Microsoft Surface security: Keeping you protected
Industry analysts consistently name Microsoft as a leader in security, compliance, identity protection and endpoint management. At Surface, we take our role in endpoint security seriously and include a number of key features to protect you, your data and your enterprise.
Safety from start-up
As soon as you press the power button, custom firmware springs into action to ensure everything inside is safe and authenticated. This process ensures your computer starts up safely. It also checks essential parts like cameras, microphones and other connectors to make sure they’re working securely.
Why does it matter that we write this firmware and software ourselves? Let’s look at some examples that benefit our customers:
- Protecting against vendor vulnerabilities: Picture a scenario where a chip vendor identifies a flaw in its security protocols, and you’re concerned about the device’s security. At the OS level, Windows 11 dramatically reduces the attack surface by enabling advanced security tools and technologies by default, helping protect against phishing, malware, ransomware and other contemporary cyber threats. On Surface devices, customized firmware proactively limits the processor’s interaction with the system, confining it to essential functionalities and performance features. Adding security to every layer we implement — from chip to cloud — protects Surface devices with higher levels of resiliency against outside threats.
- Streamlining security improvements: Imagine there is a critical need for a security improvement that requires coordination across multiple firmware and driver updates. At Surface, the unified stack and the seamless integration with Windows Update mean we can create and deliver updates faster. We recently announced that we’re providing six years of firmware and driver support for all Surface devices released from 2021 onward. This ensures the longevity and adaptability of your Surface devices, safeguarding your investments over time.
- Enabling seamless and secure sign-in: Windows Hello enables passwordless sign-in using biometric or PIN verification, and because biometric credentials are tough to replicate and impossible to guess, they’re much more secure than passwords. The interplay between Surface hardware and Windows 11 offers enhanced protection to your biometric credentials while enabling a seamless Windows Hello Facial login experience. These enhanced protections use specialized hardware and software components to isolate and protect biometric credentials, offering protection against advanced threats to keep you secure and productive.
- Managing hardware access: Envision a situation where, as the CEO of an organization handling sensitive data, regulatory constraints mandate a highly secure workspace without cameras, microphones, Bluetooth, or the ability to boot from USB. Using Microsoft Intune or Surface tools, an IT admin can effectively control and deactivate these components at the firmware level. Once set, end users cannot change it, even if they attempt to access the firmware directly. However, if circumstances change — say a shift to remote work necessitates using cameras for team communication — an IT admin can remotely adjust these settings, bringing necessary components back online. This capability offers a seamless solution, ensuring device compliance and security while avoiding manual fixes such as applying tape or swapping out equipment.
The Secured core PC advantage
The breadth of choices, the proactive reduction of security risks and the ability to deliver timely, extended updates reflect our seamless use of Microsoft technologies. For the first time, we built all our PC devices as Secured core PCs, which means they integrate hardware, firmware and software defenses to protect against sophisticated cyber threats from the ground up. Additionally, our devices are manufactured in state-of-the-art, secure facilities, with every piece of code and component undergoing rigorous scrutiny. This ensures that when you power on your Surface device for the first time, it’s as secure as the moment it left our factory.
Secure by default
Surface Engineering integrates defense in depth across multiple layers, including hardware, firmware, software applications and identity, to provide a complete security solution for our customers. When we say there’s value in a built-in versus bolt-on approach, we mean that our teams think all day, every day, about how malicious actors could threaten your business and what we need to build into Windows and Surface to help keep you protected.
The future: RUST integration and beyond
An excellent example is how we’re rewriting the firmware and software responsible for your device security in RUST, a memory-safe programming language focusing on performance, safety and the ability to run multiple tasks simultaneously. RUST has been shown to reduce vulnerabilities by up to 70% — a game changer when writing safe systems software. We’re already seeing RUST starting to be integrated into Azure and the Windows kernel via Windows Insider preview builds. Surface is pioneering the RUST transition journey by building open-source platforms enabling RUST-based firmware and driver development by the broader ecosystem. We’re developing thoughtful solutions for security in an ever more AI-enabled world. And we’re creating pathways to share these innovations with the entire ecosystem of Windows PCs.
If you want to learn more about how Surface is leading PC security, making code available for audit and implementation, keep an eye out for upcoming deep dives into security and engineering on this blog at https://aka.ms/SurfaceITProBlog.