| Scenario | -Requirement | -
|---|---|
One-touch meeting join, meetings calendar, and email (for example, sending whiteboards) |
-Device account with Microsoft Exchange 2013 or later, or Exchange Online and a network connection to where the account is hosted. |
-
Meetings using Skype for Business |
-Device account with Skype for Business (Lync Server 2013 or later) or Skype for Business Online, and a network connection so the account can be accessed. |
-
Web browsing through Microsoft Edge |
-Internet connectivity. |
-
Remote and multi-device management |
-Supported mobile device management (MDM) solutions (Microsoft Intune, System Center 2012 R2 Configuration Manager, or supported third-party solution). |
-
Group-based local management (directory of employees who can manage a device) |
-Active Directory or Azure Active Directory (Azure AD). |
-
Universal Windows app installation |
-Windows Imaging and Configuration Designer (ICD) or supported MDM solutions (Intune, Configuration Manager, or supported third-party solution). |
-
OS updates |
-Internet connectivity or Windows Server Update Services (WSUS). |
-
Device monitoring and health |
-Microsoft Operations Management Suite (OMS). |
-
| Dependency | -Purpose | -
|---|---|
Active Directory (if using an on-premises deployment) |
-The Surface Hub must be able to connect to the domain controller in order to validate the device account’s credentials, as well as to access information like the device account’s display name, alias, Exchange server, and Session Initiation Protocol (SIP) address. |
-
Microsoft Office 365 (if using an online deployment) |
-The Surface Hub must have Internet access in order to reach your Office 365 tenant. The device will connect to the Office 365 in order to validate the device account’s credentials, as well as to access information like the device account’s display name, alias, Exchange server, and SIP address. |
-
Device account |
-The device account is an Active Directory and/or Azure AD account that enables several key features for the Surface Hub. Learn more about device accounts in [Create and test a device account](create-and-test-a-device-account-surface-hub.md). |
-
Exchange and Exchange ActiveSync |
-The Surface Hub must be able to reach the device account’s Exchange servers. Exchange is used for enabling mail and calendar features, and also lets people who use the device send meeting requests to the Surface Hub, enabling one-touch meeting join. -ActiveSync is used to sync the device account’s calendar and mail to the Surface Hub. If the device cannot use ActiveSync, it will not show meetings on the welcome screen, and joining meetings and emailing whiteboards will not be enabled. |
-
Skype for Business |
-The Surface Hub must be able to reach the device account’s Skype for Business servers. Skype for Business is used for various conferencing features, like video calls, IM, and screen sharing. |
-
Certificate-based authentication |
-If certificate-based authentication is required to establish a connection with Exchange ActiveSync or Skype for Business, those certificates must be deployed to each Surface Hub. |
-
Dynamic IP |
-The Surface Hub cannot be configured to use a static IP. It must use DHCP to assign an IP address. Network or Internet access is required, depending on the configuration of your topology (on-premises or online respectively) in order to validate the device account. |
-
Proxy servers |
-If your topology requires a connection to a proxy server to reach Active Directory, Microsoft Online Services, or your Exchange or Skype for Business servers, then you can configure it during first run, or in Settings. |
-
Mobile device management (MDM) solution provider |
-If you want to manage devices remotely and by groups (apply settings or policies to multiple devices at a time), you must set up a MDM solution and enroll the device to that solution. |
-
Microsoft Operations Management Suite (OMS) |
-OMS is used to monitor Surface Hub devices. |
-
The Surface Hub's uses an Active Directory or Azure AD account (called a **device account**) to access Exchange and Skype for Business services. The Surface Hub must be able to connect to your Active Directory domain controller or to your Azure AD tenant in order to validate the device account’s credentials, as well as to access information like the device account’s display name, alias, Exchange server, and Session Initiation Protocol (SIP) address.
You can also domain join or Azure AD join your Surface Hub to allow a group of authorized users to configure settings on the Surface Hub. | +| Exchange (Exchange 2013 or later, or Exchange Online) and Exchange ActiveSync |Exchange is used for enabling mail and calendar features, and also lets people who use the device send meeting requests to the Surface Hub, enabling one-touch meeting join.
ActiveSync is used to sync the device account’s calendar and mail to the Surface Hub. If the device cannot use ActiveSync, it will not show meetings on the welcome screen, and joining meetings and emailing whiteboards will not be enabled. | +| Skype for Business (Lync Server 2013 or later, or Skype for Business Online) | Skype for Business is used for various conferencing features, like video calls, instant messaging, and screen sharing. | +| Mobile device management (MDM) solution (Microsoft Intune, System Center Configuration Manager, or supported third-party MDM provider) | If you want to apply settings and install apps remotely, and to multiple devices at a time, you must set up a MDM solution and enroll the device to that solution. See [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md) for details. | +| Microsoft Operations Managmement Suite (OMS) | OMS is used to monitor the health of Surface Hub devices. See [Monitor your Surface Hub](monitor-surface-hub.md) for details. | +| Network and Internet access |In order to function properly, the Surface Hub should have access to a wired or wireless network. Overall, a wired connection is preferred.
**Dynamic IP:** The Surface Hub cannot be configured to use a static IP. It must use DHCP to assign an IP address.
**Proxy servers:** If your topology requires a connection to a proxy server to reach Internet services, then you can configure it during first run, or in Settings. | + +Additionally, note that Surface Hub requires the following open ports: +- HTTPS: 443 +- HTTP: 80 + +Depending on your environment, access to additional ports may be needed: +- For online environments, see [Office 365 IP URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US). +- For on-premises installations, see [Skype for Business Server: Ports and protocols for internal servers](https://technet.microsoft.com/library/gg398833.aspx). + +Microsoft collects telemetry to help improve your Surface Hub experience. Add these sites to your allow list: +- Telemetry client endpoint: `https://vortex.data.microsoft.com/` +- Telemetry settings endpoint: `https://settings.data.microsoft.com/` -In order to function properly, the Surface Hub must have access to a wired or wireless network that meets these requirements: +## Work with other admins -- Access to your Active Directory or Azure Active Directory (Azure AD) instance, as well as your Microsoft Exchange and Skype for Business servers -- Can receive an IP address using DHCP -- Open ports: - - HTTPS: 443 - - HTTP: 80 - -A wired connection is preferred. - -## Certificates +Surface Hub interacts with a few different products and services. Depending on the size of your organization, there could be multiple people supporting different products in your environment. You'll want to include people who manage Exchange, Active Directory (or Azure Active Directory), mobile device management (MDM), and network resources in your planning and prep for Surface Hub deployments. -Your Surface Hub may require certificates for ActiveSync, Skype for Business, network usage, or other authentication. To install certificates, you can either create a provisioning package (in order to install at first run, or after first run in Settings), or deploy them through a mobile device management (MDM) solution (after first run only). +## Create and verify device account -To install certificates using provisioning packages, see [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md). To install them using MDM, see the documentation for your MDM solution. +A device account is an Exchange resource account that Surface Hub uses to display its meeting calendar, join Skype for Business calls, and send email. See [Create and test a device account](create-and-test-a-device-account-surface-hub.md) for details. -## Create provisioning packages +After you've created your device account, there are a couple of ways to verify that it's setup correctly. +- Run Surface Hub device account validation PowerShell scripts. For more information, see [Surface Hub device account scripts](https://gallery.technet.microsoft.com/scriptcenter/Surface-Hub-device-account-6db77696) in Script Center, or [PowerShell scripts for Surface Hub](appendix-a-powershell-scipts-for-surface-hub.md) later in this guide. +- Use the account with the [Lync Windows Store app](https://www.microsoft.com/en-us/store/p/lync/9wzdncrfhvhm). If Lync signs in successfully, then the device account will most likely work with Skype for Business on Surface Hub. -Currently, Surface Hub can use provisioning packages only to install certificates and to install Universal Windows Platform (UWP) apps. See [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md) for details. +## Prepare for first-run program +There are a few more item to consider before you start the [first-run program](first-run-program-surface-hub.md). -Customers will use provisioning packages to authenticate (for example, to Exchange or Skype for Business), or to sideload apps that don't come from the Windows Store or Windows Store for Business. +### Create provisioning packages (optional) +You can use provisioning packages to add certificates, customize settings and install apps. See [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md) for details. You can [install provisioning packages at first-run](first-run-program-surface-hub.md#first-page). -## Know the Exchange server for your device account +### Set up admin groups +Every Surface Hub can be configured locally using the Settings app on the device. To prevent unauthorized users from changing settings, the Settings app requires admin credentials to open the app. See [Admin group management](admin-group-management-for-surface-hub.md) for details on how admin groups are set up and managed. You will [set up admins for the device at first run](first-run-program-surface-hub.md#setup-admins)). +### Review and complete Surface Hub setup worksheet (optional) +When you go through the first-run program for your Surface Hub, there's some information that you'll need to supply. The setup worksheet summarizes that info, and provides lists of environment-specific info that you'll need when you go through the first-run program. For more information, see [Setup worksheet](setup-worksheet-surface-hub.md). -You should know which Exchange server the device account will use for email and calendar services. The device will attempt to discover this automatically during first run, but if auto-discovery doesn't work, you may need to enter the server info manually. - -### Admin group management - -Every Surface Hub can be configured individually by opening the Settings app on the device. To prevent people who are not administrators from changing settings, the Settings app requires local administrator credentials to open the app and change settings. See [Admin group management](admin-group-management-for-surface-hub.md) for details on how admin groups are set up and managed. - -## Skype for Business - - -Certificates may be required in order to have the Surface Hub use Skype for Business. - -## Checklist for preparation - - -In order to ensure that your environment is ready for the Surface Hub, verify the items in the following list. - -1. The device account has been created. - - Test this by running: - - - Surface Hub device account validation PowerShell scripts - - Lync Windows app from the Windows Store (if Lync runs successfully, then Skype for Business will most likely run). - -2. Ensure that there is a working network/Internet connection for the device to connect to: - - - It must be able to receive an IP address using DHCP (Surface Hub cannot be configured with a static IP address) - - It must have these ports open: - - - HTTPS: 443 - - HTTP: 80 - - If your network runs through a proxy, you'll need the proxy address or script information as well. - -3. In order to improve your experience, we collect data. To collect data, we need these sites whitelisted: - - Telemetry client endpoint: https://vortex.data.microsoft.com/ - - Telemetry settings endpoint: https://settings.data.microsoft.com/ - -4. Choose the local admin method you want to set up during first run (see [Set up admins for this device](first-run-program-surface-hub.md#setup-admins)). Also, decide whether you'll be using MDM (see [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md)). -5. You've created provisioning packages, as needed. See [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md). -6. Have all necessary information available from the [Setup worksheet](setup-worksheet-surface-hub.md). ## In this section -|
- Proxy script: http://contoso/proxy.pa + Proxy script: |