Surface hub security overview, Defense-in-depth security – Microsoft Surface Hub 2 SmCamera User Manual

Surface Hub security overview

Article • 02/16/2023

Surface Hub provides a locked-down appliance-like experience with custom platform
firmware running the Windows 10 Team operating system. The resulting device takes
the traditional, "single-use" secure kiosk, "only run what you need" philosophy and
delivers a modern take on it. Built to support a rich collaborative user experience,
Surface Hub is protected against continually evolving security threats.

Built on Windows 10, Surface Hub delivers enterprise-grade modern security enabling IT
admins to enforce data protection with BitLocker, Trusted Platform Module 2.0 (TPM),
plus cloud-powered security with Windows Defender (also known as Microsoft
Defender).

Security protocols begin as soon as Surface Hub is turned on. Starting at the firmware
level, Surface Hub will only load the operating system and its components in response
to multiple security checks. Surface Hub employs a Defense in Depth strategy that
involves layering independent defensive sub-components to protect the whole of the
system in the event of partial failure. This industry practice has proven to be highly
effective in mitigating potential unilateral exploits and weaknesses in sub-components.

The modern Unified Extensible Firmware Interface (UEFI) is statically and securely
configured by Microsoft to only boot an authenticated Windows 10 Team operating
system from internal storage. Every line of code that runs on Surface Hub has its
signature verified before execution. Only applications signed by Microsoft, either as part
of the operating system or installed via the Microsoft Store, can run on the Surface Hub.
Code or apps not meeting these requirements are blocked.

Surface Hub security systems include the following:

Boot-time defenses. Loads only trusted Surface Hub operating system components.

Operating system defenses. Protects against the execution of unintended or malicious software or code.

User interface defenses. Provides a user interface that's safe for end users, preventing access to potentially risky activities such as running executables from the command line.

Defense-in-depth security
