Why Surface can support a more robust cyber resiliency strategy


This post has been republished via RSS; it originally appeared at: Microsoft Tech Community - Latest Blogs.

Robust security means evolving from simply maintaining protection to being resilient against current and evolving threats. Cyber resilience is an organizational effort that demands accountability from everyone. Organizations need an integrated approach, with security built into every layer from chip to cloud, to ensure people and data are protected wherever they work.


Microsoft has designed Surface devices to minimize the risk of threats against firmware, operating systems, and cloud applications. With Zero Trust built in from the ground up, this means security and IT decision-makers can feel confident in investing resources in strategies and technologies to prevent attacks in the future rather than constantly defending against the onslaught of attacks aimed at them today.


Old devices can’t protect against new threats

Microsoft Surface devices are designed to facilitate basic security hygiene measures with every layer maintained by Microsoft, from the firmware to the operating system to the cloud. Surface devices, Windows 11, and Microsoft 365¹ help achieve organizational resilience with a Zero Trust approach to security and risk management that doesn't sacrifice innovation or productivity. Companies that own Surface can experience up to 34% fewer security incidents, reducing time spent on security incident response.² Surface device users also experience up to 20% fewer security breaches.³



Remote management made simple and secure 

Surface Management Portal is built into Microsoft Intune¹, a cloud-based endpoint management solution designed to address the challenges of managing and configuring users, apps, and devices at scale. Microsoft Intune handles both mobile application management (MAM) and mobile device management (MDM).

Windows Update manages the roll-out of firmware, driver, and software updates for Surface. Because each update package is signed by Microsoft and verified before installation, only approved content is installed. Being able to manage device security remotely can mean large time savings for your IT team: firmware stays current, so known firmware vulnerabilities and the ransomware campaigns that exploit unpatched devices have less to work with, and problems can be remediated before they spread. Working alongside Intune, Windows Autopilot saves more time by streamlining secure remote deployment and preconfiguring new devices with the required security settings and policies.


Security that’s built into the hardware 

Our security approach begins with hardware. Surface protects data at rest through BitLocker encryption, with the volume key released only once the device has booted into a trusted state. A Trusted Platform Module 2.0 (TPM 2.0) acts as a secure vault for cryptographic keys: it protects the BitLocker volume key, Windows Hello credentials, and certificate private keys, records measurements of each boot component, and releases keys only when those measurements match the expected values, so a tampered boot chain cannot unlock the disk. At every stage of the boot cycle, each component verifies the signature of the next before handing off to it, so the system doesn't execute unsigned or modified code.


At startup, password-less, secure sign-in with Windows Hello for Business offers strong biometric security, using infrared camera sensors for facial recognition that resist spoofing with photographs. The credential behind Windows Hello for Business is an asymmetric key bound to the device's TPM, and the biometric template never leaves the device, so a stolen password or a replayed biometric image is not enough to sign in; only an authorized user present at that device can unlock it.


We design many Surface devices with removable SSDs⁴ to provide an extra layer of protection for sensitive data stored on the device: when a device is serviced or decommissioned, the drive can be removed and retained or destroyed separately, and the BitLocker-encrypted contents stay unreadable without the device's TPM and recovery key.


Firmware that’s locked down 

Surface devices proactively block threats by closing a key external access point to the firmware: the Unified Extensible Firmware Interface (UEFI) settings that, on most PCs, anyone with physical access can change from the pre-boot menu. The Microsoft-built UEFI is instead managed through the Microsoft Intune¹ admin center. Because Microsoft builds and maintains the UEFI itself rather than relying on third-party BIOS code, risk at the firmware level is minimized and an access path that attackers could eventually exploit is removed.


The Microsoft UEFI and the Device Firmware Configuration Interface (DFCI) allow for more granular control of firmware through Microsoft Intune. DFCI reduces the attack surface by disabling unnecessary hardware components (such as cameras, microphones, or radios) and removes the dependency on a local UEFI (BIOS) password, since firmware settings are enforced by the cloud policy rather than by whoever is at the keyboard. DFCI can lock down boot options to prevent users from booting into another OS from external media or the network, while firmware security updates delivered in the background through Windows Update provide ongoing, up-to-date protection against the latest threats.


Security out of the box with Windows 11 

Surface devices with Windows 11 include a set of hardware-backed security features enabled right out of the box. Two of them are designed to make the foundation stronger and more resilient to attacks: virtualization-based security (VBS) and Hypervisor-enforced Code Integrity (HVCI), also known as memory integrity. They work in tandem to provide better protection against both common and sophisticated malware. VBS uses the processor's virtualization extensions to carve out an isolated region of memory that the normal Windows kernel cannot read or modify, and runs sensitive security services there. HVCI is one of those services: it checks the signature and integrity of every piece of kernel-mode code before it is allowed to execute, so unsigned or tampered drivers never reach kernel memory.


Even if a threat obtains kernel-level privileges, HVCI can limit and contain the malware's effects, because the attacker still cannot load unsigned kernel code or patch code pages that the hypervisor has marked as execute-only.


We ship Surface devices with Windows 11 from the factory with these security features enabled. That helps security and business leaders normalize security-centric behaviors within your organization, satisfying the need for accountability across your teams.


Even before the user signs in with one of the biometric options that replace passwords and PINs, Secure Boot has already done its work: the firmware checks that each boot component it loads (UEFI drivers, the boot manager, and the Windows boot loader) carries a signature it trusts, so the boot chain is as genuine as it was when the device left the factory. Trusted Boot then extends the same verification to the Windows kernel, boot drivers, and anti-malware driver. Together, Secure Boot and Trusted Boot prevent malware and corrupted components from loading during startup.


After start-up, BitLocker full-volume encryption, with its key sealed to the TPM, helps render data inaccessible even on lost, stolen, or inappropriately decommissioned devices: without the original hardware booting a trusted chain, or the escrowed recovery password, the disk contents cannot be read.
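The features in the hardware section (TPM 2.0, signed boot chain) and in this section (VBS, HVCI, Secure Boot, BitLocker) are all ones Windows exposes to scripts, so a practitioner can verify that a device actually has them on rather than trusting the factory default. The following PowerShell script is an added example, not code from the original post or from Microsoft; it reads each setting through standard Windows cmdlets and WMI classes (Get-Tpm, Confirm-SecureBootUEFI, Win32_DeviceGuard, Get-BitLockerVolume, Win32_BIOS) and reports which parts of the baseline described above are missing. It assumes an elevated session on a Windows 10/11 client; the function names and the baseline rules are this example's own.

```powershell
# Added example (not from the original post): audit the boot-chain and
# platform-security settings described above on a Windows 11 device.
# Run from an elevated PowerShell session. The same checks apply on
# non-Surface hardware; only the expected results differ.
# Assumption: the BitLocker module and Get-Tpm are present (they ship with
# Windows 10/11 client editions).

function Get-PlatformSecurityPosture {
    $result = [ordered]@{}

    # TPM: Get-Tpm reports presence/readiness; the WMI class carries the spec version.
    $tpm    = Get-Tpm
    $tpmWmi = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' `
                              -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $result['TpmPresent'] = $tpm.TpmPresent
    $result['TpmReady']   = $tpm.TpmReady
    # SpecVersion looks like "2.0, 0, 1.59"; only the first field matters here.
    $result['TpmSpecVersion'] = if ($tpmWmi) { ($tpmWmi.SpecVersion -split ',')[0].Trim() } else { 'unknown' }

    # Secure Boot: Confirm-SecureBootUEFI throws on legacy-BIOS machines; treat that as off.
    try   { $result['SecureBoot'] = Confirm-SecureBootUEFI }
    catch { $result['SecureBoot'] = $false }

    # VBS / HVCI: Win32_DeviceGuard encodes state as small integers.
    #   VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    #   SecurityServicesRunning:           1 = Credential Guard, 2 = HVCI (memory integrity)
    $dg = Get-CimInstance -Namespace 'root/Microsoft/Windows/DeviceGuard' -ClassName Win32_DeviceGuard
    $result['VbsRunning']             = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    $result['HvciRunning']            = ($dg.SecurityServicesRunning -contains 2)
    $result['CredentialGuardRunning'] = ($dg.SecurityServicesRunning -contains 1)

    # BitLocker on the OS volume: protection must be On and the volume key should be
    # sealed to the TPM (KeyProtectorType Tpm, TpmPin, TpmKey or TpmPinKey).
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $result['BitLockerProtection']       = $bl.ProtectionStatus
    $result['BitLockerTpmProtector']     = [bool]($bl.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' })
    $result['BitLockerRecoveryPassword'] = [bool]($bl.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

    # Firmware identity: compare against the UEFI build you expect DFCI/Windows Update to have delivered.
    $bios = Get-CimInstance -ClassName Win32_BIOS
    $result['FirmwareVendor']  = $bios.Manufacturer
    $result['FirmwareVersion'] = $bios.SMBIOSBIOSVersion

    [pscustomobject]$result
}

function Test-PlatformSecurityBaseline {
    param([Parameter(Mandatory)] $Posture)
    # Returns one string per failed check; an empty array means the baseline is met.
    $failures = @()
    if (-not ($Posture.TpmPresent -and $Posture.TpmReady)) { $failures += 'TPM not present or not ready' }
    if ($Posture.TpmSpecVersion -ne '2.0')  { $failures += "TPM spec version is $($Posture.TpmSpecVersion), expected 2.0" }
    if (-not $Posture.SecureBoot)           { $failures += 'Secure Boot is off' }
    if (-not $Posture.VbsRunning)           { $failures += 'VBS is not running' }
    if (-not $Posture.HvciRunning)          { $failures += 'HVCI (memory integrity) is not running' }
    if ($Posture.BitLockerProtection -ne 'On')   { $failures += 'BitLocker protection is not On for the OS volume' }
    if (-not $Posture.BitLockerTpmProtector)     { $failures += 'BitLocker OS volume key is not TPM-protected' }
    if (-not $Posture.BitLockerRecoveryPassword) { $failures += 'No recovery password protector (nothing to escrow to Intune/AD)' }
    return $failures
}

$posture  = Get-PlatformSecurityPosture
$posture | Format-List
$failures = Test-PlatformSecurityBaseline -Posture $posture
if ($failures.Count -eq 0) { 'Baseline met' } else { $failures | ForEach-Object { "FAIL: $_" } }
```

The recovery-password check is the one most often missed: BitLocker can be On with only a TPM protector, which leaves no key to escrow, so a firmware update that changes the measured boot values locks the user out with no recovery path. On managed fleets the same posture is visible centrally through Intune device compliance and Microsoft Defender for Endpoint; this script is for spot checks and for devices that have not yet enrolled.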


Want to learn more about how Surface, Windows 11, and Microsoft 365 work together to form an integrated, cyber resilient solution designed by Microsoft? Download the e-book "Choose wisely: How device choice can make or break your cyber resilience plan."



1. Software license required for some features. Sold separately.

2. A Business Value White Paper, commissioned by Microsoft, September 2022, Doc. #US49453722. IDC research study conducted from surveys and interviews between December 2021 and February 2022. All respondents were IT decision-makers at large organizations (250 to 5000+ employees) from the United States, Australia, India, Spain, France, the United Kingdom, New Zealand, and Germany. Cost and savings findings are based on average cost and time estimates provided directly by respondents; actual costs and savings may vary based on your specific device mix and deployment. The detailed study is available from IDC under the document number above.

3. A Forrester Total Economic Impact™ Study commissioned by Microsoft, Maximizing Your ROI from Microsoft 365 Enterprise with Microsoft Surface, Cost Savings and Business Benefits, July 2020. Results based on a composite organization with a Microsoft 365 Enterprise E5 license and standardized mix of Surface Book 3, and Surface Hub devices set up and configured using Windows Autopilot and onboarded to the Microsoft Defender ATP service. Based on a survey of 143 Global Microsoft 365 powered device users.

4. Customer Replaceable Units (CRUs) are components available for purchase through your Surface Commercial Authorized Device Reseller. Components can be replaced on-site by a skilled technician following Microsoft's Service Guide. Opening and/or repairing your device can present electric shock, fire, and personal injury risks and other hazards. Use caution if undertaking do-it-yourself repairs. Device damage caused during repair will not be covered under Microsoft's Hardware Warranty or protection plans. Components will be available shortly after initial launch; timing of availability varies by component and market.
