Microsoft Surface: Secure by Design
Microsoft runs on trust. Trustworthy engineering and secure experiences from chip to cloud are central to the Surface strategy, with the strongest platform protections and powerful Windows 11 Pro security capabilities enabled by default. As we move towards an AI-enabled future, Microsoft Surface helps you strengthen your security posture across hardware, OS, data, apps and identity through a foundation of built-in protection.
Let’s delve into what this means for you and your Surface.
Security even before you power on
Your Surface device is built secure before you first unbox and power-on. We start by developing robust security controls and investing in industry-leading product development processes to strengthen our digital and physical supply chains. One of these processes includes auditing our suppliers regularly to detect and prevent potential threats such as ransomware, phishing and malware. This proactive approach mitigates risks when integrating supplier code and services, thus strengthening the security posture of our supply chain. This leads to Surface devices that are ‘secure by design, secure by default, and secure in deployment’. As early as product conception, Surface designs and delivers a tight trust boundary for out-of-the box security, so you can rest confident the device is in its most protected state upon arrival.
To learn more about how we approach the complexities of supply chain security, check out our recent post.
Security from the moment you power on
Surface devices come with the highest level of security from the beginning. Most of our latest devices1 have Secured-core PC features enabled by default. With a Surface PC, hardware, firmware, and software work together to protect your device, identity, and data from the first time you use it. Further, some of the most critical security operations are done in an isolated environment using Virtualization-based security, which is walled off from the risk of more advanced attacks.
When you power on your Surface device, Secure Boot safeguards the start-up process from malware and rootkits using a hardware root of trust. Surface devices’ root of trust checks signatures and measurements to ensure each stage is reliable and authentic before allowing the next phase of boot to proceed. Enabled by Unified Extensible Firmware Interface (UEFI) and Trusted Platform Module (TPM) 2.0, Secure Boot ensures that only code signed, measured, and properly implemented can execute during the boot process.
The embedded firmware (the software that runs on microcontrollers and low-level components) within a Surface device’s system also plays a key role in enabling a seamless, highly secure experience from the moment you turn on your device. For a deeper dive into how we’ve approached embedded firmware development, check out this blog.
Recently, we detailed our history with the Microsoft-built Surface UEFI. At a foundational level, Surface UEFI is the pre-boot system that brings your Surface to life when you power it on. Our UEFI is built on the open-source Project Mu code base. By constructing our own UEFI stack, we reduce reliance on third-party UEFI components, reducing our device attack surface. Plus, we’re developing key UEFI and firmware components using the RUST programming language, which provides industry-leading memory safety solutions. We also contribute our Surface UEFI innovations back into the Project Mu code base to bolster the broader ecosystem.
Protecting users and their data
It’s more critical than ever that your endpoints support safe access to your most important data and AI experiences. Surface devices protect users and data through a suite of integrated security measures. Built-in antivirus protection through Windows Security scans for malware in real time, preempting potential threats as soon as you use the OS.
Additionally, Surface devices support BitLocker encryption, which helps prevent unauthorized data access, especially on a lost or stolen device. We keep security protocols current by delivering the latest protections via Windows Update. These features are part of our proactive stance on security, supporting user trust and data integrity through timely updates.
Balancing user-friendly security with precise data access control is crucial for enabling AI-accelerated productivity and protecting your business. Our latest lineup of Surface devices come equipped with Windows Hello Enhanced Sign-In Security (ESS) enabled by default. This password-less solution offers advanced identity protection that supports a smooth log-in experience and adds another layer of security for accessing your data. ESS uses a TPM for hardware-based encryption to safely store user data and support biometric features like Windows Hello. ESS also uses virtualization to isolate the authentication process and its associated data, meaning your sensitive biometric information never leaves your device. This helps protect you from common replay, phishing, and spoofing attacks, password re-use and leaks. Other security features like passkeys also use Windows Hello to safely sign into websites and apps.
Providing ultimate control
Surface for Business devices offer enterprise-grade security and comprehensive control. Key features include Surface Enterprise Management Mode (SEMM) and Device Firmware Configuration Interface (DFCI)2 which allow granular control over hardware components. IT admins can remotely enable or disable features such as cameras and Bluetooth to meet the demands of a variety of workplace requirements. Additionally, with the new Surface IT Toolkit, it’s easier to securely erase data if the device is transferred or retired.
Management and deployment flexibility—including the ability to choose cloud-based or traditional methods—streamlines device setup, configuration, and management. IT admins can tailor firmware settings and security policies to their organization’s needs. Lastly, Surface enables secure decommissioning, including options for removable SSDs on supported devices or use of the Surface Data Eraser in the Surface IT Toolkit, making data inaccessible after a device leaves the organization.
Simply put, Surface prioritizes security, control, and peace of mind for enterprises, making it an excellent choice for those seeking reliable and protected technology.
Secure by design, secured by default
We like to think of our devices as more than just tools, but as trusted partners enabling productivity for our users. At Surface, we’re dedicated to keeping you, your identity and your data safe in this ever-evolving, AI-accelerated digital age, knowing that security and innovation go hand in hand from our initial development stages to deployment into your daily use. Whether in the office or at home, Surface devices offer unparalleled protection, adapting to your needs and safeguarding what’s important to you.
As we continue to innovate and enhance the security features of Surface devices, we invite you to stay informed and engaged. Be sure to review our previous blogs on Surface IT Pro Blog and don’t forget to keep an eye out for future blogs where we’ll share the latest advancements and insights on security.
1. For a full list of Secured-core PCs, please visit https://www.microsoft.com/windows/business/devices?col=securedcorepc
2. Software license required, sold separately.
Microsoft Tech Community – Latest Blogs –Read More