Many of the typical differentiators of business PCs don't apply to Microsoft's Surface line. The form factors are the same, for example, and while business laptops often have a fingerprint sensor, the biometric Windows Hello camera is on consumer models as well.
Even a Surface Go with Windows Home has what's effectively BitLocker drive encryption (although it's called 'Device encryption' in Settings because home users don't have the same management options as enterprise admins). With a tablet form factor and USB-C, there are few worries about buying accessories that need to be interchangeable, or whether components will be available down the line because there's nothing replaceable.
Businesses do care about the packaging of devices (because they're on the hook for disposing of -- and preferably recycling -- it as part of their corporate social responsibility programs), so they like the brown-box packaging for the Surface business line: it's now 99% natural fibre and 64% post-consumer recycled waste.
VBS sets up several small, fast, invisible virtual machines (VMs) on the PC that are separate from the main Windows OS, and Hyper-V tells the PC hardware to treat memory pages for them differently, so each VM can only access its own memory. It handles things like secure Windows logon and the integrity of Hyper-V itself, as well as OS security features like Credential Guard. These are usually optional features, however, and before turning them on organisations want to make sure they don't break any drivers.
Having them on by default is more secure because the PC is protected from the very first time it's turned on – turning them on later runs the risk that malware could have already infiltrated the system. It's arguably simpler, as drivers that aren't compatible simply won't get installed. But OEMs tend not to turn them on by default because they worry that performance might be affected.
Microsoft tells us that it did a lot of tuning to Hyper-V (as well as pushing the ecosystem on drivers) so that turning on these security features hasn't reduced performance or battery life. (Also, as business PCs, it's less of a problem if the security features impact the frame rate of some games than it would be on consumer devices.)
Hopefully, that will encourage other PC vendors to start turning them on by default as well, because although Windows has a range of security features that use the hardware virtualisation features in CPUs, many PCs with the right hardware don't take advantage of them. Surface is an important business line for Microsoft and the devices have to succeed in their own right, but part of its raison d'être is to showcase how the hardware can enable Windows features in ways that other OEMs can follow.
The Pro 7+ doesn't go as far as the Surface Pro X and other Secured-core PCs, which use the CPU to check the measurements made during Secure Boot before loading Windows, in case malware has compromised UEFI or other firmware on the PC. Attacks on firmware have been increasing since 2016 and Secured-core offers the kind of protection you need in regulated industries because the device is protected before the TPM is initialised in the factory, so you don't have to worry about supply-chain attacks where the PCs you order are intercepted and tampered with before they reach you. When Secured-core PCs were announced in 2019, Microsoft director of OS security Dave Weston told us that they're "specifically designed for highly targeted industries that handle super-sensitive data and need added, multiple layers of security built in."
Not everyone needs that level of security, especially when it comes at the cost of some convenience. Like the new Pluton security processor, Secured-core PCs, take several lessons from the way Microsoft secures the Xbox, although Windows isn't becoming a appliance in the same way a games console is.
But you can't, for example, install a new DMA device attached over Thunderbolt on a Secured-core PC until you unlock it with a PIN or biometrics. And it's always possible that turning on all the Windows security features will mean some badly written driver that you actually need won't work.
That's far less of a problem in the Arm ecosystem where there are fewer legacy drivers to worry about and where every device is already running a hypervisor (usually the one Qualcomm provides). As long as Hyper-V delivers as good or better performance as that hypervisor, there's no performance impact from turning on the security features for Windows on Arm devices like the Surface Pro X.
For the Pro 7+ Microsoft told us that although it's not a Secured-core device, the company feels it has equivalent levels of security thanks to the custom UEFI firmware used in Surface devices.
These two features, which are the basis of so many advanced Windows security features, can push the x86 ecosystem along so that, over time, all PCs can eventually ship secure by default. And while it's too early to see the Pluton security processor showing up in Surface, Microsoft did tell us that's definitely on the roadmap for the future.
Retaining rather than replacing storage
Another notable thing about the Pro 7+ is its removable SSD. On the Surface Pro X models, this seems like a way to get flexibility in pricing and spec: you could buy a cheaper unit with the storage you thought you'd need and upgrade when you discovered you were doing more on the device than you'd planned. Or, as happened to us, you could buy a Pro X with less storage that you really wanted because the larger models weren't shipping and plan to upgrade later. (That upgrade hasn't happened yet because the right format of SSD has been hard to find.)
We did ask Microsoft if the company had taken any steps to make that easier for businesses – would additional SSDs be available through the Microsoft Store or deals with OEMs? – but the spokesperson had nothing to share.
In fact, although you could use the removable SSD to upgrade the storage capacity, even with OneDrive integration making it easy to get your files, cloning and reimaging devices is still a somewhat tedious process. The removable SSD in the Pro 7+ isn't really there for device upgrades; it's for data retention. If the Surface Pro is damaged, the organization doesn't have to worry about losing data that needs to be archived or securely deleted. It's much easier to scrub an SSD that you can pop out of the slot and put into an external enclosure than one that you have to prise out of a sealed tablet with specialist tools and a hot air gun (or send back to Microsoft).