Robust security means evolving from simply maintaining protection to being resilient against current and evolving threats. Cyber resilience is an organisational effort that demands accountability from everyone. Organisations need an integrated approach—with security built into every layer, from chip to cloud—to ensure people and data are protected wherever they work.
Microsoft has designed Surface devices to minimise the risk of threats against firmware, operating systems, and cloud applications. With Zero Trust built in from the ground up, this means security and IT decision-makers can feel confident investing resources in strategies and technologies to prevent attacks in the future rather than constantly defending against the onslaught of attacks aimed at them today.
Old devices can’t protect against new threats
Microsoft Surface devices are designed to facilitate basic security hygiene measures, with every layer maintained by Microsoft—from the firmware to the operating system, to the cloud. Surface devices, Windows 11, and Microsoft 365* help achieve organisational resilience with a Zero Trust approach to security and risk management that doesn’t sacrifice innovation or productivity. Companies that own Surface can experience up to 34% fewer security incidents, reducing time spent on security incident response.1 Surface device users also experience up to 20% fewer security breaches.2
Remote management made simple and secure
Surface Management Portal is built into Microsoft Intune,* a cloud-based endpoint management solution designed to address the challenges of managing and configuring users, apps, and devices at scale. Microsoft Intune handles mobile application management (MAM) and mobile device management (MDM).
Windows Update manages roll-out and update of firmware, software, and drivers. End-to-end protection ensures that only approved content is installed.
The ability to manage device security remotely can mean huge time savings for your IT team, reducing the possibility of firmware or ransomware attacks, and remediating problems before they get too far.
Working alongside Intune, Windows Autopilot saves more time by streamlining secure remote deployment and preconfiguring new devices with the required security settings and policies.
Security that’s built into the hardware
Our security approach begins with hardware. Surface protects data through encryption as the device boots. A Trusted Platform Module 2.0 (TPM 2.0) acts as a secure vault for storing passwords, PINs, and certificates, protecting hardware from tampering and restricting access to authorised individuals. At every stage of the boot cycle, firmware code is inspected for authenticity to ensure the system doesn’t execute any malicious code.
At startup, password-less, secure sign-in with Windows Hello for Business offers the highest level of biometric security, with infrared camera sensors to enhance facial recognition. Biometric sign-in is the most difficult to replicate, ensuring only authorised users can access the device.
We design many Surface devices with removable SSDs** to provide an extra layer of protection for sensitive data stored on the device.
Firmware that’s locked down
Surface devices proactively block threats by eliminating a key external access point to firmware through the Unified Extensible Firmware Interface (UEFI). The Microsoft-built UEFI is managed through Microsoft Intune* admin center. With no reliance on third-party source code, risk at the firmware level is minimised and access that hackers could eventually exploit is eliminated.
The Microsoft UEFI and Device Firmware Configuration Interface (DFCI) allows for more granular control of firmware through Microsoft Intune. DFCI reduces the attack surface by disabling unnecessary hardware components, and removes dependency on the local UEFI (BIOS) password. DFCI provides the ability to lock down boot options to prevent users from booting into another OS, while security updates running in the background provide ongoing, up-to-date protection against the latest threats
Security out of the box with Windows 11
Surface devices with Windows 11 include a new set of hardware security features enabled right out of the box. These features are designed to build a foundation even stronger and more resilient to attacks: virtualisation-based security (VBS), and Hypervisor-enforced Code Integrity (HVCI, also known as memory integrity). These work in tandem to provide better protection against common and sophisticated malware. VBS performs sensitive security operations in an isolated environment by checking code executions before they start, preventing malware from making its way to the system memory.
If a threat gains access to system resources, the HVCI can limit and contain the malware’s effects.
We ship Surface devices with Windows 11 from the factory with security features enabled. That helps security and business leaders normalise security-centric behaviors within your organisation, satisfying the need for accountability across your teams.
Even before signing in with a variety of biometric options to avoid passwords and PINs, Secure Boot helps ensure firmware is as genuine as it was when it left the factory. Together, Secure Boot and Trusted Boot prevent malware and corrupted components from loading during startup.
After start-up, BitLocker encryption helps render data inaccessible even on lost, stolen, or inappropriately decommissioned devices.
Want to learn more about how Surface, Windows 11, and Microsoft 365 work together to form an integrated, cyber resilient solution designed by Microsoft? Book a Consultation with our Specialists today!