Surface delivers built-in security from chip to cloud
Published May 17 2022 05:59 PM

When the Covid-19 pandemic upended the workplace beyond the traditional corporate network, many employees had to rely on older personal laptops with outdated technology. With phishing attacks reaching new heights,1 many IT departments could not install endpoint protection quickly enough.


As a Microsoft Cloud Endpoint Technical Specialist, I was fortunate to be able to help many customers strengthen their overall security posture. No matter their size or complexity, I like to start out with a high-level approach:


  • Embrace a Zero Trust security model that prevents access to the corporate network until safety and integrity are proven.
  • Equip employees with modern devices like Surface for Business that enable hybrid productivity without compromising security.

As attacks have increased in scope and sophistication, so have our security measures. Microsoft has a clear vision for how to help and protect our customers now and in the future. Read on to see how Surface is meeting this challenge.




Microsoft security at every level

Every layer of Surface, from chip to cloud, is maintained by Microsoft, giving you ultimate control, proactive protection, and peace of mind wherever and however work gets done.2


  • Proactively block threats with security that's always up to date, down to the boot and firmware level. Microsoft-built UEFI3 enables IT to manage firmware through Microsoft Endpoint Manager4 so you can reduce risk at the firmware level. Our cloud-managed Device Firmware Configuration Interface (DFCI)5 adds another layer of visibility and control to help customers better manage their enterprise, especially when employees are remote and not directly on your network.
  • Quickly and easily encrypt your data, enabling access only by authorized individuals, with a Trusted Platform Module (TPM) 2.0. TPM 2.0 implements a secure and sandboxed environment for storing passwords, PINs and certificates. All Surface for Business devices have a TPM 2.0 chip.
  • Quickly respond to global threats and get automatic updates at scale with Microsoft 365 Defender.6 It natively coordinates detection, prevention, investigation and response across endpoints, identities, email and applications to provide integrated protection against sophisticated attacks.

Supply chain security

Surface products are designed and built with supply chain security in mind. Surface takes an end-to-end approach to supply chain security by incorporating industry-standard security controls and risk management methods when designing, developing, manufacturing, deploying and maintaining Surface products.


  • Security procedures minimize risk during assembly and in packaging. From firmware to the operating system and hardware components, Surface devices are manufactured in facilities that adhere to industry-standard digital and physical security guidelines.
  • Supplier security is continuously evaluated and monitored. We constantly assess and manage security in our critical supplier base by publishing and auditing requirements that mandate security controls and procedures to minimize supply chain risk.
  • Security-focused logistics and distribution deliver Surface devices to Microsoft resellers. We actively track and manage our shipments from the point of origin to the distributor, and we continue to update our supply chain to make it more secure.

Surface enables powerful Windows security by default

The new set of hardware security requirements with Windows 11 is designed to build a foundation that is even stronger and more resilient to attacks.


  • Surface enables Windows 11 security features from the factory. Virtualization-based security (VBS) and Hypervisor Code Integrity (HVCI) help protect against common and sophisticated malware by performing sensitive security operations in an isolated environment.
  • Reduce reliance on passwords with biometric authentication. Logging on is secure, personal and convenient with either Windows Hello or Fingerprint ID7 on select keyboard models.
  • BitLocker encryption protects your business information even on lost or stolen devices. With BitLocker encryption backed by Microsoft, you can focus on your business, knowing that your information is secured.
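As an added example (not from the original post and not Microsoft's own tooling), the following PowerShell script lets an administrator confirm on a Windows 11 device that the controls named above are actually active: a TPM 2.0 that is present and ready, Secure Boot, BitLocker protection on the system drive, and VBS with HVCI running. It uses standard cmdlets and WMI classes; the Add-Check helper and the pass/fail criteria are assumptions made for this example, and the script must run in an elevated session.

```powershell
# Added example: audit the built-in controls named above on a Windows 11 endpoint.
# Run in an elevated PowerShell session. Output is a pass/fail table, not a remediation.
$results = [System.Collections.Generic.List[object]]::new()
function Add-Check($Name, $Pass, $Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Pass = [bool]$Pass; Detail = $Detail })
}

# TPM: present, ready, and reporting the 2.0 specification.
$tpm = Get-Tpm
$tpmSpec = (Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm).SpecVersion
Add-Check 'TPM 2.0 present and ready' ($tpm.TpmPresent -and $tpm.TpmReady -and $tpmSpec -like '2.0*') "SpecVersion=$tpmSpec"

# Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS systems, so treat that as a failure.
try   { $sb = Confirm-SecureBootUEFI } catch { $sb = $false }
Add-Check 'Secure Boot enabled' $sb "Confirm-SecureBootUEFI=$sb"

# BitLocker on the OS volume: protection must be On, not merely encrypted-but-suspended.
$blv = Get-BitLockerVolume -MountPoint $env:SystemDrive
Add-Check 'BitLocker protecting OS drive' ($blv.ProtectionStatus -eq 'On') "Status=$($blv.ProtectionStatus), Method=$($blv.EncryptionMethod)"

# VBS / HVCI: Win32_DeviceGuard reports 2 = VBS running; service id 2 in SecurityServicesRunning = HVCI.
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
$vbsRunning  = $dg.VirtualizationBasedSecurityStatus -eq 2
$hvciRunning = $dg.SecurityServicesRunning -contains 2
Add-Check 'VBS running'  $vbsRunning  "VirtualizationBasedSecurityStatus=$($dg.VirtualizationBasedSecurityStatus)"
Add-Check 'HVCI running' $hvciRunning "SecurityServicesRunning=$($dg.SecurityServicesRunning -join ',')"

$results | Format-Table -AutoSize
# A non-zero exit code lets an Intune detection or remediation script flag the device as non-compliant.
if ($results.Pass -contains $false) { exit 1 }
```

A device that is encrypted but shows BitLocker ProtectionStatus "Off" has its protectors suspended, which is why the check tests protection status rather than VolumeStatus.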

Ultimate control with remote device management

We want to give commercial organizations the freedom to work anywhere while retaining the control they need to stay secure with streamlined device management and protection from Microsoft.


  • Experience seamless device management through Surface Management Portal that enables IT to monitor Surface devices, including their health and status. You can now view all Surface devices in a single location with quick access to warranty, support requests and device health information.
  • Respond to threats quickly by rolling out firmware and software patches via Windows Update. Surface works closely with the Windows and Microsoft 365 teams to ensure that the Surface family of devices not only meets every standard for a highly secured PC but can also automatically receive updates.
  • Ensure highly classified data remains protected from spying, keeping your environment secure. Surface can be managed at the firmware level via DFCI, a feature unique to Surface devices. Turn off capabilities like the camera for devices in highly protected areas (the equivalent of physically removing the camera).
  • Securely deploy and manage devices with Microsoft Intune. Streamline and secure your deployment through Windows Autopilot8 without going through multiple device interception points. Within Endpoint Manager, our Microsoft security team has created security baselines that provide IT admins with templates of recommended policy settings for quick deployment to Windows 10 and Windows 11 devices.

Enable zero trust for the endpoints

One advantage that stands out for me is that Microsoft maintains the entire stack — from the hardware, operating system, security, and management layers. Because security is built-in instead of bolted on, you don't need multiple add-ons. With Windows, it's all built right into the OS. And with Endpoint Manager, you can simply activate these built-in agents on the OS.


Staying ahead of the game

Finally, it's worth saying that data protection is not just the responsibility of IT admins or security specialists. It's essential that in our hybrid environment, every person is aware of threats and doing their best to protect themselves and others, especially from phishing attacks.


When you're ahead of the game, you can't be gamed.




1. See Windows Experience blog

2. Some features and functionality require paid subscription and/or qualifying volume license

3. Surface Go and Surface Go 2 use a third-party UEFI and do not support DFCI

4. Microsoft Endpoint Manager requires paid subscription or qualifying volume license

5. Microsoft Intune and Microsoft Endpoint Manager require qualifying volume license and/or subscriptions

6. Microsoft 365 Defender requires paid subscription or qualifying volume license

7. Finger Print ID and biometric data available on select models

8. Requires Azure Active Directory Premium for automatic MDM enrollment and custom company branding



Version history: last updated Aug 15 2022 01:22 PM