Merge branch 'master' into jodben-ResetRecovery

devices/hololens/change-history-hololens.md

@@ -17,6 +17,14 @@ ms.localizationpriority: medium
 
 This topic lists new and updated topics in the [Microsoft HoloLens documentation](index.md).
 
+## Windows 10 Holographic, version 2004
+
+The topics in this library have been updated for Windows 10 Holographic, version 2004.
+
+## HoloLens 2
+
+The topics in this library have been updated for HoloLens 2 and Windows 10 Holographic, version 1903.
+
 ## April 2019
 
 New or changed topic | Description

devices/hololens/holographic-photos-and-videos.md

@@ -44,7 +44,9 @@ To take a quick photo of your current view, press the volume up and volume down
 
 ### Voice commands to take photos
 
-Cortana can also take a picture. Say: "Hey Cortana, take a picture."
+On HoloLens 2, version 2004 (and later), say: "Take a picture."
+
+On HoloLens (1st gen) or HoloLens 2, version 1903, say: "Hey Cortana, take a picture."
 
 ### Start menu to take photos
 
@@ -67,7 +69,9 @@ The quickest way to record a video is to press and hold the **volume up** and **
 
 ### Voice to record videos
 
-Cortana can also record a video. Say: "Hey Cortana, start recording." To stop a video, say "Hey Cortana, stop recording."
+On HoloLens 2, version 2004 (and later), say: "Start recording." To stop recording, say "Stop recording."
+
+On HoloLens (1st gen) or HoloLens 2, version 1903, say: "Hey Cortana, start recording." To stop recording, say "Hey Cortana, stop recording."
 
 ### Start menu to record videos
 

devices/hololens/hololens-faq-security.md

@@ -34,7 +34,7 @@ appliesto:
 1. **What frequency range and channels does the device operate on and is it configurable?**
     1. Wi-Fi: The frequency range is not user configurable and depends on the country of use. In the US Wi-Fi uses both 2.4 GHz (1-11) channels and 5 GHz (36-64, 100-165) channels.
     1. Bluetooth: Bluetooth uses the standard 2.4-2.48 GHz range.
-1. **Can the device blacklist or white list specific frequencies?**
+1. **Can the device allow or block specific frequencies?**
     1. This is not controllable by the user/device
 1. **What is the power level for both transmit and receive? Is it adjustable? What is the range of operation?**
     1. Our emissions testing standards can be found [here](https://fccid.io/C3K1688). Range of operation is highly dependent on the access point and environment - but is roughly equivalent to other high-quality phones, tablets, or PCs.
@@ -63,9 +63,9 @@ appliesto:
     1. Yes
 1. **Is there an ability to control or disable the use of ports on the device?**
     1. The HoloLens only contains 2 ports (one for headphones and one for charging or connecting to PCs). There is not ability to disable the port due to functionality and recovery reasons.
-1. **Antivirus, end point detection, IPS, app control whitelist – Any ability to run antivirus, end point detection, IPS, app control whitelist, etc.**
+1. **Antivirus, end point detection, IPS, app control allow list – Any ability to run antivirus, end point detection, IPS, app control allow list, etc.**
     1. Windows Holographic for Business (commercial suite) does support Windows Defender Smart Screen. If an antivirus company were to create and publish their app to the Universal Windows Platform, it could be downloaded on HoloLens. At present, no companies have done this for HoloLens.
-    1. Whitelisting apps is possible by using the Microsoft Enterprise Store, where you can choose only what specific apps can be downloaded. Also, through MDM you can lock what specific apps can be run or even seen on the device.
+    1. Allowing apps is possible by using the Microsoft Enterprise Store, where you can choose only what specific apps can be downloaded. Also, through MDM you can lock what specific apps can be run or even seen on the device.
 1. **Can we quarantine the device from prod network until we update the device if it has been offline for an extended period of time?  Ex. Device has been sitting in a drawer not powered up for a period (6 months) and has not received any updates, patches, etc.  When it tries to come on the network can we flag it and say you must update on another network prior to being complaint to join the network.**
     1. This is something that can be managed on the infrastructure level by either an MDM or an on-prem server. The device can be flagged as not compliant if it does not meet a specified Update version.
 1. **Does Microsoft include any back doors or access to services that allows Microsoft to connect to the device for screen sharing or remote support at will?**
@@ -85,7 +85,7 @@ appliesto:
     1. C3K1855
 1. **What frequency range and channels does the device operate on and is it configurable?**
     1. Wi-Fi: The frequency range is not user configurable and depends on the country of use. In the US Wi-Fi uses both 2.4 GHz (1-11) channels and 5 GHz (36-64, 100-165) channels.
-1. **Can the device blacklist or white list specific frequencies?**
+1. **Can the device allow or block specific frequencies?**
     1. This is not controllable by the user/device
 1. **What is the power level for both transmit and receive? Is it adjustable? What is the range of operation?**
     1. Wireless power levels depend on the channel of operation. Devices are calibrated to perform at the highest power levels allowed based on the region's regulatory rules.
@@ -113,9 +113,9 @@ appliesto:
     1. Yes
 1. **Is there an ability to control or disable the use of ports on the device?**
     1. The HoloLens only contains 2 ports (one for headphones and one for charging or connecting to PCs). There is not ability to disable the port due to functionality and recovery reasons.
-1. **Antivirus, end point detection, IPS, app control whitelist – Any ability to run antivirus, end point detection, IPS, app control whitelist, etc.**
+1. **Antivirus, end point detection, IPS, app control allow – Any ability to run antivirus, end point detection, IPS, app control allow, etc.**
     1. HoloLens 2nd Gen supports Windows Defender Smart Screen. If an antivirus company were to create and publish their app to the Universal Windows Platform, it could be downloaded on HoloLens. At present, no companies have done this for HoloLens.
-    1. Whitelisting apps is possible by using the Microsoft Enterprise Store, where you can choose only what specific apps can be downloaded. Also, through MDM you can lock what specific apps can be run or even seen on the device.
+    1. Allowing apps is possible by using the Microsoft Enterprise Store, where you can choose only what specific apps can be downloaded. Also, through MDM you can lock what specific apps can be run or even seen on the device.
 1. **Can we quarantine the device from prod network until we update the device if it has been offline for an extended period of time?  Ex. Device has been sitting in a drawer not powered up for a period (6 months) and has not received any updates, patches, etc.  When it tries to come on the network can we flag it and say you must update on another network prior to being complaint to join the network.**
     1. This is something that can be managed on the infrastructure level by either an MDM or an on-prem server. The device can be flagged as not compliant if it does not meet a specified Update version.
 1. **Does Microsoft include any back doors or access to services that allows Microsoft to connect to the device for screen sharing or remote support at will?**

devices/hololens/hololens-multiple-users.md

@@ -37,7 +37,7 @@ To use HoloLens, each user follows these steps:
 
 1. If another user has been using the device, do one of the following:
    - Press the power button once to go to standby, and then press the power button again to return to the lock screen
-   - HoloLens 2 users may select the user tile on the top of the Pins panel to sign out the current user.
+   - HoloLens 2 users may select the user tile from the Start menu to sign out the current user.
 
 1. Use your Azure AD account credentials to sign in to the device.  
     If this is the first time that you have used the device, you have to [calibrate](hololens-calibration.md) HoloLens to your own eyes.

devices/hololens/hololens-offline.md

@@ -22,7 +22,7 @@ appliesto:
 
 # Manage connection endpoints for HoloLens
 
-Some HoloLens components, apps, and related services transfer data to Microsoft network endpoints. This article lists different endpoints and URLs that need to be whitelisted in your network configuration (e.g. proxy or firewall) for those components to be functional.    
+Some HoloLens components, apps, and related services transfer data to Microsoft network endpoints. This article lists different endpoints and URLs that need to be allowed in your network configuration (e.g. proxy or firewall) for those components to be functional.    
 
 ## Near-offline setup
 

devices/hololens/hololens-release-notes.md

@@ -8,7 +8,7 @@ ms.prod: hololens
 ms.sitesec: library
 ms.topic: article
 ms.localizationpriority: medium
-ms.date: 05/12/2020
+ms.date: 06/9/2020
 ms.custom: 
 - CI 111456
 - CSSTroubleshooting
@@ -20,6 +20,52 @@ appliesto:
 
 # HoloLens 2 release notes
 
+To ensure you have a productive experience with your HoloLens devices, we continue to release feature, bug and security updates. In this page you can learn about what’s new on HoloLens each month. If you would like to download the latest HoloLens 2 FFU to flash your device via [Advanced Recovery Companion](hololens-recovery.md#re-install-the-operating-system) then you may download it from [here](https://aka.ms/hololens2download). This is kept up-to-date and will match the latest generally available build. 
+
+HoloLens Emulator Release Notes can be found [here](https://docs.microsoft.com/windows/mixed-reality/hololens-emulator-archive).
+
+## Windows Holographic, version 2004 - June 2020 Update
+- Build 19041.1106
+
+Improvements and fixes in the update:
+
+- Custom MRC recorders have new default values for certain properties if they aren't specified.
+  - On the MRC Video Effect:
+    - PreferredHologramPerspective (1 PhotoVideoCamera)
+    - GlobalOpacityCoefficient (0.9 (HoloLens) 1.0 (Immersive headset))
+  - On the MRC Audio Effect:
+    - LoopbackGain (the current "App Audio Gain" value on the Mixed Reality Capture page in Windows Device Portal)
+    - MicrophoneGain (the current "Mic Audio Gain" value on the Mixed Reality Capture page in Windows Device Portal)
+- This update contains a bug fix that improves audio quality in Mixed Reality Capture scenarios. Specifically, it should eliminate any audio glitching in the recording when the Start Menu is displayed.
+- Improved hologram stability in recorded videos.
+- Resolves an issue where mixed reality capture couldn't record video after device is left in standby state for multiple days.
+- The HolographicSpace.UserPresence API is generally disabled for Unity applications to avoid an issue which causes some apps to pause when the visor is flipped up, even if the setting to run in the background is enabled. The API is now enabled for Unity versions 2018.4.18 and higher, and 2019.3.4 and higher.
+- When accessing Device Portal over a WiFi connection, a web browser might prevent access to due to an invalid certificate, reporting an error such as "ERR_SSL_PROTOCOL_ERROR," even if the device certificate has previously been trusted.  In this case, you would be unable to progress to Device Portal as options to ignore security warnings are not available.  This update resolves the issue.  If the device certificate was previously downloaded and trusted on a PC to remove browser security warnings and the SSL error has been encountered, the new certificate will need to be downloaded and trusted to address browser security warnings.
+- Enabled ability to create a runtime provisioning package which can install an app using MSIX packages.
+- New setting that users can find under Settings > System > Holograms, that allows users to automatically remove all holograms from the mixed reality home when the device shuts down.
+- Fixed an issue that caused HoloLens apps that change their pixel format to render black in the HoloLens emulator.
+- Fixed bug that caused a crash during Iris Login.
+- Fixes an issue around repeated store downloads for already current apps.
+- Fixed a bug to preventing immersive apps from launching Edge multiple times.
+- Fixes an issue around launches of the Photos app in initial boots after updating from the 1903 release.
+- Improved performance and reliability.
+
+## Windows Holographic, version 1903 - June 2020 Update
+- Build 18362.1064
+
+Improvements and fixes in the update:
+
+- Custom MRC recorders have new default values for certain properties if they aren't specified.
+  - On the MRC Video Effect:
+    - PreferredHologramPerspective (1 PhotoVideoCamera)
+    - GlobalOpacityCoefficient (0.9 (HoloLens) 1.0 (Immersive headset))
+  - On the MRC Audio Effect:
+    - LoopbackGain (the current "App Audio Gain" value on the Mixed Reality Capture page in Windows Device Portal)
+    - MicrophoneGain (the current "Mic Audio Gain" value on the Mixed Reality Capture page in Windows Device Portal)
+- The HolographicSpace.UserPresence API is generally disabled for Unity applications to avoid an issue which causes some apps to pause when the visor is flipped up, even if the setting to run in the background is enabled. The API is now enabled for Unity versions 2018.4.18 and higher, and 2019.3.4 and higher.
+- Fixed an issue that caused HoloLens apps that change their pixel format to render black in the HoloLens emulator.
+- Fixes an issue around launches of the Photos app in initial boots after updating from the 1903 release.
+
 ## Windows Holographic, version 2004  
 Build - 19041.1103
 
@@ -32,15 +78,12 @@ We are excited to announce our May 2020 major software update for HoloLens 2, **
 |       Improved provisioning                      |          Seamlessly apply a provisioning   package from a USB drive to your HoloLens                              |
 |       Application install status                 |          Check install status for apps have   been pushed to HoloLens 2 via MDM, in the Settings app              |
 |       Configuration Service Providers   (CSPs)   |          Added new Configuration Service   Providers (CSPs) enhancing admin control capabilities.                 |
-|       USB 5G/LTE support                       |          Expanded USB Ethernet capability   enables support for 5G/LTE dongles                                    |
+|       USB 5G/LTE support                       |          Expanded USB Ethernet capability   enables support for 5G/LTE                                    |
 |       Dark App Mode                              |          Dark App Mode for apps that support   both dark and light modes, improving the viewing experience        |
 |       Voice Commands                             |          Support for additional system voice   commands to control HoloLens, hands-free                           |
 |       Hand Tracking improvements                 |          Hand Tracking improvements make   buttons and 2D slate interactions more accurate                        |
 |       Quality improvements and fixes                 |          Various system performance and   reliability improvements across the platform                            |
 
-> [!Note]
-> HoloLens Emulator Release Notes can be found [here](https://docs.microsoft.com/windows/mixed-reality/hololens-emulator-archive).
-
 ### Support for Windows Autopilot 
 
 Windows Autopilot for HoloLens 2 lets the device sales channel pre-enroll HoloLens into your Intune tenant.  When devices arrive, they’re ready to self-deploy as shared devices under your tenant. To take advantage of self-deployment, devices will need to connect to a network during the first screen in setup using either a USB-C to ethernet dongle or USB-C to LTE dongle. 

devices/hololens/hololens-requirements.md

@@ -23,7 +23,7 @@ This document also assumes that the HoloLens has been evaluated by security team
 1. [Determine what features you need](hololens-requirements.md#step-1-determine-what-you-need)
 1. [Determine what licenses you need](hololens-licenses-requirements.md)
 1. [Configure your network for HoloLens](hololens-commercial-infrastructure.md).
-    1. This section includes bandwidth requirements, URL, and ports that need to be whitelisted on your firewall; Azure AD guidance; Mobile Device Management (MDM) Guidance; app deployment/management guidance; and certificate guidance.
+    1. This section includes bandwidth requirements, URL, and ports that need to be allowed on your firewall; Azure AD guidance; Mobile Device Management (MDM) Guidance; app deployment/management guidance; and certificate guidance.
 1. (Optional) [Configure HoloLens using a provisioning package](hololens-provisioning.md)
 1. [Enroll Device](hololens-enroll-mdm.md)
 1. [Set up ring based updates for HoloLens](hololens-updates.md)

devices/hololens/hololens1-upgrade-enterprise.md

@@ -16,6 +16,9 @@ appliesto:
 
 # Unlock Windows Holographic for Business features
 
+> [!IMPORTANT]
+> This page only applies to HoloLens 1st Gen.
+
 Microsoft HoloLens is available in the *Development Edition*, which runs Windows Holographic (an edition of Windows 10 that is designed for HoloLens), and in the [Commercial Suite](hololens-commercial-features.md), which provides extra features designed for business.
 
 When you purchase the Commercial Suite, you receive a license that upgrades Windows Holographic to Windows Holographic for Business. You can apply this license to the device either by using the organization's [mobile device management (MDM) provider](#edition-upgrade-by-using-mdm) or a [provisioning package](#edition-upgrade-by-using-a-provisioning-package).

devices/hololens/hololens2-autopilot.md

@@ -71,10 +71,9 @@ Review the "[Requirements](https://docs.microsoft.com/windows/deployment/windows
 Before you start the OOBE and provisioning process, make sure that the HoloLens devices meet the following requirements:
 
 - The devices are not already members of Azure AD, and are not enrolled in Intune (or another MDM system). The Autopilot self-deploying process completes these steps. To make sure that all the device-related information is cleaned up, check the **Devices** pages in both Azure AD and Intune.
-- Every device can connect to the internet. You can "USB C to Ethernet" adapters for wired internet connectivity or "USB C to Wifi" adapters for wireless internet connectivity. 
-- Every device can connect to a computer by using a USB-C cable, and that computer has the following available:
-  - Advanced Recovery Companion (ARC)
-  - The latest Windows update: Windows 10, version 19041.1002.200107-0909 or a later version)
+- Every device can connect to the internet. You can use "USB C to Ethernet" adapters for wired internet connectivity or "USB C to Wifi" adapters for wireless internet connectivity. 
+- Every device can connect to a computer by using a USB-C cable, and that computer has [Advanced Recovery Companion (ARC)](https://www.microsoft.com/p/advanced-recovery-companion/9p74z35sfrs8?rtc=1&activetab=pivot:overviewtab) installed
+- Every device has the latest Windows update: Windows 10, version 19041.1002.200107-0909 or a later version.
 
 To configure and manage the Autopilot self-deploying mode profiles, make sure that you have access to [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com).
 

devices/surface-hub/TOC.md

@@ -32,6 +32,7 @@
 ### [Create provisioning packages for Surface Hub 2S](surface-hub-2s-deploy.md)
 ### [Deploy apps to Surface Hub 2S using Intune](surface-hub-2s-deploy-apps-intune.md)
 ### [Create Surface Hub 2S on-premises accounts with PowerShell](surface-hub-2s-onprem-powershell.md)
+### [Surface Hub Teams app](hub-teams-app.md)
 
 ## Manage
 ### [Manage Surface Hub 2S with Microsoft Intune](surface-hub-2s-manage-intune.md)

devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md

@@ -16,7 +16,6 @@ ms.localizationpriority: medium
 
 # PowerShell for Surface Hub
 
-
 PowerShell scripts to help set up and manage your Microsoft Surface Hub.
 
 -   [PowerShell scripts for Surface Hub admins](#scripts-for-admins)
@@ -30,7 +29,6 @@ PowerShell scripts to help set up and manage your Microsoft Surface Hub.
     -   [Auto-accepting and declining meeting requests](#auto-accept-meetings-cmdlet)
     -   [Accepting external meeting requests](#accept-ext-meetings-cmdlet)
 
-
 ## Prerequisites
 
 To successfully execute these PowerShell scripts, you will need to install the following prerequisites:
@@ -41,7 +39,6 @@ To successfully execute these PowerShell scripts, you will need to install the f
 
 ## <a href="" id="scripts-for-admins"></a>PowerShell scripts for Surface Hub administrators
 
-
 What do the scripts do?
 
 -   Create device accounts for setups using pure single-forest on-premises (Microsoft Exchange and Skype 2013 and later only) or online (Microsoft Office 365), that are configured correctly for your Surface Hub.
@@ -53,14 +50,11 @@ What do you need in order to run the scripts?
 -   Remote PowerShell access to your organization's domain or tenant, Exchange servers, and Skype for Business servers.
 -   Admin credentials for your organization's domain or tenant, Exchange servers, and Skype for Business servers.
 
->[!NOTE]
->Whether you’re creating a new account or modifying an already-existing account, the validation script will verify that your device account is configured correctly. You should always run the validation script before adding a device account to Surface Hub.
-
- 
+> [!NOTE]
+> Whether you’re creating a new account or modifying an already-existing account, the validation script will verify that your device account is configured correctly. You should always run the validation script before adding a device account to Surface Hub.
 
 ## Running the scripts
 
-
 The account creation scripts will:
 
 -   Ask for administrator credentials
@@ -178,11 +172,8 @@ These are the attributes that are set by the scripts:
 </tbody>
 </table>
 
- 
-
 ## Account creation scripts
 
-
 These scripts will create a device account for you. You can use the [Account verification script](#acct-verification-ps-scripts) to make sure they ran correctly.
 
 The account creation scripts cannot modify an already existing account, but can be used to help you understand which cmdlets need to be run to configure the existing account correctly.
@@ -257,7 +248,6 @@ if (!$credNewAccount -Or [System.String]::IsNullOrEmpty($strDisplayName) -Or [Sy
     exit 1
 }
 
-
 ## Sign in to remote powershell for exchange and lync online ##
 
 $credExchange = $null
@@ -307,7 +297,8 @@ Import-PSSession $sessExchange -AllowClobber -WarningAction SilentlyContinue
 Import-PSSession $sessLync -AllowClobber -WarningAction SilentlyContinue
 
 ## Create the Exchange mailbox ##
-# Note: These exchange commandlets do not always throw their errors as exceptions
+> [!Note]
+> These exchange commandlets do not always throw their errors as exceptions
 
 # Because Get-Mailbox will throw an error if the mailbox is not found
 $Error.Clear()
@@ -324,7 +315,6 @@ $status["Mailbox Setup"] = "Successfully created a mailbox for the new account"
 $strEmail = $mailbox.WindowsEmailAddress
 PrintSuccess "The following mailbox has been created for this room: $strEmail"
 
-
 ## Create or retrieve a policy that will be applied to surface hub devices ##
 # The policy disables requiring a device password so that the SurfaceHub does not need to be lockable to use Active Sync
 $strPolicy = Read-Host 'Please enter the name for a new Surface Hub ActiveSync policy that will be created and applied to this account.
@@ -674,7 +664,8 @@ Import-PSSession $sessExchange -AllowClobber -WarningAction SilentlyContinue
 Import-PSSession $sessCS -AllowClobber -WarningAction SilentlyContinue
 
 ## Create the Exchange mailbox ##
-# Note: These exchange commandlets do not always throw their errors as exceptions
+> [!Note]
+> These exchange commandlets do not always throw their errors as exceptions
 
 # Because Get-Mailbox will throw an error if the mailbox is not found
 $Error.Clear()
@@ -994,7 +985,6 @@ else
 
 ## <a href="" id="acct-verification-ps-scripts"></a>Account verification script
 
-
 This script will validate the previously-created device account on a Surface Hub, no matter which method was used to create it. This script is basically pass/fail. If one of the test errors out, it will show a detailed error message, but if all tests pass, the end result will be a summary report. For example, you might see:
 
 ``` syntax
@@ -1446,7 +1436,6 @@ Cleanup
 
 ## <a href="" id="enable-sfb-ps-scripts"></a>Enable Skype for Business
 
-
 This script will enable Skype for Business on a device account. Use it only if Skype for Business wasn't previously enabled during account creation.
 
 ```PowerShell
@@ -1607,7 +1596,6 @@ Cleanup
 
 ## Useful cmdlets
 
-
 ### <a href="" id="create-compatible-as-policy"></a>Creating a Surface Hub-compatible ActiveSync policy
 
 For Surface Hub to use Exchange services, a device account configured with a compatible ActiveSync policy must be provisioned on the device. This policy has the following requirements:
@@ -1674,19 +1662,9 @@ Set-CalendarProcessing $strRoomUpn -AutomateProcessing AutoAccept
 
 For a device account to accept external meeting requests (a meeting request from an account not in the same tenant/domain), the device account must be set to allow processing of external meeting requests. Once set, the device account will automatically accept or decline meeting requests from external accounts as well as local accounts.
 
->**Note**  If the **AutomateProcessing** attribute is not set to **AutoAccept**, then setting this will have no effect.
-
- 
+> [!Note]
+> If the **AutomateProcessing** attribute is not set to **AutoAccept**, then setting this will have no effect.
 
 ```PowerShell
 Set-CalendarProcessing $strRoomUpn -ProcessExternalMeetingMessages $true
 ```
-
- 
-
- 
-
-
-
-
-

devices/surface-hub/apply-activesync-policies-for-surface-hub-device-accounts.md

@@ -21,10 +21,10 @@ The Microsoft Surface Hub's device account uses ActiveSync to sync mail and cale
 
 For these features to work, the ActiveSync policies for your organization must be configured as follows:
 
--   There can't be any global policies that block synchronization of the resource mailbox that's being used by the Surface Hub’s device account. If there is such a blocking policy, you need to whitelist the Surface Hub as an allowed device.
+-   There can't be any global policies that block synchronization of the resource mailbox that's being used by the Surface Hub’s device account. If there is such a blocking policy, you need to add the Surface Hub as an allowed device.
 -   You must set a mobile device mailbox policy where the **PasswordEnabled** setting is set to False. Other mobile device mailbox policy settings are not compatible with the Surface Hub.
 
-## Whitelisting the DeviceID
+## Allowing the DeviceID
 
 
 Your organization may have a global policy that prevents syncing of device accounts provisioned on Surface Hubs. To configure this property, see [Allowing device IDs for ActiveSync](appendix-a-powershell-scripts-for-surface-hub.md#whitelisting-device-ids-cmdlet).

devices/surface-hub/create-and-test-a-device-account-surface-hub.md

@@ -38,7 +38,7 @@ This table explains the main steps and configuration decisions when you create a
 | 2    | Configure mailbox properties | The mailbox must be configured with the correct properties to enable the best meeting experience on Surface Hub. For more information on mailbox properties, see [Mailbox properties](exchange-properties-for-surface-hub-device-accounts.md). |
 | 3    | Apply a compatible mobile device mailbox policy to the mailbox | Surface Hub is managed using mobile device management (MDM) rather than through mobile device mailbox policies. For compatibility, the device account must have a mobile device mailbox policy where the **PasswordEnabled** setting is set to False. Otherwise, Surface Hub can't sync mail and calendar info. |
 | 4    | Enable mailbox with Skype for Business (Lync Server 2013 or later, or Skype for Business Online) | Skype for Business must be enabled to use conferencing features like video calls, IM, and screen sharing.  |
-| 5    | (Optional) Whitelist ActiveSync Device ID | Your organization may have a global policy that prevents device accounts from syncing mail and calendar info. If so, you need to whitelist the ActiveSync Device ID of your Surface Hub. |
+| 5    | (Optional) Whitelist ActiveSync Device ID | Your organization may have a global policy that prevents device accounts from syncing mail and calendar info. If so, you need to allow the ActiveSync Device ID of your Surface Hub. |
 | 6    | (Optional) Disable password expiration | To simplify management, you can turn off password expiration for the device account and allow Surface Hub to automatically rotate the device account password. For more information about password management, see [Password management](password-management-for-surface-hub-device-accounts.md).  |
 
 ## Detailed configuration steps 

devices/surface-hub/hub-teams-app.md

@@ -0,0 +1,24 @@
+---
+title: Microsoft Teams app for Surface Hub 
+description: Provides a version history of updates for the Microsoft Teams app for Surface Hub
+keywords: surface, hub, 
+ms.prod: surface-hub
+ms.sitesec: library
+author: greglin
+ms.author: greglin
+ms.topic: article
+ms.date: 06/15/2020
+ms.localizationpriority: medium
+---
+
+# Microsoft Teams app for Surface Hub 
+
+The Microsoft Teams app for Surface Hub is periodically updated and available via the [Microsoft Store](https://www.microsoft.com/store/apps/windows). If you manage Surface Hub with Automatic Updates enabled (default setting), the app will update automatically.
+ 
+
+## Version history
+| Store app version | Updates                                                                                         | Published to Microsoft Store |
+| --------------------- | --------------------------------------------------------------------------------------------------- | -------------------------------- |
+| 0.2020.13201.0        | - 3x3 Gallery view on Surface Hub<br>- Ability to search for External users                         | June 10, 2020<br>            |
+| 0.2020.13201          | - Quality improvements and Bug fixes                                                                | June 1, 2020<br>          |
+| 0.2020.4301.0         | - Accept incoming PSTN calls on Surface Hub<br>- Consume Attendee/Presenter role changes            | May 21, 2020                     |

devices/surface-hub/index.yml

@@ -1,127 +1,105 @@
-### YamlMime:Hub
+### YamlMime:Landing
 
 title: Surface Hub documentation # < 60 chars
 summary: Surface Hub 2S is an all-in-one digital interactive whiteboard, meetings platform, and collaborative computing device. # < 160 chars
-# brand: aspnet | azure | dotnet | dynamics | m365 | ms-graph | office | power-bi | power-platform | sql | sql-server | vs | visual-studio | windows | xamarin
-brand: windows
 
 metadata:
   title: Surface Hub documentation # Required; page title displayed in search results. Include the brand. < 60 chars.
-  description: Get started with Microsoft Surface Hub. # Required; article description that is displayed in search results. < 160 chars.
-  services: product-insights
+  description: Get started with Microsoft Surface Hub # Required; article description that is displayed in search results. < 160 chars.
   ms.service: product-insights #Required; service per approved list. service slug assigned to your service by ACOM.
-  ms.topic: hub-page # Required
-  ms.prod: surface-hub
-  ms.technology: windows
-  audience: ITPro
-  ms.localizationpriority: medium
+  ms.topic: landing-page # Required
+  manager: laurawi
   author: greg-lindsay #Required; your GitHub user alias, with correct capitalization.
   ms.author: greglin #Required; microsoft alias of author; optional team alias.
-  manager: laurawi
+  audience: itpro
+  ms.localizationpriority: High
 
-# highlightedContent section (optional)
-# Maximum of 8 items
-highlightedContent:
-# itemType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | sample | tutorial | video | whats-new
-  items:
-    # Card
-    - title: What's new in Surface Hub 2S?
-      itemType: whats-new
-      url: surface-hub-2s-whats-new.md
-     # Card
-    - title: Surface Hub security overview 
-      itemType: learn
-      url: surface-hub-security.md
-   # Card
-    - title: Manage Surface Hub 2S with Intune
-      itemType: how-to-guide
-      url: surface-hub-2s-manage-intune.md
-    # Card
-    - title: Operating system essentials
-      itemType: learn
-      url: differences-between-surface-hub-and-windows-10-enterprise.md
-    # Card
-    - title: Surface Hub 2S Site Readiness Guide
-      itemType: learn
-      url: surface-hub-2s-site-readiness-guide.md
-    # Card
-    - title: Customize Surface Hub 2S installation
-      itemType: how-to-guide
-      url: surface-hub-2s-custom-install.md
+# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | sample | tutorial | video | whats-new
 
-# productDirectory section (optional)
-productDirectory:
-  title: Deploy, manage, and support your Surface Hub devices # < 60 chars (optional)
-  summary: Find related links to deploy, manage and support your Surface Hub devices. # < 160 chars (optional)
-  items:
+landingContent:
+# Cards and links should be based on top customer tasks or top subjects
+# Start card title with a verb
+  # Card (optional)
+  - title: Surface devices
+    linkLists:
+      - linkListType: overview
+        links:
+          - text: What's new in Surface Hub 2S?
+            url: surface-hub-2s-whats-new.md
+          - text: Surface Hub 2S tech specs
+            url:  surface-hub-2s-techspecs.md
+          - text: Operating system essentials
+            url: differences-between-surface-hub-and-windows-10-enterprise.md
+  
+  # Card (optional)
+  - title: Get started
+    linkLists:
+      - linkListType: get-started
+        links:
+         - text: Surface Hub 2S Site Readiness Guide
+           url: surface-hub-2s-site-readiness-guide.md
+         - text: Customize Surface Hub 2S installation
+           url: surface-hub-2s-custom-install.md
+         - text: Prepare your environment for Surface Hub 2S
+           url: surface-hub-2s-prepare-environment.md  
+ 
+  # Card
+  - title: Deploy Surface Hub
+    linkLists:
+      - linkListType: deploy
+        links:
+          - text: Surface Hub 2S adoption and training
+            url: surface-hub-2s-adoption-kit.md
+          - text: Surface Hub 2S deployment checklist
+            url: surface-hub-2s-deploy-checklist.md
+          - text: Create device account
+            url: surface-hub-2s-account.md
+  
     # Card
-    - title: Deploy
-      # imageSrc should be square in ratio with no whitespace
-      imageSrc: https://docs.microsoft.com/office/media/icons/deploy-blue.svg
-      links:
-        - url: surface-hub-2s-adoption-kit.md
-          text: Surface Hub 2S adoption and training
-        - url: surface-hub-2s-deploy-checklist.md
-          text: Surface Hub 2S deployment checklist
-        - url: surface-hub-2s-account.md
-          text: Create device account
-    # Card
-    - title: Manage
-      imageSrc: https://docs.microsoft.com/office/media/icons/process-flow-blue.svg
-      links:
-        - url: surface-hub-2s-manage-intune.md
-          text: Manage with Intune
-        - url: local-management-surface-hub-settings.md
-          text: Manage local settings
-    # Card
-    - title: Secure
-      imageSrc: https://docs.microsoft.com/office/media/icons/security-blue.svg
-      links:
-        - url: surface-hub-2s-secure-with-uefi-semm.md
-          text: Secure with UEFI and SEMM
-        - url: surface-hub-wifi-direct.md
-          text: Wi-Fi security considerations
-    # Card
-    - title:  Troubleshoot
-      imageSrc: https://docs.microsoft.com/office/media/icons/connector-blue.svg
-      links:
-        - url: https://support.microsoft.com/help/4493926
-          text: Service and warranty
-        - url: surface-hub-2s-recover-reset.md
-          text: Recover & reset Surface Hub 2S
-        - url: support-solutions-surface-hub.md
-          text: Surface Hub support solutions
-        - url: https://support.office.com/article/Enable-Microsoft-Whiteboard-on-Surface-Hub-b5df4539-f735-42ff-b22a-0f5e21be7627
-          text: Enable Microsoft Whiteboard on Surface Hub
+  - title: Manage Surface devices
+    linkLists:
+      - linkListType: how-to-guide
+        links:
+          - text: Manage Surface Hub 2S with Intune
+            url: surface-hub-2s-manage-intune.md
+          - text: Manage local settings
+            url: local-management-surface-hub-settings.md
+          - text: Manage Windows updates on Surface Hub
+            url: manage-windows-updates-for-surface-hub.md
 
-# additionalContent section (optional)
-# Card with links style
-additionalContent:
-  # Supports up to 3 sections
-  sections:
-    - title: Other content # < 60 chars (optional)
-      summary: Find related links for videos, community and support. # < 160 chars (optional)
-      items:
-        # Card
-        - title: Get ready for Surface Hub 2S
-          links:
-            - text: Ordering Surface Hub 2S
-              url: https://www.microsoft.com/p/surface-hub-2S/8P62MW6BN9G4?activetab=pivot:overviewtab
-            - text: Prepare your environment for Surface Hub 2S
-              url: surface-hub-2s-prepare-environment.md
-        # Card
-        - title: Surface Hub 2S Videos
-          links:
-            - text: Adoption and training videos
-              url: surface-hub-2s-adoption-videos.md
-            - text: Surface Hub 2S with Teams
-              url: https://www.youtube.com/watch?v=CH2seLS5Wb0
-            - text: Surface Hub 2S with Microsoft 365
-              url: https://www.youtube.com/watch?v=I4N2lQX4WyI&list=PLXtHYVsvn_b__1Baibdu4elN4SoF3JTBZ&index=7
-        # Card
-        - title: Community
-          links:
-            - text: Join the Surface Hub Technical Community
-              url: https://techcommunity.microsoft.com/t5/Surface-Hub/bd-p/SurfaceHub
-            - text: Join the Surface Devices Technical Community
-              url: https://techcommunity.microsoft.com/t5/Surface-Devices/ct-p/SurfaceDevices
+  # Card
+  - title: Explore security guidance
+    linkLists:
+      - linkListType: learn
+        links:
+          - text: Secure and manage Surface Hub 2S with SEMM and UEFI
+            url: surface-hub-2s-secure-with-uefi-semm.md
+          - text: Wi-Fi security considerations
+            url: surface-hub-wifi-direct.md
+          - text: Surface Hub security overview
+            url:  surface-hub-security.md
+ 
+ # Card
+  - title: Troubleshoot Surface Hub
+    linkLists:
+      - linkListType: learn
+        links:
+          - text: Service and warranty
+            url: https://support.microsoft.com/help/4493926
+          - text: Recover & reset Surface Hub 2S
+            url: surface-hub-2s-recover-reset.md
+          - text: Surface Hub support solutions
+            url: support-solutions-surface-hub.md 
+
+
+# Card
+  - title: Surface Hub 2S Videos
+    linkLists:
+      - linkListType: video
+        links:
+          - text: Adoption and training videos
+            url: surface-hub-2s-adoption-videos.md
+          - text: Surface Hub 2S with Teams
+            url: https://www.youtube.com/watch?v=CH2seLS5Wb0
+          - text:  Surface Hub 2S with Microsoft 365
+            url: https://www.youtube.com/watch?v=I4N2lQX4WyI&list=PLXtHYVsvn_b__1Baibdu4elN4SoF3JTBZ&index=7

devices/surface-hub/local-management-surface-hub-settings.md

@@ -40,12 +40,12 @@ Surface Hubs have many settings that are common to other Windows devices, but al
 | Wireless projection (Miracast) channel | Surface Hub > Projection | Set the channel for Miracast projection. |
 | Meeting info shown on the welcome screen | Surface Hub > Welcome screen | Choose whether meeting organizer, time, and subject show up on the welcome screen. |
 | Welcome screen background |  Surface Hub > Welcome screen | Choose a background image for the welcome screen. |
-| Idle timeout to Welcome screen | Surface Hub > Session & Power | Choose how long until the Surface Hub returns to the welcome screen after no motion is detected. |
-| Resume session | Surface Hub > Session & Power | Choose to allow users to resume a session after no motion is detected or to automatically clean up a session. |
-| Access to Office 365 meetings and files | Surface Hub > Session & Power | Choose whether a user can sign in to Office 365 to get access to their meetings and files. |
-| Turn on screen with motion sensors | Surface Hub > Session & clean up | Choose whether the screen turns on when motion is detected. |
-| Session time out | Surface Hub > Session & clean up | Choose how long the device needs to be inactive before returning to the welcome screen. |
-| Sleep time out | Surface Hub > Session & clean up | Choose how long the device needs to be inactive before going to sleep mode. |
+| Session timeout to Welcome screen | Surface Hub > Session & power | Choose how long until the Surface Hub returns to the welcome screen after no motion is detected. |
+| Resume session | Surface Hub > Session & power | Choose to allow users to resume a session after no motion is detected or to automatically clean up a session. |
+| Access to Office 365 meetings and files | Surface Hub > Session & power | Choose whether a user can sign in to Office 365 to get access to their meetings and files. |
+| Turn on screen with motion sensors | Surface Hub > Session & power | Choose whether the screen turns on when motion is detected. |
+| Screen time out | Surface Hub > Session & power | Choose how long the device needs to be inactive before turning off the screen. |
+| Sleep time out | Surface Hub > Session & power | Choose how long the device needs to be inactive before going to sleep mode. |
 | Friendly name | Surface Hub > About | Set the Surface Hub name that people will see when connecting wirelessly. |
 | Maintenance hours | Update & security > Windows Update > Advanced options | Configure when updates can be installed. |
 | Configure Windows Server Update Services (WSUS) server | Update & security > Windows Update > Advanced options | Change whether Surface Hub receives updates from a WSUS server instead of Windows Update. |

devices/surface-hub/troubleshoot-surface-hub.md

@@ -415,7 +415,7 @@ Possible fixes for issues with Surface Hub first-run program.
 <td align="left"><p>Can't sync mail/calendar.</p></td>
 <td align="left"><p>The account has not allowed the Surface Hub as an allowed device.</p></td>
 <td align="left"><p>0x86000C1C</p></td>
-<td align="left"><p>Add the Surface Hub device ID to the whitelist by setting the <strong>ActiveSyncAllowedDeviceIds</strong> property for the mailbox.</p></td>
+<td align="left"><p>Add the Surface Hub device ID to the allowed list by setting the <strong>ActiveSyncAllowedDeviceIds</strong> property for the mailbox.</p></td>
 </tr>
 </tbody>
 </table>

devices/surface/TOC.md

@@ -51,16 +51,18 @@
 ### [Surface Brightness Control](microsoft-surface-brightness-control.md)
 ### [Surface Asset Tag](assettag.md)
 
-
 ## Secure
+
 ### [Intune management of Surface UEFI settings](surface-manage-dfci-guide.md)
 ### [Manage Surface UEFI settings](manage-surface-uefi-settings.md)
 ### [Advanced UEFI security features for Surface Pro 3](advanced-uefi-security-features-for-surface-pro-3.md)
 ### [Surface Enterprise Management Mode](surface-enterprise-management-mode.md)
 ### [Enroll and configure Surface devices with SEMM](enroll-and-configure-surface-devices-with-semm.md)
 ### [Unenroll Surface devices from SEMM](unenroll-surface-devices-from-semm.md)
+### [Secure Surface Dock 2 ports with SEMM](secure-surface-dock-ports-semm.md)
 ### [Use Microsoft Endpoint Configuration Manager to manage devices with SEMM](use-system-center-configuration-manager-to-manage-devices-with-semm.md)
 ### [Surface Data Eraser](microsoft-surface-data-eraser.md)
+### [Surface DMA Protection](dma-protect.md)
 
 ## Troubleshoot
 ### [Top support solutions for Surface devices](support-solutions-surface.md)

devices/surface/dma-protect.md

@@ -0,0 +1,22 @@
+---
+title: Surface DMA Protection
+description: This article describes DMA protection on compatible Surface devices
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.localizationpriority: medium
+ms.sitesec: library
+author: coveminer
+ms.author: greglin
+ms.topic: article
+ms.date: 6/10/2020
+ms.reviewer: carlol
+manager: laurawi
+audience: itpro
+---
+# DMA Protection on Surface devices
+
+Direct Memory Access (DMA) protection is designed to mitigate potential security vulnerabilities associated with using removable SSDs or external storage devices. Newer Surface devices come with DMA Protection enabled by default. These include Surface Pro 7, Surface Laptop 3, and Surface Pro X.  To check the presence of DMA protection feature on your device, open System Information (**Start** > **msinfo32.exe**), as shown in the figure below.
+
+![System information showing DMA Protection enabled](images/systeminfodma.png)
+
+If a Surface removable SSD is tampered with, the device will shutoff power. The resulting reboot causes UEFI to wipe memory, to erase any residual data.

devices/surface/enable-surface-keyboard-for-windows-pe-deployment.md

@@ -97,6 +97,29 @@ To support Surface Laptop 3 with Intel Processor, import the following folders:
 - SurfaceUpdate\SurfaceSerialHub
 - SurfaceUpdate\SurfaceHotPlug
 - SurfaceUpdate\Itouch
+
+Importing the following folders will enable full keyboard, trackpad, and touch functionality in PE for Surface Laptop 3.
+
+- IclSerialIOGPIO
+- IclSerialIOI2C
+- IclSerialIOSPI
+- IclSerialIOUART
+- itouch
+- IclChipset
+- IclChipsetLPSS
+- IclChipsetNorthpeak
+- ManagementEngine
+- SurfaceAcpiNotify
+- SurfaceBattery
+- SurfaceDockIntegration
+- SurfaceHidMini
+- SurfaceHotPlug
+- SurfaceIntegration
+- SurfaceSerialHub
+- SurfaceService
+- SurfaceStorageFwUpdate
+
+
     > [!NOTE]
     >  Check the downloaded MSI package to determine the format and directory structure.  The directory structure will start with either SurfacePlatformInstaller (older MSI files) or SurfaceUpdate (Newer MSI files) depending on when the MSI was released. 
 

devices/surface/get-started.yml

@@ -72,10 +72,10 @@ landingContent:
     linkLists:
       - linkListType: how-to-guide
         links:
+          - text: Secure Surface Dock 2 ports with Surface Enterprise Management Mode (SEMM)
+            url: secure-surface-dock-ports-semm.md
           - text: Intune management of Surface UEFI settings
             url: surface-manage-dfci-guide.md
-          - text: Surface Enterprise Management Mode (SEMM)
-            url: surface-enterprise-management-mode.md
           - text: Surface Data Eraser tool
             url: microsoft-surface-data-eraser.md
  

devices/surface/manage-surface-driver-and-firmware-updates.md

@@ -35,7 +35,7 @@ Microsoft Endpoint Configuration Manager allows you to synchronize and deploy Su
 
 For detailed steps, see the following resources:
 
-- [How to manage Surface driver updates in Configuration Manager](https://docs.microsoft.com/surface/manage-surface-driver-updates-configuration-manager.md)
+- [How to manage Surface driver updates in Configuration Manager](https://docs.microsoft.com/surface/manage-surface-driver-updates-configuration-manager)
 - [Deploy applications with Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/deploy-applications)
 - [Endpoint Configuration Manager documentation](https://docs.microsoft.com/configmgr/)
 
@@ -142,8 +142,8 @@ This file name provides the following information:
 ## Learn more
 
 - [Download drivers and firmware for Surface](https://support.microsoft.com/help/4023482/surface-download-drivers-and-firmware)
-- [How to manage Surface driver updates in Configuration Manager.](https://support.microsoft.com/help/4098906/manage-surface-driver-updates-in-configuration-manager)
-- [Deploy applications with Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/deploy-applications).
+- [How to manage Surface driver updates in Configuration Manager](https://support.microsoft.com/help/4098906/manage-surface-driver-updates-in-configuration-manager)
+- [Deploy applications with Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/deploy-applications)
 - [Endpoint Configuration Manager documentation](https://docs.microsoft.com/configmgr/)
 - [Microsoft Deployment Toolkit documentation](https://docs.microsoft.com/configmgr/mdt/)
 - [Deploy Windows 10 with the Microsoft Deployment Toolkit](https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit)

devices/surface/secure-surface-dock-ports-semm.md

@@ -0,0 +1,168 @@
+---
+title: Secure Surface Dock 2 ports with Surface Enterprise Management Mode (SEMM)
+description: This document provides guidance for configuring UEFI port settings for Surface Dock 2 when connected to compatible Surface devices including Surface Book 3, Surface Laptop 3, and Surface Pro 7.
+ms.assetid: 2808a8be-e2d4-4cb6-bd53-9d10c0d3e1d6
+ms.reviewer: 
+manager: laurawi
+keywords: Troubleshoot common problems, setup issues
+ms.prod: w10
+ms.mktglfcycl: support
+ms.sitesec: library
+ms.pagetype: surfacehub
+author: v-miegge
+ms.author: jesko
+ms.topic: article
+ms.date: 06/08/2020
+ms.localizationpriority: medium
+ms.audience: itpro
+---
+
+# Secure Surface Dock 2 ports with Surface Enterprise Management Mode (SEMM)
+
+## Introduction
+
+Surface Enterprise Management Mode (SEMM) enables IT admins to secure and manage Surface Dock 2 ports by configuring UEFI settings in a Windows installer configuration package (.MSI file) deployed to compatible Surface devices across a corporate environment.
+
+### Supported devices
+
+Managing Surface Dock 2 with SEMM is available for docks connected to Surface Book 3, Surface Laptop 3, and Surface Pro 7. These compatible Surface devices are commonly referred to as **host devices**. A package is applied to host devices based on if a host device is **authenticated** or **unauthenticated**. Configured settings reside in the UEFI layer on host devices enabling you — the IT admin — to manage Surface Dock 2 just like any other built-in peripheral such as the camera.
+
+>[!NOTE]
+>You can manage Surface Dock 2 ports only when the dock is connected to one of the following compatible devices:  Surface Book 3, Surface Laptop 3, and Surface Pro 7. Any device that doesn't receive the UEFI Authenticated policy settings is inherently an unauthenticated device.
+
+### Scenarios
+
+Restricting Surface Dock 2 to authorized persons signed into a corporate host device provides another layer of data protection. This ability to lock down Surface Dock 2 is critical for specific customers in highly secure environments who want the functionality and productivity benefits of the dock while maintaining compliance with strict security protocols. We anticipate SEMM used with Surface Dock 2 will be particularly useful in open offices and shared spaces especially for customers who want to lock USB ports for security reasons. For a video demo, check out [SEMM for Surface Dock 2](https://youtu.be/VLV19ISvq_s).
+
+## Configuring and deploying UEFI settings for Surface Dock 2
+
+This section provides step-by-step guidance for the following tasks:
+
+1. Install [**Surface UEFI Configurator**](https://www.microsoft.com/download/details.aspx?id=46703).
+1. Create or obtain public key certificates.
+1. Create an .MSI configuration package.
+   1. Add your certificates.
+   1. Enter the 16-digit RN number for your Surface Dock 2 devices.
+   1. Configure UEFI settings.
+1. Build and apply the configuration package to targeted Surface devices (Surface Book 3, Surface Laptop 3, or Surface Pro 7.)
+
+>[!NOTE]
+>The **Random Number (RN)** is a unique 16-digit hex code identifier which is provisioned at the factory, and printed in small type on the underside of the dock. The RN differs from most serial numbers in that it can't be read electronically. This ensures proof of ownership is primarily established only by reading the RN when physically accessing the device. The RN may also be obtained during the purchase transaction and is recorded in Microsoft inventory systems.
+
+### Install SEMM and Surface UEFI Configurator
+
+Install SEMM by running **SurfaceUEFI_Configurator_v2.71.139.0.msi**. This is a standalone installer and contains everything you need to create and distribute configuration packages for Surface Dock 2.
+
+- Download **Surface UEFI Configurator** from [Surface Tools for IT](https://www.microsoft.com/en-us/download/details.aspx?id=46703).
+
+## Create public key certificates
+
+This section provides specifications for creating the certificates needed to manage ports for Surface Dock 2.
+
+### Prerequisites
+
+This article assumes that you either obtain certificates from a third-party provider or you already have expertise in PKI certificate services and know how to create your own.  You should be familiar with and follow the general recommendations for creating certificates as described in [Surface Enterprise Management Mode (SEMM)](https://docs.microsoft.com/surface/surface-enterprise-management-mode) documentation, with one exception. The certificates documented on this page require expiration terms of 30 years for the **Dock Certificate Authority**, and 20 years for the **Host Authentication Certificate**.
+
+For more information, see [Certificate Services Architecture](https://docs.microsoft.com/windows/win32/seccrypto/certificate-services-architecture) documentation and review the appropriate chapters in [Windows Server 2019 Inside Out](https://www.microsoftpressstore.com/store/windows-server-2019-inside-out-9780135492277), or [Windows Server 2008 PKI and Certificate Security](https://www.microsoftpressstore.com/store/windows-server-2008-pki-and-certificate-security-9780735640788) available from Microsoft Press.
+
+### Root and host certificate requirements
+
+Prior to creating the configuration package, you need to prepare public key certificates that authenticate ownership of Surface Dock 2 and facilitate any subsequent changes in ownership during the device lifecycle. The host and provisioning certificates require entering EKU IDs otherwise known as **Client Authentication Enhanced Key Usage (EKU) object identifiers (OIDs)**.
+
+The required EKU values are listed in Table 1 and Table 2.
+
+#### Table 1. Root and Dock Certificate requirements
+
+|Certificate|Algorithm|Description|Expiration|EKU OID|
+|---|---|---|---|---|
+|Root Certificate Authority|ECDSA_P384|- Root certificate with 384-bit prime elliptic curve digital signature algorithm (ECDSA)<br>- SHA 256 Key Usage:<br>CERT_DIGITAL_SIGNATURE_KEY_USAGE<br>- CERT_KEY_CERT_SIGN_KEY_USAGE<br>CERT_CRL_SIGN_KEY_USAGE|30 years|N/A
+|Dock Certificate Authority|ECC P256 curve|- Host certificate with 256-bit elliptic-curve cryptography (ECC)<br>- SHA 256 Key Usage:<br>CERT_KEY_CERT_SIGN_KEY_USAGE<br>- Path Length Constraint = 0|20 years|1.3.6.1.4.1.311.76.9.21.2<br>1.3.6.1.4.1.311.76.9.21.3|
+
+   >[!NOTE]
+   >The dock CA must be exported as a .p7b file.
+
+### Provisioning Administration Certificate requirements
+
+Each host device must have the doc CA and two certificates as shown in Table 2.
+
+#### Table 2. Provisioning administration certificate requirements
+
+|Certificate|Algorithm|Description|EKU OID|
+|---|---|---|---|
+|Host authentication certificate|ECC P256<br>SHA 256|Proves the identity of the host device.|1.3.6.1.4.1.311.76.9.21.2|
+|Provisioning administration certificate|ECC P256<br>SHA256|Enables you to change dock ownership and/or policy settings by allowing you to replace the CA that's currently installed on the dock.|1.3.6.1.4.1.311.76.9.21.3<br>1.3.6.1.4.1.311.76.9.21.4|
+
+   >[!NOTE]
+   >The host authentication and provisioning certificates must be exported as .pfx files.
+
+### Create configuration package
+
+When you have obtained or created the certificates, you’re ready to build the MSI configuration package that will be applied to target Surface devices.
+
+1. Run Surface **UEFI Configurator**.
+
+   ![Run Surface UEFI Configurator](images/secure-surface-dock-ports-semm-1.png)
+
+1. Select **Surface Dock**.
+
+   ![Select Surface Dock](images/secure-surface-dock-ports-semm-2.png)
+
+1. On the certificate page, enter the appropriate **certificates**.
+
+   ![enter the appropriate certificates](images/secure-surface-dock-ports-semm-3.png)
+
+1. Add appropriate dock RNs to the list.
+
+   >[!NOTE]
+   >When creating a configuration package for multiple Surface Dock 2 devices, instead of entering each RN manually, you can use a .csv file that contains a list of RNs.
+
+1. Specify your policy settings for USB data, Ethernet, and Audio ports. UEFI Configurator lets you configure policy settings for authenticated users (Authenticated Policy) and unauthenticated users (Unauthenticated Policy). The following figure shows port access turned on for authenticated users and turned off for unauthenticated users.
+
+   ![Choose which components you want to activate or deactivate.](images/secure-surface-dock-ports-semm-4.png)
+
+   - Authenticated user refers to a Surface Device that has the appropriate certificates installed, as configured in the .MSI configuration package that you applied to target devices. It applies to any user authenticated user who signs into the device. 
+   - Unauthenticated user refers to any other device.
+   - Select **Reset** to create a special “Reset” package that will remove any previous configuration package that the dock had accepted.
+
+1. Select **Build** to create the package as specified.
+
+### Apply the configuration package to a Surface Dock 2
+
+1. Take the MSI file that the Surface UEFI Configurator generated and install it on a Surface host device. Compatible host devices are Surface Book 3, Surface Laptop 3, or Surface Pro 7.
+1. Connect the host device to the Surface Dock 2. When you connect the dock UEFI policy settings are applied.
+
+## Verify managed state using the Surface App
+
+Once you have applied the configuration package, you can quickly verify the resultant policy state of the dock directly from the Surface App, installed by default on all Surface devices. If Surface App isn't present on the device, you can download and install it from the Microsoft Store.
+
+### Test scenario
+
+Objective: Configure policy settings to allow port access by authenticated users only.
+
+1. Turn on all ports for authenticated users and turn them off for unauthenticated users.
+
+   ![Enabling ports for authenticated users](images/secure-surface-dock-ports-semm-4.png)
+
+1. Apply the configuration package to your target device and then connect Surface Dock 2.
+
+1. Open **Surface App** and select **Surface Dock** to view the resultant policy state of your Surface Dock. If the policy settings are applied, Surface App will indicate that ports are available.
+
+   ![Surface app shows all ports are available for authenticated users](images/secure-surface-dock-ports-semm-5.png)
+
+1. Now you need to verify that the policy settings have successfully turned off all ports for unauthenticated users. Connect Surface Dock 2 to an unmanaged device, i.e., any Surface device outside the scope of management for the configuration package you created.
+
+1. Open **Surface App** and select **Surface Dock**. The resultant policy state will indicate ports are turned off.
+
+   ![Surface app showing ports turned off for unauthenticated users ](images/secure-surface-dock-ports-semm-6.png)
+
+>[!NOTE]
+>If you want to keep ownership of the device, but allow all users full access, you can make a new package with everything turned on. If you wish to completely remove the restrictions and ownership of the device (make it unmanaged), select **Reset** in Surface UEFI Configurator to create a package to apply to target devices.
+
+Congratulations. You have successfully managed Surface Dock 2 ports on targeted host devices.
+
+## Learn more
+
+- [Surface Enterprise Management Mode (SEMM) documentation](https://docs.microsoft.com/surface/surface-enterprise-management-mode)
+- [Certificate Services Architecture](https://docs.microsoft.com/windows/win32/seccrypto/certificate-services-architecture)
+- [Windows Server 2019 Inside Out](https://www.microsoftpressstore.com/store/windows-server-2019-inside-out-9780135492277)
+- [Windows Server 2008 PKI and Certificate Security](https://www.microsoftpressstore.com/store/windows-server-2008-pki-and-certificate-security-9780735640788)

devices/surface/surface-book-quadro.md

@@ -15,29 +15,29 @@ audience: itpro
 ---
 
 # Surface Book 3 Quadro RTX 3000 technical overview
- 
+
 Surface Book 3 for Business powered by the NVIDIA® Quadro RTX™ 3000 GPU is built for professionals who need real-time rendering, AI acceleration, advanced graphics, and compute performance in a portable form factor. Quadro RTX 3000 fundamentally changes what you can do with the new Surface Book 3:
 
-- **Ray Tracing** - Produce stunning renders, designs and animations faster than ever before with 30 RT Cores for hardware-accelerated ray tracing. 
+- **Ray Tracing** - Produce stunning renders, designs and animations faster than ever before with 30 RT Cores for hardware-accelerated ray tracing.
 - **Artificial Intelligence** - Remove redundant, tedious tasks and compute intensive work with 240 Tensor Cores for GPU-accelerated AI.
 - **Advanced Graphics and Compute Technology** - Experience remarkable speed and interactivity during your most taxing graphics and compute workloads with 1,920 CUDA Cores and 6GB of GDDR6 memory.
 
 ## Enterprise grade solution
 
-Of paramount importance to commercial customers, Quadro RTX 3000 brings a fully professional grade solution that combines accelerated ray tracing and deep learning capabilities with an integrated enterprise level management and support solution. Quadro drivers are tested and certified for more than 100 professional applications by leading ISVs providing an additional layer of quality assurance to validate stability, reliability, and performance.
+Of paramount importance to commercial customers, Quadro RTX 3000 brings a fully professional-grade solution that combines accelerated ray tracing and deep learning capabilities with an integrated enterprise level management and support solution. Quadro drivers are tested and certified for more than 100 professional applications by leading ISVs, providing an additional layer of quality assurance to validate stability, reliability, and performance.
  
-Quadro includes dedicated enterprise tools for remote management of Surface Book 3 devices with Quadro RTX 3000. IT admins can remotely configure graphics systems, save/restore configurations, continuously monitor graphics systems and perform remote troubleshooting if necessary. These capabilities along with deployment tools help maximize uptime and minimize IT support requirements.
+Quadro includes dedicated enterprise tools for remote management of Surface Book 3 devices with Quadro RTX 3000. IT admins can remotely configure graphics systems, save/restore configurations, continuously monitor graphics systems, and perform remote troubleshooting if necessary. These capabilities along with deployment tools help maximize uptime and minimize IT support requirements.
  
-NVIDIA develops and maintains Quadro Optimal Drivers for Enterprise (ODE) that are tuned, tested, and validated to provide enterprise level stability, reliability, availability, and support with extended product availability. Each driver release involves more than 2,000 man days of testing with professional applications test suites and test cases, as well as WHQL certification. Security threats are continually monitored, and regular security updates are released to protect against newly discovered vulnerabilities. In addition, Quadro drivers undergo an additional layer of testing by Surface engineering prior to release via Windows Update.
+NVIDIA develops and maintains Quadro Optimal Drivers for Enterprise (ODE) that are tuned, tested, and validated to provide enterprise level stability, reliability, availability, and support with extended product availability. Each driver release involves more than 2,000 man-days of testing with professional applications test suites and test cases, as well as WHQL certification. Security threats are continually monitored, and regular security updates are released to protect against newly discovered vulnerabilities. In addition, Quadro drivers undergo an additional layer of testing by Surface engineering prior to release via Windows Update.
  
 
 ## Built for compute-intensive workloads
 
-Surface Book 3 with Quadro RTX 3000 delivers the best graphics performance of any Surface laptop, enabling advanced professionals to work from anywhere.
+The Surface Book 3 with Quadro RTX 3000 delivers the best graphics performance of any Surface laptop, enabling advanced professionals to work from anywhere.
  
 - **Creative professionals such as designers and animators.** Quadro RTX enables real-time cinematic-quality rendering through Turing-optimized ray tracing APIs such as NVIDIA OptiX, Microsoft DXR, and Vulkan.
 - **Architects and engineers using large, complex computer aided design (CAD) models and assemblies.** The RTX platform features the new NGX SDK to infuse powerful AI-enhanced capabilities into visual applications. This frees up time and resources through intelligent manipulation of images, automation of repetitive tasks, and optimization of compute-intensive processes.
-- **Software developers across manufacturing, media & entertainment, medical, and other industries.** Quadro RTX speeds application development with ray tracing, deep learning, and rasterization capabilities through industry-leading software SDKs and APIs. 
+- **Software developers across manufacturing, media and entertainment, medical, and other industries.** Quadro RTX speeds application development with ray tracing, deep learning, and rasterization capabilities through industry-leading software SDKs and APIs.
 - **Data scientists using Tensor Cores and CUDA cores to accelerate computationally intensive tasks and other deep learning operations.** By using sensors, increased connectivity, and deep learning, researchers and developers can enable AI applications for everything from autonomous vehicles to scientific research.
 
  
@@ -45,14 +45,14 @@ Surface Book 3 with Quadro RTX 3000 delivers the best graphics performance of an
 
 | **Component**                                       | **Description**                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
 | --------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| RT cores                                            | Dedicated hardware-based ray-tracing technology allows the GPU to render film quality, photorealistic objects and environments with physically accurate shadows, reflections, and refractions.  The real-time ray-tracing engine works with NVIDIA OptiX, Microsoft DXR, and Vulkan APIs to deliver a level of realism far beyond what is possible using traditional rendering techniques.  RT cores accelerate the Bounding Volume Hierarchy (BVH) traversal and ray casting functions using low number of rays casted through a pixel.                                     |
-| Enhanced tensor cores                               | Mixed-precision cores purpose-built for deep learning matrix arithmetic, deliver 8x TFLOPS for training compared with previous generation.  Quadro RTX 3000 utilizes 240 Tensor Cores; each Tensor Core performs 64 floating point fused multiply-add (FMA) operations per clock, and each streaming multiprocessor (SM) performs a total of 1,024 individual floating-point operations per clock.  In addition to supporting FP16/FP32 matrix operations, new Tensor Cores added INT8 (2,048 integer operations per clock) and experimental INT4 and INT1 (binary) precision modes for matrix operations. |
+| RT cores                                            | Dedicated hardware-based ray-tracing technology allows the GPU to render film quality, photorealistic objects and environments with physically accurate shadows, reflections, and refractions.  The real-time ray-tracing engine works with NVIDIA OptiX, Microsoft DXR, and Vulkan APIs to deliver a level of realism far beyond what is possible using traditional rendering techniques. RT cores accelerate the Bounding Volume Hierarchy (BVH) traversal and ray casting functions using low number of rays casted through a pixel.                                     |
+| Enhanced tensor cores                               | Mixed-precision cores purpose-built for deep learning matrix arithmetic, deliver 8x TFLOPS for training compared with previous generation.  Quadro RTX 3000 utilizes 240 Tensor Cores; each Tensor Core performs 64 floating point fused multiply-add (FMA) operations per clock, and each streaming multiprocessor (SM) performs a total of 1,024 individual floating-point operations per clock. In addition to supporting FP16/FP32 matrix operations, new Tensor Cores added INT8 (2,048 integer operations per clock) and experimental INT4 and INT1 (binary) precision modes for matrix operations. |
 | Turing optimized software                           | Deep learning frameworks such as the Microsoft Cognitive Toolkit (CNTK), Caffe2, MXNet, TensorFlow, and others deliver significantly faster training times and higher multi-node training performance. GPU accelerated libraries such as cuDNN, cuBLAS, and TensorRT deliver higher performance for both deep learning inference and High-Performance Computing (HPC) applications.                                                                                                                                                                                           |
 | NVIDIA CUDA parallel computing platform             | Natively execute standard programming languages like C/C++ and Fortran, and APIs such as OpenCL, OpenACC and Direct Compute to accelerate techniques such as ray tracing, video and image processing, and computation fluid dynamics.                                                                                                                                                                                                                                                                                                                                        |
-| Advanced streaming multiprocessor (SM) architecture | Combined shared memory and L1 cache improve performance significantly, while simplifying programming and reducing the tuning required to attain best application performance.                                                                                                                                                                                                                                                                                                                                                                                                |
-| High performance GDDR6 Memory             | Quadro RTX 3000 features 6GB of frame buffer making it the ideal platform for handling large datasets and latency-sensitive applications.                                                                                                                                                                                                                                                                                                                                                                                                                                    |
+| Advanced streaming multiprocessor (SM) architecture | Combined shared memory and L1 cache improve performance significantly, while simplifying programming and reducing the tuning required to attain the best application performance.                                                                                                                                                                                                                                                                                                                                                                                                |
+| High performance GDDR6 Memory             | Quadro RTX 3000 features 6GB of frame buffer, making it the ideal platform for handling large datasets and latency-sensitive applications.                                                                                                                                                                                                                                                                                                                                                                                                                                    |
 | Single instruction, multiple thread (SIMT)          | New independent thread scheduling capability enables finer-grain synchronization and cooperation between parallel threads by sharing resources among small jobs.                                                                                                                                                                                                                                                                                                                                                                                                             |
-| Mixed-precision computing                           | 16-bit floating-point precision computing enables the training and deployment of larger neural networks.  With independent parallel integer and floating-point data paths, the Turing SM handles workloads more efficiently using a mix of computation and addressing calculations.                                                                                                                                                                                                                                                                                          |
+| Mixed-precision computing                           | 16-bit floating-point precision computing enables the training and deployment of larger neural networks. With independent parallel integer and floating-point data paths, the Turing SM handles workloads more efficiently using a mix of computation and addressing calculations.                                                                                                                                                                                                                                                                                          |
 | Dynamic load balancing                              | Provides dynamic allocation capabilities of GPU resources for graphics and compute tasks as needed to maximize resource utilization.                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
 | Compute preemption                                  | Preemption at the instruction-level provides finer grain control over compute tasks to prevent long-running applications from either monopolizing system resources or timing out.                                                                                                                                                                                                                                                                                                                                                                                            |
 | H.264, H.265 and HEVC encode/decode engines         | Enables faster than real-time performance for transcoding, video editing, and other encoding applications with two dedicated H.264 and HEVC encode engines and a dedicated decode engine that are independent of 3D/compute pipeline.                                                                                                                                                                                                                                                                                                                                        |
@@ -86,7 +86,7 @@ Surface Book 3 with Quadro RTX 3000 delivers the best graphics performance of an
  
 ## App acceleration
 
-The following table shows how Quadro RTX 3000 provides significantly faster acceleration across leading professional applications. It includes SPECview perf 13 benchmark test results comparing Surface Book 3 15-inch with NVIDIA Quadro RTX 3000 versus Surface Book 2 15-inch with NVIDIA GeForce GTX 1060 devices in market March 2020.
+The following table shows how Quadro RTX 3000 provides significantly faster acceleration across leading professional applications. It includes SPECview perf 13 benchmark test results comparing the Surface Book 3 15-inch with NVIDIA Quadro RTX 3000 versus the Surface Book 2 15-inch with NVIDIA GeForce GTX 1060 devices in the market as of March 2020.
 
 **Table 3. App acceleration on Surface Book 3 with Quadro RTX 3000**
 
@@ -95,23 +95,23 @@ The following table shows how Quadro RTX 3000 provides significantly faster acce
 | Adobe Dimension                             | - RTX-accelerated ray tracing delivers photorealistic 3D rendering to 2D artists and designers.                                                                                                                                                                                                                                                                                                     |
 | Adobe Substance Alchemist                   | - Create and blend materials with ease, featuring RTX-accelerated AI.                                                                                                                                                                                                                                                                                                                             |
 | Adobe Substance Painter                     | - Paint materials onto 3d models, featuring RTX accelerated bakers, and Iray RTX rendering which generates photorealistic imagery for interactive and batch rendering workflows. <br>                                      |
-| Adobe Substance Designer                    | - Author procedural materials featuring RTX accelerated bakers<br>- Uses NVIDIA Iray rendering including textures/substances and bitmap texture export to render in any Iray powered compatible with MDL.<br>- DXR-accelerated light and ambient occlusion baking.                                                                                                                                  |
-| Adobe Photoshop                             | - CUDA core acceleration enables faster editing with 30+ GPU-accelerated features such as blur gallery, liquify, smart sharpen, & perspective warp enable photographers and designers to modify images smoothly and quickly.                                                                                                                                                                        |
+| Adobe Substance Designer                    | - Author procedural materials featuring RTX accelerated bakers<br>- Uses NVIDIA Iray rendering including textures/substances and bitmap texture export to render in any Iray that is compatible with MDL.<br>- DXR-accelerated light and ambient occlusion baking.                                                                                                                                  |
+| Adobe Photoshop                             | - CUDA core acceleration enables faster editing with 30+ GPU-accelerated features such as blur gallery, liquify, smart sharpen, and perspective warp enable photographers and designers to modify images smoothly and quickly.                                                                                                                                                                        |
 | Adobe Lightroom                             | - Faster editing high res images with GPU-accelerated viewport, which enables the modeling of larger 3D scenes, and the rigging of more complex animations.<br>- GPU-accelerated image processing enables dramatically more responsive adjustments, especially on 4K or higher resolution displays.<br>- GPU-accelerated AI-powered “Enhance Details” for refining fine color detail of RAW images. |
 | Adobe Illustrator                           | - Pan and zoom with GPU-accelerated canvas faster, which enables graphic designers and illustrators to pan across and zoom in and out of complex vector graphics smoothly and interactively.                                                                                                                                                                                                        |
-| Adobe<br>Premiere Pro                       | - Significantly faster editing and rendering video with GPU-accelerated effects vs CPU:<br>- GPU-accelerated effects with NVIDIA CUDA technology for real-time video editing and faster final frame rendering.<br>- GPU-accelerated AI Auto Reframe feature for intelligently converting landscape video to dynamically tracked portrait or square video.                                           |
+| Adobe<br>Premiere Pro                       | - Significantly faster editing and rendering video with GPU-accelerated effects vs CPU.<br>- GPU-accelerated effects with NVIDIA CUDA technology for real-time video editing and faster final frame rendering.<br>- GPU-accelerated AI Auto Reframe feature for intelligently converting landscape video to dynamically tracked portrait or square video.                                           |
 | Autodesk<br>Revit                           | - GPU-accelerated viewport for a smoother, more interactive design experience.<br>- Supports 3rd party GPU-accelerated 3D renderers such as V-Ray and Enscape.                                                                                                                                                                                                                                      |
-| Autodesk<br>3ds Max                         | - GPU-accelerated viewport graphics for fast, interactive 3D modelling and design.<br>- RTX-accelerated ray tracing and AI denoising ****with the default Arnold renderer.<br>- More than 70 percent faster compared with Surface Book 2 15”.                                                                                                                                               |
+| Autodesk<br>3ds Max                         | - GPU-accelerated viewport graphics for fast, interactive 3D modelling and design.<br>- RTX-accelerated ray tracing and AI denoising with the default Arnold renderer.<br>- More than 70 percent faster compared with Surface Book 2 15”.                                                                                                                                               |
 | Autodesk<br>Maya                            | - RTX-accelerated ray tracing and AI denoising with the default Arnold renderer.<br>- OpenGL Viewport Acceleration.                                                                                                                                                                                                                                                                             |
-| Dassault Systemes<br>Solidworks             | - Solidworks Interactive Ray Tracer (Visualize) accelerated by both RT Cores and Tensor Cores; AI-accelerated denoiser.<br>- Runs more than 50% faster compared with Surface Book 2 15”                                                                                                                                                                                                             |
-| Dassault Systemes<br>3D Experience Platform | - CATIA Interactive Ray Tracer (Live Rendering) accelerated by RT Cores.<br>- Catia runs more than 100% faster compared with Surface Book 2 15.                                                                                                                                                                                                                                                     |
-| ImageVis3D                                  | - Runs more than 2x faster compared with Surface Book 2 15”..                                                                                                                                                                                                                                                                                                                                       |
+| Dassault Systemes<br>Solidworks             | - Solidworks Interactive Ray Tracer (Visualize) accelerated by both RT Cores and Tensor Cores; AI-accelerated denoiser.<br>- Runs more than 50% faster compared with Surface Book 2 15”.                                                                                                                                                                                                             |
+| Dassault Systemes<br>3D Experience Platform | - CATIA Interactive Ray Tracer (Live Rendering) accelerated by RT Cores.<br>- Catia runs more than 100% faster compared with Surface Book 2 15".                                                                                                                                                                                                                                                     |
+| ImageVis3D                                  | - Runs more than 2x faster compared with Surface Book 2 15”.                                                                                                                                                                                                                                                                                                                                       |
 | McNeel & Associates<br>Rhino 3D             | - GPU-accelerated viewport for a smooth and interactive modelling and design experience.<br>- Supports Cycles for GPU-accelerated 3D rendering.                                                                                                                                                                                                                                                     |
-| Siemens NX                                  | - Siemens NX Interactive Ray Tracer (Ray Traced Studio) accelerated by RT Cores.<br>- Runs more than 10 x faster compared with Surface Book 2 15”..                                                                                                                                                                                                                                                 |
-| Esri ArcGIS                                 | - Real-time results from what took days & weeks, due to DL inferencing leveraging tensor cores.                                                                                                                                                                                                                                                                                                     |
+| Siemens NX                                  | - Siemens NX Interactive Ray Tracer (Ray Traced Studio) accelerated by RT Cores.<br>- Runs more than 10x faster compared with Surface Book 2 15”.                                                                                                                                                                                                                                                 |
+| Esri ArcGIS                                 | - Real-time results from what took days and weeks, due to DL inferencing leveraging tensor cores.                                                                                                                                                                                                                                                                                                     |
 | PTC Creo                                    | - Creo's real-time engineering simulation tool (Creo Simulation Live) built on CUDA.<br>- Runs more than 15% faster compared with Surface Book 2 15”.                                                                                                                                                                                                                                               |
 | Luxion KeyShot                              | - 3rd party Interactive Ray Tracer used by Solidworks, Creo, and Rhino. Accelerated by RT Cores, OptiX™ AI-accelerated denoising.                                                                                                                                                                                                                                                                   |
-| ANSYS<br>Discovery Live                     | - ANSYS real-time engineering simulation tool (ANSYS Discovery Live) built on CUDA                                                                                                                                                                                                                                                                                                                  |
+| ANSYS<br>Discovery Live                     | - ANSYS real-time engineering simulation tool (ANSYS Discovery Live) built on CUDA.                                                                                                                                                                                                                                                                                                                  |
 ## SKUs
 
 **Table 4. Surface Book 3 with Quadro RTX 3000 SKUs**
@@ -123,7 +123,7 @@ The following table shows how Quadro RTX 3000 provides significantly faster acce
 
 ## Summary
 
-Surface Book 3 with Quadro RTX 3000 delivers the best graphics performance on any Surface laptop, providing architects, engineers, developers, and data scientists with the tools they need to work efficiently from anywhere:
+The Surface Book 3 with Quadro RTX 3000 delivers the best graphics performance of any Surface laptop, providing architects, engineers, developers, and data scientists with the tools they need to work efficiently from anywhere:
  
 - RTX-acceleration across multiple workflows like design, animation, video production, and more.
 - Desktop-grade performance in a mobile form factor.

devices/surface/surface-enterprise-management-mode.md

@@ -32,6 +32,9 @@ There are two administrative options you can use to manage SEMM and enrolled Sur
 
 The primary workspace of SEMM is Microsoft Surface UEFI Configurator, as shown in Figure 1. Microsoft Surface UEFI Configurator is a tool that is used to create Windows Installer (.msi) packages or WinPE images that are used to enroll, configure, and unenroll SEMM on a Surface device. These packages contain a configuration file where the settings for UEFI are specified. SEMM packages also contain a certificate that is installed and stored in firmware and used to verify the signature of configuration files before UEFI settings are applied.
 
+>[!NOTE]
+>You can now use Surface UEFI Configurator and SEMM to manage ports on Surface Dock 2. To learn more, see [Secure Surface Dock 2 ports with SEMM](secure-surface-dock-ports-semm.md).
+
 ![Microsoft Surface UEFI Configurator](images/surface-ent-mgmt-fig1-uefi-configurator.png "Microsoft Surface UEFI Configurator")
 
 *Figure 1. Microsoft Surface UEFI Configurator*
@@ -282,6 +285,6 @@ This version of SEMM includes:
 
 ## Related topics
 
-[Enroll and configure Surface devices with SEMM](enroll-and-configure-surface-devices-with-semm.md)
-
-[Unenroll Surface devices from SEMM](unenroll-surface-devices-from-semm.md)
+- [Enroll and configure Surface devices with SEMM](enroll-and-configure-surface-devices-with-semm.md)
+- [Unenroll Surface devices from SEMM](unenroll-surface-devices-from-semm.md)
+- [Secure Surface Dock 2 ports with SEMM](secure-surface-dock-ports-semm.md)

devices/surface/surface-manage-dfci-guide.md

@@ -31,7 +31,7 @@ Until now, managing firmware required enrolling devices into Surface Enterprise
 
 Now with newly integrated UEFI firmware management capabilities in Microsoft Intune, the ability to lock down hardware is simplified and easier to use with new features for provisioning, security, and streamlined updating all in a single console, now unified as [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager). The following figure shows UEFI settings viewed directly on the device (left) and viewed in the Endpoint Manager console (right).
 
-![UEFI settings shown on device (left) and in the Endpoint Manager console (right) ](images/uefidfci.png)
+![UEFI settings shown on device (left) and in the Endpoint Manager console (right)](images/uefidfci.png)
 
 Crucially, DFCI enables zero touch management, eliminating the need for manual interaction by IT admins. DFCI is deployed via Windows Autopilot using the device profiles capability in Intune. A device profile allows you to add and configure settings which can then be deployed to devices enrolled in management within your organization. Once the device receives the device profile, the features and settings are applied automatically. Examples of common device profiles include Email, Device restrictions, VPN, Wi-Fi, and Administrative templates. DFCI is simply an additional device profile that enables you to manage UEFI configuration settings from the cloud without having to maintain on-premises infrastructure.