diff --git a/devices/surface-hub/TOC.md b/devices/surface-hub/TOC.md
index 27249ab885..2a580770fb 100644
--- a/devices/surface-hub/TOC.md
+++ b/devices/surface-hub/TOC.md
@@ -33,7 +33,7 @@
### [Managing Surface Hub 2S with Microsoft Intune](surface-hub-2s-manage-intune.md)
### [Local management for Surface Hub 2S settings](local-management-surface-hub-settings.md)
### [Manage device account password rotation](surface-hub-2s-manage-passwords.md)
-### [Servicing and updating for Surface Hub 2S](surface-hub-2s-service-update.md)
+### [Manage Windows updates](manage-windows-updates-for-surface-hub.md)
### [Miracast on existing wireless network or LAN](miracast-over-infrastructure.md)
### [Save your BitLocker key](save-bitlocker-key-surface-hub.md)
### [Microsoft Exchange properties](exchange-properties-for-surface-hub-device-accounts.md)
diff --git a/devices/surface-hub/images/sh2-uefi1.png b/devices/surface-hub/images/sh2-uefi1.png
new file mode 100644
index 0000000000..ecb5aad455
Binary files /dev/null and b/devices/surface-hub/images/sh2-uefi1.png differ
diff --git a/devices/surface-hub/images/sh2-uefi10.png b/devices/surface-hub/images/sh2-uefi10.png
new file mode 100644
index 0000000000..eafc0617a2
Binary files /dev/null and b/devices/surface-hub/images/sh2-uefi10.png differ
diff --git a/devices/surface-hub/images/sh2-uefi2.png b/devices/surface-hub/images/sh2-uefi2.png
new file mode 100644
index 0000000000..8dbcb3df84
Binary files /dev/null and b/devices/surface-hub/images/sh2-uefi2.png differ
diff --git a/devices/surface-hub/images/sh2-uefi3.png b/devices/surface-hub/images/sh2-uefi3.png
new file mode 100644
index 0000000000..f9b0fdb754
Binary files /dev/null and b/devices/surface-hub/images/sh2-uefi3.png differ
diff --git a/devices/surface-hub/images/sh2-uefi4.png b/devices/surface-hub/images/sh2-uefi4.png
new file mode 100644
index 0000000000..ae6f427772
Binary files /dev/null and b/devices/surface-hub/images/sh2-uefi4.png differ
diff --git a/devices/surface-hub/images/sh2-uefi5.png b/devices/surface-hub/images/sh2-uefi5.png
new file mode 100644
index 0000000000..18a780074f
Binary files /dev/null and b/devices/surface-hub/images/sh2-uefi5.png differ
diff --git a/devices/surface-hub/images/sh2-uefi6.png b/devices/surface-hub/images/sh2-uefi6.png
new file mode 100644
index 0000000000..7b4390574a
Binary files /dev/null and b/devices/surface-hub/images/sh2-uefi6.png differ
diff --git a/devices/surface-hub/images/sh2-uefi7.png b/devices/surface-hub/images/sh2-uefi7.png
new file mode 100644
index 0000000000..0302b41a43
Binary files /dev/null and b/devices/surface-hub/images/sh2-uefi7.png differ
diff --git a/devices/surface-hub/images/sh2-uefi8.png b/devices/surface-hub/images/sh2-uefi8.png
new file mode 100644
index 0000000000..c5ccc27628
Binary files /dev/null and b/devices/surface-hub/images/sh2-uefi8.png differ
diff --git a/devices/surface-hub/images/sh2-uefi9.png b/devices/surface-hub/images/sh2-uefi9.png
new file mode 100644
index 0000000000..4747c398c8
Binary files /dev/null and b/devices/surface-hub/images/sh2-uefi9.png differ
diff --git a/devices/surface-hub/surface-hub-2s-deploy-checklist.md b/devices/surface-hub/surface-hub-2s-deploy-checklist.md
index 75c5edab71..e35778871a 100644
--- a/devices/surface-hub/surface-hub-2s-deploy-checklist.md
+++ b/devices/surface-hub/surface-hub-2s-deploy-checklist.md
@@ -15,49 +15,49 @@ ms.localizationpriority: Normal
## Surface Hub 2S pre-deployment checklist
-|**Check**|**Item**|**Response**|**Learn more**|
-|:------ |:------ |:----- |:------ |
-| ☐ |**Device account name**| | |
-| ☐ |**Device account UPN**| | |
-| ☐ |**ActiveSync Policy**| | |
-| ☐ |**Calendar processing configuration completed**| - Yes
- No | |
-| ☐ |**Device-friendly name**| | |
-| ☐ |**Device host name**| | |
-| ☐ |**Affiliation**| - None
- Active Directory affiliation
- Azure Active Directory | |
-| ☐ |**Microsoft Teams Mode**| - Mode 0
- Mode 1
- Mode 2 | |
-| ☐ |**Device Management**| - Yes, Microsoft Intune
- Yes, other mobile device manager [MDM]
- None | |
-| ☐ |**Proxy**| - Automatic configuration
- Proxy server
- Proxy auto-config (PAC) file | |
-| ☐ |**Proxy authentication**| - Device account credentials
- Prompt for credentials | |
-| ☐ |**Password rotation**| - On
- Off | |
-| ☐ |**Skype for Business additional domain names (on-premises only)**| | |
-| ☐ |**Session timeout time**| | |
-| ☐ |**Session timeout action**| - End session
- Allow resume | |
-| ☐ |**My meetings and files**| - Enabled
- Disabled | |
-| ☐ |**Lock screen timeout**| | |
-| ☐ |**Sleep idle timeout**| | |
-| ☐ |**Bluetooth**| - On
- Off | |
-| ☐ |**Use only BitLocker USB drives**| - On
- Off | |
-| ☐ |**Install additional certificates (on-premises only)**| | [Using certificates for AADJ on-premises single-sign on](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert) |
-|☐ |**Windows update**| - Windows Update for Business
- Windows Server Update Services [WSUS] | [Deploy updates using Windows Update for Business](https://docs.microsoft.com/en-us/windows/deployment/update/waas-manage-updates-wufb)
[Get Started with Windows Server Update Services (WSUS)](https://docs.microsoft.com/en-us/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) |
-|☐ |**Surface app speaker setting**| - Rolling stand
- Wall-mounted | |
-|☐ |**IP Address**| - Wired — DHCP
- Wired — DHCP reservation
- Wireless — DHCP
- Wireless — DHCP reservation | |
+|**Item**|**Response**|**Learn more**|
+|:------ |:------ |:----- |
+|**Device account name**| | |
+|**Device account UPN**| | |
+|**ActiveSync Policy**| | |
+|**Calendar processing configuration completed**| ☐ Yes
☐ No | |
+|**Device-friendly name**| | |
+|**Device host name**| | |
+|**Affiliation**| ☐ None
☐ Active Directory affiliation
☐ Azure Active Directory | |
+|**Microsoft Teams Mode**| ☐ Mode 0
☐ Mode 1
☐ Mode 2 | |
+|**Device Management**| ☐ Yes, Microsoft Intune
☐ Yes, other mobile device manager [MDM]
☐ None | |
+|**Proxy**| ☐ Automatic configuration
☐ Proxy server
☐ Proxy auto-config (PAC) file | |
+|**Proxy authentication**| ☐ Device account credentials
☐ Prompt for credentials | |
+|**Password rotation**| ☐ On
☐ Off | |
+|**Skype for Business additional domain names (on-premises only)**| | |
+|**Session timeout time**| | |
+|**Session timeout action**| ☐ End session
☐ Allow resume | |
+|**My meetings and files**| ☐ Enabled
☐ Disabled | |
+|**Lock screen timeout**| | |
+|**Sleep idle timeout**| | |
+|**Bluetooth**| ☐ On
☐ Off | |
+|**Use only BitLocker USB drives**| ☐ On
☐ Off | |
+|**Install additional certificates (on-premises only)**| | [Using certificates for AADJ on-premises single-sign on](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert) |
+|**Windows update**| ☐ Windows Update for Business
☐ Windows Server Update Services [WSUS] | [Deploy updates using Windows Update for Business](https://docs.microsoft.com/en-us/windows/deployment/update/waas-manage-updates-wufb)
[Get Started with Windows Server Update Services (WSUS)](https://docs.microsoft.com/en-us/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) |
+|**Surface app speaker setting**| ☐ Rolling stand
☐ Wall-mounted | |
+|**IP Address**| ☐ Wired — DHCP
☐ Wired — DHCP reservation
☐ Wireless — DHCP
☐ Wireless — DHCP reservation | |
## Surface Hub 2S post-deployment checklist
|**Check**|**Item**|**Response**|**Learn more**|
|:------|:-------|:---------|:----------|
-| ☐ |**Device account syncing**| - Yes
- No | |
-| ☐ |**Bitlocker key**| - Saved to file (no affiliation)
- Saved in Active Directory (AD affiliation)
- Saved in Azure AD (Azure AD affiliation) | |
-| ☐ |**Device OS updates**| - Completed | |
-| ☐ |**Windows Store updates**| - Automatic
- Manual | |
-| ☐ |**Microsoft Teams scheduled meeting**| - Confirmation email received
- Meeting appears on start screen
- One-touch join functions
- Able to join audio
- Able to join video
- Able to share screen ||
-| ☐ |**Skype for Business scheduled meeting**| - Confirmation email received
- Meeting appears on start screen
- One-touch join functions correctly
- Able to join audio
- Able to join video
- Able to share screen
- Able to send/receive IM | |
-| ☐ |**Scheduled meeting when already invited**| - Meeting declined | |
-| ☐ |**Microsoft Teams ad-hoc meeting**| - Invite other users work
- Able to join audio
- Able to join video
- Able to share screen | |
-| ☐ |**Skype for Business scheduled meeting**| - Invite other users work
- Able to join audio
- Able to join video
- Able to share screen
- Able to send/receive IM | |
-| ☐ |**Microsoft Whiteboard**| - Launch from Welcome / Start screen
- Launch from Microsoft Teams | [Microsoft Whiteboard](https://whiteboard.microsoft.com/) |
-| ☐ |**Incoming Skype/Teams call**| - Able to join audio
- Able to join video
- Able to share screen
- Able to send/receive IM (Skype for Business only) | |
-| ☐ |**Incoming live video streams**| - Maximum 2 (Skype for Business)
- Maximum 4 (Microsoft Teams) | |
-| ☐ |**Microsoft Teams Mode 0 behavior**| - Skype for Business tile on Welcome/Start screen
- Can join scheduled Skype for Business meetings (Skype UI)
- Can join scheduled Teams meetings (Teams UI) | |
-| ☐ |**Microsoft Teams Mode 1 behavior**| - Teams tile on Welcome/Start screen
- Can join scheduled Skype for Business meetings (Skype UI)
- Can join scheduled Teams meetings (Teams UI) | |
-| ☐ |**Microsoft Teams Mode 2 behavior**| - Teams tile on Welcome / Start screen
- Can join scheduled Teams meetings
- Fail to join Skype for Business meetings | |
+|**Device account syncing**| ☐ Yes
☐ No | |
+|**Bitlocker key**| ☐ Saved to file (no affiliation)
☐ Saved in Active Directory (AD affiliation)
☐ Saved in Azure AD (Azure AD affiliation) | |
+|**Device OS updates**| ☐ Completed | |
+|**Windows Store updates**| ☐ Automatic
☐ Manual | |
+|**Microsoft Teams scheduled meeting**| ☐ Confirmation email received
☐ Meeting appears on start screen
☐ One-touch join functions
☐ Able to join audio
☐ Able to join video
☐ Able to share screen ||
+|**Skype for Business scheduled meeting**| ☐ Confirmation email received
☐ Meeting appears on start screen
☐ One-touch join functions correctly
☐ Able to join audio
☐ Able to join video
☐ Able to share screen
☐ Able to send/receive IM | |
+|**Scheduled meeting when already invited**| ☐ Meeting declined | |
+|**Microsoft Teams ad-hoc meeting**| ☐ Invite other users work
☐ Able to join audio
☐ Able to join video
☐ Able to share screen | |
+|**Skype for Business scheduled meeting**| ☐ Invite other users work
☐ Able to join audio
☐ Able to join video
☐ Able to share screen
☐ Able to send/receive IM | |
+|**Microsoft Whiteboard**| ☐ Launch from Welcome / Start screen
☐ Launch from Microsoft Teams | [Microsoft Whiteboard](https://whiteboard.microsoft.com/) |
+|**Incoming Skype/Teams call**| ☐ Able to join audio
☐ Able to join video
☐ Able to share screen
☐ Able to send/receive IM (Skype for Business only) | |
+|**Incoming live video streams**| ☐ Maximum 2 (Skype for Business)
☐ Maximum 4 (Microsoft Teams) | |
+|**Microsoft Teams Mode 0 behavior**| ☐ Skype for Business tile on Welcome/Start screen
☐ Can join scheduled Skype for Business meetings (Skype UI)
☐ Can join scheduled Teams meetings (Teams UI) | |
+|**Microsoft Teams Mode 1 behavior**| ☐ Teams tile on Welcome/Start screen
☐ Can join scheduled Skype for Business meetings (Skype UI)
☐ Can join scheduled Teams meetings (Teams UI) | |
+|**Microsoft Teams Mode 2 behavior**| ☐ Teams tile on Welcome / Start screen
☐ Can join scheduled Teams meetings
☐ Fail to join Skype for Business meetings | |
diff --git a/devices/surface-hub/surface-hub-2s-secure-with-uefi-semm.md b/devices/surface-hub/surface-hub-2s-secure-with-uefi-semm.md
index 6c4860e38e..c5b60ade8b 100644
--- a/devices/surface-hub/surface-hub-2s-secure-with-uefi-semm.md
+++ b/devices/surface-hub/surface-hub-2s-secure-with-uefi-semm.md
@@ -42,16 +42,24 @@ Unlike other Surface devices, you cannot use an MSI file or a Win PE image to ap
## To configure UEFI on Surface Hub 2S
-1. Start the UEFI Configurator and on the first screen, choose **Configuration Package**.
-2. To add the certificate to your package, you must have a valid certificate with the private key in a .pfx file format to sign and protect the package. Select **+ Certificate Protection.**
-3. Enter the certificate’s private key’s password.
-4. After importing the private key, continue creating the package.
-5. Choose **Hub** and **Surface Hub 2S** as the target for the UEFI configuration package.
-6. Choose the components and settings you want to activate or deactivate on Surface Hub 2S.
-7. Use the USB option to export the file.
-8. Insert and choose the USB drive you’d like to use for this package. The USB drive will be formatted and you lose any information you have on it.
-
-Upon successful creation of the package, the Configurator will display the last two characters of your certificate’s thumbprint. You need these characters when you import to the configuration to Surface Hub 2S.
+1. Start the UEFI Configurator and on the first screen, choose **Configuration Package**.
+
+2. To add the certificate to your package, you must have a valid certificate with the private key in a .pfx file format to sign and protect the package. Select **+ Certificate Protection.**
+
+3. Enter the certificate’s private key’s password.
+
+4. After importing the private key, continue creating the package.
+
+5. Choose **Hub** and **Surface Hub 2S** as the target for the UEFI configuration package.
+
+6. Choose the components and settings you want to activate or deactivate on Surface Hub 2S.
+
+7. Use the USB option to export the file.
+
+8. Insert and choose the USB drive you’d like to use for this package. The USB drive will be formatted and you lose any information you have on it.
+
+9. Upon successful creation of the package, the Configurator will display the last two characters of your certificate’s thumbprint. You need these characters when you import to the configuration to Surface Hub 2S.
+
## To boot into UEFI