deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-15 02:13:43 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'upstream/master' into surface-2s-update-vjokai

Browse Source
This commit is contained in:
John Kaiser
2019-08-15 10:21:52 -07:00
parent 8c47ec8b26 5c8f62e754
commit 6c16a38387
1463 changed files with 24665 additions and 25390 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
devices/hololens/docfx.json
View File

@ -32,7 +32,8 @@
"breadcrumb_path": "/hololens/breadcrumb/toc.json",
"ms.technology": "windows",
"ms.topic": "article",
"ms.author": "jdecker",
"audience": "ITPro",
"manager": "laurawi",
"ms.date": "04/05/2017",
"feedback_system": "GitHub",
"feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",

2
devices/hololens/hololens-encryption.md
View File

@ -102,6 +102,6 @@ Provisioning packages are files created by the Windows Configuration Designer to
Encryption is silent on HoloLens. To verify the device encryption status:
- On HoloLens, go to **Settings** > **System** > **About**. **BitLocker** is **enabled** if the device is encrypted.
- On HoloLens, go to **Settings** > **System** > **About**. **BitLocker** is **enabled** if the device is encrypted.
![About screen showing BitLocker enabled](images/about-encryption.png)

8
devices/hololens/hololens-requirements.md
View File

@ -37,10 +37,10 @@ When you develop for HoloLens, there are [system requirements and tools](https:/
- TTLS-TLS
### Device management
- Users have Azure AD accounts with [Intune license assigned](https://docs.microsoft.com/intune/get-started/start-with-a-paid-subscription-to-microsoft-intune-step-4)
- Wi-Fi network
- Intune or a 3rd party mobile device management (MDM) provider that uses Microsoft MDM APIs
- Users have Azure AD accounts with [Intune license assigned](https://docs.microsoft.com/intune/get-started/start-with-a-paid-subscription-to-microsoft-intune-step-4)
- Wi-Fi network
- Intune or a 3rd party mobile device management (MDM) provider that uses Microsoft MDM APIs
### Upgrade to Windows Holographic for Business
- HoloLens Enterprise license XML file

6
devices/hololens/hololens-updates.md
View File

@ -22,9 +22,9 @@ manager: dansimp
For a complete list of Update policies, see [Policies supported by Windows Holographic for Business](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#a-href-idhololenspoliciesapolicies-supported-by-windows-holographic-for-business).
To configure how and when updates are applied, use the following policies:
- [Update/AllowAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautoupdate)
- [Update/ScheduledInstallDay](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstallday)
- [Update/ScheduledInstallTime](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstalltime)
- [Update/AllowAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautoupdate)
- [Update/ScheduledInstallDay](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstallday)
- [Update/ScheduledInstallTime](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstalltime)
To turn off the automatic check for updates, set the following policy to value **5** Turn off Automatic Updates:
- [Update/AllowAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautoupdate)

2
devices/surface-hub/General-Data-Privacy-Regulation-and-Surface-Hub.md
View File

@ -2,8 +2,6 @@
title: General Data Privacy Regulation and Surface Hub
description: Informs users who are subject to EU data protection laws of their options regarding how to delete or restrict diagnostic data produced by Surface Hub.
ms.assetid: 087713CF-631D-477B-9CC6-EFF939DE0186
ms.reviewer:
manager:
keywords: GDPR
ms.prod: surface-hub
ms.sitesec: library

2
devices/surface-hub/connect-app-in-surface-hub-unexpectedly-exits.md
View File

@ -2,8 +2,6 @@
title: What to do if the Connect app in Surface Hub exits unexpectedly
description: Describes how to resolve an issue where the Connect app in Surface Hub exits to the Welcome screen after cycling through inputs.
ms.assetid: 9576f4e4-d936-4235-8a03-d8a6fe9e8fec
ms.reviewer:
manager:
keywords: surface, hub, connect, input, displayport
ms.prod: surface-hub
ms.sitesec: library

2
devices/surface-hub/docfx.json
View File

@ -27,7 +27,9 @@
"breadcrumb_path": "/surface-hub/breadcrumb/toc.json",
"ROBOTS": "INDEX, FOLLOW",
"ms.technology": "windows",
"audience": "ITPro",
"ms.topic": "article",
"manager": "laurawi",
"ms.mktglfcycl": "manage",
"ms.sitesec": "library",
"ms.date": "05/23/2017",

2
devices/surface-hub/known-issues-and-additional-info-about-surface-hub.md
View File

@ -2,8 +2,6 @@
title: Known issues and additional information about Microsoft Surface Hub
description: Outlines known issues with Microsoft Surface Hub.
ms.assetid: aee90a0c-fb05-466e-a2b1-92de89d0f2b7
ms.reviewer:
manager:
keywords: surface, hub, issues
ms.prod: surface-hub
ms.sitesec: library

2
devices/surface-hub/surface-Hub-installs-updates-and-restarts-outside-maintenance-hours.md
View File

@ -2,8 +2,6 @@
title: Surface Hub may install updates and restart outside maintenance hours
description: troubleshooting information for Surface Hub regarding automatic updates
ms.assetid: 6C09A9F8-F9CF-4491-BBFB-67A1A1DED0AA
ms.reviewer:
manager:
keywords: surface hub, maintenance window, update
ms.prod: surface-hub
ms.sitesec: library

2
devices/surface-hub/surface-hub-2s-setup.md
View File

@ -97,4 +97,4 @@ If you insert a USB thumb drive with a provisioning package into one of the USB
![* Select a device account and friendly name from your configuration file*](images/sh2-run14.png) <br>
4. Follow the instructions to complete first time Setup.
4. Follow the instructions to complete first time Setup.

16
devices/surface-hub/surface-hub-update-history.md
View File

@ -2,8 +2,6 @@
title: Surface Hub update history
description: Surface Hub update history
ms.assetid: d66a9392-2b14-4cb2-95c3-92db0ae2de34
ms.reviewer:
manager:
keywords:
ms.prod: surface-hub
ms.sitesec: library
@ -26,6 +24,18 @@ Please refer to the “[Surface Hub Important Information](https://support.micro
## Windows 10 Team Creators Update 1703
<details>
<summary>June 18, 2019—update for Team edition based on KB4503289* (OS Build 15063.1897)</summary>
This update to the Surface Hub includes quality improvements and security fixes. Key updates to Surface Hub, not already outlined in [Windows 10 Update History](https://support.microsoft.com/help/4018124/windows-10-update-history), include:
* Addresses an issue with log collection for Microsoft Surface Hub 2S.
* Addresses an issue preventing a user from signing in to a Microsoft Surface Hub device with an Azure Active Directory account. This issue occurs because a previous session did not end successfully.
Please refer to the [Surface Hub Admin guide](https://docs.microsoft.com/surface-hub/) for enabling/disabling device features and services.
*[KB4503289](https://support.microsoft.com/help/4503289)
</details>
<details>
<summary>May 28, 2019—update for Team edition based on KB4499162* (OS Build 15063.1835)</summary>
@ -484,4 +494,4 @@ This update to the Surface Hub includes quality improvements and security fixes.
* [Windows 10 November update: FAQ](http://windows.microsoft.com/windows-10/windows-update-faq)
* [Microsoft Surface update history](http://go.microsoft.com/fwlink/p/?LinkId=724327)
* [Microsoft Lumia update history](http://go.microsoft.com/fwlink/p/?LinkId=785968)
* [Get Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=616447)
* [Get Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=616447)

2
devices/surface-hub/surfacehub-miracast-not-supported-europe-japan-israel.md
View File

@ -2,8 +2,6 @@
title: Surface Hub Miracast channels 149-165 not supported in Europe, Japan, Israel
description: Surface Hub Miracast channels 149-165 not supported in Europe, Japan, Israel
ms.assetid: 8af3a832-0537-403b-823b-12eaa7a1af1f
ms.reviewer:
manager:
keywords:
ms.prod: surface-hub
ms.sitesec: library

2
devices/surface-hub/use-cloud-recovery-for-bitlocker-on-surfacehub.md
View File

@ -2,8 +2,6 @@
title: How to use cloud recovery for BitLocker on a Surface Hub
description: How to use cloud recovery for BitLocker on a Surface Hub
ms.assetid: c0bde23a-49de-40f3-a675-701e3576d44d
ms.reviewer:
manager:
keywords: Accessibility settings, Settings app, Ease of Access
ms.prod: surface-hub
ms.sitesec: library

2
devices/surface-hub/use-surface-hub-diagnostic-test-device-account.md
View File

@ -2,8 +2,6 @@
title: Using the Surface Hub Hardware Diagnostic Tool to test a device account
description: Using the Surface Hub Hardware Diagnostic Tool to test a device account
ms.assetid: a87b7d41-d0a7-4acc-bfa6-b9070f99bc9c
ms.reviewer:
manager:
keywords: Accessibility settings, Settings app, Ease of Access
ms.prod: surface-hub
ms.sitesec: library

5
devices/surface-hub/whiteboard-collaboration.md
View File

@ -34,7 +34,7 @@ To get Whiteboard to Whiteboard collaboration up and running, youll need to m
- Currently not utilizing Office 365 Germany or Office 365 operated by 21Vianet
- Surface Hub needs to be updated to Windows 10, version 1607 or newer
- Port 443 needs to be open since Whiteboard makes standard https requests
- Whiteboard.ms, wbd.ms, \*.onenote.com, and your company's SharePoint tenant domain URLs need to be whitelisted for proxies
- Whiteboard.ms, whiteboard.microsoft.com, wbd.ms, \*.onenote.com, and your company's SharePoint tenant domain URLs need to be whitelisted for proxies
>[!NOTE]
@ -68,4 +68,5 @@ After youre done, you can export a copy of the Whiteboard collaboration for y
## Related topics
- [Windows 10 Creators Update for Surface Hub](https://www.microsoft.com/surface/support/surface-hub/windows-10-creators-update-surface-hub)
- [Support documentation for Microsoft Whiteboard](https://support.office.com/en-us/article/Whiteboard-Help-0c0f2aa0-b1bb-491c-b814-fd22de4d7c01)
- [Support documentation for Microsoft Whiteboard](https://support.office.com/article/Whiteboard-Help-0c0f2aa0-b1bb-491c-b814-fd22de4d7c01)

4
devices/surface/assettag.md
View File

@ -20,9 +20,9 @@ for Surface devices. It works on Surface Pro 3 and all newer Surface devices.
## System requirements
- Surface Pro 3 or later
- Surface Pro 3 or later
- UEFI firmware version 3.9.150.0 or later
- UEFI firmware version 3.9.150.0 or later
## Using Surface Asset Tag

38
devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md
View File

@ -1,5 +1,5 @@
---
title: Download the latest firmware and drivers for Surface devices (Surface)
title: Deploy the latest firmware and drivers for Surface devices (Surface)
description: This article provides a list of the available downloads for Surface devices and links to download the drivers and firmware for your device.
ms.assetid: 7662BF68-8BF7-43F7-81F5-3580A770294A
ms.reviewer:
@ -11,27 +11,43 @@ ms.mktglfcycl: deploy
ms.pagetype: surface, devices
ms.sitesec: library
author: dansimp
ms.date: 11/15/2018
ms.date: 08/13/2018
ms.author: dansimp
ms.topic: article
---
# Deploying the latest firmware and drivers for Surface devices
# Deploy the latest firmware and drivers for Surface devices
Although Surface devices are typically automatically updated with the latest device drivers and firmware via Windows Update, sometimes it's necessary to download and install updates manually, such as during a Windows deployment.
## Downloading MSI files
## Download MSI files
To download MSI files, refer to the following Microsoft Support page:
- [Download drivers and firmware for Surface](https://support.microsoft.com/help/4023482/surface-download-drivers-and-firmware-for-surface)<br>
Installation files for administrative tools, drivers for accessories, and updates for Windows are also available for some devices.
## Deploying MSI files
Driver and firmware updates for Surface devices containing all required cumulative updates are packaged in separate MSI files for specific versions of Windows 10.
In the name of each of these files you will find a Windows build number, this number indicates the minimum supported build required to install the drivers and firmware contained within. Refer to [Windows 10 release information](https://docs.microsoft.com/windows/windows-10/release-information) for a list of the build numbers for each version. For example, to install the drivers contained in SurfacePro6_Win10_16299_1900307_0.msi file you must have Windows 10 Fall Creators Update version 1709, or newer installed on your Surface Pro 6.
Driver and firmware updates for Surface devices consisting of all required cumulative updates are packaged in separate MSI files for specific versions of Windows 10.
The MSI file names contain useful information including the minimum supported Windows build number required to install the drivers and firmware. For example, to install the drivers contained in SurfaceBook_Win10_17763_19.080.2031.0.msi requires Windows 10 Fall Creators Update version 1709 or later installed on your Surface Book.
To view build numbers for each version, refer to [Windows 10 release information](https://docs.microsoft.com/windows/windows-10/release-information).
### Surface MSI naming convention
Each .MSI file is named in accordance with a formula that begins with the product and Windows release information, followed by the Windows build number and version number, and ending with the revision of version number. SurfacePro6_Win10_16299_1900307_0.msi is classified as follows:
Beginning in August 2019, MSI files use the following naming formula:
- Product > Windows release > Windows build number > Version number > Revision of version number (typically zero).
**Example:**
SurfacePro6_Win10_18362_19.073.44195_0.msi :
| Product | Windows release | Build | Version | Revision of version |
| --- | --- | --- | --- | --- |
| SurfacePro6 | Win10 | 18362 | 19.073.44195 | 0 |
| | | | Indicates key date and sequence information. | Indicates release history of the update. |
| | | | **19:** Signifies the year (2019).<br>**073**: Signifies the month (July) and week of the release (3). <br>**44195**: Signifies the minute of the month that the MSI file was created. |**0:** Signifies it's the first release of version 1907344195 and has not been re-released for any reason. |
### Legacy Surface MSI naming convention
Legacy MSI files prior to August 2019 followed the same overall naming formula but used a different method to derive the version number.
**Example:**
SurfacePro6_Win10_16299_1900307_0.msi :
@ -39,8 +55,8 @@ SurfacePro6_Win10_16299_1900307_0.msi :
| Product | Windows release | Build | Version | Revision of version |
| --- | --- | --- | --- | --- |
| SurfacePro6 | Win10 | 16299 | 1900307 | 0 |
| | | | Indicates key date and sequence information | Indicates release history of the MSI file |
| | | | **19:** Signifies the year (2019)<br>**003**: Signifies that its the third release of 2019<br>**07**: Signifies the product version number. (Surface Pro 6 is officially the seventh version of Surface Pro.) | **0:** Signifies it's the first release of version 1900307 and has not been re-released for any reason. |
| | | | Indicates key date and sequence information. | Indicates release history of the MSI file. |
| | | | **19:** Signifies the year (2019)<br>**003**: Signifies that its the third release of 2019.<br>**07**: Signifies the product version number. (Surface Pro 6 is officially the seventh version of Surface Pro.) | **0:** Signifies it's the first release of version 1900307 and has not been re-released for any reason. |
Look to the **version** number to determine the latest files that contain the most recent security updates. For example, you might need to install the newest file from the following list:
@ -60,9 +76,9 @@ There are no downloadable firmware or driver updates available for Surface devic
For more information about deploying Surface drivers and firmware, refer to:
- [Manage Surface driver and firmware updates](https://docs.microsoft.com/surface/manage-surface-pro-3-firmware-updates).
- [Manage Surface driver and firmware updates](https://docs.microsoft.com/surface/manage-surface-pro-3-firmware-updates)
- [Microsoft Surface support for business](https://www.microsoft.com/surface/support/business).
- [Microsoft Surface support for business](https://www.microsoft.com/surface/support/business)
 

2
devices/surface/docfx.json
View File

@ -25,7 +25,9 @@
"breadcrumb_path": "/surface/breadcrumb/toc.json",
"ROBOTS": "INDEX, FOLLOW",
"ms.technology": "windows",
"audience": "ITPro",
"ms.topic": "article",
"manager": "laurawi",
"ms.date": "05/09/2017",
"feedback_system": "GitHub",
"feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",

26
devices/surface/maintain-optimal-power-settings-on-Surface-devices.md
View File

@ -59,14 +59,14 @@ instant on/instant off functionality typical of smartphones. S0ix, also
known as Deepest Runtime Idle Platform State (DRIPS), is the default
power mode for Surface devices. Modern standby has two modes:
- **Connected standby.** The default mode for up-to-the minute
delivery of emails, messaging, and cloud-synced data, connected
standby keeps Wi-Fi on and maintains network connectivity.
- **Connected standby.** The default mode for up-to-the minute
delivery of emails, messaging, and cloud-synced data, connected
standby keeps Wi-Fi on and maintains network connectivity.
- **Disconnected standby.** An optional mode for extended battery
life, disconnected standby delivers the same instant-on experience
and saves power by turning off Wi-Fi, Bluetooth, and related network
connectivity.
- **Disconnected standby.** An optional mode for extended battery
life, disconnected standby delivers the same instant-on experience
and saves power by turning off Wi-Fi, Bluetooth, and related network
connectivity.
To learn more about modern standby, refer to the [Microsoft Hardware Dev
Center](https://docs.microsoft.com/windows-hardware/design/device-experiences/modern-standby-wake-sources).
@ -76,13 +76,13 @@ Center](https://docs.microsoft.com/windows-hardware/design/device-experiences/mo
Surface integrates the following features designed to help users
optimize the power management experience:
- [Singular power plan](#singular-power-plan)
- [Singular power plan](#singular-power-plan)
- [Simplified power settings user
interface](#simplified-power-settings-user-interface)
- [Simplified power settings user
interface](#simplified-power-settings-user-interface)
- [Windows performance power
slider](#windows-performance-power-slider)
- [Windows performance power
slider](#windows-performance-power-slider)
### Singular power plan
@ -171,4 +171,4 @@ To learn more, see:
- [Battery
saver](https://docs.microsoft.com/windows-hardware/design/component-guidelines/battery-saver)
- [Deploying the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md)
- [Deploying the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md)

10
devices/surface/microsoft-surface-brightness-control.md
View File

@ -25,16 +25,16 @@ designed to help reduce thermal load and lower the overall carbon
footprint for deployed Surface devices. The tool automatically dims the screen when not in use and
includes the following configuration options:
- Period of inactivity before dimming the display.
- Period of inactivity before dimming the display.
- Brightness level when dimmed.
- Brightness level when dimmed.
- Maximum brightness level when in use.
- Maximum brightness level when in use.
**To run Surface Brightness Control:**
- Install surfacebrightnesscontrol.msi on the target device and Surface Brightness Control
will begin working immediately.
- Install surfacebrightnesscontrol.msi on the target device and Surface Brightness Control
will begin working immediately.
## Configuring Surface Brightness Control

28
devices/surface/step-by-step-surface-deployment-accelerator.md
View File

@ -61,8 +61,8 @@ The following steps show you how to create a deployment share for Windows 10 tha
>[!NOTE]
>As of SDA version 1.96.0405, SDA will install only the components of the Windows ADK that are required for deployment, as follows:
> * Deployment tools
> * User State Migration Tool (USMT)
> * Windows Preinstallation Environment (WinPE)
> * User State Migration Tool (USMT)
> * Windows Preinstallation Environment (WinPE)
> [!NOTE]
> As of SDA version 1.96.0405, SDA will install and use MDT 2013 Update 2. Earlier versions of SDA are compatible only with MDT 2013 Update 1.
@ -75,11 +75,11 @@ The following steps show you how to create a deployment share for Windows 10 tha
- **Local Path** Specify or browse to a location on the local storage device where you would like to store the deployment share files for the Windows 10 SDA deployment share. For example, **E:\\SDAWin10\\** is the location specified in Figure 3.
- **Share Name** Specify a name for the file share that will be used to access the deployment share on this server from the network. For example, **SDAWin10** is the deployment share name shown in Figure 3. The local path folder is automatically shared by the SDA scripts under this name to the group **Everyone** with a permission level of **Full Control**.
- **Share Name** Specify a name for the file share that will be used to access the deployment share on this server from the network. For example, **SDAWin10** is the deployment share name shown in Figure 3. The local path folder is automatically shared by the SDA scripts under this name to the group **Everyone** with a permission level of **Full Control**.
- **Windows 10 Deployment Services**
- Select the **Import boot media into the local Windows Deployment Service** check box if you would like to boot your Surface devices from the network to perform the Windows deployment. Windows Deployment Services must be installed and configured to respond to PXE boot requests. See [Windows Deployment Services Getting Started Guide for Windows Server 2012](https://technet.microsoft.com/library/jj648426.aspx) for more information about how to configure Windows Deployment Services for PXE boot.
- Select the **Import boot media into the local Windows Deployment Service** check box if you would like to boot your Surface devices from the network to perform the Windows deployment. Windows Deployment Services must be installed and configured to respond to PXE boot requests. See [Windows Deployment Services Getting Started Guide for Windows Server 2012](https://technet.microsoft.com/library/jj648426.aspx) for more information about how to configure Windows Deployment Services for PXE boot.
- **Windows 10 Source Files**
@ -100,25 +100,25 @@ The following steps show you how to create a deployment share for Windows 10 tha
7. On the **Summary** page confirm your selections and click **Finish** to begin the creation of your deployment share. The process can take several minutes as files are downloaded, the tools are installed, and the deployment share is created. While the SDA scripts are creating your deployment share, an **Installation Progress** window will be displayed, as shown in Figure 5. A typical SDA process includes:
- Download of Windows ADK
- Download of Windows ADK
- Installation of Windows ADK
- Installation of Windows ADK
- Download of MDT
- Download of MDT
- Installation of MDT
- Installation of MDT
- Download of Surface apps and drivers
- Download of Surface apps and drivers
- Creation of the deployment share
- Creation of the deployment share
- Import of Windows installation files into the deployment share
- Import of Windows installation files into the deployment share
- Import of the apps and drivers into the deployment share
- Import of the apps and drivers into the deployment share
- Creation of rules and task sequences for Windows deployment
- Creation of rules and task sequences for Windows deployment
![The installation progress window](images/sdasteps-fig5-installwindow.png "The installation progress window")
![The installation progress window](images/sdasteps-fig5-installwindow.png "The installation progress window")
*Figure 5. The Installation Progress window*

2
devices/surface/support-solutions-surface.md
View File

@ -25,7 +25,7 @@ These are the top Microsoft Support solutions for common issues experienced when
## Screen cracked or scratched issues
- [Cracked screen and physical damage](https://www.microsoft.com/surface/support/warranty-service-and-recovery/surface-is-damaged)
- [Contact Microsoft Support](https://support.microsoft.com/en-us/supportforbusiness/productselection)
## Device cover or keyboard issues

2
devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md
View File

@ -14,7 +14,7 @@ ms.reviewer:
manager: dansimp
---
# Upgrade Surface devices to Windows 10 with Microsoft Deployment Toolkit
# Upgrade Surface devices to Windows 10 with Microsoft Deployment Toolkit
#### Applies to
* Surface Pro 3

321
devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md
View File

@ -103,39 +103,45 @@ The sample scripts include examples of how to set Surface UEFI settings and how
### Specify certificate and package names
The first region of the script that you need to modify is the portion that specifies and loads the SEMM certificate, and also indicates the names for the SEMM configuration package and SEMM reset package. The certificate and package names are specified on lines 56 through 67 in the ConfigureSEMM.ps1 script:
The first region of the script that you need to modify is the portion that specifies and loads the SEMM certificate, and also indicates SurfaceUEFIManager version, the names for the SEMM configuration package and SEMM reset package. The certificate name and SurfaceUEFIManager version are specified on lines 56 through 73 in the ConfigureSEMM.ps1 script:
```
56 $WorkingDirPath = split-path -parent $MyInvocation.MyCommand.Definition
57 $packageRoot = "$WorkingDirPath\Config"
58
59 if (-not (Test-Path $packageRoot)) { New-Item -ItemType Directory -Force -Path $packageRoot }
60 Copy-Item "$WorkingDirPath\FabrikamOwnerSigner.pfx" $packageRoot
61
62 $privateOwnerKey = Join-Path -Path $packageRoot -ChildPath "FabrikamOwnerSigner.pfx"
63 $ownerPackageName = Join-Path -Path $packageRoot -ChildPath "FabrikamSignerProvisioningPackage.pkg"
64 $resetPackageName = Join-Path -Path $packageRoot -ChildPath "FabrikamUniversalResetPackage.pkg"
65
66 # If your PFX file requires a password then it can be set here, otherwise use a blank string.
67 $password = "1234"
58 $certName = "FabrikamSEMMSample.pfx"
59 $DllVersion = "2.26.136.0"
60
61 $certNameOnly = [System.IO.Path]::GetFileNameWithoutExtension($certName)
62 $ProvisioningPackage = $certNameOnly + "ProvisioningPackage.pkg"
63 $ResetPackage = $certNameOnly + "ResetPackage.pkg"
64
65 if (-not (Test-Path $packageRoot)) { New-Item -ItemType Directory -Force -Path $packageRoot }
66 Copy-Item "$WorkingDirPath\$certName" $packageRoot
67
68 $privateOwnerKey = Join-Path -Path $packageRoot -ChildPath $certName
69 $ownerPackageName = Join-Path -Path $packageRoot -ChildPath $ProvisioningPackage
70 $resetPackageName = Join-Path -Path $packageRoot -ChildPath $ResetPackage
71
72 # If your PFX file requires a password then it can be set here, otherwise use a blank string.
73 $password = "1234"
```
Replace the **FabrikamOwnerSigner.pfx** value for the **$privateOwnerKey** variable with the name of your SEMM Certificate file on both lines 60 and 62. The script will create a working directory (named Config) in the folder where your scripts are located, and will then copy the certificate file to this working directory.
Replace the **FabrikamSEMMSample.pfx** value for the **$certName** variable with the name of your SEMM Certificate file on line 58. The script will create a working directory (named Config) in the folder where your scripts are located, and will then copy the certificate file to this working directory.
Replace the **FabrikamSignerProvisioningPackage.pkg** and **FabrikamUniversalResetPackage.pkg** values on lines 63 and 64 to define the **$ownerPackageName** and **$resetPackageName** variables with your desired names for the SEMM configuration and reset packages. These packages will also be created in the Config directory and hold the configuration for Surface UEFI settings and permissions generated by the script.
Owner package and reset package will also be created in the Config directory and hold the configuration for Surface UEFI settings and permissions generated by the script.
On line 67, replace the value of the **$password** variable, from 1234, to the password for your certificate file. If a password is not required, delete the **1234** text.
On line 73, replace the value of the **$password** variable, from 1234, to the password for your certificate file. If a password is not required, delete the **1234** text.
>[!Note]
>The last two characters of the certificate thumbprint are required to enroll a device in SEMM. This script will display these digits to the user, which allows the user or technician to record these digits before the system reboots to enroll the device in SEMM. The script uses the following code, found on lines 144-149, to accomplish this:
>The last two characters of the certificate thumbprint are required to enroll a device in SEMM. This script will display these digits to the user, which allows the user or technician to record these digits before the system reboots to enroll the device in SEMM. The script uses the following code, found on lines 150-155, to accomplish this:
```
144 # Device owners will need the last two characters of the thumbprint to accept SEMM ownership.
145 # For convenience we get the thumbprint here and present to the user.
146 $pw = ConvertTo-SecureString $password -AsPlainText -Force
147 $certPrint = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
148 $certPrint.Import($privateOwnerKey, $pw, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
149 Write-Host "Thumbprint =" $certPrint.Thumbprint
150 # Device owners will need the last two characters of the thumbprint to accept SEMM ownership.
151 # For convenience we get the thumbprint here and present to the user.
152 $pw = ConvertTo-SecureString $password -AsPlainText -Force
153 $certPrint = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
154 $certPrint.Import($privateOwnerKey, $pw, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
155 Write-Host "Thumbprint =" $certPrint.Thumbprint
```
Administrators with access to the certificate file (.pfx) can read the thumbprint at any time by opening the .pfx file in CertMgr. To view the thumbprint with CertMgr, follow this process:
@ -153,46 +159,47 @@ Administrators with access to the certificate file (.pfx) can read the thumbprin
### Configure permissions
The first region of the script where you will specify the configuration for Surface UEFI is the **Configure Permissions** region. This region begins at line 202 in the sample script with the comment **# Configure Permissions** and continues to line 238. The following code fragment first sets permissions to all Surface UEFI settings so that they may be modified by SEMM only, then adds explicit permissions to allow the local user to modify the Surface UEFI password, TPM, and front and rear cameras:
The first region of the script where you will specify the configuration for Surface UEFI is the **Configure Permissions** region. This region begins at line 210 in the sample script with the comment **# Configure Permissions** and continues to line 247. The following code fragment first sets permissions to all Surface UEFI settings so that they may be modified by SEMM only, then adds explicit permissions to allow the local user to modify the Surface UEFI password, TPM, and front and rear cameras:
```
202 # Configure Permissions
203 foreach ($uefiV2 IN $surfaceDevices.Values) {
204 # Here we define which "identities" will be allowed to modify which settings
205 # PermissionSignerOwner = The primary SEMM enterprise owner identity
206 # PermissionLocal = The user when booting to the UEFI pre-boot GUI
207 # PermissionSignerUser, PermissionSignerUser1, PermissionSignerUser2 =
208 # Additional user identities created so that the signer owner
209 # can delegate permission control for some settings.
210 $ownerOnly = [Microsoft.Surface.IUefiSetting]::PermissionSignerOwner
211 $ownerAndLocalUser = ([Microsoft.Surface.IUefiSetting]::PermissionSignerOwner -bor [Microsoft.Surface.IUefiSetting]::PermissionLocal)
212
213 # Make all permissions owner only by default
214 foreach ($setting IN $uefiV2.Settings.Values) {
215 $setting.ConfiguredPermissionFlags = $ownerOnly
216 }
217 # Allow the local user to change their own password
218 $uefiV2.SettingsById[501].ConfiguredPermissionFlags = $ownerAndLocalUser
219
220 # Allow the local user to change the state of the TPM
221 $uefiV2.Settings["Trusted Platform Module (TPM)"].ConfiguredPermissionFlags = $ownerAndLocalUser
222
223 # Allow the local user to change the state of the Front and Rear cameras
224 $uefiV2.SettingsById[302].ConfiguredPermissionFlags = $ownerAndLocalUser
225 $uefiV2.SettingsById[304].ConfiguredPermissionFlags = $ownerAndLocalUser
226
227
228 # Create a unique package name based on family and LSV.
229 # We will choose a name that can be parsed by later scripts.
230 $packageName = $uefiV2.SurfaceUefiFamily + "^Permissions^" + $lsv + ".pkg"
231 $fullPackageName = Join-Path -Path $packageRoot -ChildPath $packageName
232
233 # Build and sign the Permission package then save it to a file.
234 $permissionPackageStream = $uefiV2.BuildAndSignPermissionPackage($privateOwnerKey, $password, "", $null, $lsv)
235 $permissionPackage = New-Object System.IO.Filestream($fullPackageName, [System.IO.FileMode]::CreateNew, [System.IO.FileAccess]::Write)
236 $permissionPackageStream.CopyTo($permissionPackage)
237 $permissionPackage.Close()
238 }
210 # Configure Permissions
211 foreach ($uefiV2 IN $surfaceDevices.Values) {
212 if ($uefiV2.SurfaceUefiFamily -eq $Device.Model) {
213 Write-Host "Configuring permissions"
214 Write-Host $Device.Model
215 Write-Host "======================="
216
217 # Here we define which "identities" will be allowed to modify which settings
218 # PermissionSignerOwner = The primary SEMM enterprise owner identity
219 # PermissionLocal = The user when booting to the UEFI pre-boot GUI
220 # PermissionSignerUser, PermissionSignerUser1, PermissionSignerUser2 =
221 # Additional user identities created so that the signer owner
222 # can delegate permission control for some settings.
223 $ownerOnly = [Microsoft.Surface.IUefiSetting]::PermissionSignerOwner
224 $ownerAndLocalUser = ([Microsoft.Surface.IUefiSetting]::PermissionSignerOwner -bor [Microsoft.Surface.IUefiSetting]::PermissionLocal)
225
226 # Make all permissions owner only by default
227 foreach ($setting IN $uefiV2.Settings.Values) {
228 $setting.ConfiguredPermissionFlags = $ownerOnly
229 }
230
231 # Allow the local user to change their own password
232 $uefiV2.SettingsById[501].ConfiguredPermissionFlags = $ownerAndLocalUser
233
234 Write-Host ""
235
236 # Create a unique package name based on family and LSV.
237 # We will choose a name that can be parsed by later scripts.
238 $packageName = $uefiV2.SurfaceUefiFamily + "^Permissions^" + $lsv + ".pkg"
239 $fullPackageName = Join-Path -Path $packageRoot -ChildPath $packageName
240
241 # Build and sign the Permission package then save it to a file.
242 $permissionPackageStream = $uefiV2.BuildAndSignPermissionPackage($privateOwnerKey, $password, "", $null, $lsv)
243 $permissionPackage = New-Object System.IO.Filestream($fullPackageName, [System.IO.FileMode]::CreateNew, [System.IO.FileAccess]::Write)
244 $permissionPackageStream.CopyTo($permissionPackage)
245 $permissionPackage.Close()
246 }
247 }
```
Each **$uefiV2** variable identifies a Surface UEFI setting by setting name or ID, and then configures the permissions to one of the following values:
@ -204,69 +211,169 @@ You can find information about the available settings names and IDs for Surface
### Configure settings
The second region of the script where you will specify the configuration for Surface UEFI is the **Configure Settings** region of the ConfigureSEMM.ps1 script, which configures whether each setting is enabled or disabled. The sample script includes instructions to set all settings to their default values. The script then provides explicit instructions to disable IPv6 for PXE Boot and to leave the Surface UEFI Administrator password unchanged. You can find this region beginning with the **# Configure Settings** comment at line 282 through line 312 in the sample script. The region appears as follows:
The second region of the script where you will specify the configuration for Surface UEFI is the **Configure Settings** region of the ConfigureSEMM.ps1 script, which configures whether each setting is enabled or disabled. The sample script includes instructions to set all settings to their default values. The script then provides explicit instructions to disable IPv6 for PXE Boot and to leave the Surface UEFI Administrator password unchanged. You can find this region beginning with the **# Configure Settings** comment at line 291 through line 335 in the sample script. The region appears as follows:
```
282 # Configure Settings
283 foreach ($uefiV2 IN $surfaceDevices.Values) {
284 # In this demo, we will start by setting every setting to the default factory setting.
285 # You may want to start by doing this in your scripts
286 # so that every setting gets set to a known state.
287 foreach ($setting IN $uefiV2.Settings.Values) {
288 $setting.ConfiguredValue = $setting.DefaultValue
289 }
290
291 # If you want to set something to a different value from the default,
292 # here are examples of how to accomplish this.
293 $uefiV2.Settings["IPv6 for PXE Boot"].ConfiguredValue = "Disabled"
294
295 # If you want to leave the setting unmodified, set it to $null
296 # PowerShell has issues setting things to $null so ClearConfiguredValue()
297 # is supplied to do this explicitly.
298 # Here is an example of leaving the UEFI administrator password as-is,
299 # even after we initially set it to factory default above.
300 $uefiV2.SettingsById[501].ClearConfiguredValue()
301
302 # Create a unique package name based on family and LSV.
303 # We will choose a name that can be parsed by later scripts.
304 $packageName = $uefiV2.SurfaceUefiFamily + "^Settings^" + $lsv + ".pkg"
305 $fullPackageName = Join-Path -Path $packageRoot -ChildPath $packageName
306
307 # Build and sign the Settings package then save it to a file.
308 $settingsPackageStream = $uefiV2.BuildAndSignSecuredSettingsPackage($privateOwnerKey, $password, "", $null, $lsv)
309 $settingsPackage = New-Object System.IO.Filestream($fullPackageName, [System.IO.FileMode]::CreateNew, [System.IO.FileAccess]::Write)
310 $settingsPackageStream.CopyTo($settingsPackage)
311 $settingsPackage.Close()
312 }
291 # Configure Settings
292 foreach ($uefiV2 IN $surfaceDevices.Values) {
293 if ($uefiV2.SurfaceUefiFamily -eq $Device.Model) {
294 Write-Host "Configuring settings"
295 Write-Host $Device.Model
296 Write-Host "===================="
297
298 # In this demo, we will start by setting every setting to the default factory setting.
299 # You may want to start by doing this in your scripts
300 # so that every setting gets set to a known state.
301 foreach ($setting IN $uefiV2.Settings.Values) {
302 $setting.ConfiguredValue = $setting.DefaultValue
303 }
304
305 $EnabledValue = "Enabled"
306 $DisabledValue = "Disabled"
307
308 # If you want to set something to a different value from the default,
309 # here are examples of how to accomplish this.
310 # This disables IPv6 PXE boot by name:
311 $uefiV2.Settings["IPv6 for PXE Boot"].ConfiguredValue = $DisabledValue
312
313 # This disables IPv6 PXE Boot by ID:
314 $uefiV2.SettingsById[400].ConfiguredValue = $DisabledValue
315
316 Write-Host ""
317
318 # If you want to leave the setting unmodified, set it to $null
319 # PowerShell has issues setting things to $null so ClearConfiguredValue()
320 # is supplied to do this explicitly.
321 # Here is an example of leaving the UEFI administrator password as-is,
322 # even after we initially set it to factory default above.
323 $uefiV2.SettingsById[501].ClearConfiguredValue()
324
325 # Create a unique package name based on family and LSV.
326 # We will choose a name that can be parsed by later scripts.
327 $packageName = $uefiV2.SurfaceUefiFamily + "^Settings^" + $lsv + ".pkg"
328 $fullPackageName = Join-Path -Path $packageRoot -ChildPath $packageName
329
330 # Build and sign the Settings package then save it to a file.
331 $settingsPackageStream = $uefiV2.BuildAndSignSecuredSettingsPackage($privateOwnerKey, $password, "", $null, $lsv)
332 $settingsPackage = New-Object System.IO.Filestream($fullPackageName, [System.IO.FileMode]::CreateNew, [System.IO.FileAccess]::Write)
333 $settingsPackageStream.CopyTo($settingsPackage)
334 $settingsPackage.Close()
335 }
```
Like the permissions set in the **Configure Permissions** section of the script, the configuration of each Surface UEFI setting is performed by defining the **$uefiV2** variable. For each line defining the **$uefiV2** variable, a Surface UEFI setting is identified by setting name or ID and the configured value is set to **Enabled** or **Disabled**.
If you do not want to alter the configuration of a Surface UEFI setting, for example to ensure that the Surface UEFI administrator password is not cleared by the action of resetting all Surface UEFI settings to their default, you can use **ClearConfiguredValue()** to enforce that this setting will not be altered. In the sample script, this is used on line 300 to prevent the clearing of the Surface UEFI Administrator password, identified in the sample script by its setting ID, **501**.
If you do not want to alter the configuration of a Surface UEFI setting, for example to ensure that the Surface UEFI administrator password is not cleared by the action of resetting all Surface UEFI settings to their default, you can use **ClearConfiguredValue()** to enforce that this setting will not be altered. In the sample script, this is used on line 323 to prevent the clearing of the Surface UEFI Administrator password, identified in the sample script by its setting ID, **501**.
You can find information about the available settings names and IDs for Surface UEFI in the [Settings Names and IDs](#settings-names-and-ids) section later in this article.
### Settings registry key
To identify enrolled systems for Configuration Manager, the ConfigureSEMM.ps1 script writes a registry key that can be used to identify enrolled systems as having been installed with the SEMM configuration script. This key can be found at the following location:
To identify enrolled systems for Configuration Manager, the ConfigureSEMM.ps1 script writes registry keys that can be used to identify enrolled systems as having been installed with the SEMM configuration script. These keys can be found at the following location:
`HKLM\SOFTWARE\Microsoft\Surface\SEMM\Enabled_Version1000`
`HKLM\SOFTWARE\Microsoft\Surface\SEMM`
The following code fragment, found on lines 352-363, is used to write this registry key:
The following code fragment, found on lines 380-477, is used to write these registry keys:
```
352 $SurfaceRegKey = "HKLM:\SOFTWARE\Microsoft\Surface\SEMM"
353 New-RegKey $SurfaceRegKey
354 $SurfaceRegValue = Get-ItemProperty $SurfaceRegKey Enabled_Version1000 -ErrorAction SilentlyContinue
355
356 If ($SurfaceRegValue -eq $null)
357 {
358 New-ItemProperty -Path $SurfaceRegKey -Name Enabled_Version1000 -PropertyType String -Value 1 | Out-Null
359 }
360 Else
361 {
362 Set-ItemProperty -Path $SurfaceRegKey -Name Enabled_Version1000 -Value 1
363 }
380 # For SCCM or other management solutions that wish to know what version is applied, tattoo the LSV and current DateTime (in UTC) to the registry:
381 $UTCDate = (Get-Date).ToUniversalTime().ToString()
382 $certIssuer = $certPrint.Issuer
383 $certSubject = $certPrint.Subject
384
385 $SurfaceRegKey = "HKLM:\SOFTWARE\Microsoft\Surface\SEMM"
386 New-RegKey $SurfaceRegKey
387 $LSVRegValue = Get-ItemProperty $SurfaceRegKey LSV -ErrorAction SilentlyContinue
388 $DateTimeRegValue = Get-ItemProperty $SurfaceRegKey LastConfiguredUTC -ErrorAction SilentlyContinue
389 $OwnershipSessionIdRegValue = Get-ItemProperty $SurfaceRegKey OwnershipSessionId -ErrorAction SilentlyContinue
390 $PermissionSessionIdRegValue = Get-ItemProperty $SurfaceRegKey PermissionSessionId -ErrorAction SilentlyContinue
391 $SettingsSessionIdRegValue = Get-ItemProperty $SurfaceRegKey SettingsSessionId -ErrorAction SilentlyContinue
392 $IsResetRegValue = Get-ItemProperty $SurfaceRegKey IsReset -ErrorAction SilentlyContinue
393 $certUsedRegValue = Get-ItemProperty $SurfaceRegKey CertName -ErrorAction SilentlyContinue
394 $certIssuerRegValue = Get-ItemProperty $SurfaceRegKey CertIssuer -ErrorAction SilentlyContinue
395 $certSubjectRegValue = Get-ItemProperty $SurfaceRegKey CertSubject -ErrorAction SilentlyContinue
396
397
398 If ($LSVRegValue -eq $null)
399 {
400 New-ItemProperty -Path $SurfaceRegKey -Name LSV -PropertyType DWORD -Value $lsv | Out-Null
401 }
402 Else
403 {
404 Set-ItemProperty -Path $SurfaceRegKey -Name LSV -Value $lsv
405 }
406
407 If ($DateTimeRegValue -eq $null)
408 {
409 New-ItemProperty -Path $SurfaceRegKey -Name LastConfiguredUTC -PropertyType String -Value $UTCDate | Out-Null
410 }
411 Else
412 {
413 Set-ItemProperty -Path $SurfaceRegKey -Name LastConfiguredUTC -Value $UTCDate
414 }
415
416 If ($OwnershipSessionIdRegValue -eq $null)
417 {
418 New-ItemProperty -Path $SurfaceRegKey -Name OwnershipSessionId -PropertyType String -Value $ownerSessionIdValue | Out-Null
419 }
420 Else
421 {
422 Set-ItemProperty -Path $SurfaceRegKey -Name OwnershipSessionId -Value $ownerSessionIdValue
423 }
424
425 If ($PermissionSessionIdRegValue -eq $null)
426 {
427 New-ItemProperty -Path $SurfaceRegKey -Name PermissionSessionId -PropertyType String -Value $permissionSessionIdValue | Out-Null
428 }
429 Else
430 {
431 Set-ItemProperty -Path $SurfaceRegKey -Name PermissionSessionId -Value $permissionSessionIdValue
432 }
433
434 If ($SettingsSessionIdRegValue -eq $null)
435 {
436 New-ItemProperty -Path $SurfaceRegKey -Name SettingsSessionId -PropertyType String -Value $settingsSessionIdValue | Out-Null
437 }
438 Else
439 {
440 Set-ItemProperty -Path $SurfaceRegKey -Name SettingsSessionId -Value $settingsSessionIdValue
441 }
442
443 If ($IsResetRegValue -eq $null)
444 {
445 New-ItemProperty -Path $SurfaceRegKey -Name IsReset -PropertyType DWORD -Value 0 | Out-Null
446 }
447 Else
448 {
449 Set-ItemProperty -Path $SurfaceRegKey -Name IsReset -Value 0
450 }
451
452 If ($certUsedRegValue -eq $null)
453 {
454 New-ItemProperty -Path $SurfaceRegKey -Name CertName -PropertyType String -Value $certName | Out-Null
455 }
456 Else
457 {
458 Set-ItemProperty -Path $SurfaceRegKey -Name CertName -Value $certName
459 }
460
461 If ($certIssuerRegValue -eq $null)
462 {
463 New-ItemProperty -Path $SurfaceRegKey -Name CertIssuer -PropertyType String -Value $certIssuer | Out-Null
464 }
465 Else
466 {
467 Set-ItemProperty -Path $SurfaceRegKey -Name CertIssuer -Value $certIssuer
468 }
469
470 If ($certSubjectRegValue -eq $null)
471 {
472 New-ItemProperty -Path $SurfaceRegKey -Name CertSubject -PropertyType String -Value $certSubject | Out-Null
473 }
474 Else
475 {
476 Set-ItemProperty -Path $SurfaceRegKey -Name CertSubject -Value $certSubject
477 }
```
### Settings names and IDs