Jan Backstrom
2016-07-06 16:04:04 -07:00
parent 91ec4c38af
commit 61de0d491b
2 changed files with 35 additions and 35 deletions


@ -41,7 +41,7 @@ To create a Surface UEFI configuration package, follow these steps:
*Figure 2. Add the SEMM certificate and Surface UEFI password to a Surface UEFI configuration package*
5. When you are prompted to confirm the certificate password, enter and confirm the password for your certificate file, and then click **OK**.
6. Click **Password Protection** to add a password to Surface UEFI. This password will be required whenever you boot to UEFI. If this password is not entered, only the **PC Information**, **About**, **Enterprise Management**, and **Exit** pages will be displayed. This step is optional.
6. Click **Password Protection** to add a password to Surface UEFI. This password will be required whenever you boot to UEFI. If this password is not entered, only the **PC information**, **About**, **Enterprise management**, and **Exit** pages will be displayed. This step is optional.
7. When you are prompted, enter and confirm your chosen password for Surface UEFI, and then click **OK**. If you want to clear an existing Surface UEFI password, leave the password field blank.
8. If you do not want the Surface UEFI package to apply to a particular device, on the **Choose which Surface type you want to target** page, click the slider beneath the corresponding Surface Book or Surface Pro 4 image so that it is in the **Off** position. (As shown in Figure 3.)
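Review bot: Step 7 mentions only in passing that leaving the password field blank clears an existing Surface UEFI password, and step 6 is being edited right above it. Consider moving that sentence into a **Note** so that an administrator who rebuilds a package does not remove password protection without meaning to.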
@ -57,24 +57,24 @@ To create a Surface UEFI configuration package, follow these steps:
*Figure 4. Disable or enable individual Surface components*
11. Click **Next**.
12. To enable or disable advanced options in Surface UEFI or the display of Surface UEFI pages, on the **Choose the advanced settings for your devices** page, click the slider beside the desired setting to configure that option to **On** or **Off**. (As show in Figure 5.) In the **UEFI Front Page** section, you can use the sliders for **Security**, **Devices**, and **Boot** to control what pages are available to users who boot into Surface UEFI. (For more information about Surface UEFI settings, see [Manage Surface UEFI settings](https://technet.microsoft.com/en-us/itpro/surface/manage-surface-uefi-settings).) Click **Build** when you have finished selecting options to generate and save the package.
12. To enable or disable advanced options in Surface UEFI or the display of Surface UEFI pages, on the **Choose the advanced settings for your devices** page, click the slider beside the desired setting to configure that option to **On** or **Off**. (Shown in Figure 5.) In the **UEFI Front Page** section, you can use the sliders for **Security**, **Devices**, and **Boot** to control what pages are available to users who boot into Surface UEFI. (For more information about Surface UEFI settings, see [Manage Surface UEFI settings](https://technet.microsoft.com/en-us/itpro/surface/manage-surface-uefi-settings).) Click **Build** when you have finished selecting options to generate and save the package.
![Control advanced Surface UEFI settings and Surface UEFI pages](images\surface-semm-enroll-fig5.png "Control advanced Surface UEFI settings and Surface UEFI pages")
*Figure 5. Control advanced Surface UEFI settings and Surface UEFI pages with SEMM*
13. In the **Save As** dialog, specify a name for the Surface UEFI configuration package, browse to the location where you would like to save the file, and then click **Save**.
13. In the **Save As** dialog box, specify a name for the Surface UEFI configuration package, browse to the location where you would like to save the file, and then click **Save**.
14. When the package is created and saved, the **Successful** page is displayed.
>**Note**:  Record the certificate thumbprint characters that are displayed on this page, as shown in Figure 6. You will need these characters to confirm enrollment of new Surface devices in SEMM. Click **End** to complete package creation and close Microsoft Surface UEFI Configurator.
![Display of certificate thumbprint characters](images\surface-semm-enroll-fig6.png "Display of certificate thumbprint characters")
*Figure 6. The last to characters of the certificate thumbprint are displayed on the Successful page*
*Figure 6. The last two characters of the certificate thumbprint are displayed on the Successful page*
Now that you have created your Surface UEFI configuration package, you can enroll or configure Surface devices.
>**Note**:  When a Surface UEFI configuration package is created, a log file is created on the Desktop with details of the Configuration Package settings and options.
>**Note**:  When a Surface UEFI configuration package is created, a log file is created on the desktop with details of the configuration package settings and options.
## Enroll a Surface device in SEMM
When the Surface UEFI configuration package is executed, the SEMM certificate and Surface UEFI configuration files are staged in the firmware storage of the Surface device. When the Surface device reboots, Surface UEFI processes these files and begins the process of applying the Surface UEFI configuration or enrolling the Surface device in SEMM, as shown in Figure 7.
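Review bot: The figure reference in step 12 now reads "(Shown in Figure 5.)", which does not match "(As shown in Figure 3.)" in step 8 or "as shown in Figure 6" in the note under step 14. Pick one form and use it throughout. The revised log-file note could also say which user's desktop receives the log, since that file records the package settings and options.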
@ -112,11 +112,11 @@ You can verify that a Surface device has been successfully enrolled in SEMM by l
*Figure 10. Verify the enrollment of a Surface device in SEMM in Event Viewer*
You can also verify that the device is enrolled in SEMM in Surface UEFI while the device is enrolled, Surface UEFI will contain the Enterprise Management page (as shown in Figure 11).
You can also verify that the device is enrolled in SEMM in Surface UEFI while the device is enrolled, Surface UEFI will contain the **Enterprise management** page (as shown in Figure 11).
![Surface UEFI Enterprise Management page](images\surface-semm-enroll-fig11.png "Surface UEFI Enterprise Management page")
![Surface UEFI Enterprise management page](images\surface-semm-enroll-fig11.png "Surface UEFI Enterprise management page")
*Figure 11. The Surface UEFI Enterprise Management page*
*Figure 11. The Surface UEFI Enterprise management page*
## Configure Surface UEFI settings with SEMM
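Review bot: The revised sentence above Figure 11 is still a run-on: "You can also verify that the device is enrolled in SEMM in Surface UEFI while the device is enrolled, Surface UEFI will contain the **Enterprise management** page". Split it after "in Surface UEFI" and start the second sentence with "While the device is enrolled, ...".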
@ -125,7 +125,7 @@ After a device is enrolled in SEMM, you can run Surface UEFI configuration packa
For more information about how to deploy Windows Installer (.msi) files with Configuration Manager, see [Deploy and manage applications with System Center Configuration Manager](https://technet.microsoft.com/library/mt627959).
If you have secured Surface UEFI with a password, users without the password who attempt to boot to Surface UEFI will only have the **PC Information**, **About**, **Enterprise Management**, and **Exit** pages displayed to them.
If you have secured Surface UEFI with a password, users without the password who attempt to boot to Surface UEFI will only have the **PC information**, **About**, **Enterprise management**, and **Exit** pages displayed to them.
If you have not secured Surface UEFI with a password or a user enters the password correctly, settings that are configured with SEMM will be dimmed (unavailable) and the text Some settings are managed by your organization will be displayed at the top of the page, as shown in Figure 12.
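Review bot: In the last paragraph of this hunk the on-screen message "Some settings are managed by your organization" runs into the sentence with no quotation marks or bold, so it is hard to see where the UI text starts and ends. The page names in the paragraph above it are bolded by this change; the message should get the same treatment.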


@ -11,21 +11,21 @@ author: jobotto
# Unenroll Surface devices from SEMM (Surface)
When a Surface device is enrolled in Surface Enterprise Management Mode (SEMM), a certificate is stored in the firmware of that device. The presence of that certificate and the enrollment in SEMM prevent any unauthorized changes to Surface UEFI settings or options while the device is enrolled in SEMM. To restore control of Surface UEFI settings to the user, the Surface device must be unenrolled from SEMM, a process sometimes described as reset or recovery. There are two ways to unenroll a device from SEMM—a Surface UEFI reset package and a recovery request.
When a Surface device is enrolled in Surface Enterprise Management Mode (SEMM), a certificate is stored in the firmware of that device. The presence of that certificate and the enrollment in SEMM prevent any unauthorized changes to Surface UEFI settings or options while the device is enrolled in SEMM. To restore control of Surface UEFI settings to the user, the Surface device must be unenrolled from SEMM, a process sometimes described as reset or recovery. There are two methods you can use to unenroll a device from SEMM—a Surface UEFI reset package and a Recovery Request.
>**Warning:**  To unenroll a device from SEMM and restore user control of Surface UEFI settings, you must have the SEMM certificate that was used to enroll the device in SEMM. If this certificate becomes lost or corrupted, it is not possible to unenroll from SEMM. Back up and protect your SEMM certificate accordingly.
For more information about SEMM, see [Surface Enterprise Management Mode](https://technet.microsoft.com/en-us/itpro/surface/surface-enterprise-management-mode).
For more information about SEMM, see [Microsoft Surface Enterprise Management Mode](https://technet.microsoft.com/en-us/itpro/surface/surface-enterprise-management-mode).
## Unenroll a Surface device from SEMM with a Surface UEFI reset package
The Surface UEFI reset package is the primary method you use to unenroll a Surface device from SEMM. Like a Surface UEFI configuration package, the Reset Package is a Windows Installer (.msi) file that configures SEMM on the device. Unlike the configuration package, the reset package will reset the Surface UEFI configuration on a Surface device to its default settings, remove the SEMM certificate, and unenroll the device from SEMM.
The Surface UEFI reset package is the primary method you use to unenroll a Surface device from SEMM. Like a Surface UEFI configuration package, the reset package is a Windows Installer (.msi) file that configures SEMM on the device. Unlike the configuration package, the reset package will reset the Surface UEFI configuration on a Surface device to its default settings, remove the SEMM certificate, and unenroll the device from SEMM.
Reset packages are created specifically for an individual Surface device. To begin the process of creating a reset package, you will need the serial number of the device you want to unenroll, as well as the SEMM certificate used to enroll the device. You can find the serial number of your Surface device on the **PC Information** page of Surface UEFI, as shown in Figure 1. This page is displayed even if Surface UEFI is password protected and the incorrect password is entered.
![Serial number of Surface device is displayed](images\surface-semm-unenroll-fig1.png "Serial number of Surface device is displayed")
*Figure 1. The serial number of the Surface device is displayed on the Surface UEFI PC Information page*
*Figure 1. The serial number of the Surface device is displayed on the Surface UEFI PC information page*
>**Note:**  To boot to Surface UEFI, press **Volume Up** and **Power** simultaneously while the device is off. Hold **Volume Up** until the Surface logo is displayed and the device begins to boot.
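Review bot: The Figure 1 caption is changed to "PC information", but the paragraph just above it still says "on the **PC Information** page of Surface UEFI", so the two now disagree within a few lines. Lowercase that occurrence as well. The revised introduction also capitalizes "Recovery Request" while "reset package" is lowercased in the same sentence; confirm that is intentional.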
@ -43,7 +43,7 @@ To create a Surface UEFI reset package, follow these steps:
![Add the SEMM certificate to Surface UEFI reset package](images\surface-semm-unenroll-fig3.png "Add the SEMM certificate to Surface UEFI reset package")
*Figure 3. Adding the SEMM certificate to a Surface UEFI Reset Package*
*Figure 3. Add the SEMM certificate to a Surface UEFI reset package*
5. Click **Next**.
6. Type the serial number of the device you want to unenroll from SEMM (as shown in Figure 4), and then click **Build** to generate the Surface UEFI reset package.
@ -55,11 +55,11 @@ To create a Surface UEFI reset package, follow these steps:
7. In the **Save As** dialog box, specify a name for the Surface UEFI reset package, browse to the location where you would like to save the file, and then click **Save**.
8. When the package generation has completed, the **Successful** page is displayed. Click **End** to complete package creation and close Microsoft Surface UEFI Configurator.
Run the Surface UEFI reset package Windows Installer (.msi) file on the Surface device to unenroll the device from SEMM. The Reset Package will require a reboot to perform the unenroll operation. After the device has been unenrolled, you can verify the successful removal by ensuring that the **Microsoft Surface Configuration Package** item in **Programs and Features** (shown in Figure 5) is no longer present.
Run the Surface UEFI reset package Windows Installer (.msi) file on the Surface device to unenroll the device from SEMM. The reset package will require a reboot to perform the unenroll operation. After the device has been unenrolled, you can verify the successful removal by ensuring that the **Microsoft Surface Configuration Package** item in **Programs and Features** (shown in Figure 5) is no longer present.
![Screen that shows device is enrolled in SEMM](images\surface-semm-unenroll-fig5.png "Screen that shows device is enrolled in SEMM")
*Figure 5. The presence of the **Microsoft Surface Configuration Package** item in **Programs and Features** indicates that the device is enrolled in SEMM*
*Figure 5. The presence of the Microsoft Surface Configuration Package item in Programs and Features indicates that the device is enrolled in SEMM*
## Unenroll a Surface device from SEMM with a Recovery Request
@ -71,34 +71,34 @@ To initiate a Recovery Request, follow these steps:
1. Boot the Surface device that is to be unenrolled from SEMM to Surface UEFI.
2. Type the Surface UEFI password if you are prompted to do so.
3. Click the **Enterprise Management** page, as shown in Figure 6.
3. Click the **Enterprise management** page, as shown in Figure 6.
![Enterprise Management page](images\surface-semm-unenroll-fig6.png "Enterprise Management page")
*Figure 6. The Enterprise Management page is shown in Surface UEFI on devices enrolled in SEMM*
*Figure 6. The Enterprise management page is displayed in Surface UEFI on devices enrolled in SEMM*
4. Click or press **Get Started**.
5. Click or press **Next** to begin the Recovery Request process.
>**Note:**  Recovery Requests expire two hours after they are created. If a Recovery Request is not completed in this time, you will have to restart the Recovery Request process.
6. Select the SEMM certificate from the list of certificates displayed on the **Choose a SEMM Reset Key** page (shown in Figure 7), and then click or press **Next**.
>**Note:**  A Recovery Request expires two hours after it is created. If a Recovery Request is not completed in this time, you will have to restart the Recovery Request process.
6. Select **SEMM Certificate** from the list of certificates displayed on the **Choose a SEMM reset key** page (shown in Figure 7), and then click or press **Next**.
![Select the SEMM certificate for your Recovery Request](images\surface-semm-unenroll-fig7.png "Select the SEMM certificate for your Recovery Request")
![Select SEMM certificate for your Recovery Request](images\surface-semm-unenroll-fig7.png "Select SEMM certificate for your Recovery Request")
*Figure 7. Choose the SEMM certificate for your Recovery Request*
*Figure 7. Choose SEMM Certificate for your Recovery Request (Reset Request)*
7. On the **Enter SEMM Reset Verification Code** page you can use the **QR Code** or **Text** buttons to display your recovery request (as shown in Figure 8), or the **USB** button to save your recovery request as a file to a USB drive (as shown in Figure 9).
7. On the **Enter SEMM reset verification code** page you can click the **QR Code** or **Text** buttons to display your recovery request (as shown in Figure 8), or the **USB** button to save your recovery request as a file to a USB drive (as shown in Figure 9).
![Recovery Request displayed as a QR Code](images\surface-semm-unenroll-fig8.png "Recovery Request displayed as a QR Code")
*Figure 8. A Recovery Request displayed as a QR Code*
*Figure 8. A Recovery Request (Reset Request) displayed as a QR Code*
![Save a recovery request to a USB drive](images\surface-semm-unenroll-fig9.png "Save a recovery request to a USB drive")
*Figure 9. Save a Recovery Request to a USB drive*
*Figure 9. Save a Recovery Request (Reset Request) to a USB drive*
* To use a QR Code Recovery Request, use a QR reader app on a mobile device to read the code. The QR reader app will translate the QR code into an alphanumeric string. You can then email or message that string to the administrator that will produce the Reset Verification Code with Microsoft Surface UEFI Configurator.
* To use a Reset Request saved to a USB drive as a file, use the USB drive to transfer the file to the computer where Microsoft Surface UEFI Configurator will be used to produce the Reset Verification Code. The file can also be copied from the USB drive on another device to be emailed or transferred over the network.
* To use the Reset Request as text, simply type the Reset Request text directly into the Microsoft Surface UEFI Configurator.
* To use a QR Code Recovery Request (Reset Request), use a QR reader app on a mobile device to read the code. The QR reader app will translate the QR code into an alphanumeric string. You can then email or message that string to the administrator that will produce the reset verification code with Microsoft Surface UEFI Configurator.
* To use a Recovery Request (Reset Request) saved to a USB drive as a file, use the USB drive to transfer the file to the computer where Microsoft Surface UEFI Configurator will be used to produce the Reset Verification Code. The file can also be copied from the USB drive on another device to be emailed or transferred over the network.
* To use the Recovery Request (Reset Request) as text, simply type the text directly into the Microsoft Surface UEFI Configurator.
8. Start Microsoft Surface UEFI Configurator from the Start menu on another computer.
>**Note:**  Microsoft Surface UEFI Configurator must run in an environment that is able to authenticate the certificate chain for the SEMM certificate.
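Review bot: Step 6 now says "Select **SEMM Certificate**", which reads as a literal list entry, whereas the old text told the reader to pick the SEMM certificate from the list of certificates. Confirm that the UI shows an item with exactly that label; if the list shows certificate names, the bold label will mislead. Casing is also uneven after this change: the QR Code bullet uses "reset verification code" while the USB bullet keeps "Reset Verification Code", step 7 keeps lowercase "recovery request" twice, and the Figure 6 alt text still says "Enterprise Management page".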
@ -109,7 +109,7 @@ To initiate a Recovery Request, follow these steps:
*Figure 10. Click Recovery Request to begin the process to approve a Recovery Request*
11. Click **Certificate Protection** to authenticate the recovery request with the SEMM certificate.
11. Click **Certificate Protection** to authenticate the Recovery Request with the SEMM certificate.
12. Browse to and select your SEMM certificate file, and then click **OK**.
13. When you are prompted to enter the certificate password as shown in Figure 11, type and confirm the password for the certificate file, and then click **OK**.
@ -118,15 +118,15 @@ To initiate a Recovery Request, follow these steps:
*Figure 11. Type the password for the SEMM certificate*
14. Click **Next**.
15. Enter the Recovery Request, and then click **Generate** to create a reset verification code (as shown in Figure 12).
15. Enter the Recovery Request (Reset Request), and then click **Generate** to create a reset verification code (as shown in Figure 12).
![Enter the recovery request](images\surface-semm-unenroll-fig12.png "Enter the recovery request")
*Figure 12. Enter the Recovery Request*
*Figure 12. Enter the Recovery Request (Reset Request)*
* If you displayed the Recovery Request as text on the Surface device being reset, use the keyboard to type the Recover Request in the provided field.
* If you displayed the Recovery Request as a QR Code and then used a messaging or email application to send the code to the computer with Microsoft Surface UEFI Configurator, copy and paste the code into the provided field.
* If you saved the Recovery Request as a file to a USB drive, click the **Import** button, browse to and select the Recovery Request file, and then click **OK**.
* If you displayed the Recovery Request (Reset Request) as text on the Surface device being reset, use the keyboard to type the Recovery Request (Reset Request) in the provided field.
* If you displayed the Recovery Request (Reset Request) as a QR Code and then used a messaging or email application to send the code to the computer with Microsoft Surface UEFI Configurator, copy and paste the code into the provided field.
* If you saved the Recovery Request (Reset Request) as a file to a USB drive, click the **Import** button, browse to and select the Recovery Request (Reset Request) file, and then click **OK**.
16. The reset verification code is displayed in Microsoft Surface UEFI Configurator, as shown in Figure 13.
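Review bot: The three revised bullets under Figure 12 repeat "Recovery Request (Reset Request)" every time the term appears, twice in the first and third bullets. State once, where the term is first introduced, that the UI calls a Recovery Request a Reset Request, and then use a single term in the steps.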
@ -137,7 +137,7 @@ To initiate a Recovery Request, follow these steps:
* Click the **Share** button to send the reset verification code by email.
17. Enter the reset verification code in the provided field on the Surface device (shown in Figure 8), and then click or press **Verify** to reset the device and unenroll the device from SEMM.
18. Click or press **Restart Now** on the **SEMM Reset Successful** page to complete the unenrollment from SEMM, as shown in Figure 14.
18. Click or press **Restart Now** on the **SEMM reset successful** page to complete the unenrollment from SEMM, as shown in Figure 14.
![Example display of successful unenrollment from SEMM](images\surface-semm-unenroll-fig14.png "Example display of successful unenrollment from SEMM")