Surface Laptop 4 showcases Microsoft’s new approach to PC security

Microsoft is bringing advanced hardware security to more Surface devices with cloud firmware management to help enterprises deploy new PCs quickly.

Microsoft’s Surface Laptop 4 is the second Surface device that uses Secured-core to protect the firmware. This brings what used to be optional security features that you had to test and manage, and then built-in security designed for the industries most targeted by attackers, further into the mainstream. It’s also the first Secured-core PC available with an AMD processor (and the second AMD-powered Surface). 

More about cybersecurity

Firmware like UEFI is an increasingly popular target for cyber criminals for the same reason that banks attract unwanted attention: it’s where sensitive and valuable information, such as credentials and encryption keys, is stored. Secured-core protects the firmware by having the CPU run its own checks to confirm that UEFI is telling the truth when it says it hasn’t been tampered with during the boot-up process. 

SEE: Identity theft protection policy (TechRepublic Premium)

Surface Laptop 4 also protects against malicious peripherals that try to extract information from memory using Direct Memory Access (DMA) by turning on Kernel DMA Protection, as well as other Windows security features like Virtualisation Based Security (VBS) and Hypervisor-enforced Code Integrity (HVCI). 

Turning on those hardware security features by default (the way Surface Pro 7+ for Business does) reduces the ways a PC can be attacked, which translates into fewer attacks on those devices, Mark Schreffler, senior program management director for Surface engineering, told TechRepublic. 

“We see the internal telemetry on this at Microsoft. If you’re shipping with enhanced hardware security on by default, those devices have less than half the number of malware and ransomware attacks on them in the wild. As an end user, you’re just safer every day.” 

Even better, users tend not to notice, Schreffler said. “The goal for me is security features for the end users, and I almost want them to be unaware of this unless you’re an IT department making a purchasing decision. 

“People always worry about security features: what’s it going to do to my battery life, is performance going to tank?”  

But when Microsoft started turning on enhanced hardware security by default a year ago with Surface Book 3, “The beauty of it was, nobody noticed,” Schreffler said. 

Secured-core PCs apply the security best practices of isolation and minimal trust to the firmware layer that underpins Windows.  

” data-credit=”Image: Microsoft”>microsoft-secured-core-pcs.jpg

Secured-core PCs apply the security best practices of isolation and minimal trust to the firmware layer that underpins Windows.  

Image: Microsoft

Delivering secure devices 

IT departments will care about the way the business version of Surface Laptop 4 is easier to deploy and manage remotely. They can manage and update UEFI though Surface Enterprise Management Mode and Microsoft Endpoint Configuration Manager, instead of physically booting into UEFI on the device. If there are UEFI features employees won’t need, they can turn those off remotely for security. 

With recent Surface models (Surface Laptop Go, Surface Laptop 3 and 4, Surface Book 3 and Surface Pro 7, Pro 7+ and Pro X), they can also manage UEFI through the cloud with Intune through the Device Firmware Configuration Interface (DFCI). Add in Autopilot and Windows 10 Cloud Config, and organisations can be confident that devices are secure and managed as soon as they emerge from the box, to help them move to a zero-trust approach with endpoints. 

“The goal is that a commercial customer orders a machine from Surface or from any OEM out there, it’s shipped directly from the factory to the end user. It’s shipped with an image that the user can then enrol. The device has to be secure, it has to hook up to the management chain,” said Schreffler. “We’ve lit that up on Surface: we have our Autopilot feature, we have Intune management for UEFI on the devices. And the device is secure out of the box — you don’t have to turn security features on, it ships that way. You don’t have to have the IT department involved in the middle of that or worse, the end user trying to figure out how to set up their device securely.

“Hybrid workspaces are in the news right now. The cost for an IT department to intercept devices in between, manage them and set them up, and then ship them back out to their users: that’s a pretty high cost from a business perspective, and it’s quite honestly slow as well when you have to get devices out to a team that might be spread all over the place.” 

SEE: Security Awareness and Training policy (TechRepublic Premium)

Home PCs aren’t going to be enrolled in corporate endpoint management systems in the same way, so they don’t need the DFCI  cloud management features of business Surface devices. And the consumer version of Surface Laptop 4 doesn’t have the same tamper-proofing on the security hardware itself, Schreffler explained. 

“UEFI on our commercial SKUs has the management interface built into it; that’s not there on the consumer SKUs because they’re not managed by Intune environments, they’re not managed by corporate enterprises. We have discrete TPM and some physical protection on the device for more advanced attack vectors. We’re not as concerned about nation-state attacks on your home machine, but we do have customers that are concerned about that attack vector and they need advanced physical hardening. As we build more advanced security features in our commercial SKU, you’ll see a lot more of that physical tampering protection from advanced attackers — people that are doing things that a normal person doesn’t do when they find a device on a bus.” 

Attempting to physically break into or electronically confuse security modules (witness the ways security researchers have been investigating Apple’s new AirTags) is still an advanced attack — not because the techniques aren’t known, but because they don’t scale the way software and firmware attacks do, said Schreffler. 

“The knowledge of what it takes to do that is more widespread. I would still say that the time you have to dedicate to do that is pretty extensive. In the consumer industry we’re just not seeing that because the return on investment is low. It’s an attack on one device at a time; if you have ten devices you have to make that investment of time on each one individually. There’s no economies of scale in those attacks.” 

So attackers will target banks and organisations where what’s on the PC might be worth millions, but they won’t spend similar time and effort individually attacking consumer machines with a much lower payout. 

From business to mainstream 

With Surface, Microsoft has to balance succeeding in hardware with not alienating PC OEMs; CEO Satya Nadella has always talked about Surface as being there to establish new categories, and one of those categories might be mainstream hardware security.  

The first Secured-core PC was the Surface Pro X, but it was quickly followed by PCs from OEMs like Dell, HP and Panasonic. According to Schreffler, one of the goals of the Surface engineering team is “to build features and technologies to raise the bar for the PC industry — I want people, when they think of PCs, to think of security.” 

“We worked with the Windows team and we also worked closely with AMD to make sure we can bring this technology into the broad portfolio. While Surface Laptop 4 was the first AMD device launched with Secured-core, now other OEMs are also enabled,” Schreffler added. 

It’s a little easier for Microsoft, not just because the Surface team can work directly with the Windows, Azure and Intune teams, but because Microsoft can take an end-to-end approach: it designs the hardware, builds its own firmware and can manage it through the cloud and update it directly via Windows Update. “We have this advantage of everything being in-house and not a lot of third parties involved in our supply chain or any of the actual manufacturing of the device,” Schreffler pointed out. “And as we discover new technologies or ways of doing things, we can then cascade that out to the OEM ecosystem and where appropriate, they can pick those things up.” 

The next round of Surface announcements will come later this year. While some industries will always need a higher level of security, more security features from business devices will show up in hardware for consumers for the holiday season, Megan Solar, director of Surface marketing, told TechRepublic. 

“It’s our mission to make enterprise security for everyone. You shouldn’t have to pay more and buy specialised PCs just to get secure features.” 

The impact of phishing and ransomware on enterprises and their customers has been very obvious recently. Part of the problem is that choosing more secure PCs has had to be a conscious decision to pay more for premium devices and to enable the security features on them (usually after extensive application compatibility testing because of concerns about what might break). 

“We want to change that conversation to: ‘hey, if you’re a normal user, you’re protected’,” said Schreffler. “If you want to manage your corporate environment, if you want physical protection, if you want advanced hardware protection, there’s a commercial SKU for you that has that. But for everybody else, go surf whatever sites you want and with Edge and the security features, you’re fine.

“We’re really trying to make it easy for users. Very few people understand this space, and quite honestly, it’s not our goal to educate — it’s our goal to just make their lives work.” 

Also see