deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-16 02:43:43 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'public' into patch-42

Browse Source
This commit is contained in:
VLG17
2019-11-11 16:33:34 +02:00
committed by GitHub
parent 9686b74bbd 9a9128e28f
commit 005e02ebe5
413 changed files with 14371 additions and 12442 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
devices/surface/battery-limit.md
View File

@ -6,22 +6,26 @@ ms.mktglfcycl: manage
ms.pagetype: surface, devices
ms.sitesec: library
author: dansimp
ms.date: 10/02/2018
ms.date: 10/31/2019
ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.topic: article
ms.localizationpriority: medium
ms.audience: itpro
---
# Battery Limit setting
Battery Limit option is a UEFI setting that changes how the Surface device battery is charged and may prolong its longevity. This setting is recommended in cases in which the device is continuously connected to power, for example when devices are integrated into kiosk solutions.
## Battery Limit information
## How Battery Limit works
Setting the device on Battery Limit changes the protocol for charging the device battery. When Battery Limit is enabled, the battery charge will be limited to 50% of its maximum capacity. The charge level reported in Windows will reflect this limit. Therefore, it will show that the battery is charged up to 50% and will not charge beyond this limit. If you enable Battery Limit while the device is above 50% charge, the Battery icon will show that the device is plugged in but discharging until the device reaches 50% of its maximum charge capacity.
Adding the Battery Limit option to Surface UEFI requires a [Surface UEFI firmware update](update.md), available through Windows Update or via the MSI driver and firmware packages on the Microsoft Download Center. Check [Enable "Battery Limit" for Surface devices that have to be plugged in for extended periods of time](https://support.microsoft.com/help/4464941) for the specific Surface UEFI version required for each supported device. Currently, Battery Limit is supported on a subset of Surface devices and will be available in the future on other Surface device models.
## Supported devices
The Battery Limit UEFI setting is built into the latest Surface devices including Surface Pro 7 and Surface Laptop 3. Earlier devices require a
[Surface UEFI firmware update](update.md), available through Windows Update or via the MSI driver and firmware packages on the [Surface Support site](https://support.microsoft.com/help/4023482/surface-download-drivers-and-firmware-for-surface). Check [Enable "Battery Limit" for Surface devices that have to be plugged in for extended periods of time](https://support.microsoft.com/help/4464941) for the specific Surface UEFI version required for each supported device.
## Enabling Battery Limit in Surface UEFI (Surface Pro 4 and later)

12
devices/surface/considerations-for-surface-and-system-center-configuration-manager.md
View File

@ -11,17 +11,14 @@ ms.author: dansimp
ms.topic: article
ms.localizationpriority: medium
ms.audience: itpro
ms.date: 10/21/2019
ms.date: 10/24/2019
ms.reviewer:
manager: dansimp
---
# Considerations for Surface and System Center Configuration Manager
Fundamentally, management and deployment of Surface devices with System Center Configuration Manager is the same as the management and deployment of any other PC. Like any other PC, a deployment to Surface devices includes importing drivers, importing a Windows image, preparing a deployment task sequence, and then deploying the task sequence to a collection. After deployment, Surface devices are like any other Windows client to publish apps, settings, and policies, you use the same process that you would use for any other device.
> [!NOTE]
> SCCM is not supported on Surface Pro X. For more information, refer to [Deploying, managing, and servicing Surface Pro X](surface-pro-arm-app-management.md).
Fundamentally, management and deployment of Surface devices with System Center Configuration Manager (SCCM) is the same as the management and deployment of any other PC. Like other PCs, a deployment to Surface devices includes importing drivers, importing a Windows image, preparing a deployment task sequence, and then deploying the task sequence to a collection. After deployment, Surface devices are like any other Windows client to publish apps, settings, and policies, you use the same process that you would use for any other device.
You can find more information about how to use Configuration Manager to deploy and manage devices in the [Documentation for System Center Configuration Manager](https://docs.microsoft.com/sccm/index).
@ -30,6 +27,11 @@ Although the deployment and management of Surface devices is fundamentally the s
>[!NOTE]
>For management of Surface devices it is recommended that you use the Current Branch of System Center Configuration Manager.
## Support for Surface Pro X
Beginning in version 1802, SCCM includes client management support for Surface Pro X. Note however that running the SCCM agent on Surface Pro X may accelerate battery consumption. In addition, SCCM operating system deployment is not supported on Surface Pro X. For more information, refer to:
- [What's new in version 1802 of System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/changes/whats-new-in-version-1802)
- [Deploying, managing, and servicing Surface Pro X](surface-pro-arm-app-management.md)
## Updating Surface device drivers and firmware
For devices that receive updates through Windows Update, drivers for Surface components and even firmware updates are applied automatically as part of the Windows Update process. For devices with managed updates, such as those updated through Windows Server Update Services (WSUS), the option to install drivers and firmware through Windows Update is not available. For these managed devices, the recommended driver management process is the deployment of driver and firmware updates using the Windows Installer (.msi) files, which are provided through the Microsoft Download Center. You can find a list of these downloads at [Download the latest firmware and drivers for Surface devices](https://technet.microsoft.com/itpro/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices).

16
devices/surface/deploy.md
View File

@ -11,6 +11,8 @@ ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.topic: article
ms.localizationpriority: medium
ms.audience: itpro
---
# Deploy Surface devices
@ -39,19 +41,7 @@ Learn about about deploying ARM- and Intel-based Surface devices.
| [Surface Deployment Accelerator](microsoft-surface-deployment-accelerator.md)| See how Microsoft Surface Deployment Accelerator provides a quick and simple deployment mechanism for organizations to reimage Surface devices. |
[Battery Limit setting](battery-limit.md) | Learn how to use Battery Limit, a UEFI setting that changes how the Surface device battery is charged and may prolong its longevity.
 
## Related topics
[Surface for IT pros blog](http://blogs.technet.com/b/surface/)
 
 
[Surface IT Pro Blog](https://techcommunity.microsoft.com/t5/Surface-IT-Pro-Blog/bg-p/SurfaceITPro)

84
devices/surface/enable-surface-keyboard-for-windows-pe-deployment.md
View File

@ -9,12 +9,15 @@ ms.sitesec: library
author: Teresa-Motiv
ms.author: v-tea
ms.topic: article
ms.date: 10/2/2019
ms.date: 10/31/2019
ms.reviewer: scottmca
ms.localizationpriority: medium
ms.audience: itpro
manager: jarrettr
appliesto:
- Surface Laptop (1st Gen)
- Surface Laptop 2
- Surface Laptop 3
---
# How to enable the Surface Laptop keyboard during MDT deployment
@ -30,44 +33,77 @@ On most types of Surface devices, the keyboard should work during Lite Touch Ins
To add the keyboard drivers to the selection profile, follow these steps:
1. Download the latest Surface Laptop MSI file from the appropriate locations:
- [Surface Laptop (1st Gen) Drivers and Firmware](https://www.microsoft.com/download/details.aspx?id=55489)
- [Surface Laptop 2 Drivers and Firmware](https://www.microsoft.com/download/details.aspx?id=57515)
- [Surface Laptop (1st Gen) Drivers and Firmware](https://www.microsoft.com/download/details.aspx?id=55489)
- [Surface Laptop 2 Drivers and Firmware](https://www.microsoft.com/download/details.aspx?id=57515)
- [Surface Laptop 3 with Intel Processor Drivers and Firmware](https://www.microsoft.com/download/details.aspx?id=100429)
1. Extract the contents of the Surface Laptop MSI file to a folder that you can easily locate (for example, c:\surface_laptop_drivers). To extract the contents, open an elevated Command Prompt window and run the following command:
2. Extract the contents of the Surface Laptop MSI file to a folder that you can easily locate (for example, c:\surface_laptop_drivers). To extract the contents, open an elevated Command Prompt window and run the command from the following example:
```cmd
Msiexec.exe /a SurfaceLaptop_Win10_15063_1703008_1.msi targetdir=c:\surface_laptop_drivers /qn
```
1. Open the Deployment Workbench and expand the **Deployment Shares** node and your deployment share, then navigate to the **WindowsPEX64** folder.
3. Open the Deployment Workbench and expand the **Deployment Shares** node and your deployment share, then navigate to the **WindowsPEX64** folder.
![Image that shows the location of the WindowsPEX64 folder in the Deployment Workbench](./images/surface-laptop-keyboard-1.png)
1. Right-click the **WindowsPEX64** folder and select **Import Drivers**.
1. Follow the instructions in the Import Driver Wizard to import the driver folders into the WindowsPEX64 folder.
To support Surface Laptop (1st Gen), import the following folders:
- SurfacePlatformInstaller\Drivers\System\GPIO
- SurfacePlatformInstaller\Drivers\System\SurfaceHidMiniDriver
- SurfacePlatformInstaller\Drivers\System\SurfaceSerialHubDriver
To support Surface Laptop 2, import the following folders:
- SurfacePlatformInstaller\Drivers\System\GPIO
- SurfacePlatformInstaller\Drivers\System\SurfaceHIDMiniDriver
- SurfacePlatformInstaller\Drivers\System\SurfaceSerialHubDriver
- SurfacePlatformInstaller\Drivers\System\I2C
- SurfacePlatformInstaller\Drivers\System\SPI
- SurfacePlatformInstaller\Drivers\System\UART
4. Right-click the **WindowsPEX64** folder and select **Import Drivers**.
5. Follow the instructions in the Import Driver Wizard to import the driver folders into the WindowsPEX64 folder.
1. Verify that the WindowsPEX64 folder now contains the imported drivers. The folder should resemble the following:
> [!NOTE]
> Check the downloaded MSI package to determine the format and directory structure. The directory structure will start with either SurfacePlatformInstaller (older MSI files) or SurfaceUpdate (Newer MSI files) depending on when the MSI was released.
To support Surface Laptop (1st Gen), import the following folders:
- SurfacePlatformInstaller\Drivers\System\GPIO
- SurfacePlatformInstaller\Drivers\System\SurfaceHidMiniDriver
- SurfacePlatformInstaller\Drivers\System\SurfaceSerialHubDriver
Or for newer MSI files beginning with "SurfaceUpdate", use:
- SurfaceUpdate\SerialIOGPIO
- SurfaceUpdate\SurfaceHidMiniDriver
- SurfaceUpdate\SurfaceSerialHubDriver
To support Surface Laptop 2, import the following folders:
- SurfacePlatformInstaller\Drivers\System\GPIO
- SurfacePlatformInstaller\Drivers\System\SurfaceHIDMiniDriver
- SurfacePlatformInstaller\Drivers\System\SurfaceSerialHubDriver
- SurfacePlatformInstaller\Drivers\System\I2C
- SurfacePlatformInstaller\Drivers\System\SPI
- SurfacePlatformInstaller\Drivers\System\UART
Or for newer MSI files beginning with "SurfaceUpdate", use:
- SurfaceUpdate\SerialIOGPIO
- SurfaceUpdate\IclSerialIOI2C
- SurfaceUpdate\IclSerialIOSPI
- SurfaceUpdate\IclSerialIOUART
- SurfaceUpdate\SurfaceHidMini
- SurfaceUpdate\SurfaceSerialHub
To support Surface Laptop 3 with Intel Processor, import the following folders:
- SurfaceUpdate\IclSerialIOGPIO
- SurfaceUpdate\IclSerialIOI2C
- SurfaceUpdate\IclSerialIOSPI
- SurfaceUpdate\IclSerialIOUART
- SurfaceUpdate\SurfaceHidMini
- SurfaceUpdate\SurfaceSerialHub
- SurfaceUpdate\SurfaceHotPlug
6. Verify that the WindowsPEX64 folder now contains the imported drivers. The folder should resemble the following:
![Image that shows the newly imported drivers in the WindowsPEX64 folder of the Deployment Workbench](./images/surface-laptop-keyboard-2.png)
1. Configure a selection profile that uses the WindowsPEX64 folder. The selection profile should resemble the following:
7. Configure a selection profile that uses the WindowsPEX64 folder. The selection profile should resemble the following:
![Image that shows the WindowsPEX64 folder selected as part of a selection profile](./images/surface-laptop-keyboard-3.png)
1. Configure the Windows PE properties of the MDT deployment share to use the new selection profile, as follows:
8. Configure the Windows PE properties of the MDT deployment share to use the new selection profile, as follows:
- For **Platform**, select **x64**.
- For **Selection profile**, select the new profile.
@ -75,7 +111,7 @@ To add the keyboard drivers to the selection profile, follow these steps:
![Image that shows the Windows PE properties of the MDT Deployment Share](./images/surface-laptop-keyboard-4.png)
1. Verify that you have configured the remaining Surface Laptop drivers by using either a selection profile or a **DriverGroup001** variable.
9. Verify that you have configured the remaining Surface Laptop drivers by using either a selection profile or a **DriverGroup001** variable.
- For Surface Laptop (1st Gen), the model is **Surface Laptop**. The remaining Surface Laptop drivers should reside in the \MDT Deployment Share\Out-of-Box Drivers\Windows10\X64\Surface Laptop folder as shown in the figure that follows this list.
- For Surface Laptop 2, the model is **Surface Laptop 2**. The remaining Surface Laptop drivers should reside in the \MDT Deployment Share\Out-of-Box Drivers\Windows10\X64\Surface Laptop 2 folder.

10
devices/surface/get-started.md
View File

@ -14,7 +14,7 @@ ms.localizationpriority: High
---
# Get started with Surface devices
Harness the power of Surface, Windows,and Office connected together through the cloud. Find tools, step-by-step guides, and other resources to help you plan, deploy, and manage Surface devices in your organization.
Harness the power of Surface, Windows, and Office connected together through the cloud. Find tools, step-by-step guides, and other resources to help you plan, deploy, and manage Surface for Business devices in your organization.
<ul class="panelContent cardsF">
<li>
@ -29,7 +29,7 @@ Harness the power of Surface, Windows,and Office connected together through the
<div class="cardText">
<h3>Plan</h3>
<p><a href="considerations-for-surface-and-system-center-configuration-manager.md">Surface and SCCM considerations</a></p>
<p><a href="deploy-surface-app-with-windows-store-for-business.md">Deploy Surface app with Microsoft Store for Business</a></p>
<p><a href="wake-on-lan-for-surface-devices.md">Wake On LAN for Surface devices</a></p>
</div>
</div>
</div>
@ -86,8 +86,8 @@ Harness the power of Surface, Windows,and Office connected together through the
</div>
<div class="cardText">
<h3>Secure</h3>
<p><a href="surface-enterprise-management-mode.md">Surface Enterprise Management Mode (SEMM)</a></p>
<p><a href="manage-surface-uefi-settings.md">Manage UEFI</a></p>
<p><a href="surface-manage-dfci-guide.md">Intune management of Surface UEFI settings</a></p>
<p><a href="surface-enterprise-management-mode.md">Surface Enterprise Management Mode (SEMM)</a></p>
<p><a href="microsoft-surface-data-eraser.md">Surface Data Eraser tool</a></p>
</div>
</div>
@ -105,6 +105,8 @@ Harness the power of Surface, Windows,and Office connected together through the
</div>
<div class="cardText">
<h3>Support</h3>
<p><a href="https://support.microsoft.com/help/4483194/maximize-surface-battery-life">Maximize your Surface battery life</a></p>
<p><a href="https://support.microsoft.com/help/4023468/surface-troubleshoot-surface-dock-and-docking-stations">Troubleshoot Surface Dock and docking stations</a></p>
<p><a href="support-solutions-surface.md">Top support solutions</a></p>
</div>
</div>

BIN
devices/surface/images/df1.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 96 KiB

After

Width:  |  Height:  |  Size: 95 KiB

BIN
devices/surface/images/manage-surface-uefi-fig5a.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 56 KiB

BIN
devices/surface/images/manage-surface-uefi-fig7a.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 59 KiB

20
devices/surface/ltsb-for-surface.md
View File

@ -10,6 +10,8 @@ ms.author: dansimp
ms.topic: article
ms.reviewer:
manager: dansimp
ms.localizationpriority: medium
ms.audience: itpro
---
# Long-Term Servicing Channel (LTSC) for Surface devices
@ -28,23 +30,7 @@ General-purpose Surface devices are intended to run on the Semi-Annual Channel t
Surface devices in specialized scenariossuch as PCs that control medical equipment, point-of-sale systems, and ATMsmight consider the use of LTSC. These special-purpose systems typically perform a single task and do not require feature updates as frequently as other devices in the organization.
## Related topics
- [Surface TechCenter](https://technet.microsoft.com/windows/surface)
- [Surface for IT pros blog](http://blogs.technet.com/b/surface/)
 
 
- [Surface IT Pro Blog](https://techcommunity.microsoft.com/t5/Surface-IT-Pro-Blog/bg-p/SurfaceITPro)

8
devices/surface/maintain-optimal-power-settings-on-Surface-devices.md
View File

@ -1,6 +1,6 @@
---
title: Best practice power settings for Surface devices
description: This topic provides best practice recommendations for maintaining optimal power settings and explains how Surface streamlines the power management experience.
description: This topic provides best practice recommendations for maintaining optimal power settings and explains how Surface streamlines the power management experience. This article applies to all currently supported Surface devices including Surface Pro 7, Surface Pro X, and Surface Laptop 3.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
@ -9,7 +9,9 @@ ms.author: dansimp
ms.topic: article
ms.reviewer:
manager: dansimp
ms.date: 08/21/2019
ms.localizationpriority: medium
ms.audience: itpro
ms.date: 10/28/2019
---
# Best practice power settings for Surface devices
@ -49,7 +51,7 @@ module (SAM). The SAM chip functions as the Surface device power-policy
owner, using algorithms to calculate optimal power requirements. It
works in conjunction with Windows power manager to allocate or throttle
only the exact amount of power required for hardware components to
function.
function. This article applies to all currently supported Surface devices including Surface Pro 7, Surface Pro X, and Surface Laptop 3.
## Utilizing the custom power profile in Surface

88
devices/surface/manage-surface-uefi-settings.md
View File

@ -17,22 +17,25 @@ manager: dansimp
# Manage Surface UEFI settings
Current and future generations of Surface devices, including Surface Pro 7, Surface Book 2, and Surface Studio 2,use a unique UEFI firmware engineered by Microsoft specifically for these devices. This firmware allows for significantly greater control of the devices operation over firmware versions in earlier generation Surface devices, including the support for touch, mouse, and keyboard operation. By using the Surface UEFI settings you can easily enable or disable internal devices or components, configure security to protect UEFI settings from being changed, and adjust the Surface device boot settings.
>[!NOTE]
>Surface Pro 3, Surface 3, Surface Pro 2, Surface 2, Surface Pro, and Surface do not use the Surface UEFI and instead use firmware provided by third-party manufacturers, such as AMI.
You can enter the Surface UEFI settings on your Surface device by pressing the **Volume Up** button and the **Power** button simultaneously. Hold the **Volume Up** button until the Surface logo is displayed, which indicates that the device has begun to boot.
All current and future generations of Surface devices use a unique Unified Extensible Firmware Interface (UEFI) engineered by Microsoft specifically for these devices. Surface UEFI settings provide the ability to enable or disable built-in devices and components, protect UEFI settings from being changed, and adjust the Surface device boot settings.
## Support for cloud-based management
With Device Firmware Configuration Interface (DFCI) profiles built into Microsoft Intune (now available in public preview), Surface UEFI management extends the modern management stack down to the UEFI hardware level. DFCI supports zero-touch provisioning, eliminates BIOS passwords, provides control of security settings including boot options and built-in peripherals, and lays the groundwork for advanced security scenarios in the future. DFCI is currently available for Surface Pro 7, Surface Pro X, and Surface Laptop 3. For more information, refer to [Intune management of Surface UEFI settings](surface-manage-dfci-guide.md).
## Open Surface UEFI menu
## PC information
To adjust UEFI settings during system startup:
On the **PC information** page, detailed information about your Surface device is provided:
1. Shut down your Surface and wait about 10 seconds to make sure it's off.
2. Press and hold the **Volume-up** button and - at the same time - press and release the **Power button.**
3. As the Microsoft or Surface logo appears on your screen, continue to hold the **Volume-up** button until the UEFI screen appears.
- **Model** Your Surface devices model will be displayed here, such as Surface Book or Surface Pro 4. The exact configuration of your device is not shown, (such as processor, disk size, or memory size).
## UEFI PC information page
The PC information page includes detailed information about your Surface device:
- **Model** Your Surface devices model will be displayed here, such as Surface Book 2 or Surface Pro 7. The exact configuration of your device is not shown, (such as processor, disk size, or memory size).
- **UUID** This Universally Unique Identification number is specific to your device and is used to identify the device during deployment or management.
- **Serial Number** This number is used to identify this specific Surface device for asset tagging and support scenarios.
@ -56,9 +59,9 @@ You will also find detailed information about the firmware of your Surface devic
You can find up-to-date information about the latest firmware version for your Surface device in the [Surface Update History](https://www.microsoft.com/surface/support/install-update-activate/surface-update-history) for your device.
## Security
## UEFI Security page
On the **Security** page of Surface UEFI settings, you can set a password to protect UEFI settings. This password must be entered when you boot the Surface device to UEFI. The password can contain the following characters (as shown in Figure 2):
The Security page allows you to set a password to protect UEFI settings. This password must be entered when you boot the Surface device to UEFI. The password can contain the following characters (as shown in Figure 2):
- Uppercase letters: A-Z
@ -74,21 +77,21 @@ The password must be at least 6 characters and is case sensitive.
*Figure 2. Add a password to protect Surface UEFI settings*
On the **Security** page you can also change the configuration of Secure Boot on your Surface device. Secure Boot technology prevents unauthorized boot code from booting on your Surface device, which protects against bootkit and rootkit-type malware infections. You can disable Secure Boot to allow your Surface device to boot third-party operating systems or bootable media. You can also configure Secure Boot to work with third-party certificates, as shown in Figure 3. Read more about [Secure Boot](https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/desktop/secure-boot-overview) in the TechNet Library.
On the Security page you can also change the configuration of Secure Boot on your Surface device. Secure Boot technology prevents unauthorized boot code from booting on your Surface device, which protects against bootkit and rootkit-type malware infections. You can disable Secure Boot to allow your Surface device to boot third-party operating systems or bootable media. You can also configure Secure Boot to work with third-party certificates, as shown in Figure 3. Read more about [Secure Boot](https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/desktop/secure-boot-overview) in the TechNet Library.
![Configure Secure Boot](images/manage-surface-uefi-fig3.png "Configure Secure Boot")
*Figure 3. Configure Secure Boot*
You can also enable or disable the Trusted Platform Module (TPM) device on the **Security** page, as shown in Figure 4. The TPM is used to authenticate encryption for your devices data with BitLocker. Read more about [BitLocker](https://technet.microsoft.com/itpro/windows/keep-secure/bitlocker-overview) in the TechNet Library.
You can also enable or disable the Trusted Platform Module (TPM) device on the Security page, as shown in Figure 4. The TPM is used to authenticate encryption for your devices data with BitLocker. Read more about [BitLocker](https://technet.microsoft.com/itpro/windows/keep-secure/bitlocker-overview) in the TechNet Library.
![Configure Surface UEFI security settings](images/manage-surface-uefi-fig4.png "Configure Surface UEFI security settings")
*Figure 4. Configure Surface UEFI security settings*
## Devices
## UEFI menu: Devices
On the **Devices** page you can enable or disable specific devices and components of your Surface device. Devices that you can enable or disable on this page include:
The Devices page allows you to enable or disable specific devices and components including:
- Docking and USB Ports
@ -106,13 +109,13 @@ On the **Devices** page you can enable or disable specific devices and component
Each device is listed with a slider button that you can move to **On** (enabled) or **Off** (disabled) position, as shown in Figure 5.
![Enable and disable specific devices](images/manage-surface-uefi-fig5.png "Enable and disable specific devices")
![Enable and disable specific devices](images/manage-surface-uefi-fig5a.png "Enable and disable specific devices")
*Figure 5. Enable and disable specific devices*
## Boot configuration
## UEFI menu: Boot configuration
On the **Boot Configuration** page, you can change the order of your boot devices and/or enable or disable boot of the following devices:
The Boot Configuration page allows you to change the order of your boot devices as well as enable or disable boot of the following devices:
- Windows Boot Manager
@ -132,68 +135,83 @@ For the specified boot order to take effect, you must set the **Enable Alternate
You can also turn on and off IPv6 support for PXE with the **Enable IPv6 for PXE Network Boot** option, for example when performing a Windows deployment using PXE where the PXE server is configured for IPv4 only.
## UEFI menu: Management
The Management page allows you to manage use of Zero Touch UEFI Management and other features on eligible devices including Surface Pro 7, Surface Pro X, and Surface Laptop 3.
## Exit
![Manage access to Zero Touch UEFI Management and other features](images/manage-surface-uefi-fig7a.png "Manage access to Zero Touch UEFI Management and other features")
*Figure 7. Manage access to Zero Touch UEFI Management and other features*
Use the **Restart Now** button on the **Exit** page to exit UEFI settings, as shown in Figure 7.
Zero Touch UEFI Management lets you remotely manage UEFI settings by using a device profile within Intune called Device Firmware Configuration Interface (DFCI). If you do not configure this setting, the ability to manage eligible devices with DFCI is set to **Ready**. To prevent DFCI, select **Opt-Out**.
> [!NOTE]
> The UEFI Management settings page and use of DFCI is only available on Surface Pro 7, Surface Pro X, and Surface Laptop 3.
For more information, refer to [Intune management of Surface UEFI settings](surface-manage-dfci-guide.md).
## UEFI menu: Exit
Use the **Restart Now** button on the **Exit** page to exit UEFI settings, as shown in Figure 8.
![Exit Surface UEFI and restart the device](images/manage-surface-uefi-fig7.png "Exit Surface UEFI and restart the device")
*Figure 7. Click Restart Now to exit Surface UEFI and restart the device*
*Figure 8. Click Restart Now to exit Surface UEFI and restart the device*
## Surface UEFI boot screens
When you update Surface device firmware, by using either Windows Update or manual installation, the updates are not applied immediately to the device, but instead during the next reboot cycle. You can find out more about the Surface firmware update process in [Manage Surface driver and firmware updates](https://docs.microsoft.com/surface/manage-surface-pro-3-firmware-updates). The progress of the firmware update is displayed on a screen with progress bars of differing colors to indicate the firmware for each component. Each components progress bar is shown in Figures 8 through 17.
When you update Surface device firmware, by using either Windows Update or manual installation, the updates are not applied immediately to the device, but instead during the next reboot cycle. You can find out more about the Surface firmware update process in [Manage Surface driver and firmware updates](https://docs.microsoft.com/surface/manage-surface-pro-3-firmware-updates). The progress of the firmware update is displayed on a screen with progress bars of differing colors to indicate the firmware for each component. Each components progress bar is shown in Figures 9 through 18.
![Surface UEFI firmware update with blue progress bar](images/manage-surface-uefi-fig8.png "Surface UEFI firmware update with blue progress bar")
*Figure 8. The Surface UEFI firmware update displays a blue progress bar*
*Figure 9. The Surface UEFI firmware update displays a blue progress bar*
![System Embedded Controller firmware with green progress bar](images/manage-surface-uefi-fig9.png "System Embedded Controller firmware with green progress bar")
*Figure 9. The System Embedded Controller firmware update displays a green progress bar*
*Figure 10. The System Embedded Controller firmware update displays a green progress bar*
![SAM Controller firmware update with orange progress bar](images/manage-surface-uefi-fig10.png "SAM Controller firmware update with orange progress bar")
*Figure 10. The SAM Controller firmware update displays an orange progress bar*
*Figure 11. The SAM Controller firmware update displays an orange progress bar*
![Intel Management Engine firmware with red progress bar](images/manage-surface-uefi-fig11.png "Intel Management Engine firmware with red progress bar")
*Figure 11. The Intel Management Engine firmware update displays a red progress bar*
*Figure 12. The Intel Management Engine firmware update displays a red progress bar*
![Surface touch firmware with gray progress bar](images/manage-surface-uefi-fig12.png "Surface touch firmware with gray progress bar")
*Figure 12. The Surface touch firmware update displays a gray progress bar*
*Figure 13. The Surface touch firmware update displays a gray progress bar*
![Surface KIP firmware with light green progress bar](images/manage-surface-uefi-fig13.png "Surface touch firmware with light green progress bar")
*Figure 13. The Surface KIP firmware update displays a light green progress bar*
*Figure 14. The Surface KIP firmware update displays a light green progress bar*
![Surface ISH firmware with pink progress bar](images/manage-surface-uefi-fig14.png "Surface ISH firmware with pink progress bar")
*Figure 14. The Surface ISH firmware update displays a light pink progress bar*
*Figure 15. The Surface ISH firmware update displays a light pink progress bar*
![Surface Trackpad firmware with gray progress bar](images/manage-surface-uefi-fig15.png "Surface Trackpad firmware with gray progress bar")
*Figure 15. The Surface Trackpad firmware update displays a pink progress bar*
*Figure 16. The Surface Trackpad firmware update displays a pink progress bar*
![Surface TCON firmware with light gray progress bar](images/manage-surface-uefi-fig16.png "Surface TCON firmware with light gray progress bar")
*Figure 16. The Surface TCON firmware update displays a light gray progress bar*
*Figure 17. The Surface TCON firmware update displays a light gray progress bar*
![Surface TPM firmware with light purple progress bar](images/manage-surface-uefi-fig17.png "Surface TPM firmware with purple progress bar")
*Figure 17. The Surface TPM firmware update displays a purple progress bar*
*Figure 18. The Surface TPM firmware update displays a purple progress bar*
>[!NOTE]
>An additional warning message that indicates Secure Boot is disabled is displayed, as shown in Figure 18.
>An additional warning message that indicates Secure Boot is disabled is displayed, as shown in Figure 19.
![Surface boot screen that indicates Secure Boot has been disabled](images/manage-surface-uefi-fig18.png "Surface boot screen that indicates Secure Boot has been disabled")
*Figure 18. Surface boot screen that indicates Secure Boot has been disabled in Surface UEFI settings*
*Figure 19. Surface boot screen that indicates Secure Boot has been disabled in Surface UEFI settings*
## Related topics
[Advanced UEFI security features for Surface Pro 3](advanced-uefi-security-features-for-surface-pro-3.md)
- [Intune management of Surface UEFI settings](surface-manage-dfci-guide.md)
- [Surface Enterprise Management Mode](surface-enterprise-management-mode.md)

4
devices/surface/microsoft-surface-brightness-control.md
View File

@ -8,9 +8,11 @@ ms.sitesec: library
author: dansimp
ms.author: dansimp
ms.topic: article
ms.date: 1/15/2019
ms.date: 10/31/2019
ms.reviewer: hachidan
manager: dansimp
ms.localizationpriority: medium
ms.audience: itpro
---
# Surface Brightness Control

7
devices/surface/microsoft-surface-deployment-accelerator.md
View File

@ -4,7 +4,7 @@ description: Microsoft Surface Deployment Accelerator provides a quick and simpl
ms.assetid: E7991E90-4AAE-44B6-8822-58BFDE3EADE4
ms.reviewer: hachidan
manager: dansimp
ms.date: 07/27/2017
ms.date: 10/31/2019
ms.localizationpriority: medium
keywords: deploy, install, tool
ms.prod: w10
@ -19,16 +19,13 @@ ms.audience: itpro
# Microsoft Surface Deployment Accelerator
Microsoft Surface Deployment Accelerator (SDA) automates the creation and configuration of a Microsoft recommended deployment experience by using free Microsoft deployment tools.
> [!NOTE]
> SDA is not currently supported on Surface Pro 7, Surface Pro X, and Surface Laptop 3. For more information refer to [Deploy Surface devices](deploy.md).
> SDA is not supported on Surface Pro 7, Surface Pro X, and Surface Laptop 3. For more information refer to [Deploy Surface devices](deploy.md).
SDA is built on the powerful suite of deployment tools available from Microsoft including the Windows Assessment and Deployment Kit (ADK), the Microsoft Deployment Toolkit (MDT), and Windows Deployment Services (WDS). The resulting deployment share encompasses the recommended best practices for managing drivers during deployment and automating image creation and can serve as a starting point upon which you build your own customized deployment solution.
You can find more information about how to deploy to Surface devices, including step-by-step walkthroughs of customized deployment solution implementation, on the Deploy page of the [Surface TechCenter](https://technet.microsoft.com/windows/dn913725).
**Download Microsoft Surface Deployment Accelerator**
You can download the installation files for SDA from the Microsoft Download Center. To download the installation files:

5
devices/surface/step-by-step-surface-deployment-accelerator.md
View File

@ -13,13 +13,16 @@ ms.sitesec: library
author: dansimp
ms.author: dansimp
ms.topic: article
ms.date: 07/27/2017
ms.date: 10/31/2019
---
# Step by step: Surface Deployment Accelerator
This article shows you how to install Microsoft Surface Deployment Accelerator (SDA), configure a deployment share for the deployment of Windows to Surface devices, and perform a deployment to Surface devices. This article also contains instructions on how to perform these tasks without an Internet connection or without support for Windows Deployment Services network boot (PXE).
> [!NOTE]
> SDA is not supported on Surface Pro 7, Surface Pro X, and Surface Laptop 3. For more information refer to [Deploy Surface devices](deploy.md).
## How to install Surface Deployment Accelerator
For information about prerequisites and instructions for how to download and install SDA, see [Microsoft Surface Deployment Accelerator](microsoft-surface-deployment-accelerator.md).

3
devices/surface/support-solutions-surface.md
View File

@ -14,6 +14,7 @@ ms.author: dansimp
ms.topic: article
ms.date: 09/26/2019
ms.localizationpriority: medium
ms.audience: itpro
---
# Top support solutions for Surface devices
@ -47,7 +48,7 @@ These are the top Microsoft Support solutions for common issues experienced when
- [Troubleshoot connecting Surface to a second screen](https://support.microsoft.com/help/4023496)
- [Microsoft Surface Dock Updater](https://docs.microsoft.com/surface/surface-dock-updater)
- [Microsoft Surface Dock Firmware Update](https://docs.microsoft.com/surface/surface-dock-updater)
## Surface Drivers and Firmware

11
devices/surface/surface-diagnostic-toolkit-business.md
View File

@ -3,12 +3,12 @@ title: Deploy Surface Diagnostic Toolkit for Business
description: This topic explains how to use the Surface Diagnostic Toolkit for Business.
ms.prod: w10
ms.mktglfcycl: manage
ms.localizationpriority: normal
ms.localizationpriority: medium
ms.sitesec: library
author: dansimp
ms.author: dansimp
ms.topic: article
ms.date: 09/27/2019
ms.date: 10/31/2019
ms.reviewer: hachidan
manager: dansimp
ms.audience: itpro
@ -172,9 +172,10 @@ You can select to run a wide range of logs across applications, drivers, hardwar
## Changes and updates
### Version 2.43.139.0
*Release date: October 21, 2019*<br>
This version of Surface Diagnostic Toolkit for Business adds support for the following:
-Surface Pro 7
-Surface Laptop 3
This version of Surface Diagnostic Toolkit for Business adds support for the following:
- Surface Pro 7
- Surface Laptop 3
### Version 2.42.139.0
*Release date: September 24, 2019*<br>

2
devices/surface/surface-diagnostic-toolkit-command-line.md
View File

@ -16,7 +16,7 @@ ms.audience: itpro
# Run Surface Diagnostic Toolkit for Business using commands
Running the Surface Diagnostic Toolkit (SDT) at a command prompt requires downloading the STD app console. After it's installed, you can run SDT at a command prompt via the Windows command console (cmd.exe) or using Windows PowerShell, including PowerShell Integrated Scripting Environment (ISE), which provides support for autocompletion of commands, copy/paste, and other features.
Running the Surface Diagnostic Toolkit (SDT) at a command prompt requires downloading the STD app console. After it's installed, you can run SDT at a command prompt via the Windows command console (cmd.exe) or using Windows PowerShell, including PowerShell Integrated Scripting Environment (ISE), which provides support for autocompletion of commands, copy/paste, and other features. For a list of supported Surface devices in SDT, refer to [Deploy Surface Diagnostic Toolkit for Business](surface-diagnostic-toolkit-business.md).
>[!NOTE]
>To run SDT using commands, you must be signed in to the Administrator account or signed in to an account that is a member of the Administrator group on your Surface device.

28
devices/surface/surface-diagnostic-toolkit-desktop-mode.md
View File

@ -7,36 +7,34 @@ ms.sitesec: library
author: dansimp
ms.author: dansimp
ms.topic: article
ms.date: 11/15/2018
ms.date: 10/31/2019
ms.reviewer: hachidan
manager: dansimp
ms.localizationpriority: normal
ms.localizationpriority: medium
ms.audience: itpro
---
# Use Surface Diagnostic Toolkit for Business in desktop mode
This topic explains how to use the Surface Diagnostic Toolkit (SDT) to help users in your organization run the tool to identify and diagnose issues with the Surface device. Successfully running SDT can quickly determine if a reported issue is caused by failed hardware or user error.
This topic explains how to use the Surface Diagnostic Toolkit (SDT) to help users in your organization run the tool to identify and diagnose issues with the Surface device. Successfully running SDT can quickly determine if a reported issue is caused by failed hardware or user error. For a list of supported Surface devices in SDT, refer to [Deploy Surface Diagnostic Toolkit for Business](surface-diagnostic-toolkit-business.md).
1. Direct the user to install [the SDT package](surface-diagnostic-toolkit-business.md#create-custom-sdt) from a software distribution point or network share. After it is installed, youre ready to guide the user through a series of tests.
2. Begin at the home page, which allows users to enter a description of the issue, and click **Continue**, as shown in figure 1.
![Start SDT in desktop mode](images/sdt-desk-1.png)
*Figure 1. SDT in desktop mode*
*Figure 1. SDT in desktop mode*
3. When SDT indicates the device has the latest updates, click **Continue** to advance to the catalog of available tests, as shown in figure 2.
![Select from SDT options](images/sdt-desk-2.png)
*Figure 2. Select from SDT options*
*Figure 2. Select from SDT options*
4. You can choose to run all the diagnostic tests. Or, if you already suspect a particular issue such as a faulty display or a power supply problem, click **Select** to choose from the available tests and click **Run Selected**, as shown in figure 3. See the following table for details of each test.
![Select hardware tests](images/sdt-desk-3.png)
*Figure 3. Select hardware tests*
*Figure 3. Select hardware tests*
Hardware test | Description
--- | ---
@ -55,6 +53,7 @@ This topic explains how to use the Surface Diagnostic Toolkit (SDT) to help user
<span id="multiple" />
## Running multiple hardware tests to troubleshoot issues
SDT is designed as an interactive tool that runs a series of tests. For each test, SDT provides instructions summarizing the nature of the test and what users should expect or look for in order for the test to be successful. For example, to diagnose if the display brightness is working properly, SDT starts at zero and increases the brightness to 100 percent, asking users to confirm by answering **Yes** or **No** -- that brightness is functioning as expected, as shown in figure 4.
@ -62,7 +61,6 @@ SDT is designed as an interactive tool that runs a series of tests. For each tes
For each test, if functionality does not work as expected and the user clicks **No**, SDT generates a report of the possible causes and ways to troubleshoot it.
![Running hardware diagnostics](images/sdt-desk-4.png)
*Figure 4. Running hardware diagnostics*
1. If the brightness successfully adjusts from 0-100 percent as expected, direct the user to click **Yes** and then click **Continue**.
@ -75,24 +73,18 @@ For each test, if functionality does not work as expected and the user clicks **
SDT enables you to diagnose and repair applications that may be causing issues, as shown in figure 5.
![Running repairs](images/sdt-desk-5.png)
*Figure 5. Running repairs*
<span id="logs" />
### Generating logs for analyzing issues
SDT provides extensive log-enabled diagnosis support across applications, drivers, hardware, and operating system issues, as shown in figure 6.
![Generating logs](images/sdt-desk-6.png)
*Figure 6. Generating logs*
<span id="detailed-report" />
### Generating detailed report comparing device vs. optimal configuration
Based on the logs, SDT generates a report for software- and firmware-based issues that you can save to a preferred location.

2
devices/surface/surface-diagnostic-toolkit-for-business-intro.md
View File

@ -10,7 +10,7 @@ ms.topic: article
ms.date: 06/11/2019
ms.reviewer: cottmca
manager: dansimp
ms.localizationpriority: normal
ms.localizationpriority: medium
ms.audience: itpro
---

8
devices/surface/surface-dock-firmware-update.md
View File

@ -8,7 +8,7 @@ ms.sitesec: library
author: dansimp
ms.author: dansimp
ms.topic: article
ms.date: 09/18/2019
ms.date: 10/09/2019
ms.reviewer: scottmca
manager: dansimp
ms.audience: itpro
@ -50,8 +50,14 @@ You can use Windows Installer commands (Msiexec.exe) to deploy Surface Dock Firm
> [!NOTE]
> A log file is not created by default. In order to create a log file, you will need to append "/l*v [path]"
> [!NOTE]
> A log file is not created by default. In order to create a log file, you will need to append "/l*v [path]"
For more information, refer to [Command line options](https://docs.microsoft.com/windows/win32/msi/command-line-options) documentation.
> [!IMPORTANT]
> If you want to keep your Surface Dock updated using any other method, refer to [Update your Surface Dock](https://support.microsoft.com/help/4023478/surface-update-your-surface-dock) for details.
## Intune deployment
You can use Intune to distribute Surface Dock Firmware Update to your devices. First you will need to convert the MSI file to the .intunewin format, as described in the following documentation: [Intune Standalone - Win32 app management](https://docs.microsoft.com/intune/apps/apps-win32-app-management).

67
devices/surface/surface-enterprise-management-mode.md
View File

@ -9,9 +9,11 @@ ms.sitesec: library
author: dansimp
ms.author: dansimp
ms.topic: article
ms.date: 01/06/2017
ms.reviewer:
ms.date: 10/31/2019
ms.reviewer: scottmca
manager: dansimp
ms.localizationpriority: medium
ms.audience: itpro
---
# Microsoft Surface Enterprise Management Mode
@ -19,12 +21,14 @@ manager: dansimp
Microsoft Surface Enterprise Management Mode (SEMM) is a feature of Surface devices with Surface UEFI that allows you to secure and manage firmware settings within your organization. With SEMM, IT professionals can prepare configurations of UEFI settings and install them on a Surface device. In addition to the ability to configure UEFI settings, SEMM also uses a certificate to protect the configuration from unauthorized tampering or removal.
>[!NOTE]
>SEMM is only available on devices with Surface UEFI firmware such as Surface Pro 4 and later, Surface Go, Surface Laptop, Surface Book, and Surface Studio. For more information about Surface UEFI, see [Manage Surface UEFI Settings](https://technet.microsoft.com/itpro/surface/manage-surface-uefi-settings).
>SEMM is only available on devices with Surface UEFI firmware.
When Surface devices are configured by SEMM and secured with the SEMM certificate, they are considered *enrolled* in SEMM. When the SEMM certificate is removed and control of UEFI settings is returned to the user of the device, the Surface device is considered *unenrolled* in SEMM.
There are two administrative options you can use to manage SEMM and enrolled Surface devices a standalone tool or integration with System Center Configuration Manager. The SEMM standalone tool, called the Microsoft Surface UEFI Configurator, is described in this article. For more information about how to manage SEMM with System Center Configuration Manager, see [Use System Center Configuration Manager to manage devices with SEMM](https://technet.microsoft.com/itpro/surface/use-system-center-configuration-manager-to-manage-devices-with-semm).
## Microsoft Surface UEFI Configurator
The primary workspace of SEMM is Microsoft Surface UEFI Configurator, as shown in Figure 1. Microsoft Surface UEFI Configurator is a tool that is used to create Windows Installer (.msi) packages or WinPE images that are used to enroll, configure, and unenroll SEMM on a Surface device. These packages contain a configuration file where the settings for UEFI are specified. SEMM packages also contain a certificate that is installed and stored in firmware and used to verify the signature of configuration files before UEFI settings are applied.
@ -33,8 +37,6 @@ The primary workspace of SEMM is Microsoft Surface UEFI Configurator, as shown i
*Figure 1. Microsoft Surface UEFI Configurator*
>[!NOTE]
>Windows 10 is required to run Microsoft Surface UEFI Configurator
You can use the Microsoft Surface UEFI Configurator tool in three modes:
@ -62,17 +64,9 @@ See the [Surface Enterprise Management Mode certificate requirements](#surface-e
After a device is enrolled in SEMM, the configuration file is read and the settings specified in the file are applied to UEFI. When you run a configuration package on a device that is already enrolled in SEMM, the signature of the configuration file is checked against the certificate that is stored in the device firmware. If the signature does not match, no changes are applied to the device.
You can use Surface UEFI settings to enable or disable the operation of individual components, such as cameras, wireless communication, or docking USB port (as shown in Figure 3), and configure advanced settings (as shown in Figure 4).
### Enable or disable devices in Surface UEFI with SEMM
![Enable or disable devices in Surface UEFI with SEMM](images/surface-ent-mgmt-fig3-enabledisable.png "Enable or disable devices in Surface UEFI with SEMM")
*Figure 3. Enable or disable devices in Surface UEFI with SEMM*
![Configure advanced settings in SEMM](images/surface-ent-mgmt-fig4-advancedsettings.png "Configure advanced settings in SEMM")
*Figure 4. Configure advanced settings with SEMM*
You can enable or disable the following devices with SEMM:
The following list shows all the available devices you can manage in SEMM:
* Docking USB Port
* On-board Audio
@ -86,31 +80,40 @@ You can enable or disable the following devices with SEMM:
* Wi-Fi and Bluetooth
* LTE
You can configure the following advanced settings with SEMM:
>[!NOTE]
>The built-in devices that appear in the UEFI Devices page may vary depending on your device or corporate environment. For example, the UEFI Devices page is not supported on Surface Pro X; LTE only appears on LTE-equipped devices.
### Configure advanced settings with SEMM
**Table 1. Advanced settings**
| Setting | Description |
| ---------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| IPv6 for PXE Boot | Allows you to manage Ipv6 support for PXE boot. If you do not configure this setting, IPv6 support for PXE boot is disabled. |
| Alternate Boot | Allows you to manage use of an Alternate boot order to boot directly to a USB or Ethernet device by pressing both the Volume Down button and Power button during boot. If you do not configure this setting, Alternate boot is enabled. |
| Boot Order Lock | Allows you to lock the boot order to prevent changes. If you do not configure this setting, Boot Order Lock is disabled. |
| USB Boot | Allows you to manage booting to USB devices. If you do not configure this setting, USB Boot is enabled. |
| Network Stack | Allows you to manage Network Stack boot settings. If you do not configure this setting, the ability to manage Network Stack boot settings is enabled. |
| Auto Power On | Allows you to manage Auto Power On boot settings. If you do not configure this setting, Auto Power on is enabled. |
| Simultaneous Multi-Threading (SMT) | Allows you to manage Simultaneous Multi-Threading (SMT) to enable or disable hyperthreading. If you do not configure this setting, SMT is enabled. |
|Enable Battery limit| Allows you to manage Battery limit functionality. If you do not configure this setting, Battery limit is enabled |
| Security | Displays the Surface UEFI **Security** page. If you do not configure this setting, the Security page is displayed. |
| Devices | Displays the Surface UEFI **Devices** page. If you do not configure this setting, the Devices page is displayed. |
| Boot | Displays the Surface UEFI **Boot** page. If you do not configure this setting, the DateTime page is displayed. |
| DateTime | Displays the Surface UEFI **DateTime** page. If you do not configure this setting, the DateTime page is displayed. |
* IPv6 support for PXE boot
* Alternate boot order, where the Volume Down button and Power button can be pressed together during boot, to boot directly to a USB or Ethernet device
* Lock the boot order to prevent changes
* Support for booting to USB devices
* Enable Network Stack boot settings
* Enable Auto Power On boot settings
* Display of the Surface UEFI **Security** page
* Display of the Surface UEFI **Devices** page
* Display of the Surface UEFI **Boot** page
* Display of the Surface UEFI **DateTime** page
>[!NOTE]
>When you create a SEMM configuration package, two characters are shown on the **Successful** page, as shown in Figure 5.
>When you create a SEMM configuration package, two characters are shown on the **Successful** page, as shown in Figure 3.
![Certificate thumbprint display](images/surface-ent-mgmt-fig5-success.png "Certificate thumbprint display")
*Figure 5. Display of the last two characters of the certificate thumbprint on the Successful page*
*Figure 3. Display of the last two characters of the certificate thumbprint on the Successful page*
These characters are the last two characters of the certificate thumbprint and should be written down or recorded. The characters are required to confirm enrollment in SEMM on a Surface device, as shown in Figure 6.
These characters are the last two characters of the certificate thumbprint and should be written down or recorded. The characters are required to confirm enrollment in SEMM on a Surface device, as shown in Figure 4.
![Enrollment confirmation in SEMM](images/surface-ent-mgmt-fig6-enrollconfirm.png "Enrollment confirmation in SEMM")
*Figure 6. Enrollment confirmation in SEMM with the SEMM certificate thumbprint*
*Figure 4. Enrollment confirmation in SEMM with the SEMM certificate thumbprint*
>[!NOTE]
>Administrators with access to the certificate file (.pfx) can read the thumbprint at any time by opening the .pfx file in CertMgr. To view the thumbprint with CertMgr, follow this process:
@ -132,11 +135,11 @@ A Surface UEFI reset package is used to perform only one task — to unenroll a
### Recovery request
In some scenarios, it may be impossible to use a Surface UEFI reset package. (For example, if Windows becomes unusable on the Surface device.) In these scenarios you can unenroll the Surface device from SEMM through the **Enterprise Management** page of Surface UEFI (shown in Figure 7) with a Recovery Request operation.
In some scenarios, it may be impossible to use a Surface UEFI reset package. (For example, if Windows becomes unusable on the Surface device.) In these scenarios you can unenroll the Surface device from SEMM through the **Enterprise Management** page of Surface UEFI (shown in Figure 5) with a Recovery Request operation.
![Initiate a SEMM recovery request](images/surface-ent-mgmt-fig7-semmrecovery.png "Initiate a SEMM recovery request")
*Figure 7. Initiate a SEMM recovery request on the Enterprise Management page*
*Figure 5. Initiate a SEMM recovery request on the Enterprise Management page*
When you use the process on the **Enterprise Management** page to reset SEMM on a Surface device, you are provided with a Reset Request. This Reset Request can be saved as a file to a USB drive, copied as text, or read as a QR Code with a mobile device to be easily emailed or messaged. Use the Microsoft Surface UEFI Configurator Reset Request option to load a Reset Request file or enter the Reset Request text or QR Code. Microsoft Surface UEFI Configurator will generate a verification code that can be entered on the Surface device. If you enter the code on the Surface device and click **Restart**, the device will be unenrolled from SEMM.

13
devices/surface/surface-manage-dfci-guide.md
View File

@ -17,11 +17,11 @@ ms.audience: itpro
## Introduction
The ability to manage devices from the cloud has dramatically simplified IT deployment and provisioning across the lifecycle. With Device Firmware Configuration Interface (DFCI) profiles built into Microsoft Intune (now available in public preview), Surface UEFI management extends the modern management stack down to the UEFI hardware level. DFCI supports zero-touch provisioning, eliminates BIOS passwords, provides control of security settings including boot options and built-in peripherals, and lays the groundwork for advanced security scenarios in the future.
The ability to manage devices from the cloud has dramatically simplified IT deployment and provisioning across the lifecycle. With Device Firmware Configuration Interface (DFCI) profiles built into Microsoft Intune (now available in [public preview](https://docs.microsoft.com/intune/configuration/device-firmware-configuration-interface-windows)), Surface UEFI management extends the modern management stack down to the UEFI hardware level. DFCI supports zero-touch provisioning, eliminates BIOS passwords, provides control of security settings including boot options and built-in peripherals, and lays the groundwork for advanced security scenarios in the future. For answers to frequently asked questions, see [Ignite 2019: Announcing remote management of Surface UEFI settings from Intune](https://techcommunity.microsoft.com/t5/Surface-IT-Pro-Blog/Ignite-2019-Announcing-remote-management-of-Surface-UEFI/ba-p/978333).
### Background
Like any computer running Windows 10, Surface devices rely on code stored in the SoC that enables the CPU to interface with hard drives, display devices, USB ports, and other devices. The programs stored in this read-only memory (ROM) are collectively known as firmware (while programs stored in dynamic media are known as software).
Like any computer running Windows 10, Surface devices rely on code stored in the SoC that enables the CPU to interface with hard drives, display devices, USB ports, and other devices. The programs stored in this read-only memory (ROM) are known as firmware (while programs stored in dynamic media are known as software).
In contrast to other Windows 10 devices available in the market today, Surface provides IT admins with the ability to configure and manage firmware through a rich set of UEFI configuration settings. This provides a layer of hardware control on top of software-based policy management as implemented via mobile device management (MDM) policies, Configuration Manager or Group Policy. For example, organizations deploying devices in highly secure areas with sensitive information can prevent camera use by removing functionality at the hardware level. From a device standpoint, turning the camera off via a firmware setting is equivalent to physically removing the camera. Compare the added security of managing at the firmware level to relying only on operating system software settings. For example, if you disable the Windows audio service via a policy setting in a domain environment, a local admin could still re-enable the service.
@ -43,13 +43,13 @@ At this time, DFCI is supported in the following devices:
## Prerequisites
- Devices must be registered with Windows Autopilot by your reseller or distributor. For more information, refer to the [Microsoft Device Partner Center](https://devicepartner.microsoft.com/support).
- Devices must be registered with Windows Autopilot by a [Microsoft Cloud Solution Provider (CSP) partner](https://partner.microsoft.com/membership/cloud-solution-provider) or OEM distributor.
- Before configuring DFCI for Surface, you should already be familiar with [Microsoft Intune](https://docs.microsoft.com/intune/) and [Azure Active Directory](https://docs.microsoft.com/azure/active-directory/) (Azure AD).
- Before configuring DFCI for Surface, you should be familiar with Autopilot configuration requirements in [Microsoft Intune](https://docs.microsoft.com/intune/) and [Azure Active Directory](https://docs.microsoft.com/azure/active-directory/) (Azure AD).
## Before you begin
Add your target Surface devices to an Azure AD security group. For more information about creating and managing security groups, refer to [Azure AD documentation](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal).
Add your target Surface devices to an Azure AD security group. For more information about creating and managing security groups, refer to [Intune documentation](https://docs.microsoft.com/intune/configuration/device-firmware-configuration-interface-windows#create-your-azure-ad-security-groups).
## Configure DFCI management for Surface devices
@ -167,6 +167,7 @@ If the original DFCI profile has been deleted, you can remove policy settings by
6. Validate DFCI is removed from the device in the UEFI.
## Learn more
- [Windows Autopilot](https://www.microsoft.com/microsoft-365/windows/windows-autopilot)
- [Ignite 2019: Announcing remote management of Surface UEFI settings from Intune](https://techcommunity.microsoft.com/t5/Surface-IT-Pro-Blog/Ignite-2019-Announcing-remote-management-of-Surface-UEFI/ba-p/978333)
[Windows Autopilot](https://www.microsoft.com/microsoft-365/windows/windows-autopilot)
- [Windows Autopilot and Surface devices](windows-autopilot-and-surface-devices.md)
- [Use DFCI profiles on Windows devices in Microsoft Intune](https://docs.microsoft.com/intune/configuration/device-firmware-configuration-interface-windows)

9
devices/surface/surface-pro-arm-app-management.md
View File

@ -36,7 +36,7 @@ Organizations already using modern management, security, and productivity soluti
## Image-based deployment considerations
Surface Pro X will be released without a standard Windows .ISO deployment image, which means its not supported on the Microsoft Deployment Toolkit (MDT) or operating system deployment methods using System Center Configuration Manager (SCCM) aka ConfiMgr. Customers relying on image-based deployment should consider Surface Pro 7 while they continue to evaluate the right time to transition to the cloud.
Microsoft Deployment Toolkit (MDT) and System Center Configuration Manager (SCCM) operating system deployment currently do not support Surface Pro X. Customers relying on image-based deployment should consider Surface Pro 7 while they continue to evaluate the right time to transition to the cloud.
## Managing Surface Pro X devices
@ -147,13 +147,12 @@ The following tables show the availability of selected key features on Surface P
| Conditional Access | Yes | Yes | |
| Secure Boot | Yes | Yes | |
| Windows Information Protection | Yes | Yes | |
| Surface Data Eraser (SDE) | Yes | Yes | |
| Surface Data Eraser (SDE) | Yes | Yes |
## FAQ
### Will an OS image be available at launch?
### Can I deploy Surface Pro X with MDT or SCCM?
No. Surface Pro X will be released without a standard Windows .ISO deployment image, which means its not supported on the Microsoft Deployment Toolkit (MDT) or operating system deployment methods using System Center Configuration Manager (SCCM) aka ConfiMgr. Customers relying on image-based deployment should consider Surface Pro 7 while they continue to evaluate the right time to transition to the cloud.
The Microsoft Deployment Toolkit and System Center Configuration Manager operating system deployment currently do not support Surface Pro X. Customers relying on image-based deployment should consider Surface Pro 7 while they continue to evaluate the right time to transition to the cloud.
### How can I deploy Surface Pro X?

9
devices/surface/surface-system-sku-reference.md
View File

@ -9,9 +9,11 @@ ms.sitesec: library
author: dansimp
ms.author: dansimp
ms.topic: article
ms.date: 03/20/2019
ms.date: 10/31/2019
ms.reviewer:
manager: dansimp
ms.localizationpriority: medium
ms.audience: itpro
---
# System SKU reference
@ -39,6 +41,11 @@ System Model and System SKU are variables that are stored in the System Manageme
| Surface Pro 6 Commercial | Surface Pro 6 | Surface_Pro_6_1796_Commercial |
| Surface Laptop 2 Consumer | Surface Laptop 2 | Surface_Laptop_2_1769_Consumer |
| Surface Laptop 2 Commercial | Surface Laptop 2 | Surface_Laptop_2_1769_Commercial |
| Surface Pro 7 | Surface Pro 7 | Surface_Pro_7_1866 |
| Surface Pro X | Surface Pro X | Surface_Pro_X_1876 |
| Surface Laptop 3 13" Intel | Surface Laptop 3 | Surface_Laptop_3_1867:1868 |
| Surface Laptop 3 15" Intel | Surface Laptop 3 | Surface_Laptop_3_1872 |
| Surface Laptop 3 15" AMD | Surface Laptop 3 | Surface_Laptop_3_1873 |
## Examples

7
devices/surface/surface-wireless-connect.md
View File

@ -6,16 +6,15 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: dansimp
ms.audience: itpro
ms.localizationpriority: normal
ms.localizationpriority: medium
ms.author: dansimp
ms.topic: article
ms.date: 08/15/2019
ms.date: 10/31/2019
ms.reviewer: tokatz
manager: dansimp
---
# Optimize Wi-Fi connectivity for Surface devices
## Introduction
To stay connected with all-day battery life, Surface devices implement wireless connectivity settings that balance performance and power conservation. Outside of the most demanding mobility scenarios, users can maintain sufficient wireless connectivity without modifying default network adapter or related settings.
@ -32,7 +31,7 @@ If youre managing a wireless network thats typically accessed by many diff
- **802.11r.** “**Fast BSS Transition”** accelerates connecting to new wireless access points by reducing the number of frames required before your device can access another AP as you move around with your device.
- **802.11k.** **“Neighbor Reports”** provides devices with information on current conditions at neighboring access points. It can help your Surface device choose the best AP using criteria other than signal strength such as AP utilization.
Surface Go devices can also use 802.11v “BSS Transition Management Frames,” which functions much like 802.11k in providing information on nearby candidate APs.
Specific Surface devices can also use 802.11v “BSS Transition Management Frames,” which functions much like 802.11k in providing information on nearby candidate APs. These include Surface Go, Surface Pro 7, Surface Pro X, and Surface Laptop 3.
## Managing user settings

2
devices/surface/unenroll-surface-devices-from-semm.md
View File

@ -12,6 +12,8 @@ ms.topic: article
ms.date: 01/06/2017
ms.reviewer:
manager: dansimp
ms.localizationpriority: medium
ms.audience: itpro
---
# Unenroll Surface devices from SEMM

6
devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md
View File

@ -9,9 +9,11 @@ ms.sitesec: library
author: dansimp
ms.author: dansimp
ms.topic: article
ms.date: 02/01/2017
ms.date: 10/31/2019
ms.reviewer:
manager: dansimp
ms.localizationpriority: medium
ms.audience: itpro
---
# Use System Center Configuration Manager to manage devices with SEMM
@ -382,7 +384,7 @@ To configure Surface UEFI settings or permissions for Surface UEFI settings, you
The computer where ShowSettingsOptions.ps1 is run must have Microsoft Surface UEFI Manager installed, but the script does not require a Surface device.
The following tables show the available settings for Surface Pro 4 and Surface Book:
The following tables show the available settings for Surface Pro 4 and later including Surface Pro 7, Surface Book, Surface Laptop 3, and Surface Go.
*Table 1. Surface UEFI settings for Surface Pro 4*

2
devices/surface/using-the-sda-deployment-share.md
View File

@ -23,7 +23,7 @@ With Microsoft Surface Deployment Accelerator (SDA), you can quickly and easily
For more information about SDA and information on how to download SDA, see [Microsoft Surface Deployment Accelerator (SDA)](https://technet.microsoft.com/itpro/surface/microsoft-surface-deployment-accelerator).
> [!NOTE]
> SDA is not currently supported on Surface Pro 7, Surface Pro X, and Surface Laptop 3. For more information refer to [Deploy Surface devices](deploy.md).
> SDA is not supported on Surface Pro 7, Surface Pro X, and Surface Laptop 3. For more information refer to [Deploy Surface devices](deploy.md).
Using SDA provides these primary benefits: