To provide employees with a choice of work computers, Microsoft IT maintains a list of standard devices that meet our requirements for performance, user authentication, secure connectivity, and information security. Built to support Windows 10, standard configurations of Surface Book and Surface Pro 4 meet our device criteria for deployment. For ease of device management, we use standard tools and utilities that help us manage, configure, and protect Surface devices within the enterprise.


When it’s time for Microsoft employees to select a new work computer, Microsoft IT is committed to providing choices and great user experiences. Although Microsoft empowers employees to choose or bring their own devices for work, we maintain a Microsoft IT standard devices list—it includes devices that have passed our Microsoft IT client hardware certification to provide reliable hardware and out-of-the-box experience so that they can be immediately productive in our environment. Our certification process includes hardware testing, performance testing, peripheral compatibility, benchmarking, and hardware configurations. We require all of these to help ensure employee productivity, user authentication, secure connectivity, and information security. Our current standard devices list includes Microsoft Surface Pro 4 and Surface Book—and they have quickly become popular choices throughout the company.

Corporate client hardware standards and certification

Employees use our list of corporate standard devices to select a computer that will best meet their work needs in our environment. By maintaining a standard devices list, we give our employees choices, while maintaining control of our device inventory and making sure that IT administrators and support technicians are ready to support them.

We use a client hardware certification process to determine which devices can be included on the standard devices list. Client hardware certification helps to ensure that our devices offer the necessary level of performance in our environment, and that their configurations don’t add complexity to our device management processes. Certification also helps our support technicians respond to issues and hardware failure more quickly.

Microsoft IT client hardware certification focuses on functionality, durability, and workspace features—like multi-monitor support, higher quality keyboard, or a powered dock and global availability. To be certified and supported by Microsoft IT, devices must be thoroughly tested, and have specific drivers and software installed. Our goal is to provide the best user experiences with devices that are optimized for productivity and ease of use, and that enable support and global availability. As part of this goal, we also create productivity guides and troubleshooting guides for the certified devices.


We work directly with manufacturers to ensure that the devices we include on the standard devices list have the optimized hardware configuration that we require for certification. The required configuration includes Trusted Platform Module (TPM) chips for hardware-based authentication keys, Microsoft Device Guard, and biometric devices to sign in using Windows Hello for Business. We also need to ensure that peripherals work well enough to support other core business functions. For example, at Microsoft we rely on Skype for Business for meetings, telephony, and messaging, so audio and visual components are important. Surface Pro 4 and Surface Book met all of our hardware requirements out of the box.


When considering performance, we have categories that help us recommend devices for different types of employees. A developer typically requires a high-performance processor and more memory, whereas a business user might need mobility and the flexibility to convert to a tablet with ink capabilities. Surface Pro 4 and Surface Book are hybrid devices that offer both performance and portability.

We tested the computer configurations included on the standard devices list, including scenarios that measure battery performance and disk read/write times. The Surface devices consistently scored well on all our performance benchmark tests.


Special hardware like fingerprint scanners and TPM chips allow our employees to quickly sign in to high-security business areas on trusted devices. Surface Pro 4 and Surface Book are BitLocker-enabled and contain a TPM chip that allows local encryption keys and features like Device Guard and Credential Guard. They have biometric sign-in capabilities that are more secure than passwords alone and don’t require special hardware to meet security and compliance policies.

Service, warranties, and support

Device certification also depends on the manufacturer’s ability to meet procurement service-level agreements and provide adequate product warranties and support. The process we used is streamlined and is the same for all manufacturers that we work with, including Microsoft.

Maximizing productivity by requiring minimal user configuration

To maximize productivity, we configured the new device experience to require only minimal user configuration. We want to ensure a great user experience by creating an out-of-the-box experience that helps ensure that devices are ready for work when employees first turn them on. Most employees will only need to turn on their devices and sign in to get started. For existing employees who are receiving new devices, most of their data and user profiles are already in the cloud. After they sign in, their profiles, personalization settings, and preferences are available on the new device.

Creating a standard installation image

We use the Microsoft Deployment Toolkit to create the single installation package that is used for all standard devices, including Microsoft Surface devices. We release a monthly update of the Microsoft IT standard installation image to all of the Microsoft IT standard device manufacturers. The manufacturers install that image on the devices we order from them. Our devices arrive with the latest operating system, updates, drivers, applications, and mobile access (VPN) pre-installed.

Updating, supporting, and managing Surface devices

Driver and firmware updates for Surface devices are released in two ways:

  • Point updates. These updates are released for specific drivers or firmware revisions and provide the latest updates for specific components of the Surface device.
  • Cumulative updates. These updates provide comprehensive roundups of all the latest files for the Surface device running the version of Windows that is being updated.

We automatically keep Surface device drivers and firmware up to date with Windows Update. For other situations that require us to install drivers and firmware separately from Windows Update, the files are available for download in the Microsoft Download Center as a Windows Installer package (.msi files) that can be directly accessed by System Center Configuration Manager. System Center Configuration Manager makes it easy for us to quickly identify and install application updates on devices that are part of our network. We also use System Center Configuration Manager to manage the timing of installations and upgrades to avoid disrupting employee’s work.

Supporting Surface devices

Support for Surface devices is integrated with all our centralized technical support processes. Support staff are trained and given documentation to support both hardware and software globally (in countries/regions where Surface is available). To keep users productive, we have a service-level agreement with the Helpdesk that requires timely resolution of Surface-related support issues.

Management tools for Surface device

Enterprise management tools are available for Surface devices to make them easy for IT administrators to manage, configure, and protect in the enterprise environment.

Managing Surface UEFI update settings

Current and future generations of Surface devices, including Surface Pro 4 and Surface Book, use a Unified Extensible Firmware Interface (UEFI) engineered by Microsoft specifically for these devices. This firmware allows for significantly greater control of the device’s operation over firmware versions in earlier generation Surface devices, including the support for touch, mouse, and keyboard operation. By using the Surface UEFI settings, we can easily enable or disable internal devices or components, configure security to protect UEFI settings from being changed, and adjust the Surface device boot settings.

For more information about how we use UEFI, see Advanced UEFI security features for Surface Pro 3.

Configuring and protecting UEFI settings with Microsoft Surface Enterprise Management Mode

Microsoft Surface Enterprise Management Mode (SEMM) is a feature of Surface devices—along with Surface UEFI, it helps us secure and manage firmware settings within the organization. Using SEMM, we can configure UEFI settings and install them on Surface devices to protect the configuration from unauthorized tampering or removal.

Erasing data from a Surface device using the Microsoft Surface Data Eraser

Sometimes a user might need to turn in a device so it can be reassigned to another user or be sent out for service. It’s company policy to erase all corporate data before it leaves an employee’s, or the company’s physical possession.

Because the hard drive can’t be removed, we have a separate process for retiring, or reallocating, Surface devices. Employees who need to decommission or turn in their Surface device can either use an internal tool or call the Helpdesk to arrange its return. Microsoft uses the Microsoft Surface Data Eraser tool. It gives IT pros secure options for erasing data from Surface devices—and it ensures that user data is completely erased to safeguard against loss of corporate data.

We use the Microsoft Surface Data Eraser when we’re reimaging devices that potentially have sensitive data stored on them. Other scenarios when we use the Microsoft Surface Data Eraser include:

  • Preparing a Surface device to be sent for repair.
  • Decommissioning a device to remove it from use.
  • Repurposing a Surface for use in a new department or by a new user.

For more information about the data wiping capabilities and practices Microsoft uses during the service process for Surface, see Microsoft Surface Data Eraser.

Resetting a device

Employees can reset any device that’s running Windows 10, including Surface devices. They can do this by selecting Reset this PC in the Settings app. Resetting a device lets employees choose to reset the device back to the corporate installation image, to a previous version of the operating system, or to a fresh installation of Windows 10. Resetting a device is recommended when an employee wants to simply undo changes that have caused a system’s performance to degrade over time or to clean up their system. After an employee resets the device to the corporate image, they can easily sign in to restore their cloud profile, preferences, and data—and quickly get back to work.


From an IT perspective, we used the same certification criteria, testing, and processes that we use for all original equipment manufacturers (OEMs) in our determination to include Surface Pro 4 and Surface Book on our standard devices list. They were built to leverage the capabilities of Windows 10 and offer high performance computing—and Microsoft provides tools and utilities that enhance our device management capabilities.

Employees across the company are adopting Surface Pro 4 and Surface Book as their primary work device. The combination of mobility and performance have quickly made these devices two of the most popular on our standard devices list.

For more information

Microsoft IT

Surface tools for IT

Advanced UEFI security features for Surface Pro 3

Microsoft Surface Data Eraser


© 2019 Microsoft Corporation. All rights reserved. Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.

You might also be interested in

How Microsoft uses Dynamics 365 to manage Windows Update releases
June 21, 2019

How Microsoft uses Dynamics 365 to manage Windows Update releases

Read Article
Windows 10 improves security and data protection
June 18, 2019

Windows 10 improves security and data protection

Learn more
Speaking of security: Device health
June 03, 2019

Speaking of security: Device health

Watch webinar
IT expert roundtable: Modern desktop and device management
June 03, 2019

IT expert roundtable: Modern desktop and device management

Watch webinar