Improve security for BYOD with modern Windows devices

Applies to: Windows 8, Windows 8.1

When businesses look at Windows 8/8.1 devices, a lot of words come to mind, words like mobility, tablets, touch, long battery life, and choice. Another word that sets these new devices apart from their predecessors is security. The improvements in Windows 8/8.1 devices around security aren’t just incremental, they’re monumental. These devices don’t just offer improved security that you should consider having, they offer the security capabilities that you need to address today’s modern threats.

Trustworthy hardware is a key investment area for Microsoft and that continues with the release of Windows 8.1. Often in a Bring Your Own Device (BYOD) scenario, if an employee buys a new computer, it can be hit-or-miss as to whether the device will have all the tools baked in that an IT department needs to secure the data on the device. With Windows 8.1, we take away the guesswork by making sure that the latest security technologies are available in all Windows 8/8.1 certified devices. Now let’s talk about a couple of the key hardware components that you’ll find in these new devices.

Universal Extensible Firmware Interface (UEFI)

BIOS recently celebrated its 30th anniversary, but over the decades it hasn’t evolved with the rest of the industry. The BIOS typically found in Windows 7 certified devices runs in 16-bit mode, has a maximum of 1MB of addressable space, and only works on Intel’s x86 architectures.

Universal Extensible Firmware Interface is the modern-day replacement for BIOS. It offers an architecture-independent solution that provides both device initialization and, unlike BIOS, advanced operation. As a result, the pre-OS boot environment can offer a rich user experience, device access, and even applications.

From a security perspective, UEFI plays a critical role in Windows 8.1 client security. Its most important attribute is its Secure Boot feature, which prevents malicious software from starting before the intended operating system. In other words, low-level malware such as bootkits, which can potentially bypass and hide from Windows and your antimalware solution, is effectively unable to start. Secure Boot doesn’t just provide a defense that makes it hard for bootkits to penetrate and persist on a device; it provides an architectural solution that eliminates the attack vector that bootkits depend on altogether. It’s a complete solution that gives Windows and the rest of its defenses a secure root of trust to start from. It’s a game changer!

Trusted Platform Module (TPM)

Trusted Platform Module is a hardware security device or chip that provides a number of crypto functions, including securely storing keys and performing cryptographic measurements. It’s a great tool that is widely present in the enterprise; however, it has been an optional and rarely added feature of consumer-class devices. That’s about to change.

The latest iteration of TPM (TPM 2.0) is required for all InstantGo (formerly Connected Standby) devices, which will ensure that modern devices are ready for BYOD scenarios. And, in Windows 8.1, we expand on the strategy behind TPM with features such as key attestation, which allows IT to ensure that private keys are safely provisioned and bound to hardware instead of being compromised by malware. In addition, we’ve made improvements in our virtual smartcard management technology to enable Windows Store apps to set up and manage virtual smartcards on devices, even those that are not managed.

Our intent is to make TPM 2.0 a certification requirement for all Windows devices by January 2015; however, we’re already seeing TPM starting to appear in a broader range of consumer devices. You can expect to see TPM move from tablets into other consumer device form factors in 2014. This will really help IT departments gain confidence that the devices their employees are bringing into work are fully capable of complying with corporate security policies.
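As an added example that is not part of the original article, the following PowerShell function checks, on a Windows 8.1 device, for the hardware features described in the UEFI and TPM sections above: UEFI firmware, Secure Boot enabled, and a provisioned TPM that meets a minimum specification version. It is the kind of check an IT department might run when onboarding a BYOD machine. It relies on the built-in Confirm-SecureBootUEFI and Get-Tpm cmdlets and the Win32_Tpm WMI class; the function name and the TPM 2.0 minimum are assumptions for this example, and the session must be elevated.

```powershell
# Added example (not from the original article): BYOD onboarding check for
# the UEFI Secure Boot and TPM features discussed above. Run elevated on
# Windows 8.1; Confirm-SecureBootUEFI and Get-Tpm need administrator rights.
function Test-ModernDeviceSecurity {
    [CmdletBinding()]
    param(
        # Minimum TPM specification the policy accepts (assumed: 2.0).
        [version]$RequiredTpmSpec = '2.0'
    )

    $result = [ordered]@{
        Firmware   = $env:firmware_type   # 'UEFI' or 'Legacy' on Windows 8+
        SecureBoot = $false
        TpmPresent = $false
        TpmReady   = $false
        TpmSpec    = $null
    }

    # Secure Boot state. The cmdlet throws on legacy BIOS machines and when
    # the firmware does not expose the variable, which we treat as "off".
    try {
        $result.SecureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop)
    } catch {
        $result.SecureBoot = $false
    }

    # TPM presence and readiness (provisioned and usable by Windows).
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        $result.TpmPresent = $tpm.TpmPresent
        $result.TpmReady   = $tpm.TpmReady
    } catch { }

    # TPM specification version; Win32_Tpm reports it as e.g. "2.0, 0, 1.16".
    $wmiTpm = Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm `
        -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if ($wmiTpm -and $wmiTpm.SpecVersion) {
        $result.TpmSpec = [version](($wmiTpm.SpecVersion -split ',')[0].Trim())
    }

    # A device passes only when every hardware root-of-trust prerequisite holds.
    $result.Compliant = ($result.Firmware -eq 'UEFI') -and $result.SecureBoot -and
        $result.TpmReady -and ($null -ne $result.TpmSpec) -and
        ($result.TpmSpec -ge $RequiredTpmSpec)
    [pscustomobject]$result
}

Test-ModernDeviceSecurity | Format-List
```

A device that reports Compliant = False shows which prerequisite failed in the other fields, so the same output can drive a conditional-access or enrollment decision.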


Security continues to be a top priority for Microsoft, from secure development practices and hardware to addressing emerging vulnerabilities and collaborating with others in the industry to protect our customers. As part of this commitment, I’m excited for businesses and end users alike to experience the added security measures that we’re introducing at the hardware level in modern Windows devices. For more information on the topics discussed above, read Securing the Windows 8 Boot Process.

If you already have a Windows 8 certified device, you’re already prepared to take full advantage of the security capabilities that Windows 8.1 has to offer. If you’re running previous generation hardware, Windows 8.1 will offer improved security over Windows 7; however, you’ll need to look at modern Windows 8/8.1 certified devices if you want to take full advantage of Windows 8.1 security. With these you’ll get the best experience from a security perspective while gaining benefits like increased mobility, touch, and battery life.

About the author

Chris Hallum is a Senior Product Manager focusing on Windows Client Security for commercial business scenarios. He has been at Microsoft for fifteen years and has worked in a number of engineering roles as a Program Manager within the Server and Tools Division (for example, Windows Scripting, System Center Operations Manager, Microsoft BitLocker Administration and Monitoring). Chris moved into a Product Management role in 2011 and now manages the security features within the Windows Client operating system (i.e. malware resistance, data protection, and identity and access control).