A Microsoft employee explains that's because Thunderbolt exposes a direct memory access (DMA) port: an attacker with a specially crafted memory stick could plug it into the device and gain access to all the data stored in memory, and Windows 10 wouldn't be able to stop the attacker from accessing it.
"So we don't believe, at this moment, that Thunderbolt can deliver the security that's really needed from the devices. That's why we've opted to integrate USB-C and USB 3 on our devices but have not integrated Thunderbolt on our devices," the unnamed Microsoft employee says.
This issue hasn't stopped other OEMs besides Apple – which co-develops Thunderbolt with Intel and uses it in all Macs – from adopting the Thunderbolt interface, including Dell, HP and Lenovo.
Microsoft also decided against giving the Surface Laptop 3 upgradeable RAM, a decision partly driven by the fact that it made the Surface Laptop 3's keyboard easy to remove to improve its serviceability.
The laptop features a keyboard cover that can be unfastened with a special but not uncommon screwdriver, allowing repairers to easily remove the whole cover to access and upgrade components like storage.
But on the Surface Laptop 3 memory cannot be upgraded. The employee states that a "skilled support engineer" can easily detach the keyboard to access the PC and the Trusted Platform Module (TPM) chip, which is soldered to the motherboard, along with the memory.
"If you would be able to physically take out the memory, what you can easily do as well is freeze the memory with liquid nitrogen, get the memory out, then put it in a specific reader," the employee says.
So an attacker with physical access to the device and a memory reader that costs a few dollars could gain access to all the data in the memory of a compromised device, including the BitLocker recovery keys.
"That's why on all Surface devices the memory is not physically upgradeable because of security, because we want to make sure the memory cannot be tampered with and that it cannot be taken out to be read. Because we see that on older devices that happens sometimes."
While Microsoft has steered clear of Thunderbolt for Surface devices, it has developed protections for OEMs that have integrated it in their hardware. Microsoft recently highlighted that Windows 10 gained kernel Direct Memory Access (KDP) protection for Thunderbolt 3 to protect against attacks requiring physical access.
This protection is available in Windows 10 Secured-core PCs, such as the Surface Pro X, which are designed to thwart firmware attacks. KDP can help block new ransomware attacks that rely on corrupting data within the kernel.
KDP allows makers of hardware drivers that run in the Windows kernel to cordon off select, sensitive kernel memory areas as read-only.
As MSPoweruser notes, KDP arrived in Windows 10 1803, which Microsoft released in 2019. That could mean somewhere down the line Microsoft could change its current policy on Surface memory upgrades and Thunderbolt.
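As an added example (not from the article, Microsoft or MSPoweruser), the check an administrator would run against the two exposures described above: whether a Windows 10 machine reports Kernel DMA Protection as on, and whether any BitLocker volume relies on a TPM-only protector, which unseals the volume key into RAM at boot with no user secret. It assumes msinfo32.exe and the BitLocker PowerShell module are present on the machine.

```powershell
# Added example: audit a Windows 10 machine for DMA exposure over Thunderbolt
# and for BitLocker keys that sit in RAM without a user-supplied secret.
# Assumes msinfo32.exe and the BitLocker module (Get-BitLockerVolume) exist.

function Get-KernelDmaProtectionState {
    # msinfo32 can write its System Summary to a text file; on Windows 10
    # 1803 and later that summary carries a "Kernel DMA Protection" line.
    $report = Join-Path $env:TEMP "msinfo32-$PID.txt"
    Start-Process -FilePath 'msinfo32.exe' -ArgumentList "/report `"$report`"" -Wait
    try {
        $line = Get-Content -Path $report -ErrorAction Stop |
            Where-Object { $_ -match '^\s*Kernel DMA Protection\s+\S' } |
            Select-Object -First 1
        if ($line -and $line -match 'Kernel DMA Protection\s+(\S.*)$') {
            return $Matches[1].Trim()       # typically "On" or "Off"
        }
        return 'Not reported'               # older builds or unsupported hardware
    } finally {
        Remove-Item -Path $report -ErrorAction SilentlyContinue
    }
}

function Get-BitLockerProtectorRisk {
    # A volume whose only TPM protector is plain "Tpm" is unsealed by the
    # firmware measurements alone, so its key is in memory before anyone
    # logs in. TpmPin / TpmStartupKey variants keep it sealed until the
    # user supplies the PIN or key, which narrows the DMA and cold-boot window.
    $userBound = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')
    Get-BitLockerVolume | ForEach-Object {
        $types   = @($_.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $tpmOnly = ($types -contains 'Tpm') -and
                   -not ($types | Where-Object { $userBound -contains $_ })
        [pscustomobject]@{
            MountPoint  = $_.MountPoint
            Protection  = $_.ProtectionStatus
            Protectors  = ($types -join ',')
            TpmOnlyRisk = [bool]$tpmOnly
        }
    }
}

$dma = Get-KernelDmaProtectionState
Write-Host "Kernel DMA Protection: $dma"
if ($dma -ne 'On') {
    Write-Warning 'Thunderbolt/PCIe peripherals may get unrestricted DMA before sign-in.'
}
Get-BitLockerProtectorRisk | Format-Table -AutoSize
```

Volumes flagged with TpmOnlyRisk are the ones whose keys a memory reader of the kind the article describes could recover; msinfo32 is the documented place Windows reports the Kernel DMA Protection state, so this script simply parses its report rather than a registry key.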