Enhancing security and compliance with Microsoft Surface and Microsoft 365
Published Apr 26 2021 04:24 PM

As frontline workers increasingly interact with workplace applications using mobile devices, tablets, or other mobile form factors, organizations face higher risks of these devices being lost, stolen, or temporarily misplaced. Earlier this year, Microsoft announced new licensing options for organizations with frontline workers to address these potential risks and other security threats, while also helping improve compliance capabilities.


With these offers, organizations using Microsoft Surface devices can better protect their devices and data against attacks or accidents. With security capabilities built into the firmware, operating system, and Microsoft 365, Microsoft has taken a comprehensive chip-to-cloud approach to help organizations deliver more protection for employees using Surface devices with Microsoft 365.


Surface with Microsoft 365 provides unique protection at the front line. To provide a few illustrations of how devices may be vulnerable and how this new level of protection can support organizations and frontline workers, here are a few commonplace examples:


  • Scenario 1: The device is stolen while it is momentarily unattended
  • Scenario 2: A malicious actor gains access to a device for a short time
  • Scenario 3: An employee accidentally visits a malicious website or unknowingly joins an unsecure Wi-Fi signal



Scenario 1: The device is stolen while it is momentarily unattended

A building inspector is on a job site and sets her Surface Pro 7+ down for a second while she checks a plumbing connection. Someone steals the device, hoping to find sensitive information or perhaps intending to sell the device to a highly capable hacker. The following protections built into Surface and in the cloud with Microsoft 365 help prevent a stolen device from compromising sensitive data:


  • Data on the hard drive is encrypted. Surface devices ship with BitLocker drive encryption enabled by default, so the data on the hard drive cannot be accessed without credentials or the encryption key. Even if the hard drive is removed from the device and inserted into a new device, it cannot be decrypted.
  • USB booting is prevented because the organization used Microsoft Endpoint Manager to proactively turn off the ability to boot from USB through the firmware-level control that the Surface device offers.
  • There is zero access to data even if the SSD is removed. If a Surface’s removable SSD is tampered with, the device will shut off power, erasing any residual data in its memory. Since the device is cloud-managed, the organization can remote wipe all the machine’s contents.

Scenario 2: A malicious actor gains access to a device for a short time

A retail employee is helping a customer in the store when they both hear a loud crash. Another customer has knocked over a display accidentally. The employee puts down their Surface Pro X and rushes over to help. Seeing the device was not locked, someone takes the device. Later, they try to access data stored on the device. With Microsoft’s cloud security, the retail establishment’s data is protected.


  • A Zero Trust approach means that even if a device is authenticated, the current user profile can only access data and content they have permissions for. The retail establishment assumes that a breach is always possible and maintains strict controls over data access. Conditional access capabilities in Microsoft 365 prevent data leakage from both internal and external actors.
  • Any unusual behavior on the device is automatically detected and remediated with Microsoft Defender for Endpoint, which analyzes signals from the device to recognize any abnormal behavior, like an uncommon executable running on the device. As part of the remediation path, the device is automatically quarantined from the network until the situation is resolved.

Scenario 3: An employee accidentally visits a malicious website or unknowingly joins an unsecure Wi-Fi signal

An employee joins a public Wi-Fi network, which creates the potential for a malicious actor to collect sensitive information. Or maybe the employee accidentally clicks a link that installs malicious code on a device. Surface with Microsoft 365 can keep data secure in a few ways:


  • Instead of worrying about encrypting data that could be shared on a public network, the organization takes a proactive approach to having a guaranteed secure connection, especially for employees in the field, by equipping frontline workers with LTE-enabled devices. The entire Surface 2-in-1 portfolio (Surface Go 2, Surface Pro 7+, Surface Pro X) has LTE available.
  • Any websites, cloud resources, or internal networks not explicitly defined as “trusted” are contained with Microsoft Defender Application Guard. These untrusted sites or files are opened in a virtualized container – essentially a separate PC within the existing PC – to isolate those potentially harmful sites or files from the rest of the device.
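One device-side check an administrator could run against the protections named in Scenarios 1 to 3 (an added example, not code from the original post or from Microsoft): it reports BitLocker, TPM and Secure Boot state for the stolen-device case, the Defender for Endpoint sensor service for Scenario 2, and the Application Guard feature for Scenario 3. It assumes an elevated PowerShell session on Windows 10 with the built-in BitLocker, TrustedPlatformModule, SecureBoot and DISM modules; the function names are my own.

```powershell
# Added example, not code from the original post. Read-only posture check for the
# device-side protections described in Scenarios 1 to 3. Cloud-side controls
# (USB-boot lockdown pushed through the Endpoint Manager DFCI profile, remote wipe,
# conditional access) are not visible from the device and must be verified in the
# Endpoint Manager / Azure AD compliance reports instead.

function Get-FrontlineDevicePosture {
    $os  = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $tpm = Get-Tpm
    $secureBoot = $false
    try { $secureBoot = Confirm-SecureBootUEFI } catch { }   # throws on legacy BIOS boot

    $protectorTypes = @($os.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    $appGuard = Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard
    $sense    = Get-Service -Name Sense -ErrorAction SilentlyContinue   # Defender for Endpoint sensor

    [pscustomobject]@{
        # Scenario 1: stolen device, data at rest must stay unreadable
        OsVolumeFullyEncrypted = ($os.VolumeStatus -eq 'FullyEncrypted' -and $os.ProtectionStatus -eq 'On')
        TpmProtectorPresent    = ($protectorTypes -contains 'Tpm')
        RecoveryPasswordExists = ($protectorTypes -contains 'RecoveryPassword')
        TpmReady               = [bool]($tpm.TpmPresent -and $tpm.TpmReady)
        SecureBootEnabled      = [bool]$secureBoot
        # Scenario 2: unlocked device picked up, endpoint sensor must be reporting
        DefenderForEndpointRunning = ($null -ne $sense -and $sense.Status -eq 'Running')
        # Scenario 3: untrusted sites isolated in the Application Guard container
        ApplicationGuardEnabled    = ($appGuard.State -eq 'Enabled')
    }
}

function Test-FrontlineDevicePosture {
    $posture = Get-FrontlineDevicePosture
    $failed  = @($posture.PSObject.Properties | Where-Object { -not $_.Value } | ForEach-Object Name)
    $posture | Format-List
    if ($failed.Count -gt 0) { Write-Warning ("Controls not in place: " + ($failed -join ', ')) }
    return ($failed.Count -eq 0)
}

Test-FrontlineDevicePosture
```

The script only reads state and never changes a setting; a False result is a prompt to check the corresponding Endpoint Manager policy rather than to fix it by hand on the device.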

In addition to the ways that Surface with Microsoft 365 can help keep frontline devices secure, with cloud management and Windows Autopilot, Surface devices can also be shipped directly to a worker’s location without IT ever touching the device, saving time and effort. As frontline workers increasingly use devices in public spaces, the need to protect sensitive information at the front line has never been more important.


To learn more about Surface for Business visit Surface.com/Business or connect with your local commercial reseller.
