product feature as all that unusual. “There are numerous examples of that type of behavior over the years from [other] high tech companies,” the analyst maintained.




All content posted on TechnologyGuide is granted to TechnologyGuide with electronic publishing rights in perpetuity, as all content posted on this site becomes a part of the community.