Research Hub > How Microsoft Surface Devices Keep You Secure and Productive

September 20, 2023

Article
6 min

How Microsoft Surface Devices Keep You Secure and Productive

Microsoft Surface devices can help minimize the risk of threats against firmware, operating systems and cloud applications.

CDW Expert CDW Expert
What's Inside

Computing devices, such as Microsoft Surface, provide more flexible hardware solutions and cloud technologies that lend themselves to modern work environments and allow employees to remain productive, communicative and secure in any location.

Traditional desktops, laptops and tablets issued by many organizations to end users often rely on overlapping and complementary security solutions to protect the equipment against security breaches and potential regulatory consequences. However, it creates an environment of technology sprawl, stretching IT resources thin and hampering efforts to consolidate end users on the same platforms and software.

Microsoft Surface devices minimize threat risks against firmware, operating systems and cloud applications through built-in, zero-trust security features and offer IT decision-makers the assurance they are investing in resources, strategies and technologies designed to prevent future attacks.

How Microsoft provides zero trust at every layer

Microsoft Surface devices provide basic security hygiene measures at every layer maintained by Microsoft, from the firmware to the operating system to the cloud. The combination of Surface devices, Windows 11 and Microsoft 365 provide organizational resilience with a zero-trust approach to security and risk management.

Windows 11 and Surface devices can reduce approximately 60 percent of malware through the combined use of Windows Hello, device encryption, virtualization-based security (VBS), hypervisor-enforced code integrity (HVCI) and secure boot functions.

Surface devices feature Unified Extensible Firmware Interface (UEFI) that replaces the standard basic input/output system (BIOS) with new features that include faster startup and improved security. Threats to Surface devices are proactively blocked by eliminating external access points to firmware through the application of UEFI.

Microsoft UEFI and Device Firmware Configuration Interface (DFCI) provide granular control and management of firmware through the Microsoft Intune administration centre. While most original equipment manufacturers purchase UEFI from third parties or outsource the firmware code writing, Microsoft builds and maintains its own UEFI coding.

DFCI enables IT administrators to remotely disable specific hardware components and prevent end users from accessing them. For example, if it’s necessary to protect sensitive information in highly secure areas, you can disable the camera, and if you don't want users booting from USB drives, you can activate a lockdown boot option that prevents users from changing UEFI settings or booting into another operating system. Security upgrades that run in the background provide ongoing, up-to-date protection against the latest threats.

According to IDC, companies that use Surface devices can experience up to 34 percent fewer security incidents, and reduce time spent on security incident response. Forrester research reveals Surface device users also experience up to 20 percent fewer security breaches.

Hard-wired data protection through TPM 2.0

Microsoft’s security approach begins with hardware. Surface protects data through encryption as the device boots.  

All certified Windows 11 systems include the Trust Platform Mobile (TPM) 2.0 chip that is either integrated into a PC motherboard or added separately into the CPU. Its purpose is to help protect encryption keys, user credentials and other sensitive data behind a hardware barrier so that malware and attackers can’t access or tamper with that data.

Providing “chip-to-cloud” security, TPM 2.0 is a critical building block for Windows Hello and BitLocker to help customers protect their identities and data. TPM 2.0 acts as a secure vault for storing passwords, PINs and certificates, protecting hardware from tampering and restricting access only to authorized individuals. At every stage of the boot cycle, firmware code is inspected for authenticity to ensure the system doesn't execute any malicious code.​

Thwarting malware with Windows 11

Surface devices with Windows 11 support hardware security features enabled right out of the box. These features build a stronger foundation that’s more resilient to attacks. VBS and HVCI, also known as memory integrity, work in tandem to provide better protection against common and sophisticated malware. VBS performs sensitive security operations in an isolated environment by checking code executions and preventing malware from making its way to the system memory.

If a threat gains access to system resources, HVCI can limit and contain the malware's effects. Surface devices are shipped with Windows 11 from the factory with security features enabled. That helps security and business leaders normalize security-centric behaviours within their organization, satisfying the need for accountability across teams.​

Even before signing in with a variety of biometric options to avoid passwords and PINs, a security feature called Secure Boot helps ensure firmware is as genuine as it was when it left the factory. Together, Secure Boot and Trusted Boot – a feature that prevents corrupted components from loading during the boot-up process in Windows 11 – ensures malware and corrupted components don’t load during startup.​

5 benefits of Microsoft Surface for business

The Forrester report – Maximizing Your ROI from Microsoft 365 Enterprise with Microsoft Surface – highlights the benefits of Surface through interviews conducted with six customers and a survey of hundreds more across seven countries, all with experience using Microsoft 365. Interviews and survey data reveal important benefits gained by customers who invested in Microsoft 365-powered Surface devices, including:

  • Enhanced employee productivity. By standardizing hardware, software and cloud solutions, many organizations boosted productivity across pools of users provisioned with Microsoft 365-powered Surface devices.
  • Improved workforce collaboration and teamwork. A total of 86 percent of survey respondents said Microsoft 365-powered Surface devices helped employees be more collaborative.
  • Increased security with reduced costs. Improvements in enterprise security reduced both the number of security breaches and their breach remediation costs, without impacting workforce productivity or employee experiences.
  • More efficient device-related IT operations. Organizations saved money by reducing or eliminating redundant third-party technologies, infrastructure and IT support.
  • Better employee experiences. This was achieved by a lesser need for IT involvement throughout device deployment to end of life.

Why CDW and Microsoft

CDW is the #1 World Wide Surface Authorized Device Reseller with dedicated teams that support Microsoft customers. Our offerings and specializations for supporting Windows & Surface devices include:

  • A robust Microsoft security practice

  • In-house management of Surface Autopilot requests without the need for third parties, giving Microsoft customers the confidence and assurance that their environments are secure and errors are minimized

  • CDW is one of only three solutions providers in North America to have achieved Microsoft Gold certification, recognizing our expertise and close partnership with Microsoft in delivering cutting-edge modern workplace, hardware and cloud solutions