Surface for Business vs Consumer.

QUESTION: I run a small business and would like to know if there’s a difference between “Microsoft Surface” and “Surface for Business” devices?

ANSWER: Yes, there are differences between the Surface devices you buy through retail channels (JB Hi-Fi, Harvey Norman etc.) and those you purchase through commercial channel partners (such as Explore Digital). The differences include the following:

Surface (consumer)

  • Operating System: Windows 10 Home

  • Hardware:

    • TPM in firmware (not a physical TPM 2.0 chip)

  • Warranty

    • Standard 1 year Microsoft warranty (2 years in Australia)

  • Packaging:

    • Retail Surface boxes are shrink-wrapped and have a vacuum sealed lid.

Surface for Business

  • Operating System: Windows 10 Professional

  • Hardware:

    • Physical TPM 2.0 chip

    • Generally a wider variety of configurations than the consumer line - e.g. CPU models, SSD sizes, LTE/non-LTE, removable SSD (on supported models)

  • Warranty

    • Same standard warranty, plus:

    • Advanced Exchange included with all Surface for Business devices - free of charge!

  • Additional Services and Support (optional add-ons)

    • Microsoft Extended Hardware Service

      • Increase coverage up to 3 or 4 years

      • Includes Mechanical breakdown, Advanced Exchange

      • Drive (SSD) Retention - as optional add-on for supported devices

    • Microsoft Complete for Business (an Insurance product)

      • Increase coverage up to 3 or 4 years

      • Includes all Microsoft Extended Hardware Service benefits plus:

        • Accidental Damage

      • Drive (SSD) Retention - as optional add-on for supported devices

    • Microsoft Complete for Business Plus

      • Increase coverage up to 3 or 4 years

      • Includes all Microsoft Complete for Business benefits plus:

        • Next Business Day Replacement

        • Drive (SSD) Retention (included)

  • Packaging:

    • Commercial Surface products have been redesigned to ease the deployment process

    • Increased sustainability through greater recycled content

QUESTION: OK, that’s great, but it’s all a bit technical. What does that mean for my business?

ANSWER: We can break down the benefits of the above into a few categories, namely:

  • Operating System - Windows 10 Pro provides significant benefits not available in Windows 10 Home

  • Physical hardware - key differences that follow from the physical differences in the device itself

  • Usability & Support - differences in how the device is supported should you need help post-purchase

  • Manageability & Security - a combination of hardware, software and services provides a vastly more manageable and secure device

Operating System

Using Windows 10/11 Professional instead of Home enables:

  • Zero Touch Deployment + Modern Management - deliver a new device directly to your staff (wherever they choose to work from) and have them power on the device, connect it to their Wi-Fi, enter their work credentials, and then sit back and watch the machine automatically set up everything over the wire through Windows Autopilot and Microsoft Endpoint Manager/Intune.

  • Empowering your People + Saving Time & Money! With Zero Touch Deployment and Modern Management, your IT team never needs to touch the machine to set it up, and most ongoing management is provided automatically via Microsoft 365 services. This modern approach saves your business time and money and empowers your people to work more efficiently. Through automated approaches, they become productive soon after receiving their device - with immediate access to a secure device with all their settings, licensed apps, and access to data (appropriate for their role and location). No more waiting on the IT help desk - and all performed from where they choose to work!

  • Modern Management - enrol the device into Microsoft Intune to deploy security settings, apps and provide secure access to data

  • BitLocker device encryption + BitLocker To Go - a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.

  • Azure Active Directory Join - Can join the device to your Azure Active Directory tenant (cloud identity, without an on-premises domain)

  • Domain Join + Group Policy - Can join the device to a Domain

  • Control over when and how to update devices through deferred updates and Windows Update for Business

  • Easier ways to acquire, deploy, and configure business apps via Microsoft Store for Business, Client Hyper-V and Remote Desktop

  • Remote Desktop - Allowing remote access to your Windows 10 Pro device

  • Other

    • Windows Defender Credential Guard - Isolate and harden key systems and user secrets. This makes an attack against user credentials much harder to perform.

    • Windows Defender Application Control - Harden computers against malware and prevent malicious code. This stops code that has not been previously ratified as secure from running.

    • Windows Defender Advanced Threat Protection (ATP) - Providing evergreen, continually updated malware protection and digital forensics (to identify the attack after the event). Running the agents in a separate, isolated memory space reduces the risk of the Defender code itself being compromised.

    • Device encryption - Implementing BitLocker, and managing that through the TPM chip.

Usability & Support

  • Advanced Exchange - in the event of a diagnosed hardware issue with your device during the warranty period, this allows you to receive a replacement machine before sending back your Surface for Business device for repair.

  • Complete for Business - Enhances your included warranty by adding accidental damage cover on top of the Microsoft Extended Hardware Service benefits (Advanced Exchange and mechanical breakdown), with coverage extendable to 3 or 4 years.

  • SSD upgrade - potentially upgrade your disk space by swapping out the SSD (again only on supported models)

Manageability & Security

  • Physical TPM 2.0 chip - By using a physical TPM 2.0 chip in most of the Surface range, rather than a virtualised environment inside firmware, a more secure and sandboxed environment exists on the device for storing passwords, PINs and certificates.

  • BitLocker - By using a physical TPM 2.0 chip and the UEFI controls (see below), together with Windows 10 Professional, this allows a significantly improved and integrated encryption solution.

  • Removable SSD - Allows you (via a suitably Microsoft-authorised technician) to remove the SSD for secure data wiping/archiving before returning a device for repair under Advanced Exchange.

  • Windows Autopilot - Zero-touch provisioning: the device is registered to your tenant, so a new or reset device configures itself with your settings and apps once the user signs in with their work credentials (see Zero Touch Deployment above).

  • Intune management - deploy firmware updates, operating system and application patches automatically

  • Purpose-built UEFI with TPM 2.0 - Microsoft writes its own Unified Extensible Firmware Interface (UEFI) for Surface; it delivers automatic updates and is consistent across the range, minimising risk and maximising your control.

  • Device Firmware Configuration Interface (DFCI) - Remote firmware management with zero-touch device provisioning. This eliminates BIOS passwords and provides control of security settings including boot options and built-in peripherals (e.g. disable the device camera via firmware on initial setup, or later when required).

  • Secure Boot - Enabled by UEFI and TPM 2.0 - Only code that is signed, measured and correctly implemented can execute on a Surface device.

  • Surface Data Eraser - Written in partnership with the US security services, this tool allows you to fully wipe and erase a Surface. US DoD approved.
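The features listed under Operating System and Manageability & Security above can be verified on a device you have actually received. The PowerShell script below is an added example, not code from Explore Digital or Microsoft: it assumes an elevated PowerShell session on the Windows 10/11 device being audited and uses only in-box cmdlets (TrustedPlatformModule, SecureBoot and BitLocker modules), standard WMI/CIM classes and the dsregcmd tool. The pass/fail expectations it encodes (Pro or higher edition, TPM 2.0 present and ready, Secure Boot on, the OS drive encrypted with BitLocker bound to the TPM, Credential Guard running, Intune enrolment) are the ones this page sets out.

```powershell
#Requires -RunAsAdministrator
# Added example: audit a Windows 10/11 device for the security features
# described on this page. Not Explore Digital's or Microsoft's code.

function Get-SurfaceSecurityReport {
    $r = [ordered]@{}

    # 1. Edition - Intune, Autopilot, Credential Guard etc. need Pro or higher.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $r['Edition']       = $os.Caption
    $r['IsProOrHigher'] = ($os.Caption -notmatch 'Home')

    # 2. TPM - present, ready and spec version 2.0. Discrete vs firmware TPM is
    #    not exposed directly; the manufacturer ID is the usual hint.
    $tpm    = Get-Tpm
    $tpmWmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm
    $r['TpmPresent']      = $tpm.TpmPresent
    $r['TpmReady']        = $tpm.TpmReady
    $r['TpmSpecVersion']  = $tpmWmi.SpecVersion            # e.g. "2.0, 0, 1.38"
    $r['TpmIs20']         = ($tpmWmi.SpecVersion -like '2.0*')
    $r['TpmManufacturer'] = $tpm.ManufacturerIdTxt

    # 3. Secure Boot - Confirm-SecureBootUEFI throws on legacy BIOS, so treat
    #    that as "not enabled" rather than letting the report abort.
    try   { $r['SecureBoot'] = [bool](Confirm-SecureBootUEFI) }
    catch { $r['SecureBoot'] = $false }

    # 4. BitLocker on the OS drive - protection on AND a TPM-based key protector,
    #    which is what ties the encryption to this device's TPM.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $r['BitLockerProtection'] = $vol.ProtectionStatus      # On / Off
    $r['BitLockerMethod']     = $vol.EncryptionMethod
    $r['BitLockerTpmBound']   = [bool]($vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -like 'Tpm*' })

    # 5. Virtualization-based security - Credential Guard (1) and HVCI (2)
    #    appear in SecurityServicesRunning; VBS status 2 means running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $r['VbsRunning']             = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    $r['CredentialGuardRunning'] = ($dg.SecurityServicesRunning -contains 1)
    $r['HvciRunning']            = ($dg.SecurityServicesRunning -contains 2)

    # 6. Cloud join and MDM enrolment - parsed from dsregcmd /status text output.
    $ds = (dsregcmd /status) -join "`n"
    $r['AzureAdJoined'] = ($ds -match 'AzureAdJoined\s*:\s*YES')
    $r['MdmEnrolled']   = ($ds -match 'MdmUrl\s*:\s*https?://')

    [pscustomobject]$r
}

function Test-SurfaceSecurityBaseline {
    param([Parameter(Mandatory)] $Report)
    # Names of the checks that must be $true for the device to match the
    # expectations described on this page; returns the ones that failed.
    $required = 'IsProOrHigher','TpmPresent','TpmReady','TpmIs20','SecureBoot',
                'BitLockerTpmBound','CredentialGuardRunning','AzureAdJoined','MdmEnrolled'
    $failed = foreach ($name in $required) {
        if (-not $Report.$name) { $name }
    }
    if ($Report.BitLockerProtection -ne 'On') { $failed += 'BitLockerProtection' }
    return @($failed)
}

$report = Get-SurfaceSecurityReport
$report | Format-List
$gaps = Test-SurfaceSecurityBaseline -Report $report
if ($gaps.Count -eq 0) { Write-Host 'All baseline checks passed.' }
else { Write-Warning ("Baseline gaps: " + ($gaps -join ', ')) }
```

Run it once on a freshly provisioned device and again after Intune policies have applied; a consumer (Home) unit typically fails IsProOrHigher, CredentialGuardRunning and MdmEnrolled, which is the practical difference the sections above describe. The TpmManufacturer value is informational only: the script does not claim to distinguish a discrete chip from a firmware TPM.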


Note

The above is provided as a general overview of the key differences between the consumer and business lines of Microsoft Surface devices. Specific software licence subscriptions and terms and conditions apply and should be reviewed as part of your decision-making process. Please refer to Microsoft’s site for further information.