Built secure
Security is a fundamental aspect of Microsoft's productivity foundation, ensuring innovative experiences with the peace of mind of device and data safety. We follow a zero-trust philosophy when it comes to security, meaning that no trust is assumed and everything is verified, from devices to the cloud and every layer in between. These layers include:
- Cloud
- Identity and privacy
- Application
- Operating system
- Hardware (chip)
Microsoft Surface for Business devices embody the zero-trust philosophy from initial design to the end of their lifecycle. Surface is a hardware platform designed to deliver transformative experiences for Windows and Microsoft 365, enabling businesses to perform their best. With the combination of Surface hardware, Windows 11, and Microsoft 365, businesses are set up for success with:
- Efficient multitasking for multiple projects in Microsoft 365 applications
- AI-optimized workflows with Windows 11 and Copilot+ PC experiences
- Zero-trust cloud-delivered security
Every layer of the Surface manufacturing process works together to enable endpoint protection for business users, from design to manufacturing, hardware to firmware, and user experiences to IT management. Surface devices have advanced Windows 11 security features enabled by default and integrate deeply with the Microsoft management ecosystem, simplifying the path to modern, secure productivity.
Throughout the entire Surface product lifecycle, stringent security controls are implemented. These include rigorous audits, robust infrastructure, and thorough traceability and accountability in the supply chain. Every Surface device is delivered with enterprise-ready compliance in mind. As part of the Microsoft Unified Compliance Framework (UCF), Surface devices adhere to requirements set forth by NIST (National Institute of Standards and Technology), Cyber Executive Orders, and others.
Designed according to Zero-Trust principles
Surface devices are designed and built with the utmost care to protect against existing and emerging threats with a Zero-Trust approach to security. The design of Surface devices follows four core principles of the Zero-Trust philosophy:
- Secure component design to minimize attack surfaces
- Multiple layers of defense with least-privilege access
- Comprehensive threat mitigation through regular updates
- Security measures applied throughout the product lifecycle to ensure ongoing protection
End-to-end secure supply chain
Surface devices use a Zero-Trust approach throughout their supply chain, starting with trusted suppliers and continuing through assembly and delivery.
Microsoft maintains a detailed Software Bill of Materials (SBOM) for every product, regularly audits suppliers, and follows international supply chain security standards such as C-TPAT (Customs Trade Partnership Against Terrorism) and TAPA (Transported Asset Protection Association).
Key steps include:
- Secure management of devices throughout the supply chain.
- Early detection of software issues with static analysis tools such as CodeQL.
- Continuous verification to prevent tampering and ensure integrity from start to finish.
Enterprise-ready compliance
Microsoft has unified its Surface supply chain security requirements, making management and auditing easier. To prevent software supply chain attacks, Microsoft uses a detailed Software Bill of Materials (SBOM) for transparency and quick vulnerability fixes.
Security is reinforced by regular scans, checks for leaked secrets, and independent audits. Surface devices meet major compliance standards such as NIST (National Institute of Standards and Technology), Cyber Executive Orders, and ISO (International Organization for Standardization), thanks to the Microsoft Unified Compliance Framework (UCF), which includes over 200 controls for managing device security.