In part 2 of my Ignite 2022 recap series, I’ll be sharing my notes from the session “Ask the Experts: Behind the scenes tips and tricks for IT Pros with Microsoft Surface Engineering.” I love that most of the sessions were recorded so I can go back and listen to them again if I missed something. The digital backpack is also a great idea, as there were so many sessions I wanted to attend but had scheduling conflicts. Now I can spend the next few weeks catching up on all the great content I missed!
Lots of great notes from the Surface Ask the Experts session! Starting with the Intel chipset now meeting the criteria for secured-core PCs. AMD chips have had this designation for a little while now, and the Surface Laptop Go 2 for Business got the designation back in the spring of 2022. As of this moment, the Laptop Go 2 for Business as well as the Surface Laptop 4 for Business are showing as qualified on Microsoft’s Find a Device site. So, what is a secured-core PC and why would I need one? While Microsoft has built foundational security solutions such as security baselines, hardware root of trust, Secure Boot, BitLocker drive encryption and various virtualization-based security options into Windows 10/11, there are still circumstances where customers have such highly sensitive computing requirements that additional defenses against firmware-based attacks are necessary.
The most notable capability of a secured-core PC is that these devices ship with protections enabled that can only be switched off by authorized specialists from the respective chip vendors. Since all operations involved in the boot process are authenticated with isolated, locked cryptographic hashes, sophisticated firmware-based malware attacks are not possible, because the malware cannot obtain the necessary authentication tokens. There is also something called Virtual Secure Mode (VSM) on secured-core PCs that adds protection to Windows Credential Guard, Device Guard and the vTPM. It’s worth reading up on; however, the security baselines should be enough to protect “most” users in an enterprise setting, according to Microsoft. The good news is, whether you absolutely need it or not, the new Surface Laptop 5, Surface Studio 2 and Surface Pro 9 announced on Wednesday, October 12 will ship with Secure Boot enabled by default, and all the new Surface devices for business will meet the secured-core PC criteria.
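To check whether the baseline protections mentioned above (Secure Boot, TPM, BitLocker, virtualization-based security and the services running on top of it) are actually active on a deployed Surface, here is an added PowerShell example of my own; it is not from the session or from Microsoft, and it reads only standard Windows cmdlets and the Win32_DeviceGuard WMI class. Run it in an elevated PowerShell on Windows 10/11.

```powershell
# Added example (not from the session or Microsoft): report the state of the
# baseline protections a secured-core deployment is expected to have enabled.
$report = [ordered]@{}

# Secure Boot state (Confirm-SecureBootUEFI throws on legacy BIOS systems)
try   { $report['SecureBoot'] = Confirm-SecureBootUEFI }
catch { $report['SecureBoot'] = "unavailable: $($_.Exception.Message)" }

# TPM presence and readiness (a Pluton-backed TPM reports here as well)
$tpm = Get-Tpm
$report['TpmPresent'] = $tpm.TpmPresent
$report['TpmReady']   = $tpm.TpmReady

# BitLocker protection on the OS volume
$bl = Get-BitLockerVolume -MountPoint $env:SystemDrive
$report['BitLocker'] = "$($bl.ProtectionStatus) ($($bl.VolumeStatus))"

# Virtualization-based security and the services running on top of it.
# Status/service codes follow the documented Win32_DeviceGuard values.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$vbsStatus = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }
$report['VBS'] = $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]

$serviceNames = @{ 1 = 'Credential Guard'; 2 = 'HVCI (memory integrity)';
                   3 = 'System Guard Secure Launch'; 4 = 'SMM Firmware Measurement' }
$running = $dg.SecurityServicesRunning | Where-Object { $_ -ne 0 } | ForEach-Object {
    if ($serviceNames.ContainsKey([int]$_)) { $serviceNames[[int]$_] } else { "code $_" }
}
$report['VbsServicesRunning'] = if ($running) { $running -join ', ' } else { 'none' }

# Firmware version, handy when deciding whether a driver/firmware bundle is due
$report['FirmwareVersion'] = (Get-CimInstance -ClassName Win32_BIOS).SMBIOSBIOSVersion

[pscustomobject]$report | Format-List
```

A device that should be secured-core but reports VBS as not running, or an empty service list, is worth a closer look before it goes to a user.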
Continuing with security-related notes, I learned that the Device Firmware Configuration Interface (DFCI), used to manage UEFI settings on Microsoft Surface devices, is not just ones and zeros stored in UEFI. For instance, when you create a DFCI configuration policy in Intune to disable the device camera, the device is instructed to flip analog switch(es) on the circuit board that remove data and/or power, rendering the camera impossible to access from the host operating system. The setting persists in isolated storage, so not even an OS reload will re-enable the camera. I think this is a pretty awesome differentiator for the Surface lineup and yet another great innovation from Microsoft to make Surface devices unparalleled, premium endpoints for security-conscious enterprises.
Another amazing advancement to the Surface lineup from a security perspective is the Microsoft Pluton security processor that comes with the new Surface Pro 9 with the Qualcomm-based SQ3 processor. For those not yet familiar, Microsoft Pluton provides enhanced, secure processing by co-locating the trusted platform module (TPM) with the CPU itself, so there is no bus between the two components to physically exploit. Here’s a security architecture overview diagram from Microsoft’s docs to explain visually:
While we are on the topic of the new SQ3 processor, check out the advancements Microsoft has made with the NPU (neural processing unit), which allows for AI effects such as native background blur on video calls, eye contact, automatic framing, enhanced voice clarity and voice focus. More on this in my upcoming blog post on Panos Panay’s keynote presentation, but here’s a sneak peek at the incredible live demo: Demo: The New A.I. Features in Windows 11: Voice Focus, Auto-Framing, More | Microsoft Ignite 2022
A new feature known as Voice Clarity will be available on the Surface Studio 2 devices. Through the studio mics on the device, Voice Clarity will use advanced audio processing to help your voice come across more clearly on calls and recordings. More info on how Voice Clarity works, along with a demo video, can be found here: https://techcommunity.microsoft.com/t5/surface-it-pro-blog/meet-voice-clarity/ba-p/1419014
A lot of questions were asked around recommended practices and where the Surface team sees the most issues supporting Surface endpoints. The number one issue seems to be supporting customers who require custom imaging of endpoints and the additional hassles that come along with that deployment model. The recommended way of deploying Surface devices is to use Windows Autopilot along with the factory image to get devices up and running quickly and efficiently. Windows Autopilot provisioning is the most widely used deployment methodology for Surface devices, and for that reason it’s the most stable and trustworthy. For those who cannot use a factory image due to compliance requirements or internal company policy, make sure you are incorporating the necessary chipset drivers and GPIO drivers specifically for the Surface device you are deploying. It seems there is a common issue with customers forgetting to put the chipset drivers into not only their custom images, but also any recovery images they might use. This can be problematic when a device comes out of the imaging process, as these components are not USB devices and won’t automatically be recognized by Windows and matched with an applicable driver. It is also highly recommended to deploy the Surface Management App and the related Surface Management Extension. This software allows the Surface app to talk to all accessories and provides control of settings as well as information about the device and related accessories.
Another question came up about the best way to handle updating Surface devices that have sat on a shelf for some time awaiting deployment. While there are a number of ways to handle this, an example was given that, depending on how far out of date the devices may be, downloading the latest Surface recovery image from Microsoft and using it to re-image endpoints may be the more viable option. Again, the Surface “factory” recovery image is only an option for organizations that do not have compliance requirements or policies that dictate using a custom, in-house-developed image, but this methodology could prove to be quicker and a better user experience than waiting for feature updates to come down from Microsoft Update during the user-driven device deployment process. If you’re just trying to apply the latest firmware and drivers for the Surface device, remember that Microsoft publishes these as bundled MSI files on the Surface support site here: https://learn.microsoft.com/en-us/surface/manage-surface-driver-and-firmware-updates#download-msi-files. You can then use PowerShell or WinPE to update the software on devices.
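As an added example (my own script, not Microsoft’s tooling), here is how I would apply one of those driver/firmware MSI bundles from PowerShell on the device itself: it verifies the bundle’s Authenticode signature before installing, runs msiexec silently with a verbose log, and interprets the exit code. The MSI path is a placeholder; substitute the bundle you downloaded for your model.

```powershell
# Added example (not Microsoft's own tooling): install a Surface driver/firmware
# MSI bundle silently, after confirming it is validly signed by Microsoft.
$msiPath = 'C:\Deploy\SurfaceBundle_PLACEHOLDER.msi'   # placeholder path
$logPath = Join-Path $env:TEMP ('SurfaceMsi_{0:yyyyMMdd_HHmmss}.log' -f (Get-Date))

if (-not (Test-Path -Path $msiPath)) { throw "MSI not found: $msiPath" }

# Refuse anything whose signature is missing, broken, or not from Microsoft,
# so a tampered or mis-downloaded bundle never reaches msiexec.
$sig = Get-AuthenticodeSignature -FilePath $msiPath
$signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
if ($sig.Status -ne 'Valid' -or $signer -notmatch 'Microsoft Corporation') {
    throw "Refusing to install: signature status '$($sig.Status)', signer '$signer'"
}

# /qn = no UI, /norestart = let the deployment flow decide when to reboot,
# /l*v = verbose log for troubleshooting a failed driver or firmware step.
$msiArgs = @('/i', "`"$msiPath`"", '/qn', '/norestart', '/l*v', "`"$logPath`"")
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

# Standard Windows Installer exit codes: 0 success, 3010 success but reboot
# required (typical for firmware), anything else is a failure.
switch ($proc.ExitCode) {
    0       { Write-Output "Installed successfully. Log: $logPath" }
    3010    { Write-Output "Installed; reboot required to finish applying firmware/drivers. Log: $logPath" }
    default { throw "msiexec failed with exit code $($proc.ExitCode). See $logPath" }
}
```

Firmware updates are staged by the MSI and applied during the next restart, so a 3010 result followed by a reboot is the expected path rather than an error.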
That wraps up my notes from this particular session. In Part 3, I will cover my takeaways from a Surface Hub 2S session and an “Ask the Experts” session on Microsoft Entra identity. Thanks for reading!