Security Considerations and Requirements

The primary purpose of WPBT is to allow critical software to persist even when the operating system has changed or been reinstalled in a “clean” configuration. One use case for WPBT is to enable anti-theft software which is required to persist in case a device has been stolen, formatted, and reinstalled. In this scenario WPBT functionality provides the capability for the anti-theft software to reinstall itself into the operating system and continue to work as intended. This functionality is powerful and provides the capability for independent software vendors (ISV) and original equipment manufacturers (OEM) to have their solutions stick to the device indefinitely. Because this feature provides the ability to persistently execute system software in the context of Windows, it becomes critical that WPBT-based solutions are as secure as possible and do not expose Windows users to exploitable conditions. In particular, WPBT solutions must not include malware (i.e., malicious software or unwanted software installed without adequate user consent).

To ensure the security profile of Windows users, Microsoft strongly recommends that WPBT only be used for critical functionality where persistence is a core requirement. Microsoft recommends that the following security best practices, processes, and engineering guidelines be followed to minimize exploitable conditions for Windows users. Microsoft recommends following security development lifecycle (SDL) practices to help minimize security risks and exposure. Please refer to the SDL site for more information.

The security guidance provided here is not intended as a cumulative or exhaustive list of security considerations but rather as a starting point for security best practices. Microsoft encourages OEMs and ISVs to go above and beyond these recommendations to provide as robust a security profile for Windows users as possible.

Continued servicing for WPBT publisher and client applications
The ability to update the WPBT publisher (firmware) as well as the OS side applications is critical and is the sole responsibility of the OEM or solution provider. OEMs and solution providers that leverage WPBT are expected to remediate security issues in a timely, holistic, and cumulative manner. It is critical that this remediation include updates to in-field devices and solutions. Update solutions must be secure end-to-end. This includes securing the update payload (signing), securing the update pipeline (encryption), and protections against rollback to insecure versions. For more information on firmware update mechanisms available from Microsoft please see the UEFI Firmware Update Platform document for more information. Some examples are as follows: