mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-13 05:47:23 +00:00
SEMM and UEFI updates
parent
a62120574a
commit
15fe44be0f
BIN
devices/surface/images/manage-surface-uefi-fig5a.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 56 KiB |
BIN
devices/surface/images/manage-surface-uefi-fig7a.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 59 KiB |
@ -31,9 +31,9 @@ To adjust UEFI settings during system startup:
|
||||
2. Press and hold the **Volume-up** button and - at the same time - press and release the **Power button.**
|
||||
3. As the Microsoft or Surface logo appears on your screen, continue to hold the **Volume-up** button until the UEFI screen appears.
|
||||
|
||||
## PC information
|
||||
## UEFI PC information page
|
||||
|
||||
On the **PC information** page, detailed information about your Surface device is provided:
|
||||
The PC information page includes detailed information about your Surface device:
|
||||
|
||||
- **Model** – Your Surface device’s model will be displayed here, such as Surface Book 2 or Surface Pro 7. The exact configuration of your device is not shown, (such as processor, disk size, or memory size).
|
||||
- **UUID** – This Universally Unique Identification number is specific to your device and is used to identify the device during deployment or management.
|
||||
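Review bot: The renamed heading `## UEFI PC information page` does not follow the pattern used for the later sections in this same commit (`## UEFI menu: Devices`, `## UEFI menu: Boot configuration`); pick one form and use it for every page heading. Renaming the heading also changes its generated anchor, so links that target the old heading anchor need to be checked.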
@ -59,9 +59,9 @@ You will also find detailed information about the firmware of your Surface devic
|
||||
|
||||
You can find up-to-date information about the latest firmware version for your Surface device in the [Surface Update History](https://www.microsoft.com/surface/support/install-update-activate/surface-update-history) for your device.
|
||||
|
||||
## Security
|
||||
## UEFI Security page
|
||||
|
||||
On the **Security** page of Surface UEFI settings, you can set a password to protect UEFI settings. This password must be entered when you boot the Surface device to UEFI. The password can contain the following characters (as shown in Figure 2):
|
||||
The Security page allows you to set a password to protect UEFI settings. This password must be entered when you boot the Surface device to UEFI. The password can contain the following characters (as shown in Figure 2):
|
||||
|
||||
- Uppercase letters: A-Z
|
||||
|
||||
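Review bot: The rewritten intro drops the bold on the page name (`**Security** page` becomes `Security page`), while the Exit section of this file still writes `**Exit** page` and `**Restart Now**`. Keep UI labels bold throughout the article or remove the bold everywhere, so readers can tell on-screen names from ordinary words.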
@ -77,21 +77,21 @@ The password must be at least 6 characters and is case sensitive.
|
||||
|
||||
*Figure 2. Add a password to protect Surface UEFI settings*
|
||||
|
||||
On the **Security** page you can also change the configuration of Secure Boot on your Surface device. Secure Boot technology prevents unauthorized boot code from booting on your Surface device, which protects against bootkit and rootkit-type malware infections. You can disable Secure Boot to allow your Surface device to boot third-party operating systems or bootable media. You can also configure Secure Boot to work with third-party certificates, as shown in Figure 3. Read more about [Secure Boot](https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/desktop/secure-boot-overview) in the TechNet Library.
|
||||
On the Security page you can also change the configuration of Secure Boot on your Surface device. Secure Boot technology prevents unauthorized boot code from booting on your Surface device, which protects against bootkit and rootkit-type malware infections. You can disable Secure Boot to allow your Surface device to boot third-party operating systems or bootable media. You can also configure Secure Boot to work with third-party certificates, as shown in Figure 3. Read more about [Secure Boot](https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/desktop/secure-boot-overview) in the TechNet Library.
|
||||
|
||||

|
||||
|
||||
*Figure 3. Configure Secure Boot*
|
||||
|
||||
You can also enable or disable the Trusted Platform Module (TPM) device on the **Security** page, as shown in Figure 4. The TPM is used to authenticate encryption for your device’s data with BitLocker. Read more about [BitLocker](https://technet.microsoft.com/itpro/windows/keep-secure/bitlocker-overview) in the TechNet Library.
|
||||
You can also enable or disable the Trusted Platform Module (TPM) device on the Security page, as shown in Figure 4. The TPM is used to authenticate encryption for your device’s data with BitLocker. Read more about [BitLocker](https://technet.microsoft.com/itpro/windows/keep-secure/bitlocker-overview) in the TechNet Library.
|
||||
|
||||

|
||||
|
||||
*Figure 4. Configure Surface UEFI security settings*
|
||||
|
||||
## Devices
|
||||
## UEFI menu: Devices
|
||||
|
||||
On the **Devices** page you can enable or disable specific devices and components of your Surface device. Devices that you can enable or disable on this page include:
|
||||
The Devices page allows you to enable or disable specific devices and components including:
|
||||
|
||||
- Docking and USB Ports
|
||||
|
||||
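Review bot: Both rewritten paragraphs still end with "in the TechNet Library", but the Secure Boot link points at msdn.microsoft.com, and other links in this file already use docs.microsoft.com. Since these lines are being edited anyway, drop the "TechNet Library" wording or update the link text and targets together.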
@ -109,13 +109,13 @@ On the **Devices** page you can enable or disable specific devices and component
|
||||
|
||||
Each device is listed with a slider button that you can move to **On** (enabled) or **Off** (disabled) position, as shown in Figure 5.
|
||||
|
||||

|
||||

|
||||
|
||||
*Figure 5. Enable and disable specific devices*
|
||||
|
||||
## Boot configuration
|
||||
## UEFI menu: Boot configuration
|
||||
|
||||
On the **Boot Configuration** page, you can change the order of your boot devices and/or enable or disable boot of the following devices:
|
||||
The Boot Configuration page allows you to change the order of your boot devices as well as enable or disable boot of the following devices:
|
||||
|
||||
- Windows Boot Manager
|
||||
|
||||
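Review bot: The Figure 5 image reference switches to `manage-surface-uefi-fig5a.png`, and the commit only adds the new PNG; nothing visible here removes `manage-surface-uefi-fig5.png`. If no other page uses the old image, delete it in the same change so the images folder does not collect orphans. The alt text is unchanged, so confirm it still describes the new screenshot.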
@ -135,68 +135,83 @@ For the specified boot order to take effect, you must set the **Enable Alternate
|
||||
|
||||
You can also turn on and off IPv6 support for PXE with the **Enable IPv6 for PXE Network Boot** option, for example when performing a Windows deployment using PXE where the PXE server is configured for IPv4 only.
|
||||
|
||||
## UEFI menu: Management
|
||||
The Management page allows you to manage use of Zero Touch UEFI Management and other features on eligible devices including Surface Pro 7, Surface Pro X, and Surface Laptop 3.
|
||||
|
||||
## Exit
|
||||

|
||||
*Figure 7. Manage access to Zero Touch UEFI Management and other features*
|
||||
|
||||
Use the **Restart Now** button on the **Exit** page to exit UEFI settings, as shown in Figure 7.
|
||||
|
||||
Zero Touch UEFI Management lets you remotely manage UEFI settings by using a device profile within Intune called Device Firmware Configuration Interface (DFCI). If you do not configure this setting, the ability to manage eligible devices with DFCI is set to **Ready**. To prevent DFCI, select **Opt-Out**.
|
||||
|
||||
> [!NOTE]
|
||||
> The UEFI Management settings page and use of DFCI is only available on Surface Pro 7, Surface Pro X, and Surface Laptop 3.
|
||||
|
||||
For more information, refer to [Intune management of Surface UEFI settings](surface-manage-dfci-guide.md).
|
||||
|
||||
## UEFI menu: Exit
|
||||
|
||||
Use the **Restart Now** button on the **Exit** page to exit UEFI settings, as shown in Figure 8.
|
||||
|
||||

|
||||
|
||||
*Figure 7. Click Restart Now to exit Surface UEFI and restart the device*
|
||||
*Figure 8. Click Restart Now to exit Surface UEFI and restart the device*
|
||||
|
||||
## Surface UEFI boot screens
|
||||
|
||||
When you update Surface device firmware, by using either Windows Update or manual installation, the updates are not applied immediately to the device, but instead during the next reboot cycle. You can find out more about the Surface firmware update process in [Manage Surface driver and firmware updates](https://docs.microsoft.com/surface/manage-surface-pro-3-firmware-updates). The progress of the firmware update is displayed on a screen with progress bars of differing colors to indicate the firmware for each component. Each component’s progress bar is shown in Figures 8 through 17.
|
||||
When you update Surface device firmware, by using either Windows Update or manual installation, the updates are not applied immediately to the device, but instead during the next reboot cycle. You can find out more about the Surface firmware update process in [Manage Surface driver and firmware updates](https://docs.microsoft.com/surface/manage-surface-pro-3-firmware-updates). The progress of the firmware update is displayed on a screen with progress bars of differing colors to indicate the firmware for each component. Each component’s progress bar is shown in Figures 9 through 18.
|
||||
|
||||

|
||||
|
||||
*Figure 8. The Surface UEFI firmware update displays a blue progress bar*
|
||||
*Figure 9. The Surface UEFI firmware update displays a blue progress bar*
|
||||
|
||||

|
||||
|
||||
*Figure 9. The System Embedded Controller firmware update displays a green progress bar*
|
||||
*Figure 10. The System Embedded Controller firmware update displays a green progress bar*
|
||||
|
||||

|
||||
|
||||
*Figure 10. The SAM Controller firmware update displays an orange progress bar*
|
||||
*Figure 11. The SAM Controller firmware update displays an orange progress bar*
|
||||
|
||||

|
||||
|
||||
*Figure 11. The Intel Management Engine firmware update displays a red progress bar*
|
||||
*Figure 12. The Intel Management Engine firmware update displays a red progress bar*
|
||||
|
||||

|
||||
|
||||
*Figure 12. The Surface touch firmware update displays a gray progress bar*
|
||||
*Figure 13. The Surface touch firmware update displays a gray progress bar*
|
||||
|
||||

|
||||
|
||||
*Figure 13. The Surface KIP firmware update displays a light green progress bar*
|
||||
*Figure 14. The Surface KIP firmware update displays a light green progress bar*
|
||||
|
||||

|
||||
|
||||
*Figure 14. The Surface ISH firmware update displays a light pink progress bar*
|
||||
*Figure 15. The Surface ISH firmware update displays a light pink progress bar*
|
||||
|
||||

|
||||
|
||||
*Figure 15. The Surface Trackpad firmware update displays a pink progress bar*
|
||||
*Figure 16. The Surface Trackpad firmware update displays a pink progress bar*
|
||||
|
||||

|
||||
|
||||
*Figure 16. The Surface TCON firmware update displays a light gray progress bar*
|
||||
*Figure 17. The Surface TCON firmware update displays a light gray progress bar*
|
||||
|
||||
|
||||

|
||||
|
||||
*Figure 17. The Surface TPM firmware update displays a purple progress bar*
|
||||
*Figure 18. The Surface TPM firmware update displays a purple progress bar*
|
||||
|
||||
|
||||
>[!NOTE]
|
||||
>An additional warning message that indicates Secure Boot is disabled is displayed, as shown in Figure 18.
|
||||
>An additional warning message that indicates Secure Boot is disabled is displayed, as shown in Figure 19.
|
||||
|
||||

|
||||
|
||||
*Figure 18. Surface boot screen that indicates Secure Boot has been disabled in Surface UEFI settings*
|
||||
*Figure 19. Surface boot screen that indicates Secure Boot has been disabled in Surface UEFI settings*
|
||||
|
||||
## Related topics
|
||||
|
||||
[Advanced UEFI security features for Surface Pro 3](advanced-uefi-security-features-for-surface-pro-3.md)
|
||||
- [Intune management of Surface UEFI settings](surface-manage-dfci-guide.md)
|
||||
|
||||
- [Surface Enterprise Management Mode](surface-enterprise-management-mode.md)
|
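Review bot: After the renumbering, figure numbers and image file names no longer line up: the new Management screenshot is `manage-surface-uefi-fig7a.png` captioned Figure 7, the Exit screenshot stays `manage-surface-uefi-fig7.png` but is now Figure 8, and every later caption is one ahead of its file name. That is easy to get wrong on the next edit; rename the files or record the offset. In the new Management text the supported-device list appears twice (intro sentence and NOTE), and "use of DFCI is only available" should read "are only available". Under Related topics, if the Surface Pro 3 entry is kept it needs the same `- ` prefix as the other two entries.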
@ -173,6 +173,7 @@ You can select to run a wide range of logs across applications, drivers, hardwar
|
||||
### Version 2.43.139.0
|
||||
*Release date: October 21, 2019*<br>
|
||||
This version of Surface Diagnostic Toolkit for Business adds support for the following:
|
||||
|
||||
- Surface Pro 7
|
||||
- Surface Laptop 3
|
||||
|
||||
|
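Review bot: The support list for version 2.43.139.0 names Surface Pro 7 and Surface Laptop 3 only, while the UEFI changes in this commit group Surface Pro X with those two devices. Confirm whether this SDT release supports Surface Pro X, and either list it or leave it out deliberately.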
@ -16,7 +16,7 @@ ms.audience: itpro
|
||||
|
||||
# Run Surface Diagnostic Toolkit for Business using commands
|
||||
|
||||
Running the Surface Diagnostic Toolkit (SDT) at a command prompt requires downloading the STD app console. After it's installed, you can run SDT at a command prompt via the Windows command console (cmd.exe) or using Windows PowerShell, including PowerShell Integrated Scripting Environment (ISE), which provides support for autocompletion of commands, copy/paste, and other features.
|
||||
Running the Surface Diagnostic Toolkit (SDT) at a command prompt requires downloading the STD app console. After it's installed, you can run SDT at a command prompt via the Windows command console (cmd.exe) or using Windows PowerShell, including PowerShell Integrated Scripting Environment (ISE), which provides support for autocompletion of commands, copy/paste, and other features. For a list of supported Surface devices in SDT, refer to [Deploy Surface Diagnostic Toolkit for Business](surface-diagnostic-toolkit-business.md).
|
||||
|
||||
>[!NOTE]
|
||||
>To run SDT using commands, you must be signed in to the Administrator account or signed in to an account that is a member of the Administrator group on your Surface device.
|
||||
|
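Review bot: The first sentence still reads "downloading the STD app console"; the tool is abbreviated SDT everywhere else in the paragraph, so fix the typo while this line is being changed. The NOTE below says "member of the Administrator group"; the built-in Windows group is named Administrators.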
@ -16,7 +16,8 @@ ms.audience: itpro
|
||||
|
||||
# Use Surface Diagnostic Toolkit for Business in desktop mode
|
||||
|
||||
This topic explains how to use the Surface Diagnostic Toolkit (SDT) to help users in your organization run the tool to identify and diagnose issues with the Surface device. Successfully running SDT can quickly determine if a reported issue is caused by failed hardware or user error.
|
||||
This topic explains how to use the Surface Diagnostic Toolkit (SDT) to help users in your organization run the tool to identify and diagnose issues with the Surface device. Successfully running SDT can quickly determine if a reported issue is caused by failed hardware or user error. For a list of supported Surface devices in SDT, refer to [Deploy Surface Diagnostic Toolkit for Business](surface-diagnostic-toolkit-business.md).
|
||||
|
||||
|
||||
1. Direct the user to install [the SDT package](surface-diagnostic-toolkit-business.md#create-custom-sdt) from a software distribution point or network share. After it is installed, you’re ready to guide the user through a series of tests.
|
||||
|
||||
|
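Review bot: The added sentence links to the top of `surface-diagnostic-toolkit-business.md`, whereas step 1 just below links to a section anchor on the same page (`#create-custom-sdt`). If the target page has a heading for supported devices, link to that anchor so readers land on the list. The same sentence is pasted into the command-line topic, so apply the change in both places.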
@ -21,12 +21,14 @@ ms.audience: itpro
|
||||
Microsoft Surface Enterprise Management Mode (SEMM) is a feature of Surface devices with Surface UEFI that allows you to secure and manage firmware settings within your organization. With SEMM, IT professionals can prepare configurations of UEFI settings and install them on a Surface device. In addition to the ability to configure UEFI settings, SEMM also uses a certificate to protect the configuration from unauthorized tampering or removal.
|
||||
|
||||
>[!NOTE]
|
||||
>SEMM is only available on devices with Surface UEFI firmware such as Surface Pro 4 and later, Surface Go, Surface Laptop, Surface Book, and Surface Studio. For more information about Surface UEFI, see [Manage Surface UEFI Settings](https://technet.microsoft.com/itpro/surface/manage-surface-uefi-settings).
|
||||
>SEMM is only available on devices with Surface UEFI firmware.
|
||||
|
||||
|
||||
When Surface devices are configured by SEMM and secured with the SEMM certificate, they are considered *enrolled* in SEMM. When the SEMM certificate is removed and control of UEFI settings is returned to the user of the device, the Surface device is considered *unenrolled* in SEMM.
|
||||
|
||||
There are two administrative options you can use to manage SEMM and enrolled Surface devices – a standalone tool or integration with System Center Configuration Manager. The SEMM standalone tool, called the Microsoft Surface UEFI Configurator, is described in this article. For more information about how to manage SEMM with System Center Configuration Manager, see [Use System Center Configuration Manager to manage devices with SEMM](https://technet.microsoft.com/itpro/surface/use-system-center-configuration-manager-to-manage-devices-with-semm).
|
||||
|
||||
|
||||
## Microsoft Surface UEFI Configurator
|
||||
|
||||
The primary workspace of SEMM is Microsoft Surface UEFI Configurator, as shown in Figure 1. Microsoft Surface UEFI Configurator is a tool that is used to create Windows Installer (.msi) packages or WinPE images that are used to enroll, configure, and unenroll SEMM on a Surface device. These packages contain a configuration file where the settings for UEFI are specified. SEMM packages also contain a certificate that is installed and stored in firmware and used to verify the signature of configuration files before UEFI settings are applied.
|
||||
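Review bot: The shortened NOTE ("SEMM is only available on devices with Surface UEFI firmware.") loses both the device examples and the link to Manage Surface UEFI Settings, so a reader can no longer tell from this page whether a given model qualifies. Keep a link to a page that lists the Surface UEFI devices, even if the inline model list goes.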
@ -63,9 +65,10 @@ See the [Surface Enterprise Management Mode certificate requirements](#surface-e
|
||||
After a device is enrolled in SEMM, the configuration file is read and the settings specified in the file are applied to UEFI. When you run a configuration package on a device that is already enrolled in SEMM, the signature of the configuration file is checked against the certificate that is stored in the device firmware. If the signature does not match, no changes are applied to the device.
|
||||
|
||||
### Enable or disable devices in Surface UEFI with SEMM
|
||||
You can use Surface UEFI settings to enable or disable the operation of the following individual components:
|
||||
|
||||
You can enable or disable the following devices with SEMM:
|
||||
The built in devices that appear in the UEFI Devices page may vary depending on your device or corporate environment; for example, LTE only appears on devices equipped with LTE support.
|
||||
|
||||
The following list shows all the available devices you can manage in SEMM:
|
||||
|
||||
* Docking USB Port
|
||||
* On-board Audio
|
||||
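Review bot: The section intro runs through several overlapping lead-in sentences before the list ("You can enable or disable the following devices with SEMM:" and "The following list shows all the available devices you can manage in SEMM:"); make sure only one of them survives in the final text. In the sentence about the Devices page, "built in devices" should be "built-in devices", and "may vary depending on your device or corporate environment" would be clearer if it said what in the environment changes the list.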
@ -84,17 +87,18 @@ You can enable or disable the following devices with SEMM:
|
||||
|
||||
| Setting | Description |
|
||||
| ---------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|
||||
| Ipv6 for PXE Boot | Allows you to manage Ipv6 support for PXE boot. If you do not configure this setting, Ipv6 support for PXE boot is ? |
|
||||
| Alternate Boot | Allows you to set an Alternate boot order to boot directly to a USB or Ethernet device by pressing both the Volume Down button and Power button during boot. If you do not configure this setting, |
|
||||
| Boot Order Lock | Allows you to lock the boot order to prevent changes. If you do not configure this setting, |
|
||||
| USB Boot | Allows you to manage booting to USB devices. If you do not configure this setting, |
|
||||
| Network Stack | Allows you to manage Network Stack boot settings. If you do not configure this setting, |
|
||||
| Auto Power On | Allows you to manage Auto Power On boot settings. If you do not configure this setting, |
|
||||
| IPv6 for PXE Boot | Allows you to manage Ipv6 support for PXE boot. If you do not configure this setting, IPv6 support for PXE boot is disabled. |
|
||||
| Alternate Boot | Allows you to manage use of an Alternate boot order to boot directly to a USB or Ethernet device by pressing both the Volume Down button and Power button during boot. If you do not configure this setting, Alternate boot is enabled. |
|
||||
| Boot Order Lock | Allows you to lock the boot order to prevent changes. If you do not configure this setting, Boot Order Lock is disabled. |
|
||||
| USB Boot | Allows you to manage booting to USB devices. If you do not configure this setting, USB Boot is enabled. |
|
||||
| Network Stack | Allows you to manage Network Stack boot settings. If you do not configure this setting, the ability to manage Network Stack boot settings is enabled. |
|
||||
| Auto Power On | Allows you to manage Auto Power On boot settings. If you do not configure this setting, Auto Power on is enabled. |
|
||||
| Simultaneous Multi-Threading (SMT) | Allows you to manage Simultaneous Multi-Threading (SMT) to enable or disable hyperthreading. If you do not configure this setting, SMT is enabled. |
|
||||
| Security | Displays the Surface UEFI **Security** page. If you do not configure this setting, |
|
||||
| Devices | Displays the Surface UEFI **Devices** page. If you do not configure this setting, |
|
||||
| Boot | Displays the Surface UEFI **Boot** page |
|
||||
| DateTime | Displays the Surface UEFI **DateTime** page. If you do not configure this setting, |
|
||||
|Enable Battery limit| Allows you to manage Battery limit functionality. If you do not configure this setting, Battery limit is enabled |
|
||||
| Security | Displays the Surface UEFI **Security** page. If you do not configure this setting, the Security page is displayed. |
|
||||
| Devices | Displays the Surface UEFI **Devices** page. If you do not configure this setting, the Devices page is displayed. |
|
||||
| Boot | Displays the Surface UEFI **Boot** page. If you do not configure this setting, the DateTime page is displayed. |
|
||||
| DateTime | Displays the Surface UEFI **DateTime** page. If you do not configure this setting, the DateTime page is displayed. |
|
||||
|
||||
|
||||
|
||||
|
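Review bot: The Boot row has a copy-paste error: "Displays the Surface UEFI **Boot** page. If you do not configure this setting, the DateTime page is displayed." should end with "the Boot page is displayed". Casing is also mixed in the filled-in rows ("Ipv6 support" next to "IPv6 for PXE Boot", "Auto Power on" next to "Auto Power On"). For Network Stack, "the ability to manage Network Stack boot settings is enabled" does not say whether the network stack itself is on by default, which is the value an administrator reviewing boot-path exposure needs.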
@ -384,7 +384,7 @@ To configure Surface UEFI settings or permissions for Surface UEFI settings, you
|
||||
|
||||
The computer where ShowSettingsOptions.ps1 is run must have Microsoft Surface UEFI Manager installed, but the script does not require a Surface device.
|
||||
|
||||
The following tables show the available settings for Surface Pro 4 and Surface Book:
|
||||
The following tables show the available settings for Surface Pro 4 and later including Surface Pro 7 and Surface Pro X; Surface Book, Surface Laptop 3, and Surface Go.
|
||||
|
||||
*Table 1. Surface UEFI settings for Surface Pro 4*
|
||||
|
||||
|
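Review bot: The rewritten sentence promises tables for "Surface Pro 4 and later including Surface Pro 7 and Surface Pro X; Surface Book, Surface Laptop 3, and Surface Go", but the first caption that follows is still "Table 1. Surface UEFI settings for Surface Pro 4". Either add or retitle tables to cover the listed devices, or say which table applies to which model. The semicolon in the middle of the device list also makes it hard to parse; a plain comma-separated list would read better.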