
How Secure is your Surface Device?

June 9, 2022

Keeping your computer secure helps you avoid malware and direct hacking attempts designed to steal your personal information. On Surface devices, users are spoilt with cloud-to-chip protection.

Security for business should be your top priority, especially in today’s digitally-driven world where cyber threats and data breaches are incredibly commonplace. Your business can combat these security threats by leveraging the right Microsoft tools and technology, such as its family of Surface devices. Microsoft Surface security features are robust and incredibly valuable to your business – here is a breakdown of a few major ones.

Covered In This Article:

Cloud-To-Chip Protection
Easy Deployment And Remote Connectivity
Integration With Microsoft 365
All-Round Protection With Surface

Cloud-To-Chip Protection


Why does the modern workplace need an integrated endpoint security solution? As organisations pivot to remote and hybrid work, they face increasingly sophisticated targeted attack vectors at the hardware layer of devices.

Achieve peace of mind with built-in, proactive defence. Security protections maintained by Microsoft are built into every layer of a Surface device. Surface works closely with Windows and the M365 security stack to ensure that the device not only meets every standard for a highly secured PC but is also capable of automatically receiving updates from the dynamic world of defensive security.

Surface devices boot only into a trusted OS. This industry-standard feature ensures that every step of the boot process is measured, signed and executed in the intended order. See boot phases below:

Firmware was brought in house starting with Surface Pro 4 and Surface Book. This move enables complete control over what goes into every Surface device. The firmware is also kept current via Windows Update.

Zero-touch Deployment with Security Protocols in place

Reduce IT complexity and eliminate time-consuming re-imaging by shipping and deploying straight to employees. Surface is built for the Windows Autopilot experience.

Defend data with removable SSD

The removable SSD on Surface Pro X and Surface Laptop 4 streamlines data retention with advanced features like pre-boot DMA remapping protection.

Securely wipe all data when you re-deploy

When it’s time to re-deploy, you can remove sensitive data from a compatible Surface device with Microsoft Surface Data Eraser, a tool that boots easily from a USB stick.

Maintain Secure Control

Prevent employee-introduced vulnerabilities. Wherever they’re deployed, manage Surface devices through the cloud with just a few clicks.

Endpoint Protection

Surface is the only manufacturer to have DFCI (Device Firmware Configuration Interface) enabled for modern cloud-based device management through Microsoft Endpoint Manager.

Security Wherever You Are

Easy Deployment And Remote Connectivity


The adoption of mass remote working during the Coronavirus crisis has helped to keep workers safe but it has also introduced further security challenges for businesses. As a result, the extra hardware security enhancements packaged with the Microsoft Surface devices are sure to be welcomed by firms and employees alike.

Keep data secure from a Surface device’s first deployment to its last, no matter how many times and under what circumstances it changes hands.

  • Cloud-First Deployment and Management: Deploy and manage down to the firmware layer through the cloud with Microsoft Endpoint Manager and DFCI. Reduce IT complexity with Windows Autopilot.
  • Windows Virtual Desktop: Meet complex business and security requirements with broad device redirection support, endpoint protection and Microsoft 365 virtualised in Azure.
  • OneDrive for Business: Access and protect your business and school work with this intelligent files app. Share and collaborate from anywhere, on any device.
  • Collaborate with Teams: Work better together. New integrations allow you to create shareable links, grant expiring access, and follow configured policies.

Windows Autopilot and Surface Devices

Windows Autopilot is a cloud-based deployment technology in Windows 10. You can use Windows Autopilot to remotely deploy and configure devices in a zero-touch process right out of the box. 

Traditionally, IT pros spend a lot of time building and customising images that will later be deployed to devices that already come with a perfectly good OS already installed on them. Windows Autopilot introduces a new zero-touch deployment approach using a collection of technologies to set up and configure Windows devices. This enables an IT department to configure/customise images with little to no infrastructure to manage and a process that is easy and simple. From the user’s perspective, it only takes a few simple steps to get Surface to a productive state. In fact, the only interaction required from the end-user is to connect to a network and to verify their credentials. Everything after that is fully automated. 

Windows Autopilot allows you to: 

  • Automatically join devices to Azure Active Directory (Azure AD). 
  • Auto-enroll devices into MDM services, such as Microsoft Intune (requires an Azure AD Premium subscription). 
  • Restrict the Administrator account creation. Autopilot is the only way to have the first person who logs into Windows enter as a standard user. 
  • Create and auto-assign devices to configuration groups based on device profiles. 
  • Customise OOBE (Out of Box Experience) content and branding to meet organisational requirements. 
  • Enable full device configuration with Intune. 
  • Reset or restart devices remotely. 

Integration With Microsoft 365


The backbone of any business, Microsoft 365 provides solutions to empower users to work together more securely to improve mission outcomes. Fully integrated with the Windows ecosystem, Surface devices have access to everything Microsoft 365 has to offer. With tools like Microsoft Teams, you can transform how you collaborate and coordinate efforts within and across departments. 

The hub for teamwork in Microsoft 365, Teams helps users to: 

  • Connect employees with stakeholders across departments in a shared workplace.
  • Centralise communication and coordination to provide visibility, accountability, and keep initiatives moving forward. 
  • Enable teams to access resources from virtually anywhere, so they can spend time on the tasks at hand.
  • Do all this while helping to protect sensitive information your teams work with daily.

From viewing live transcriptions during Microsoft Teams Meetings and tracking changes in Microsoft Excel documents to discovering and securing unmanaged devices, Microsoft 365 is designed to enable the flexibility that hybrid work requires when using a hybrid device. Other highlights include the ability to transform Microsoft Word documents into beautiful PowerPoint presentations using AI, and expanded polling capabilities in Teams. 

All-Round Protection With Surface


Surface with Microsoft 365 provides unique protection at the front line. To illustrate how devices may be vulnerable and how this level of protection can support organisations and frontline workers, here are a few commonplace examples:

Stolen Device

  • Data on the hard drive is encrypted. Surface devices ship with BitLocker drive encryption enabled by default, so the data on the hard drive cannot be accessed without credentials or the encryption key. Even if the hard drive is removed from the device and inserted into a new device, it cannot be decrypted.
  • USB booting is prevented because the organisation used Microsoft Endpoint Manager to proactively turn off the ability to boot from USB through the firmware-level control that the Surface device offers.
  • There is zero access to data even if the SSD is removed. If a Surface’s removable SSD is tampered with, the device will shut off power, erasing any residual data in its memory. Since the device is cloud-managed, the organisation can remote wipe all the machine’s contents.
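The stolen-device scenario above depends on several controls actually being in force on the device. The following script is an added example (not from the page or from Microsoft) that checks them locally from an elevated Windows PowerShell session using standard Windows cmdlets; the USB-boot restriction is pushed through DFCI from Microsoft Endpoint Manager and is not readable with these cmdlets, so it is verified from the DFCI profile assignment instead.

```powershell
# Added example: verify the controls the "Stolen Device" scenario relies on.
# Run in an elevated Windows PowerShell session on the Surface device.
# Get-BitLockerVolume, Confirm-SecureBootUEFI, Get-Tpm and Get-MpComputerStatus
# are standard Windows cmdlets; nothing here reads DFCI settings.

$checks = [System.Collections.Generic.List[object]]::new()

function Add-Check {
    param([string]$Name, [bool]$Pass, [string]$Detail)
    $checks.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

# 1. BitLocker: the OS volume must be fully encrypted AND protection must be On.
#    An encrypted volume with protection suspended is readable without the key.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
$bitlockerOk = ($os.VolumeStatus -eq 'FullyEncrypted') -and ($os.ProtectionStatus -eq 'On')
Add-Check 'BitLocker on OS volume' $bitlockerOk `
    ("{0}, protection {1}, method {2}" -f $os.VolumeStatus, $os.ProtectionStatus, $os.EncryptionMethod)

# 2. Secure Boot: prerequisite for the measured, signed boot chain described above.
try   { $sb = [bool](Confirm-SecureBootUEFI) }   # throws on legacy BIOS / non-UEFI
catch { $sb = $false }
Add-Check 'Secure Boot enabled' $sb "Confirm-SecureBootUEFI returned $sb"

# 3. TPM: BitLocker's default key protector is sealed to the TPM, which is why a
#    drive moved to another device cannot be decrypted.
$tpm = Get-Tpm
Add-Check 'TPM present and ready' ($tpm.TpmPresent -and $tpm.TpmReady) `
    ("Present={0} Ready={1}" -f $tpm.TpmPresent, $tpm.TpmReady)

# 4. Defender real-time protection (the automatic detection path for unusual
#    behaviour), with signatures no older than a week.
$mp = Get-MpComputerStatus
$sigAge = (New-TimeSpan -Start $mp.AntivirusSignatureLastUpdated -End (Get-Date)).Days
Add-Check 'Defender real-time protection' ($mp.RealTimeProtectionEnabled -and $sigAge -le 7) `
    ("RTP={0}, signatures {1} day(s) old" -f $mp.RealTimeProtectionEnabled, $sigAge)

$checks | Format-Table -AutoSize
# Non-zero exit so the script can be used as an Intune compliance/detection script.
if ($checks | Where-Object { -not $_.Pass }) { exit 1 }
```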

Malicious Intent

  • A Zero Trust approach means that even if a device is authenticated, the current user profile can only access data and content it has permissions for. The organisation (in this example, a retail establishment) assumes that a breach is always possible and maintains strict controls over data access. Conditional access capabilities in Microsoft 365 prevent data leakage from both internal and external actors.
  • Any unusual behaviour on the device is automatically detected and remediated with Microsoft Defender for Endpoint, which analyses signals from the device to recognise abnormal behaviour, such as an uncommon executable running on the device. As part of the remediation path, the device is automatically quarantined from the network until the situation is resolved.

Unsecure Network Connection

  • Instead of worrying about encrypting data that could be shared on a public network, the organisation takes a proactive approach to having a guaranteed secure connection, especially for employees in the field, by equipping frontline workers with LTE-enabled devices. The entire Surface 2-in-1 portfolio (Surface Pro 7+ and Surface Pro X) has LTE available.
  • Any websites, cloud resources, or internal networks not explicitly defined as “trusted” are contained with Microsoft Defender Application Guard. These untrusted sites or files are opened in a virtualised container – essentially a separate PC within the existing PC – to isolate those potentially harmful sites or files from the rest of the device.

Microsoft Surface security features include a built-in firewall, an anti-malware solution, and automatic updates. This means your business will have access to the newest Teams and Office 365 security features on their Surface devices – as soon as they are rolled out.

These Microsoft Surface security features can help to safeguard your business against cybersecurity threats and breaches, particularly when paired with other Microsoft software such as Teams and Office 365.

There’s no need to sacrifice speed or productivity for security – your business can still experience enhanced productivity, collaboration, and communication while still being secure. To learn more about Microsoft device security, or how your business can transform into a modern digital workplace built on an ecosystem of Microsoft Teams and the Microsoft 365 platform, contact Tarsus Distribution today.
