Monday, October 11, 2021

Microsoft Surface Devices - Chip to Cloud Secure - Part 1

Devices Built Secure for Hybrid Work


The last couple of years have produced the fastest digital transformation the world has ever seen.  In light of the pandemic, organizations around the world have had to adapt to the environment and quickly adopt new technologies.  With workers being forced to work from home, many employees were forced to work from their personal laptops.  Due to the chip shortages, many employees who were able to take their work devices with them have been relegated to using outdated devices.  Overnight, IT and Security teams lost their ability to protect their company's endpoints.  The Manufacturing industry, known for its heavy reliance on frontline workers, was hit particularly hard.  Many of these individuals were not given devices for work.


In light of these circumstances, Manufacturing companies have been tasked with providing secure devices to their users.  Microsoft Surface devices are able to meet this demand.


Microsoft’s mission is simple, yet remarkable:  To empower every person and every organization on the planet to achieve more.

People and organizations can only experience this form of empowerment when their data and systems are secure.  Therefore, our CEO, Satya Nadella, is steadfast in Microsoft’s commitment to security, as he has often stated that “security is our top priority, and we are committed to working with others across the industry to protect our customers.”


This responsibility falls on IT departments, who must embrace a holistic strategy for modern security which can adapt to the complexity of today’s business environment.


Microsoft has taken several steps to assist IT organizations in this endeavor.  Our Microsoft security research teams have analyzed cyber-attacks across thousands of organizations and have worked closely with other industry experts in order to develop the Microsoft Zero Trust framework.  To learn more about Microsoft’s proactive approach to security, click here.


Every feature of our Microsoft Surface devices has been designed in alignment with Microsoft’s Zero Trust architectural principles.  The Microsoft Surface devices are Chip-to-Cloud Secure.  We have specifically built in advanced security at every layer: the hardware, the firmware, the operating system, and the cloud.


Part one of this two-part series takes a deep dive into the hardware and firmware security features built into our Microsoft Surface devices.


Cutting Edge Hardware Security:


  • Surface devices are shipped with Trusted Platform Module (TPM) 2.0 Technology
    • TPM plays an important role in enhancing security by combining hardware and software features.  TPM allows devices to securely generate cryptographic keys and to control their use.  By providing these capabilities, TPM enables devices to remotely prove that only authorized, expected, and secure code was used to boot the device.  While this is a groundbreaking accomplishment, TPM is also often used to combat phishing attacks.  To learn more about TPM, click here.
  • Surface devices have the hardware requirements to support BitLocker Drive Encryption
    • BitLocker can be used to encrypt all the user files and system files on an operating system.  This can protect against unauthorized access to the data on a stolen or lost computer.  To learn more about BitLocker Drive Encryption, click here.
  • Surface devices support Windows Hello for Business
    • The purpose of this feature is to provide users a secure, convenient alternative to passwords when logging into their devices.  With Windows Hello, users can say goodbye to remembering their passwords when logging into their devices.  Instead, they can simply sign-in using biometrics or a numeric PIN.
    • Historically, host environments would have to store each user’s password in some form.  This was necessary so the host environment could securely authenticate users.  Even if a host environment took several precautions and hashed, salted, or encrypted the stored passwords, attackers were still often able to prevail and compromise user data.  Windows Hello circumvents this issue altogether by storing the user’s unique biometric identifier or PIN on the hardware TPM chip of their device.  This provides peace of mind to users who understand that their PIN or biometric identifier is only stored locally on their device.  To learn more about Windows Hello for Business, click here.
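
The TPM bullet above says a device can remotely prove which code was used to boot it. The sketch below is an added example, not Microsoft or Surface code: a simplified model of how boot measurements are chained into a TPM 2.0 platform configuration register (PCR) and how a verifier replays the event log against the reported value. The component names and contents are constructed, and the signed quote a real TPM produces over the PCR is omitted.

```python
import hashlib

PCR_SIZE = 32  # size of a SHA-256 PCR; PCRs start as all zeroes


def extend(pcr: bytes, digest: bytes) -> bytes:
    """PCR extend: new value = SHA256(old value || measurement digest)."""
    return hashlib.sha256(pcr + digest).digest()


def measure_boot(components):
    """Device side: hash each boot component in order, extend the PCR,
    and record an event log of (name, digest) pairs."""
    pcr, log = bytes(PCR_SIZE), []
    for name, image in components:
        digest = hashlib.sha256(image).digest()
        pcr = extend(pcr, digest)
        log.append((name, digest))
    return pcr, log


def verify_boot(reported_pcr, log, allowed):
    """Verifier side: replay the log, confirm it reproduces the reported PCR,
    then check every measured digest against the allowlist."""
    pcr = bytes(PCR_SIZE)
    for _, digest in log:
        pcr = extend(pcr, digest)
    if pcr != reported_pcr:
        return False, "event log does not match PCR"
    for name, digest in log:
        if allowed.get(name) != digest:
            return False, f"unexpected measurement: {name}"
    return True, "boot chain matches policy"


# Constructed sample boot chain (names and contents are illustrative only).
GOOD_CHAIN = [("firmware", b"uefi-v1"), ("bootmgr", b"bootmgr-v1"),
              ("kernel", b"kernel-v1")]
ALLOWED = {name: hashlib.sha256(image).digest() for name, image in GOOD_CHAIN}

if __name__ == "__main__":
    pcr, log = measure_boot(GOOD_CHAIN)
    print(verify_boot(pcr, log, ALLOWED))
    # A modified boot manager changes its digest and every PCR value after it.
    tampered = [GOOD_CHAIN[0], ("bootmgr", b"bootmgr-modified"), GOOD_CHAIN[2]]
    pcr, log = measure_boot(tampered)
    print(verify_boot(pcr, log, ALLOWED))
```

Because each extend hashes the previous PCR value, a device cannot present a clean event log alongside a PCR produced by a modified boot chain: the replay fails before the allowlist is even consulted.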


Built-in Firmware Protections:


  • Surface devices are designed to support a Unified Extensible Firmware Interface (UEFI) that is unique to Microsoft Surface and serves as the foundation for Trusted Boot
    • When a user starts a device that supports UEFI, their device is protected from malware from the moment the device is powered on until the PC’s anti-malware software runs.  As the machine boots, Trusted Boot will verify the integrity of every startup component’s digital signature.  If a component was altered by malware, Trusted Boot detects the corruption and will not load the modified software component in the startup process.  To learn more about Surface’s unique UEFI capabilities, click here.
  • Surface Devices allow IT to directly secure and manage firmware settings
    • The most secure method of disabling hardware components is to disable them at the firmware level.  Surface Enterprise Management Mode (SEMM) allows an IT team to specify and deploy firmware settings at scale, seamlessly across all their devices in an organization.
      • For organizations who are strictly on-premises:
        • SEMM allows your IT administrator to enable or disable certain hardware components on a device (camera, USB ports, Bluetooth, etc.). To learn more about SEMM for on-premises, click here.
      • For organizations who wish to leverage the cloud:
        • Device Firmware Configuration Interface (DFCI) profiles can be configured with security controls related to the device boot process and built-in peripherals (camera, USB ports, Bluetooth, etc.). To learn more about SEMM for the cloud, click here.
    • Only Microsoft Surface devices support Device Firmware Configuration Interface (DFCI) profiles in Microsoft Endpoint Manager
      • DFCI profiles provide granular control of several security controls related to boot options and built-in peripherals. While SEMM remains a great option for customers who are not yet ready to adopt Microsoft Endpoint Manager, DFCI profiles streamline and simplify the process for provisioning, updating, and securing devices.
      • DFCI allows for zero touch provisioning of firmware and hardware security. Traditionally, an organization would purchase devices from an OEM Hardware provider for their employees. The laptops would be shipped to the organization’s IT team, who would be responsible for configuring firmware settings and security policies. Once properly configured, the devices would be shipped to the employee. With DFCI profiles, IT administrators are able to control and manage their UEFI settings from within Microsoft Endpoint Manager directly. This removes the need to manage this process from within one's on-premises environment. To learn more about DFCI on Microsoft Surface Devices, click here.


When it comes to endpoint security, Microsoft Surface devices reign supreme.  These devices benefit from one simple fact.  Every line of code in the hardware, the firmware, the operating system, and the cloud is owned and developed by Microsoft.  Our engineers control 100% of the code that will run on Surface devices.  This uniquely positions Microsoft to design an unparalleled, holistic approach to endpoint security.


Stay tuned for part two of this series on the security of Microsoft Surface devices.  The next blog post will deep dive into several security features in the operating system and in the cloud.


