diff --git a/devices/surface-hub/TOC.md b/devices/surface-hub/TOC.md
index a30f54205e..19ca61030d 100644
--- a/devices/surface-hub/TOC.md
+++ b/devices/surface-hub/TOC.md
@@ -4,6 +4,7 @@
## Overview
### [What's new in Surface Hub 2S](surface-hub-2s-whats-new.md)
+### [Surface Hub 2S tech specs](surface-hub-2s-techspecs.md)
## Plan
### Surface Hub 2S Site Readiness Guide
@@ -12,23 +13,23 @@
### [Physically installing and mounting Surface Hub 2S](surface-hub-2s-install-mount.md)
### [Connecting to Surface Hub 2S](surface-hub-2s-connect.md)
### [Prepare your environment for Microsoft Surface Hub 2S](surface-hub-2s-prepare-environment.md)
+### [Configure phone authentication for Surface Hub 2S](surface-hub-2s-phone-authenticate.md)
+### [Surface Hub 2S deployment checklist](surface-hub-2s-deploy-checklist.md)
## Deploy
-### Create Surface Hub 2S device account
-### [Deploying Surface Hub 2S](surface-hub-2s-deploy.md)
-### [Deploying Surface Hub 2S with PowerShell](surface-hub-2s-configure-with-powershell.md)
-### [Configure Skype for Business on Surface Hub 2S](surface-hub-2s-configure-skype.md)
-### [Configure Microsoft Teams on Surface Hub 2S](surface-hub-2s-configure-teams.md)
+### [Create Surface Hub 2S device account](surface-hub-2s-account.md)
+### [Deploy Surface Hub 2S](surface-hub-2s-deploy.md)
+### [Configure Surface Hub 2S with PowerShell](surface-hub-2s-configure-with-powershell.md)
+### [Configure Surface Hub 2S on-premises accounts with PowerShell](surface-hub-2s-onprem-powershell.md)
+
## Manage
### [Managing Surface Hub 2S with Microsoft Intune](surface-hub-2s-manage-intune.md)
### [Managing Surface Hub 2S with Surface app](surface-hub-2s-manage-surface-app.md)
### [Servicing and updating for Surface Hub 2S](surface-hub-2s-service-update.md)
-### [Updating pen firmware for Surface Hub 2S](surface-hub-2s-pen-firmware.md)
-### [Managing settings on Surface Hub 2S via the on screen display](surface-hub-2s-manage-settings.md)
## Secure
-### [Conditional access for Surface Hub 2S](surface-hub-2s-conditional-access.md)
+
### [Securing Surface Hub 2S with SEMM](surface-hub-2s-secure-with-semm.md)
### [Securing Surface Hub 2S with UEFI](surface-hub-2s-secure-with-uefi.md)
diff --git a/devices/surface-hub/images/h2gen-platemount.png b/devices/surface-hub/images/h2gen-platemount.png
index 4c546b1d59..4a8ca76fd4 100644
Binary files a/devices/surface-hub/images/h2gen-platemount.png and b/devices/surface-hub/images/h2gen-platemount.png differ
diff --git a/devices/surface-hub/images/h2gen-railmount.png b/devices/surface-hub/images/h2gen-railmount.png
index fd692bad14..0c8bf8ffb6 100644
Binary files a/devices/surface-hub/images/h2gen-railmount.png and b/devices/surface-hub/images/h2gen-railmount.png differ
diff --git a/devices/surface-hub/images/sh2-add-room.png b/devices/surface-hub/images/sh2-add-room.png
new file mode 100644
index 0000000000..c53ee340bc
Binary files /dev/null and b/devices/surface-hub/images/sh2-add-room.png differ
diff --git a/devices/surface-hub/images/sh2-mount-config.png b/devices/surface-hub/images/sh2-mount-config.png
index 552a7d61c2..5cde6108a1 100644
Binary files a/devices/surface-hub/images/sh2-mount-config.png and b/devices/surface-hub/images/sh2-mount-config.png differ
diff --git a/devices/surface-hub/images/sh2-set-intune1.png b/devices/surface-hub/images/sh2-set-intune1.png
new file mode 100644
index 0000000000..9993225210
Binary files /dev/null and b/devices/surface-hub/images/sh2-set-intune1.png differ
diff --git a/devices/surface-hub/images/sh2-set-intune3.png b/devices/surface-hub/images/sh2-set-intune3.png
new file mode 100644
index 0000000000..f931d828fc
Binary files /dev/null and b/devices/surface-hub/images/sh2-set-intune3.png differ
diff --git a/devices/surface-hub/images/sh2-set-intune5.png b/devices/surface-hub/images/sh2-set-intune5.png
new file mode 100644
index 0000000000..a800555847
Binary files /dev/null and b/devices/surface-hub/images/sh2-set-intune5.png differ
diff --git a/devices/surface-hub/images/sh2-set-intune6.png b/devices/surface-hub/images/sh2-set-intune6.png
new file mode 100644
index 0000000000..155cbb9930
Binary files /dev/null and b/devices/surface-hub/images/sh2-set-intune6.png differ
diff --git a/devices/surface-hub/images/sh2-set-intune8.png b/devices/surface-hub/images/sh2-set-intune8.png
new file mode 100644
index 0000000000..a8d9bfe874
Binary files /dev/null and b/devices/surface-hub/images/sh2-set-intune8.png differ
diff --git a/devices/surface-hub/images/sh2-wall-front.png b/devices/surface-hub/images/sh2-wall-front.png
index 11bc342754..ca982a8680 100644
Binary files a/devices/surface-hub/images/sh2-wall-front.png and b/devices/surface-hub/images/sh2-wall-front.png differ
diff --git a/devices/surface-hub/images/sh2-wall-side.png b/devices/surface-hub/images/sh2-wall-side.png
index 8962a539d9..91c3295987 100644
Binary files a/devices/surface-hub/images/sh2-wall-side.png and b/devices/surface-hub/images/sh2-wall-side.png differ
diff --git a/devices/surface-hub/surface-hub-2s-deploy-apps-intune.md b/devices/surface-hub/surface-hub-2s-deploy-apps-intune.md
new file mode 100644
index 0000000000..77d54afa4b
--- /dev/null
+++ b/devices/surface-hub/surface-hub-2s-deploy-apps-intune.md
@@ -0,0 +1,34 @@
+---
+title: "Manage Surface Hub 2S with Intune"
+description: "Learn how you can deploy apps to Surface Hub 2S using Intune."
+keywords: separate values with commas
+ms.prod: surface-hub
+ms.sitesec: library
+author: robmazz
+ms.author: robmazz
+audience: Admin
+ms.topic: article
+ms.localizationpriority: Normal
+---
+# Deploy apps to Surface Hub 2S using Intune
+
+You can deploy Universal Windows Platform (UWP) apps to Surface Hub 2S using Intune, easing app deployment to devices.
+
+1. To deploy apps, enable MDM for your organization. In the Intune portal, select **Intune** as your MDM Authority (recommended).
+
+
+
+2. Enable the Microsoft Store for Business in Intune.
+
+
+
+3. Open the store from the Intune portal and click **Settings** > **Distribute** > **Management tools**. Choose **Microsoft Intune** as your management tool.
+
+
+
+
+4. In **Settings** > **Shop** > **Shopping Experience**, turn on **Show offline apps**.
+
+Offline apps refer to apps that can be synced to Intune and centrally deployed to a device.
+
+5. After enabling Offline shopping, acquire offline licenses for apps, which you can sync to Intune and deploy as Device licensing.
diff --git a/devices/surface-hub/surface-hub-2s-deploy-checklist.md b/devices/surface-hub/surface-hub-2s-deploy-checklist.md
new file mode 100644
index 0000000000..0198218e3f
--- /dev/null
+++ b/devices/surface-hub/surface-hub-2s-deploy-checklist.md
@@ -0,0 +1,73 @@
+---
+title: "Surface Hub 2S deployment checklist"
+description: "Verify your deployment of Surface Hub 2S using pre- and post-deployment checklists."
+keywords: separate values with commas
+ms.prod: surface-hub
+ms.sitesec: library
+author: robmazz
+ms.author: robmazz
+audience: Admin
+ms.topic: article
+ms.localizationpriority: Normal
+---
+
+# Surface Hub 2S deployment checklist
+
+#
+## Surface Hub 2S pre-deployment checklist
+| **Item** | **Response** | **Learn more** |
+| ----------------------------------------------------------------- | -------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| **Device account name** | | |
+| **Device account UPN** | | |
+| **ActiveSync Policy** | | |
+| **Calendar processing configuration completed** | - Yes
- No | |
+| **Device friendly name** | | |
+| **Device host name** | | |
+| **Affiliation** | - None
- Active Directory affiliation
- Azure Active Directory | |
+| **Microsoft Teams Mode** | - Mode 0
- Mode 1
- Mode 2 | |
+| **Device Management** | - Yes, Microsoft Intune
- Yes, other mobile device manager [MDM]
- None | |
+| **Proxy** | - Automatic configuration
- Proxy server
- Proxy auto-config (PAC) file | |
+| **Proxy authentication** | - Device account credentials
- Prompt for credentials | |
+| **Password rotation** | - On
- Off | |
+| **Skype for Business additional domain names (on-premises only)** | | |
+| **Session timeout time** | | |
+| **Session timeout action** | - End session
- Allow resume | |
+| **My meetings and files** | - Enabled
- Disabled | |
+| **Lock screen timeout** | | |
+| **Sleep idle timeout** | | |
+| **Bluetooth** | - On
- Off | |
+| **Use only BitLocker USB drives** | - On
- Off | |
+| **Install additional certificates (on-premises only)** | | [Using certificates for AADJ on-premises single-sign on](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert) |
+| **Windows update** | - Windows Update for Business
- Windows Server Update Services [WSUS] | [Deploy updates using Windows Update for Business](https://docs.microsoft.com/en-us/windows/deployment/update/waas-manage-updates-wufb)
[Get Started with Windows Server Update Services (WSUS)](https://docs.microsoft.com/en-us/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) |
+| **Surface app speaker setting** | - Rolling stand
- Wall-mounted | |
+| **IP Address** | - Wired - DHCP
- Wired - DHCP reservation
- Wireless – DHCP
- Wireless – DHCP reservation | |
+
+
+
+## Surface Hub 2S post-deployment checklist
+
+
+
+| **Item** | **Response** | **Learn more** |
+| ------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------- |
+| **Device account syncing** | - Yes
- No | |
+| **Bitlocker key** | - Saved to file (no affiliation)
- Saved in Active Directory (AD affiliation)
- Saved in Azure AD ( Azure AD affiliation) | |
+| **Device OS updates** | - Completed | |
+| **Windows Store updates** | - Automatic
- Manual | |
+| **Microsoft Teams scheduled meeting** | - Confirmation email received
- Meeting appears on start screen
- One-touch join functions
- Able to join audio
- Able to join video
- Able to share screen | |
+| **Skype for Business scheduled meeting** | - Confirmation email received
- Meeting appears on start screen
- One-touch join functions correctly
- Able to join audio
- Able to join video
- Able to share screen
- Able to send/receive IM | |
+| **Scheduled meeting when already invited** | - Meeting declined | |
+| **Microsoft Teams ad-hoc meeting** | - Invite other users work
- Able to join audio
- Able to join Video
- Able to share screen | |
+| **Skype for Business scheduled meeting** | - Invite other users work
- Able to join audio
- Able to join video
- Able to share screen
- Able to send/receive IM | |
+| **Microsoft Whiteboard** | - Launch from start / welcome screen
- Launch from Microsoft Teams | [Microsoft Whiteboard](https://whiteboard.microsoft.com/) |
+| **Incoming Skype/Teams call** | - Able to join audio
- Able to join video
- Able to share screen
- Able to send/receive IM (Skype for Business only) | |
+| **Incoming live video streams** | - Maximum 2 (Skype for Business)
- Maximum 4 (Microsoft Teams) | |
+| **Microsoft Teams Mode 0 behavior** | - Skype for Business tile on Welcome/Start screen
- Can join scheduled Skype for Business meetings (Skype UI)
- Can join scheduled Teams meetings (Teams UI) | |
+| **Microsoft Teams Mode 1 behavior** | - Teams tile on Welcome/Start screen
- Can join scheduled Skype for Business meetings (Skype UI)
- Can join scheduled Teams meetings (Teams UI) | |
+| **Microsoft Teams Mode 2 behavior** | - Teams tile on welcome / start screen
- Can join scheduled Teams meetings
- Fail to join Skype for Business meetings | |
+
+
+
+
+
+
diff --git a/devices/surface-hub/surface-hub-2s-manage-intune.md b/devices/surface-hub/surface-hub-2s-manage-intune.md
index 2084e42573..c19219463e 100644
--- a/devices/surface-hub/surface-hub-2s-manage-intune.md
+++ b/devices/surface-hub/surface-hub-2s-manage-intune.md
@@ -11,4 +11,62 @@ ms.topic: article
ms.localizationpriority: Normal
---
-# Manage Surface Hub 2S with Intune
\ No newline at end of file
+# Manage Surface Hub 2S with Intune
+
+## Register Surface Hub 2S with Intune
+Surface Hub 2S allows IT administrators to manage settings and policies using a mobile device management (MDM) provider. Surface Hub 2S has a built-in management component to communicate with the management server, so there is no need to install additional clients on the device.
+
+**Manual registration**
+
+1. Sign in as a local administrator on Surface Hub 2S and open the **Settings** app. Click **Surface Hub** > **Device management** and then click **+** to add.
+2. After authenticating, the device will automatically register with Intune.
+
+
+ 
+*Figure 1. Register Surface Hub 2S with Intune*
+**Auto registration — Azure Active Directory Affiliated**
+When affiliating Surface Hub 2S with a tenant that has Intune auto enrollment enabled, the device will automatically enroll with Intune.
+
+## Windows 10 Team Edition settings
+
+Select Windows 10 Team for preset device restriction settings for Surface Hub and Surface Hub 2S.
+
+
+ 
+*Figure 2. Set device restrictions for Surface Hub 2S*
+These settings include user experience and app behavior, Azure Log Analytics registration, Maintenance windows configuration, Session settings and Miracast settings.
+
+## Additional supported configuration service providers
+
+For a list of all available configuration service providers (CSPs), see [SurfaceHub CSP](https://docs.microsoft.com/en-us/windows/client-management/mdm/surfacehub-csp).
+
+**Quality of Service (QoS) settings**
+To ensure optimal video and audio quality on Surface Hub 2S, add the following QoS settings to the device. The settings are identical for Skype for Business and Teams.
+
+| Name | Description | OMA-URI | Type | Value |
+| ----------- | ------------------- | ----------------------------------------------------------------------- | ------- | ----------- |
+| Audio Ports | Audio Port range | ./Device/Vendor/MSFT/NetworkQoSPolicy/HubAudio/SourcePortMatchCondition | String | 50000-50019 |
+| Audio DSCP | Audio ports marking | ./Device/Vendor/MSFT/NetworkQoSPolicy/HubAudio/DSCPAction | Integer | 46 |
+| Video Ports | Video Port range | ./Device/Vendor/MSFT/NetworkQoSPolicy/HubVideo/SourcePortMatchCondition | String | 50020-50039 |
+| Video DSCP | Video ports marking | ./Device/Vendor/MSFT/NetworkQoSPolicy/HubVideo/DSCPAction | Integer | 34 |
+> [!NOTE]
+> These are the default port ranges. Administrators may change the port ranges in the Skype for Business and Teams control panel.
+
+**Microsoft Teams Mode settings**
+You can set the Microsoft Teams app mode using Intune. Surface Hub 2S comes installed with Microsoft Teams in mode 0, which supports both Microsoft Teams and Skype for Business. You can adjust the modes as shown below.
+
+Modes:
+
+- Mode 0 – Skype for Business with Microsoft Teams functionality for scheduled meetings.
+- Mode 1 – Microsoft Teams with Skype for Business functionality for scheduled meetings.
+- Mode 2 – Microsoft Teams only.
+
+To set modes, add the following settings to a custom Device Configuration Profile.
+
+| Name | Description | OMA-URI | Type | Value |
+| -------------- | ----------- | --------------------------------------------------------- | ------- | ----------------------------------------------------------- |
+| Teams App ID | App name | ./Vendor/MSFT/SurfaceHub/Properties/VtcAppPackageId | String | Microsoft.MicrosoftTeamsforSurfaceHub_8wekyb3d8bbwe!Teams |
+| Teams App Mode | Teams mode | ./Vendor/MSFT/SurfaceHub/Properties/SurfaceHubMeetingMode | Integer | 0 or 1 or 2 |
+
+#
+
diff --git a/devices/surface-hub/surface-hub-2s-onprem-powershell.md b/devices/surface-hub/surface-hub-2s-onprem-powershell.md
index 8f16b6311c..15dc2d786c 100644
--- a/devices/surface-hub/surface-hub-2s-onprem-powershell.md
+++ b/devices/surface-hub/surface-hub-2s-onprem-powershell.md
@@ -17,7 +17,14 @@ ms.localizationpriority: Normal
> [!NOTE]
> It is important that you know the FQDN of the Client Access service of the on-premises Exchange server.
+```PowerShell
+ $ExchServer = Read-Host "Please Enter the FQDN of your Exchange Server"
+$ExchSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://$ExchServer/PowerShell/ -Authentication Kerberos -Credential (Get-Credential)
+Import-PSSession $ExchSession
```
+
+
+```PowerShell
$ExchServer = Read-Host "Please Enter the FQDN of your Exchange Server"
$ExchSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://$ExchServer/PowerShell/ -Authentication Kerberos -Credential (Get-Credential)
Import-PSSession $ExchSession
@@ -25,13 +32,13 @@ Import-PSSession $ExchSession
## Create the device account
-```
+```PowerShell
New-Mailbox -UserPrincipalName Hub01@contoso.com -Alias Hub01 -Name "Hub 01" -Room -EnableRoomMailboxAccount $true -RoomMailboxPassword (ConvertTo-SecureString -String -AsPlainText -Force)
```
## Set automatic calendar processing
-```
+```PowerShell
Set-CalendarProcessing -Identity "HUB01@contoso.com" -AutomateProcessing AutoAccept -AddOrganizerToSubject $false –AllowConflicts $false –DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false -AddAdditionalResponse $true -AdditionalResponse "This room is equipped with a Surface Hub"
```
@@ -40,7 +47,7 @@ Set-CalendarProcessing -Identity "HUB01@contoso.com" -AutomateProcessing AutoAcc
> [!NOTE]
> It is important that you know the FQDN of the Skype for Business Registrar Pool.
-```
+```PowerShell
Enable-CsMeetingRoom -Identity Contoso\HUB01 -SipAddressType emailaddress -RegistrarPool SfbIEFE01.contoso.local
```
@@ -50,7 +57,7 @@ You may need to create a new Mobile Device Mailbox Policy (also known as ActiveS
## Create a Surface Hub mobile device mailbox policy
-```
+```PowerShell
New-MobileDeviceMailboxPolicy -Name “Surface Hubs” -PasswordEnabled $false
```
@@ -58,6 +65,6 @@ New-MobileDeviceMailboxPolicy -Name “Surface Hubs” -PasswordEnabled $false
It is recommended to add a MailTip to Surface Hub rooms so users remember to make the meeting a Skype for Business or Teams meeting:
-```
+```PowerShell
Set-Mailbox "Surface Hub 2S" -MailTip "This is a Surface Hub room. Please make sure this is a Microsoft Teams meeting."
```
diff --git a/devices/surface-hub/surface-hub-2s-phone-authenticate.md b/devices/surface-hub/surface-hub-2s-phone-authenticate.md
new file mode 100644
index 0000000000..b40ad8bbfe
--- /dev/null
+++ b/devices/surface-hub/surface-hub-2s-phone-authenticate.md
@@ -0,0 +1,35 @@
+---
+title: "Configure phone authentication for Surface Hub 2S"
+description: "Learn how to simplify signing into Surface Hub 2S using phone authentication."
+keywords: separate values with commas
+ms.prod: surface-hub
+ms.sitesec: library
+author: robmazz
+ms.author: robmazz
+audience: Admin
+ms.topic: article
+ms.localizationpriority: Normal
+---
+
+# Configure phone authentication for Surface Hub
+
+Phone authentication for Surface Hub simplifies signing-in to your meetings and files on Surface Hub.
+
+**To set up phone authentication:**
+
+1. Download the [Microsoft Authenticator](https://www.microsoft.com/en-us/account/authenticator) app for iPhone or Android to your phone.
+2. From your PC, go to [https://aka.ms/MFASetup](https://aka.ms/MFASetup) , sign in with your account, and click **Next.**
+3. In the Additional security verification screen, select Mobile App and Use verification code, and then click Setup.
+
+**To configure mobile app:**
+
+1. In the Microsoft authenticator app on your phone, add an account, choose **Work or School Account**, and then scan the QR code displayed on your PC
+2. Send a notification to your phone and then approve the sign-in request.
+3. In the Authenticator app on your phone, use the drop-down menu next to your account and select **Enable phone sign-in**.
+4. If required, register your device with your organization and follow the on-screen instructions.
+
+**To sign into Surface Hub:**
+
+1. On Surface Hub, sign into **My meetings and files** and click **Send notification** when prompted.
+2. Match the number displayed on your phone with the number displayed on Surface Hub to approve your sign-in request.
+3. If prompted, enter the PIN or biometric ID on your phone, to complete sign-in.