Add FAQ info to SEMM

devices/surface/surface-enterprise-management-mode.md

@@ -17,7 +17,7 @@ ms.date: 01/06/2017
 Microsoft Surface Enterprise Management Mode (SEMM) is a feature of Surface devices with Surface UEFI that allows you to secure and manage firmware settings within your organization. With SEMM, IT professionals can prepare configurations of UEFI settings and install them on a Surface device. In addition to the ability to configure UEFI settings, SEMM also uses a certificate to protect the configuration from unauthorized tampering or removal.
 
 >[!NOTE]
->SEMM is only available on devices with Surface UEFI firmware, such as Surface Pro 4 and later, Surface, Go, Surface Laptop, Surface Book, and Surface Studio. For more information about Surface UEFI, see [Manage Surface UEFI Settings](https://technet.microsoft.com/itpro/surface/manage-surface-uefi-settings).
+>SEMM is only available on devices with Surface UEFI firmware such as Surface Pro 4 and later, Surface Go, Surface Laptop, Surface Book, and Surface Studio. For more information about Surface UEFI, see [Manage Surface UEFI Settings](https://technet.microsoft.com/itpro/surface/manage-surface-uefi-settings).
 
 When Surface devices are configured by SEMM and secured with the SEMM certificate, they are considered *enrolled* in SEMM. When the SEMM certificate is removed and control of UEFI settings is returned to the user of the device, the Surface device is considered *unenrolled* in SEMM.
 
@@ -193,6 +193,36 @@ For use with SEMM and Microsoft Surface UEFI Configurator, the certificate must
 >[!NOTE]
 >For organizations that use an offline root in their PKI infrastructure, Microsoft Surface UEFI Configurator must be run in an environment connected to the root CA to authenticate the SEMM certificate. The packages generated by Microsoft Surface UEFI Configurator can be transferred as files and therefore can be transferred outside the offline network environment with removable storage, such as a USB stick.
 
+### Managing certificates FAQ
+
+The recommended \*minimum\* length is 15 months. You can use a
+certificate that expires in less than 15 months or use a certificate
+that expires in longer than 15 months.
+
+[!NOTE] When a certificate expires, it does not automatically renew. 
+
+**Will existing machines continue to apply the bios settings after 15
+months?**
+
+Yes, but only if the package itself was signed when the certificate was
+valid.
+
+**Will** **the SEMM package and certificate need to be updated on all
+machines that have it?**
+
+If you want SEMM reset or recovery to work, the certificate needs to be
+valid and not expired. You can use the current valid ownership
+certificate to sign a package that updates to a new certificate for
+ownership. You do not need to create a reset package. 
+
+**Can bulk reset packages be created for each surface that we order? Can
+one be built that resets all machines in our environment?**
+
+The PowerShell samples that create a config package for a specific
+device type can also be used to create a reset package that is
+serial-number independent. If the certificate is still valid, you can
+create a reset package using PowerShell to reset SEMM.
+
 ## Version History
 
 ### Version 2.26.136.0