Fortifying the Future: Microsoft’s Security Innovations

Mike Shellenberger

When someone says Microsoft Surface, what comes to mind? For most, it conjures the image of the iconic Surface Pro two-in-one device. With its recognizable kickstand, detachable keyboard and pen, there is no doubt the Surface Pro has left its mark on the industry with its trailblazing form factor. But, did you know that the Surface line is also leaving its mark as one of the most secure devices in the market, especially when coupled with Windows 11 Enterprise and Microsoft Intune?

Security is top of mind for organizations of every size, from the largest enterprises to the smallest startups. A single breach can inflict financial damage on an organization and tarnish its brand reputation, and the challenges of accommodating a remote or hybrid workforce only raise the stakes. Most security practitioners advocate a layered defense, in which no single control is trusted to stop every attack, as the most effective strategy against malicious actors.

Properly configured controls at the data, platform, network, and device hardware layers make it much harder for an attacker to gain and keep a foothold in an environment, especially when complemented by user awareness training. Let's dig into some of the technologies unique to Surface that help make these devices some of the most secure on the market.

Unified Extensible Firmware Interface (UEFI)

UEFI is the industry-standard specification for the firmware that initializes a computer's hardware and hands control to the operating system loader. It has replaced the legacy BIOS as a more secure, open standard, most notably by adding Secure Boot, which verifies the digital signature of each boot component before it is allowed to run. Many PC manufacturers license their UEFI implementation from an independent BIOS vendor; Microsoft instead builds and maintains Surface UEFI in-house (on its open-source Project Mu code base) and distributes firmware updates through the Windows Update service, so a fix for a firmware vulnerability reaches devices through the same pipeline as operating-system patches, which matters as firmware-based attacks continue to become more prevalent. When one third-party UEFI code base is shared across many OEMs, a single vulnerability in it can affect every device built on it, and relying on outsourced code also raises supply-chain questions about the integrity and provenance of what is running before the operating system even loads.

Trusted Platform Module (TPM) 2.0

The Trusted Platform Module, or TPM for short, is a security processor, either a discrete chip on the motherboard or firmware running in a protected region of the CPU, that generates and protects cryptographic keys and records measurements of the boot process. Private keys created in the TPM cannot be exported in the clear, and the TPM can be told to use or release a key only when its platform configuration registers (PCRs), which hold hashes of the firmware and boot components, match the values recorded when the key was protected. Windows relies on this for the Windows Hello for Business key pair, for BitLocker key protectors (the volume key is sealed to the TPM so it is released only when the measured boot chain is unchanged), and for Azure Active Directory device credentials. TPMs are so critical to device security that Windows 11 requires a TPM 2.0 to install. TPM 2.0 is, and has been, the standard in all Surface for Business models for several years.

Removable Solid-State Drives (SSD) 

When devices reach the end of their lifecycle, an organization might choose to recycle or properly dispose of the hardware. An important step in offboarding a device is a verified wipe or physical removal of its drive, so that an attacker cannot pull the drive and recover sensitive data from it. Many Surface for Business models now include a removable SSD that IT can take out of the device entirely, ensuring the data never leaves the building. This step can also be performed before sending a device out for warranty repair. Drive removal complements rather than replaces BitLocker: with the volume encrypted and its key sealed to the device's TPM, a removed, lost, or stolen drive is unreadable on any other machine.

Device Firmware Configuration Interface (DFCI)

Device Firmware Configuration Interface, or DFCI for short, allows remote management of UEFI settings on a Surface device from Microsoft Intune. Organizations can disable hardware components of a Surface device such as USB ports, cameras, wireless radios, microphones, and speakers simply by creating a configuration profile and targeting the devices in Intune. A significant security advantage over competing devices is the ability, all from Intune, to lock the UEFI against local user changes and to prevent booting from anything other than the internal drive. Because these settings are enforced by the firmware itself rather than by the operating system, a local user cannot boot a live operating system from USB or wipe the device and reload a different operating system; the restrictions persist even if the disk is re-imaged. Note that DFCI requires devices to be registered in Windows Autopilot through a Microsoft Cloud Solution Provider (CSP) partner or the OEM; devices you register yourself cannot be DFCI-managed.

Surface Enterprise Management Mode (SEMM)

What if you aren't using Intune but still want the ability to securely lock down the UEFI? Surface Enterprise Management Mode, or SEMM for short, provides the tooling (the Surface UEFI Configurator) to lock and configure firmware and UEFI settings locally on a device. SEMM packages are signed with a certificate your organization controls: the device is enrolled with a signed package, and any later change or unenrollment requires a package signed by the same certificate, so the device can be unlocked in the future only by whoever holds that private key. Guard that key as you would any root of trust, because losing it means losing the ability to change or remove the locked settings. For air-gapped devices that cannot be managed by Intune, this is a great solution for securing the physical endpoint against attackers with hands-on access.

Secured-core PCs 

For general-purpose computing, pairing a security baseline configuration with Secure Boot, BitLocker device encryption, Microsoft Defender, Windows Hello, and a TPM 2.0 is generally the most advisable guidance for securing a Windows endpoint. For scenarios where workers handle mission-critical data or highly sensitive information, Secured-core PCs take security to the next level. In addition to the controls above, Secured-core PCs use processor-level capabilities to defend against sophisticated firmware and kernel attacks: virtualization-based security (VBS) with hypervisor-protected code integrity (HVCI) to keep unsigned code out of the kernel, a dynamic root of trust for measurement (System Guard) that re-measures the platform after firmware has run so that a compromised firmware cannot hide from attestation, and kernel DMA protection against malicious peripherals. Many of the newer Surface for Business models, such as Surface Go 4, Surface Pro 9, and Surface Laptop 5, are already Secured-core PCs and offer that protection from day one.
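The baseline above is only useful if it is actually in force on each device. The following PowerShell script, an added example that is not part of the original article or any Microsoft tooling, audits the controls named in this section on the local Windows 11 machine: TPM presence and version, Secure Boot, BitLocker with a TPM-bound protector on the OS volume, and the VBS/HVCI/Credential Guard services that underpin Secured-core protection. It uses only cmdlets and WMI classes that ship with Windows (Get-Tpm, Confirm-SecureBootUEFI, Get-BitLockerVolume, Win32_Tpm, Win32_DeviceGuard, Win32_BIOS) and must run from an elevated session; the 180-character layout and PASS/FAIL wording are the example's own choices.

```powershell
# Added example (not from the article): audit the baseline controls on the local device.
# Run from an elevated PowerShell session on Windows 10/11.

function Get-EndpointSecurityPosture {
    [CmdletBinding()]
    param()

    $checks = [ordered]@{}

    # TPM: present, initialised, and spec version 2.0 (the Windows 11 install requirement).
    $tpm    = Get-Tpm
    $tpmWmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm
    $checks['TpmPresentAndReady'] = [bool]($tpm.TpmPresent -and $tpm.TpmReady)
    $checks['Tpm20']              = ($tpmWmi.SpecVersion -like '2.0*')

    # Secure Boot: Confirm-SecureBootUEFI throws on legacy-BIOS systems, which is also a fail.
    try   { $checks['SecureBoot'] = [bool](Confirm-SecureBootUEFI) }
    catch { $checks['SecureBoot'] = $false }

    # BitLocker on the OS volume with protection actually On (an encrypted volume with
    # protection suspended exposes the key) and a TPM-based key protector, so the volume
    # key is sealed to the measured boot chain rather than to a password alone.
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $checks['BitLockerOn']           = ($os.ProtectionStatus -eq 'On')
    $checks['BitLockerTpmProtector'] = [bool]($os.KeyProtector |
        Where-Object { $_.KeyProtectorType -like 'Tpm*' })

    # Virtualization-based security and the services running on top of it.
    # VirtualizationBasedSecurityStatus 2 = running; SecurityServicesRunning 1 = Credential Guard, 2 = HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $checks['VbsRunning']             = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    $checks['HvciRunning']            = ($dg.SecurityServicesRunning -contains 2)
    $checks['CredentialGuardRunning'] = ($dg.SecurityServicesRunning -contains 1)

    # Firmware identity, for comparison against the latest published Surface firmware.
    $bios = Get-CimInstance -ClassName Win32_BIOS
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem

    [pscustomobject]@{
        Model           = $cs.Model
        FirmwareVendor  = $bios.Manufacturer
        FirmwareVersion = $bios.SMBIOSBIOSVersion
        Checks          = $checks
        AllPass         = -not ($checks.Values -contains $false)
    }
}

$result = Get-EndpointSecurityPosture
$result.Checks.GetEnumerator() | ForEach-Object {
    '{0,-26} {1}' -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' })
}
"Firmware: $($result.FirmwareVendor) $($result.FirmwareVersion) on $($result.Model)"
"Baseline met: $($result.AllPass)"
```

Credential Guard is reported separately because it is not part of the baseline on every device type; treat it as informational unless your baseline requires it. The same checks can be packaged as an Intune compliance script so that devices falling out of the baseline lose Conditional Access rather than merely appearing in a report.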

Windows Hello for Business – Facial Recognition 

While Windows Hello for Business is not unique to Microsoft Surface, Surface is one of the few hardware lines on which almost every model ships with a built-in camera that supports Windows Hello for Business facial recognition. Windows Hello for Business lets an organization move the Windows sign-in process to passwordless authentication. Rather than sending a password to a server, the device proves possession of a private key that is created in and never leaves the TPM; the biometric (face, fingerprint, or another factor such as a PIN) only unlocks local use of that key, and the biometric template itself never leaves the device. Whether using facial recognition, a fingerprint, or another means, Windows Hello for Business offers more secure authentication into Windows while greatly improving the end user's sign-in experience. Surface users simply look at their device to sign in and begin their day.

Windows Update for Business – Device Firmware Updates 

Firmware attacks are becoming an increasingly popular attack method, partly because of the cumbersome, manual process most organizations have for applying firmware updates. Disparate, OEM-specific, manual update tools lead some organizations to update firmware only when a device is brought to IT for servicing. The concern is that not all devices are regularly serviced by IT, so there may be many devices in the field whose firmware is years out of date.

Microsoft Surface devices receive all their firmware and driver updates through the Windows Update for Business service. This cloud-based service delivers updates regardless of a device's network location, on a schedule that meets the organization's compliance requirements and under IT's control, with the same deferral and ring policies used for operating-system updates. This is one of the driving reasons Surface devices are reported to experience 34% fewer security incidents.  
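To find the devices described above that are quietly years behind, it helps to ask each machine when it last received a firmware update. The following PowerShell script is an added example, not from the original article, that reads the local Windows Update history through the Microsoft.Update.Session COM API (which ships with Windows), keeps the successful entries whose title contains "Firmware", and flags the device as overdue when none has been applied within a threshold. Two assumptions are labelled in the code: that Surface firmware packages carry "Firmware" in their Windows Update title, and that 180 days is a sensible staleness threshold for your fleet.

```powershell
# Added example (not from the article): report firmware updates applied via Windows Update
# and flag a device whose last successful firmware update is older than a threshold.

function Get-FirmwareUpdateHistory {
    param(
        [int]$MaxEntries     = 500,
        [int]$StaleAfterDays = 180,        # assumption: firmware older than this is overdue
        [string]$TitleFilter = '*Firmware*' # assumption: Surface firmware titles contain "Firmware"
    )

    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $count    = [Math]::Min($searcher.GetTotalHistoryCount(), $MaxEntries)

    $entries = @()
    if ($count -gt 0) {
        # QueryHistory returns IUpdateHistoryEntry objects; ResultCode 2 = Succeeded.
        $entries = @($searcher.QueryHistory(0, $count) |
            Where-Object { $_.ResultCode -eq 2 -and $_.Title -like $TitleFilter } |
            Sort-Object -Property Date -Descending |
            Select-Object -Property Date, Title)
    }

    $latest = $entries | Select-Object -First 1
    $age    = if ($latest) { [int]((Get-Date) - $latest.Date).TotalDays } else { $null }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        FirmwareUpdates    = $entries
        LastFirmwareUpdate = if ($latest) { $latest.Date } else { $null }
        DaysSinceLast      = $age
        Overdue            = (-not $latest) -or ($age -gt $StaleAfterDays)
    }
}

$history = Get-FirmwareUpdateHistory
$history.FirmwareUpdates | Format-Table -AutoSize
if ($history.Overdue) {
    Write-Warning ("{0}: no successful firmware update in the last 180 days (last: {1})" -f
        $history.ComputerName, $history.LastFirmwareUpdate)
}
```

The history only covers updates installed through Windows Update on that OS installation, so a freshly re-imaged device will show no entries until its first firmware update lands; pair this check with the firmware version reported by Win32_BIOS when deciding whether a device is actually current. In an Intune-managed fleet, the same question is better answered centrally from the driver and firmware update reports, but the script is useful for spot checks and for devices outside Intune.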

Surface Management Portal 

For Surface devices managed by Intune, Microsoft provides a one-stop-shop Surface Management Portal, within the Intune administrative console, giving an organization access to everything they need to manage their Surface device fleet. Warranty coverage information for each device, a direct support ticketing solution for repairs/support, and access to Surface-specific tools are a few of the highlights the management portal provides.  

If your organization has a carbon emissions goal, the Surface Management Portal can even estimate and report the total carbon emissions from your Surface devices. 

These Surface-specific capabilities, alongside the many security features of Microsoft Intune and Windows 11 Enterprise, add up to one of the most secure client computing environments on the market. As an authorized Surface Device partner, CDI is here to meet any needs you may have around Surface. Whether you are new to Surface and would like to demo or pilot a few devices, or you're a seasoned Surface shop looking for an integrator that can not only sell you devices but also provide technical consulting and managed services around Surface, CDI is here for you!  

What does CDI provide?

  • Surface Device Sales
  • Surface Device-as-a-Service Offerings
  • Accessory & Warranty Purchases
  • Drop Ship Provisioning (Windows Autopilot) Services
  • Cloud-Managed Surface Device Pilot Deployment
  • Customer Immersion Experience Workshops
  • Demo Surface Devices 


Mike Shellenberger, Sr. Solutions Architect - Microsoft Endpoint

Mike assists CDI customers with strategy and solution implementations related to Microsoft technologies. His experience with productivity solutions such as Microsoft 365, and with device lifecycle management software like Microsoft Configuration Manager and Intune, enables him to help customers overcome the challenges of a hybrid workforce. Mike's main area of expertise is Microsoft endpoint technologies.