Surface security overview

As cyber threats evolve, strategies to combat them must evolve as well. Microsoft Surface adopts a proactive, "Zero Trust" approach to addressing emerging threats by embedding advanced security features at every level by default—from hardware to cloud services, from product conception to decommission—ensuring Surface devices remain highly secure, adaptable, and resilient throughout the entirety of their lifecycle.

Chip to cloud security is central to the Surface strategy. We deliver strong platform protections with powerful Windows 11 security capabilities enabled by default. As we move towards an AI-enabled future, Surface helps organizations strengthen their security posture across hardware, OS, data, apps, and identity with a foundation of built-in protection.

Secured Surface supply chain

To help ensure that Surface devices are "secure by design, secure by default, and secure in deployment," Microsoft applies rigorous security controls across the entire product lifecycle. These controls cover both physical hardware and software components. Surface devices undergo strict security reviews starting from conception, moving through design, development, production, delivery, and maintenance. These comprehensive security reviews support a seamless chain of trust throughout the device lifecycle.

At the manufacturing level, Microsoft conducts regular supplier audits to prevent potential threats like ransomware, phishing, and malware. Surface devices also benefit from the Customs-Trade Partnership Against Terrorism (C-TPAT) and Transported Asset Protection Association (TAPA) security programs, which further protect global trade and support secure logistics for shipping Surface devices worldwide.

For software, Microsoft developed the Secure Development Lifecycle (SDL) and applied this framework across all products to proactively adapt to the changing threat landscape and regulatory demands such as US Executive Order 14028 (“Improving the Nation’s Cybersecurity”). Additionally, Microsoft and its suppliers must digitally sign software components, use secure channels and protocols for communication, and provide timely and regular updates to Surface devices to address any potential issues. Lastly, Surface UEFI development partners with Microsoft’s open-source Project Mu to deliver a fully Microsoft-owned Unified Extensible Firmware Interface (UEFI) stack for every Surface device, which reduces reliance on non-Microsoft firmware providers, providing transparency and protection for the lowest and most sensitive levels of your device.

By owning both hardware design and firmware development, Microsoft minimizes supply chain risks, allowing for prompt responses to any potential vulnerabilities. With these proactive practices, Surface devices are designed to meet the highest standards for both digital and physical supply chain security. This unified, in-house approach enhances the security of Surface devices before they even leave the factory.

Microsoft designed & built components

Microsoft designs and maintains Surface devices to offer customers comprehensive control, proactive protection, and peace of mind in any work environment. Surface devices come equipped with Microsoft’s leading security features to protect you from sophisticated attacks and to simplify device management.

Built-in Surface security

From the moment you press the power button to the time you shut down your device, Surface delivers leading-edge, built-in security throughout every stage of its lifecycle.

Every Surface device running Windows 11 out of the box uses a Trusted Platform Module (TPM) 2.0 that helps ensure platform integrity by preventing tampering and managing cryptographic keys for various secure operations. The TPM supports the Hardware Root of Trust, a dedicated module that helps create a hardware-based security boundary to ensure the device boots in a trusted state. Together, the TPM and Root of Trust function as a secured anchor for integrated encryption and secure operations, establishing the security foundation for BitLocker, Virtualization-Based Security (VBS), Memory Integrity/HVCI, Enhanced Sign-In Security (ESS) for Windows Hello for Business, and other secure operations.

Through the virtualization provided by VBS and the integrity checks provided by HVCI, the device’s kernel is hosted separately from the operating system as a Secured Kernel, so that even if the operating system is compromised, the kernel is still protected. In addition, Kernel DMA Protection helps safeguard device memory from drive-by direct memory access (DMA) attacks by preventing external peripherals from gaining unauthorized access to memory.

To support the integrity of device bootup at power-on, Secure Boot uses the device’s Root of Trust to prevent unauthorized firmware from running at boot time. Enabled by Microsoft-built UEFI and TPM 2.0, it helps ensure that only authorized firmware runs before the OS loads. This firmware must originate from Microsoft, its Independent Hardware Vendors (IHVs), or approved open-source repositories and remain unmodified during transit and provisioning onto the device. This process safeguards the integrity of the firmware at each stage of the boot sequence, from pressing the power button to launching the OS. As part of System Guard Secure Launch, Surface devices also protect bootup using Dynamic Root of Trust Measurement (DRTM) or Firmware Attack Surface Reduction (FASR) [1], which both establish a hardware-based root of trust designed to ensure the integrity of the boot process and defend against firmware-level attacks.

Many of these out-of-box security features form the foundation of Secured-Core PC (SCPC), which integrates hardware, firmware, and virtualization to protect devices from various threats, including malware, physical possession issues (like loss or theft), and access attacks. SCPC helps protect data even if a device is compromised.

Since late 2021, every Surface device running Windows 11 is a Secured-Core PC, with the highest level of protection enabled out-of-the-box. The following security features are a subset of those features enabled by default for all SCPC Surface devices:

| Feature | Description | Learn More |
| --- | --- | --- |
| Trusted Platform Module (TPM) 2.0 | A secure cryptoprocessor to ensure platform integrity by providing security mechanisms to prevent tampering and generate and manage cryptographic keys for functions like unlocking the system drive, disk encryption, measuring the boot process, and biometric authentication. | Trusted Platform Module Technology Overview |
| Hardware Root of Trust | Helps establish a trusted boot state by applying the device’s TPM and root-of-trust measurement capabilities to mitigate firmware vulnerabilities. It creates a hardware-based security boundary, isolating system memory from the OS to protect critical services and sensitive data from OS vulnerabilities, supporting system integrity through attestation. | Hardware root-of-trust |
| BitLocker | Provides encryption to address threats of data theft or data exposure from lost, stolen, or insufficiently decommissioned devices. When enabled, BitLocker helps ensure that data remains inaccessible even if the device falls into unauthorized hands. | BitLocker overview |
| Virtualization-Based Security (VBS) | Uses hardware virtualization to create and isolate a secure region of memory from the regular operating system. Windows can use this "virtual secure mode" to host a number of security solutions, to protect secure operations from any potential vulnerabilities or exploits in the OS. | Virtualization-based Security (VBS) |
| Memory Integrity, also known as Hypervisor-Enforced Code Integrity (HVCI) | Helps maintain code integrity in the kernel, a highly privileged area of the operating system. It checks all kernel-mode drivers and binaries before execution and blocks unsigned drivers or system files from being loaded into memory. Operating within an isolated environment, it verifies kernel code integrity in accordance with the kernel signing policy. | Enable virtualization-based protection of code integrity |
| Enhanced Sign-In Security (ESS) | Uses VBS and TPM 2.0 for isolated and secure communication of biometrics for authentication to enable Windows Hello with biometric passwordless sign-in. | Windows Hello Enhanced Sign-in Security |
| Windows Hello for Business | Allows passwordless sign-in using two-factor authentication based on secure biometrics (ESS) or PIN and device-specific credentials tied to your enterprise identity. This method of authentication offers elevated security and convenience for users. | How Windows Hello for Business works |
| Secured Kernel | Operates within a virtualized environment to protect from the Windows OS by ensuring all code integrity policy checks pass. Uses VBS and HVCI for an isolated environment for kernel protection from potential OS vulnerabilities. | Secured kernel |
| Kernel DMA Protection | Prevents external peripherals from gaining unauthorized access to memory. Helps protect against drive-by DMA attacks. | Kernel DMA Protection |
| Microsoft-Built UEFI | Firmware, developed jointly by Microsoft and Surface, that configures the device and boots the OS. Provides firmware runtime services and, with Microsoft Intune, significantly improves control over hardware via cloud-based or on-premises management. | Surface UEFI: Evolution in boot, security & device management to build an industry leading secure PC; Manage Surface UEFI settings |
| Secure Boot | Ensures a device boots only trusted software by checking the signature of each piece of boot software before passing to the next boot stage. This process establishes signature-enforced handoffs between the UEFI, bootloader, kernel, and application environments to block malware attacks or other potential threats in the boot sequence. | Secure Boot |
| Dynamic Root of Trust Measurement (DRTM) | Boots the device from an untrusted into a trusted state by forcing CPUs down a known and measured code path for a dynamically established hardware root of trust during runtime to support system integrity. | Force firmware code to be measured and attested by Secure Launch on Windows 10 |
| Firmware Attack Surface Reduction (FASR) | Establishes a certified boot path that minimizes the firmware's exposure to potential attacks by limiting executable code in the firmware environment. | Firmware Attack Surface Reduction (FASR) |
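
To confirm on a given device that the default-on features listed above are actually active, the following added example (not part of the original page and not Microsoft's own tooling) queries them with built-in Windows cmdlets. The function name `Get-SecuredCoreStatus` and its output property names are hypothetical; run it from an elevated PowerShell session.

```powershell
# Added example: audits a subset of the features in the table above.
# Get-SecuredCoreStatus and its property names are illustrative, not a Microsoft API.
function Get-SecuredCoreStatus {
    [CmdletBinding()]
    param()

    $tpm = Get-Tpm
    # SpecVersion is a comma-separated string; the first field is the TPM spec version
    $tpmSpec = (Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                -ClassName Win32_Tpm).SpecVersion

    # Confirm-SecureBootUEFI throws on non-UEFI systems; treat that as "off"
    try   { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop }
    catch { $secureBoot = $false }

    # Device Guard WMI class reports VBS state and the services running on top of it
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
          -ClassName Win32_DeviceGuard

    $osVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive

    [pscustomobject]@{
        TpmPresentAndReady = $tpm.TpmPresent -and $tpm.TpmReady
        TpmIs20            = ("$tpmSpec" -split ',')[0].Trim() -eq '2.0'
        SecureBoot         = [bool]$secureBoot
        # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled, 2 = running
        VbsRunning         = $dg.VirtualizationBasedSecurityStatus -eq 2
        # SecurityServicesRunning: 2 = HVCI (Memory Integrity), 3 = Secure Launch
        MemoryIntegrity    = $dg.SecurityServicesRunning -contains 2
        SecureLaunch       = $dg.SecurityServicesRunning -contains 3
        # AvailableSecurityProperties 3 = hardware DMA protection is available;
        # this is a platform capability, not the Kernel DMA Protection state itself
        DmaProtectionAvail = $dg.AvailableSecurityProperties -contains 3
        BitLockerOsVolume  = $osVolume.ProtectionStatus -eq 'On'
    }
}

$status = Get-SecuredCoreStatus
$status | Format-List

# Flag anything that is not in the expected default-on state
$failed = $status.PSObject.Properties | Where-Object { -not $_.Value }
if ($failed) { Write-Warning ("Not enabled: " + ($failed.Name -join ', ')) }
```

The Kernel DMA Protection state itself is shown in System Information (msinfo32); the Device Guard class only reports whether the hardware capability is available.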

Surface commercial security advantage

Remote management

IT admins can remotely manage Surface devices. Microsoft Intune admin center with Intune and Windows Autopilot enables full remote management of Surface devices from the Azure Cloud, delivering fully configured devices to users upon startup. Wipe and retire features enable IT to quickly repurpose a device for a new remote user or wipe a device that's been stolen. These capabilities enable rapid and secure responses, allowing remote removal of all company data and reconfiguration of a Surface as an entirely new device.

As part of Microsoft Intune, Device Firmware Configuration Interface (DFCI) allows cloud-based management of firmware settings, including remote disabling of hardware and locking of UEFI settings. Alternatively, Surface Enterprise Management Mode (SEMM) is another management solution to secure and manage firmware settings within an organization.

Responsive security

In a rapidly evolving digital age, the ability to react quickly and proactively is paramount. Microsoft Defender for Endpoint offers AI-driven, real-time protection against advanced threats, helping protect sensitive data and communications. Organizations benefit from the power of Windows Update for Business by using a Microsoft-maintained stack of both firmware and OS applications. This service keeps systems current with the latest security protections and allows for IT management of already commissioned devices.

| Feature | Description | Learn More |
| --- | --- | --- |
| Microsoft Intune | A cloud-based endpoint management solution that helps organizations manage user access, apps, and devices, ensuring secure access to corporate resources. It supports the Zero Trust security model by enforcing device compliance, integrating with defense services, and protecting identity and app data. | Microsoft Intune securely manages identities, manages apps, and manages devices |
| Windows Autopilot | Enables cloud-based setup and preconfiguration of new devices to prepare them for productive use and minimize strain to IT administrators. It can also be used to reset, repurpose, or recover devices to simplify the Windows device lifecycle. | Overview of Windows Autopilot |
| Device Firmware Configuration Interface (DFCI) | Allows for remote management of UEFI settings on devices enrolled in Windows Autopilot and managed via Microsoft Intune. It enables remote control of firmware settings, disabling of hardware components, and enforcing authorized configurations to strengthen device security. | Manage DFCI on Surface devices |
| Surface Enterprise Management Mode (SEMM) | Enables centralized enterprise management of UEFI firmware settings across on-premises, hybrid, and cloud environments. Allows IT administrators to prepare UEFI configuration settings and install them on Surface devices. | Get started with Surface Enterprise Management Mode |
| Microsoft Defender for Endpoint | Enterprise-grade security platform that detects, prevents, and responds to sophisticated threats. Provides robust AI-driven endpoint security for managed Surface devices. | Microsoft Defender for Endpoint |
| Windows Update for Business | Enables IT admins to keep their organization's Windows client devices always up to date with the latest security updates and Windows features by directly connecting these systems to the Windows Update service. | What is Windows Update for Business? |

Scaling security

As the threat landscape evolves, Surface is starting to adopt more security features in select devices. These features have yet to be integrated across the entire portfolio of Surface products, but are scaling across different product lines over the next few years. Here are some security features that are product specific:

| Feature | Description | Learn More |
| --- | --- | --- |
| Memory Safety Expansion | The Rust programming language provides certain memory safety guarantees that can reduce up to 70% of vulnerabilities in comparison to traditional C code. Targeted components within Surface software and firmware are being translated into Rust, beginning with portions of the UEFI and Microcontroller Unit (MCU) stacks, as well as creating a driver framework for Rust driver development. | Rust support for UEFI development through Project Mu; Open-source Rust driver development platform |
| Microsoft Pluton Security Processor | Microsoft Pluton Security Processor is a secure cryptoprocessor built into the CPU for security at the device core. | Microsoft Pluton security processor |
| Microsoft Pluton TPM | Microsoft Pluton supports TPM 2.0 for a silicon root of trust to protect sensitive information and encryption keys. It also supports ingestion of security enhancements via Windows Updates. | Microsoft Pluton as Trusted Platform Module |
| Copilot+ PC | PCs with built-in neural processing units (NPU) that accelerate artificial intelligence (AI) experiences and operations within the device. | Learn more about Copilot+ PCs and Windows 11 PCs from Surface |

As these security features scale, more Surface devices will integrate them by default. For instance, Copilot+ PCs, new Windows PCs with built-in neural processing units (NPU) that accelerate artificial intelligence (AI) experiences and operations within the device, contain the Microsoft Pluton Processor enabled by default in addition to the full suite of Surface security features described on this page.

References

[1] The FASR feature is exclusive to Intel-designed Surface products. FASR does not apply to Surface products designed with Qualcomm (QC) or AMD processors.