mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-23 06:13:41 +00:00
Merge branch 'master' into CoveMiner-patch-1
This commit is contained in:
Jeanie Decker
GitHub
@ -21,40 +21,21 @@ You can enable [Bitlocker device encryption](https://docs.microsoft.com/windows/
|
||||
|
||||
You can use your mobile device management (MDM) provider to apply a policy that requires device encryption. The policy used is the [Security/RequireDeviceEncryption setting](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-security#security-requiredeviceencryption) in the Policy CSP.
|
||||
|
||||
In the following steps, Microsoft Intune is used as the example. For other MDM tools, see your MDM provider's documentation for instructions.
|
||||
[See instructions for enabling device encryption using Microsoft Intune.](https://docs.microsoft.com/intune/compliance-policy-create-windows#windows-holographic-for-business)
|
||||
|
||||
1. Sign in to the [Microsoft Azure portal](https://portal.azure.com/).
|
||||
For other MDM tools, see your MDM provider's documentation for instructions. If your MDM provider requires custom URI for device encryption, use the following configuration:
|
||||
|
||||
2. Use **Search** or go to **More services** to open the Intune blade.
|
||||
|
||||
3. Go to **Device configuration > Profiles**, and select **Create profile**.
|
||||
|
||||
|
||||
|
||||
4. Enter a name of your choice, select **Windows 10 and later** for the platform, select **Custom** for the profile type, and then select **Add**.
|
||||
|
||||
|
||||
|
||||
5. In **Add Row OMA-URI Settings**, enter or select the following information:
|
||||
- **Name**: a name of your choice
|
||||
- **Description**: optional
|
||||
- **OMA-URI**: `./Vendor/MSFT/Policy/Config/Security/RequireDeviceEncryption`
|
||||
- **Data type**: integer
|
||||
- **Value**: `1`
|
||||
|
||||
|
||||
|
||||
6. Select **OK**, select **OK**, and then select **Create**. The blade for the profile opens automatically.
|
||||
|
||||
7. Select **Assignments** to assign the profile to a group. After you configure the assignment, select **Save**.
|
||||
|
||||
|
||||
- **Name**: a name of your choice
|
||||
- **Description**: optional
|
||||
- **OMA-URI**: `./Vendor/MSFT/Policy/Config/Security/RequireDeviceEncryption`
|
||||
- **Data type**: integer
|
||||
- **Value**: `1`
|
||||
|
||||
## Enable device encryption using a provisioning package
|
||||
|
||||
Provisioning packages are files created by the Windows Configuration Designer tool that apply a specified configuration to a device.
|
||||
|
||||
### Create a provisioning package that upgrades the Windows Holographic edition
|
||||
### Create a provisioning package that upgrades the Windows Holographic edition and enables encryption
|
||||
|
||||
1. [Create a provisioning package for HoloLens.](hololens-provisioning.md)
|
||||
|
||||
|
||||
@ -14,36 +14,30 @@ ms.date: 04/30/2018
|
||||
|
||||
>**Looking for how to get the latest update? See [Update HoloLens](https://support.microsoft.com/help/12643/hololens-update-hololens).**
|
||||
|
||||
Windows 10, version 1803, is the first feature update to Windows Holographic for Business since its release in Windows 10, version 1607. As with desktop devices, administrators can manage updates to the HoloLens operating system using [Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb).
|
||||
|
||||
>[!NOTE]
|
||||
>HoloLens devices must be [upgraded to Windows Holographic for Business](hololens-upgrade-enterprise.md) to manage updates.
|
||||
|
||||
For a complete list of Update policies, see [Policies supported by Windows Holographic for Business](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#a-href-idhololenspoliciesapolicies-supported-by-windows-holographic-for-business).
|
||||
|
||||
Mobile device management (MDM) providers use the [Policy Configuration Service Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) to enable update management.
|
||||
To configure how and when updates are applied, use the following policies:
|
||||
- [Update/AllowAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautoupdate)
|
||||
- [Update/ScheduledInstallDay](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstallday)
|
||||
- [Update/ScheduledInstallTime](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstalltime)
|
||||
|
||||
The Update policies supported for HoloLens are:
|
||||
To turn off the automatic check for updates, set the following policy to value **5** – Turn off Automatic Updates:
|
||||
- [Update/AllowAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautoupdate)
|
||||
|
||||
- [Update/AllowAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautoupdate)
|
||||
- [Update/AllowUpdateService](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowupdateservice)
|
||||
- [Update/RequireDeferUpgrade](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-requiredeferupgrade)
|
||||
- [Update/RequireUpdateApproval](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-requireupdateapproval)
|
||||
- [Update/UpdateServiceUrl](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-updateserviceurl)
|
||||
In Microsoft Intune, you can use **Automatic Update Behavior** to change this policy. (See [Manage software updates in Microsoft Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure))
|
||||
|
||||
|
||||
|
||||
Typically, devices access Windows Update directly for updates. You can use the following update policies to configure devices to get updates from Windows Server Update Service (WSUS) instead:
|
||||
For devices on Windows 10, version 1607 only: You can use the following update policies to configure devices to get updates from Windows Server Update Service (WSUS) instead of Windows Update:
|
||||
|
||||
- [Update/AllowUpdateService](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowupdateservice)
|
||||
- [Update/RequireUpdateApproval](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-requireupdateapproval)
|
||||
- [Update/UpdateServiceUrl](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-updateserviceurl)
|
||||
|
||||
In Microsoft Intune, use [a custom profile](https://docs.microsoft.com/intune/custom-settings-windows-holographic) to configure devices to get updates from WSUS.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
## Related topics
|
||||
|
||||
- [Manage software updates in Microsoft Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure)
|
||||
- [Policies supported by Windows Holographic for Business](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#a-href-idhololenspoliciesapolicies-supported-by-windows-holographic-for-business)
|
||||
- [Manage software updates in Microsoft Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure)
|
||||
|
||||
@ -91,6 +91,6 @@ Windows 10, version 1803, is the first feature update to Windows Holographic for
|
||||
## Additional resources
|
||||
|
||||
- [Reset or recover your HoloLens](https://developer.microsoft.com/windows/mixed-reality/reset_or_recover_your_hololens)
|
||||
- [Restart, rest, or recover HoloLens](https://support.microsoft.com/help/13452/hololens-restart-reset-or-recover-hololens)
|
||||
- [Restart, reset, or recover HoloLens](https://support.microsoft.com/help/13452/hololens-restart-reset-or-recover-hololens)
|
||||
- [Manage devices running Windows Holographic with Microsoft Intune](https://docs.microsoft.com/intune/windows-holographic-for-business)
|
||||
|
||||
|
||||
@ -75,10 +75,16 @@ From here on, you'll need to finish the account creation process using PowerShel
|
||||
|
||||
In order to run cmdlets used by these PowerShell scripts, the following must be installed for the admin PowerShell console:
|
||||
|
||||
- [Microsoft Online Services Sign-In Assistant for IT Professionals BETA](https://go.microsoft.com/fwlink/?LinkId=718149)
|
||||
- [Microsoft Online Services Sign-In Assistant for IT Professionals RTW](https://www.microsoft.com/en-us/download/details.aspx?id=41950)
|
||||
- [Windows Azure Active Directory Module for Windows PowerShell](https://www.microsoft.com/web/handlers/webpi.ashx/getinstaller/WindowsAzurePowershellGet.3f.3f.3fnew.appids)
|
||||
- [Skype for Business Online, Windows PowerShell Module](https://www.microsoft.com/download/details.aspx?id=39366)
|
||||
|
||||
Install the following module in Powershell
|
||||
``` syntax
|
||||
install-module AzureAD
|
||||
Install-module MsOnline
|
||||
```
|
||||
|
||||
### Connecting to online services
|
||||
|
||||
1. Run Windows PowerShell as Administrator.
|
||||
@ -200,8 +206,7 @@ In order to enable Skype for Business, your environment will need to meet the fo
|
||||
2. To enable your Surface Hub account for Skype for Business Server, run this cmdlet:
|
||||
|
||||
```PowerShell
|
||||
Enable-CsMeetingRoom -Identity $strEmail -RegistrarPool
|
||||
"sippoolbl20a04.infra.lync.com" -SipAddressType EmailAddress
|
||||
Enable-CsMeetingRoom -Identity $strEmail -RegistrarPool "sippoolbl20a04.infra.lync.com" -SipAddressType EmailAddress
|
||||
```
|
||||
|
||||
If you aren't sure what value to use for the `RegistrarPool` parameter in your environment, you can get the value from an existing Skype for Business user using this cmdlet:
|
||||
@ -356,18 +361,22 @@ In order to enable Skype for Business, your environment will need to meet the fo
|
||||
Import-PSSession $cssess -AllowClobber
|
||||
```
|
||||
|
||||
2. To enable your Surface Hub account for Skype for Business Server, run this cmdlet:
|
||||
2. Retrieve your Surface Hub account Registrar Pool
|
||||
|
||||
If you aren't sure what value to use for the `RegistrarPool` parameter in your environment, you can get the value from an existing Skype for Business user using this cmdlet:
|
||||
|
||||
```PowerShell
|
||||
Get-CsOnlineUser -Identity ‘alice@contoso.microsoft.com’| fl *registrarpool*
|
||||
```
|
||||
|
||||
3. To enable your Surface Hub account for Skype for Business Server, run this cmdlet:
|
||||
|
||||
```PowerShell
|
||||
Enable-CsMeetingRoom -Identity $strEmail -RegistrarPool
|
||||
"sippoolbl20a04.infra.lync.com" -SipAddressType EmailAddress
|
||||
```
|
||||
|
||||
If you aren't sure what value to use for the `RegistrarPool` parameter in your environment, you can get the value from an existing Skype for Business user using this cmdlet:
|
||||
|
||||
```PowerShell
|
||||
Get-CsOnlineUser -Identity ‘alice@contoso.microsoft.com’| fl *registrarpool*
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@ -9,7 +9,7 @@
|
||||
],
|
||||
"resource": [
|
||||
{
|
||||
"files": ["**/images/**", "**/*.json"],
|
||||
"files": ["**/images/**"],
|
||||
"exclude": ["**/obj/**"]
|
||||
}
|
||||
],
|
||||
|
||||
@ -7,7 +7,6 @@ ms.sitesec: library
|
||||
author: jdeckerms
|
||||
ms.author: jdecker
|
||||
ms.topic: article
|
||||
ms.date: 01/17/2019
|
||||
---
|
||||
|
||||
# Change history for Surface documentation
|
||||
@ -20,6 +19,8 @@ New or changed topic | Description
|
||||
--- | ---
|
||||
[Surface Brightness Control](microsoft-surface-brightness-control.md) | New
|
||||
[Maintain optimal power settings on Surface devices](maintain-optimal-power-settings-on-Surface-devices.md) | New
|
||||
|[Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md) | Added Surface Studio 2 |
|
||||
|
||||
|
||||
## November 2018
|
||||
|
||||
|
||||
@ -9,7 +9,6 @@ ms.mktglfcycl: deploy
|
||||
ms.pagetype: surface, devices
|
||||
ms.sitesec: library
|
||||
author: brecords
|
||||
ms.date: 11/15/2018
|
||||
ms.author: jdecker
|
||||
ms.topic: article
|
||||
---
|
||||
@ -89,6 +88,12 @@ Download the following updates for [Surface Studio from the Microsoft Download C
|
||||
|
||||
* SurfaceStudio_Win10_xxxxx_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10
|
||||
|
||||
## Surface Studio 2
|
||||
|
||||
Download the following updates for [Surface Studio 2 from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=57593).
|
||||
|
||||
* SurfaceStudio2_Win10_xxxxx_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10
|
||||
|
||||
## Surface Book
|
||||
|
||||
|
||||
|
||||
@ -9,7 +9,7 @@
|
||||
],
|
||||
"resource": [
|
||||
{
|
||||
"files": ["**/images/**", "**/*.json"],
|
||||
"files": ["**/images/**"],
|
||||
"exclude": ["**/obj/**"]
|
||||
}
|
||||
],
|
||||
|
||||
Binary file not shown.
|
Before Width: | Height: | Size: 87 KiB After Width: | Height: | Size: 84 KiB |
Binary file not shown.
|
Before Width: | Height: | Size: 113 KiB After Width: | Height: | Size: 112 KiB |
Binary file not shown.
|
Before Width: | Height: | Size: 113 KiB After Width: | Height: | Size: 116 KiB |
Binary file not shown.
|
Before Width: | Height: | Size: 130 KiB After Width: | Height: | Size: 124 KiB |
Binary file not shown.
|
Before Width: | Height: | Size: 94 KiB After Width: | Height: | Size: 102 KiB |
@ -57,6 +57,9 @@ Some scenarios where Microsoft Surface Data Eraser can be helpful include:
|
||||
>[!NOTE]
|
||||
>Because the ability to boot to USB is required to run Microsoft Surface Data Eraser, if the device is not configured to boot from USB or if the device is unable to boot or POST successfully, the Microsoft Surface Data Eraser tool will not function.
|
||||
|
||||
>[!NOTE]
|
||||
>Surface Data Eraser on Surface Studio and Surface Studio 2 can take up to 6 minutes to boot into WinPE before disk erasure can occur.
|
||||
|
||||
|
||||
## How to create a Microsoft Surface Data Eraser USB stick
|
||||
|
||||
@ -150,6 +153,22 @@ After you create a Microsoft Surface Data Eraser USB stick, you can boot a suppo
|
||||
|
||||
Microsoft Surface Data Eraser is periodically updated by Microsoft. For information about the changes provided in each new version, see the following:
|
||||
|
||||
### Version 3.2.78.0
|
||||
*Release Date: 4 Dec 2018*
|
||||
|
||||
This version of Surface Data Eraser:
|
||||
|
||||
- Includes bug fixes
|
||||
|
||||
|
||||
### Version 3.2.75.0
|
||||
*Release Date: 12 November 2018*
|
||||
|
||||
This version of Surface Data Eraser:
|
||||
|
||||
- Adds support to Surface Studio 2
|
||||
- Fixes issues with SD card
|
||||
|
||||
### Version 3.2.69.0
|
||||
*Release Date: 12 October 2018*
|
||||
|
||||
|
||||
@ -28,12 +28,12 @@ Specifically, SDT for Business enables you to:
|
||||
To run SDT for Business, download the components listed in the following table.
|
||||
|
||||
>[!NOTE]
|
||||
>In contrast to the way you typically install MSI packages, the SDT distributable MSI package can only be created by running Windows Installer (MSI.exe) at a command prompt and setting the custom flag `ADMINMODE = 1`. For details, see [Run Surface Diagnostic Toolkit using commands](surface-diagnostic-toolkit-command-line.md).
|
||||
>In contrast to the way you typically install MSI packages, the SDT distributable MSI package can only be created by running Windows Installer (msiexec.exe) at a command prompt and setting the custom flag `ADMINMODE = 1`. For details, see [Run Surface Diagnostic Toolkit using commands](surface-diagnostic-toolkit-command-line.md).
|
||||
|
||||
Mode | Primary scenarios | Download | Learn more
|
||||
--- | --- | --- | ---
|
||||
Desktop mode | Assist users in running SDT on their Surface devices to troubleshoot issues.<br>Create a custom package to deploy on one or more Surface devices allowing users to select specific logs to collect and analyze. | SDT distributable MSI package<br>Microsoft Surface Diagnostic Toolkit for Business Installer.MSI<br>[Surface Tools for IT](https://www.microsoft.com/download/details.aspx?id=46703) | [Use Surface Diagnostic Toolkit in desktop mode](surface-diagnostic-toolkit-desktop-mode.md)
|
||||
Command line | Directly troubleshoot Surface devices remotely without user interaction, using standard tools such as Configuration Manager. It includes the following commands:<br>`-DataCollector` collects all log files<br>`-bpa` runs health diagnostics using Best Practice Analyzer.<br>`-windowsupdate` checks Windows update for missing firmware or driver updates.<br><br>**Note:** Support for the ability to confirm warranty information will be available via the command `-warranty` | SDT console app<br>Microsoft Surface Diagnostics App Console.exe<br>[Surface Tools for IT](https://www.microsoft.com/download/details.aspx?id=46703) | [Run Surface Diagnostic Toolkit using commands](surface-diagnostic-toolkit-command-line.md)
|
||||
Desktop mode | Assist users in running SDT on their Surface devices to troubleshoot issues.<br>Create a custom package to deploy on one or more Surface devices allowing users to select specific logs to collect and analyze. | SDT distributable MSI package:<br>Microsoft Surface Diagnostic Toolkit for Business Installer<br>[Surface Tools for IT](https://www.microsoft.com/download/details.aspx?id=46703) | [Use Surface Diagnostic Toolkit in desktop mode](surface-diagnostic-toolkit-desktop-mode.md)
|
||||
Command line | Directly troubleshoot Surface devices remotely without user interaction, using standard tools such as Configuration Manager. It includes the following commands:<br>`-DataCollector` collects all log files<br>`-bpa` runs health diagnostics using Best Practice Analyzer.<br>`-windowsupdate` checks Windows update for missing firmware or driver updates.<br><br>**Note:** Support for the ability to confirm warranty information will be available via the command `-warranty` | SDT console app:<br>Microsoft Surface Diagnostics App Console<br>[Surface Tools for IT](https://www.microsoft.com/download/details.aspx?id=46703) | [Run Surface Diagnostic Toolkit using commands](surface-diagnostic-toolkit-command-line.md)
|
||||
|
||||
## Supported devices
|
||||
|
||||
@ -64,7 +64,7 @@ To create an SDT package that you can distribute to users in your organization,
|
||||
|
||||
**To install SDT in ADMINMODE:**
|
||||
|
||||
1. Sign into your Surface device using the Administrator account.
|
||||
1. Sign in to your Surface device using the Administrator account.
|
||||
2. Download SDT Windows Installer Package (.msi) from the [Surface Tools for IT download page](https://www.microsoft.com/download/details.aspx?id=46703) and copy it to a preferred location on your Surface device, such as Desktop.
|
||||
3. Open a command prompt and enter:
|
||||
|
||||
|
||||
@ -25,13 +25,18 @@ Download and install SDT app console from the [Surface Tools for IT download pag
|
||||
- Run health diagnostics using Best Practice Analyzer.
|
||||
- Check update for missing firmware or driver updates.
|
||||
|
||||
By default, output files are saved to C:\Administrator\user. Refer to the following table for a complete list of commands.
|
||||
>[!NOTE]
|
||||
>In this release, the SDT app console supports single commands only. Running multiple command line options requires running the console exe separately for each command.
|
||||
|
||||
By default, output files are saved in the same location as the console app. Refer to the following table for a complete list of commands.
|
||||
|
||||
Command | Notes
|
||||
--- | ---
|
||||
-DataCollector "output file" | Collects system details into a zip file. "output file" is the file path to create system details zip file.<br><br>**Example**:<br>`Microsoft.Surface.Diagnostics.App.Console.exe -DataCollector SDT_DataCollection.zip`
|
||||
-bpa "output file" | Checks several settings and health indicators in the device. “output file" is the file path to create the HTML report.<br><br>**Example**:<br>`Microsoft.Surface.Diagnostics.App.Console.exe -bpa BPA.html`
|
||||
-windowsupdate | Checks Windows Update online servers for missing firmware and/or driver updates.<br><br>**Example**:<br>Microsoft.Surface.Diagnostics.App.Console.exe -windowsupdate
|
||||
-warranty "output file" | Checks warranty information on the device (valid or invalid). The optional “output file” is the file path to create the xml file. <br><br>**Example**: <br>Microsoft.Surface.Diagnostics.App.Console.exe –warranty “warranty.xml”
|
||||
|
||||
|
||||
>[!NOTE]
|
||||
>To run the SDT app console remotely on target devices, you can use a configuration management tool such as System Center Configuration Manager. Alternatively, you can create a .zip file containing the console app and appropriate console commands and deploy per your organization’s software distribution processes.
|
||||
@ -140,4 +145,4 @@ You can run BPA tests across key components such as BitLocker, Secure Boot, and
|
||||
<tr><td><strong>Value:</strong></td><td></td></tr>
|
||||
<tr><td><strong>Condition:</strong></td><td><font color="00ff00">Optimal</font></td></tr>
|
||||
<tr><td><strong>Guidance:</strong></td><td>Check with the original equipment manufacturer for compatibility with your Surface device.</td></tr>
|
||||
</table>
|
||||
</table>
|
||||
|
||||
@ -63,7 +63,7 @@ For each test, if functionality does not work as expected and the user clicks **
|
||||
|
||||
1. If the brightness successfully adjusts from 0-100 percent as expected, direct the user to click **Yes** and then click **Continue**.
|
||||
2. If the brightness fails to adjust from 0-100 percent as expected, direct the user to click **No** and then click **Continue**.
|
||||
3. Guide users through remaining tests as appropriate. When finished, SDT automatically provides a high-level summary of the report of the possible causes of any hardware issues along with guidance for resolution.
|
||||
3. Guide users through remaining tests as appropriate. When finished, SDT automatically provides a high-level summary of the report, including the possible causes of any hardware issues along with guidance for resolution.
|
||||
|
||||
|
||||
### Repairing applications
|
||||
|
||||
@ -17,7 +17,7 @@ ms.date: 01/06/2017
|
||||
Microsoft Surface Enterprise Management Mode (SEMM) is a feature of Surface devices with Surface UEFI that allows you to secure and manage firmware settings within your organization. With SEMM, IT professionals can prepare configurations of UEFI settings and install them on a Surface device. In addition to the ability to configure UEFI settings, SEMM also uses a certificate to protect the configuration from unauthorized tampering or removal.
|
||||
|
||||
>[!NOTE]
|
||||
>SEMM is only available on devices with Surface UEFI firmware, such as Surface Pro 4, Surface Book, and Surface Studio. For more information about Surface UEFI, see [Manage Surface UEFI Settings](https://technet.microsoft.com/itpro/surface/manage-surface-uefi-settings).
|
||||
>SEMM is only available on devices with Surface UEFI firmware such as Surface Pro 4 and later, Surface Go, Surface Laptop, Surface Book, and Surface Studio. For more information about Surface UEFI, see [Manage Surface UEFI Settings](https://technet.microsoft.com/itpro/surface/manage-surface-uefi-settings).
|
||||
|
||||
When Surface devices are configured by SEMM and secured with the SEMM certificate, they are considered *enrolled* in SEMM. When the SEMM certificate is removed and control of UEFI settings is returned to the user of the device, the Surface device is considered *unenrolled* in SEMM.
|
||||
|
||||
@ -25,7 +25,7 @@ There are two administrative options you can use to manage SEMM and enrolled Sur
|
||||
|
||||
## Microsoft Surface UEFI Configurator
|
||||
|
||||
The primary workspace of SEMM is Microsoft Surface UEFI Configurator, as shown in Figure 1. Microsoft Surface UEFI Configurator is a tool that is used to create Windows Installer (.msi) packages that are used to enroll, configure, and unenroll SEMM on a Surface device. These packages contain a configuration file where the settings for UEFI are specified. SEMM packages also contain a certificate that is installed and stored in firmware and used to verify the signature of configuration files before UEFI settings are applied.
|
||||
The primary workspace of SEMM is Microsoft Surface UEFI Configurator, as shown in Figure 1. Microsoft Surface UEFI Configurator is a tool that is used to create Windows Installer (.msi) packages or WinPE images that are used to enroll, configure, and unenroll SEMM on a Surface device. These packages contain a configuration file where the settings for UEFI are specified. SEMM packages also contain a certificate that is installed and stored in firmware and used to verify the signature of configuration files before UEFI settings are applied.
|
||||
|
||||
|
||||
|
||||
@ -74,14 +74,15 @@ You can enable or disable the following devices with SEMM:
|
||||
|
||||
* Docking USB Port
|
||||
* On-board Audio
|
||||
* DGPU
|
||||
* Type Cover
|
||||
* Micro SD or SD Card Slots
|
||||
* Micro SD Card
|
||||
* Front Camera
|
||||
* Rear Camera
|
||||
* Infrared Camera, for Windows Hello
|
||||
* Bluetooth Only
|
||||
* Wi-Fi and Bluetooth
|
||||
* Trusted Platform Module (TPM)
|
||||
* LTE
|
||||
|
||||
You can configure the following advanced settings with SEMM:
|
||||
|
||||
@ -89,9 +90,12 @@ You can configure the following advanced settings with SEMM:
|
||||
* Alternate boot order, where the Volume Down button and Power button can be pressed together during boot, to boot directly to a USB or Ethernet device
|
||||
* Lock the boot order to prevent changes
|
||||
* Support for booting to USB devices
|
||||
* Enable Network Stack boot settings
|
||||
* Enable Auto Power On boot settings
|
||||
* Display of the Surface UEFI **Security** page
|
||||
* Display of the Surface UEFI **Devices** page
|
||||
* Display of the Surface UEFI **Boot** page
|
||||
* Display of the Surface UEFI **DateTime** page
|
||||
|
||||
>[!NOTE]
|
||||
>When you create a SEMM configuration package, two characters are shown on the **Successful** page, as shown in Figure 5.
|
||||
@ -116,7 +120,7 @@ These characters are the last two characters of the certificate thumbprint and s
|
||||
>6. **All** or **Properties Only** must be selected in the **Show** drop-down menu.
|
||||
>7. Select the field **Thumbprint**.
|
||||
|
||||
To enroll a Surface device in SEMM or to apply the UEFI configuration from a configuration package, all you need to do is run the .msi file on the intended Surface device. You can use application deployment or operating system deployment technologies such as [System Center Configuration Manager](https://technet.microsoft.com/library/mt346023) or the [Microsoft Deployment Toolkit](https://technet.microsoft.com/windows/dn475741). When you enroll a device in SEMM you must be present to confirm the enrollment on the device. User interaction is not required when you apply a configuration to devices that are already enrolled in SEMM.
|
||||
To enroll a Surface device in SEMM or to apply the UEFI configuration from a configuration package, all you need to do is run the .msi file with administrative privileges on the intended Surface device. You can use application deployment or operating system deployment technologies such as [System Center Configuration Manager](https://technet.microsoft.com/library/mt346023) or the [Microsoft Deployment Toolkit](https://technet.microsoft.com/windows/dn475741). When you enroll a device in SEMM you must be present to confirm the enrollment on the device. User interaction is not required when you apply a configuration to devices that are already enrolled in SEMM.
|
||||
|
||||
For a step-by-step walkthrough of how to enroll a Surface device in SEMM or apply a Surface UEFI configuration with SEMM, see [Enroll and configure Surface devices with SEMM](https://technet.microsoft.com/itpro/surface/enroll-and-configure-surface-devices-with-semm).
|
||||
|
||||
@ -189,10 +193,43 @@ For use with SEMM and Microsoft Surface UEFI Configurator, the certificate must
|
||||
>[!NOTE]
|
||||
>For organizations that use an offline root in their PKI infrastructure, Microsoft Surface UEFI Configurator must be run in an environment connected to the root CA to authenticate the SEMM certificate. The packages generated by Microsoft Surface UEFI Configurator can be transferred as files and therefore can be transferred outside the offline network environment with removable storage, such as a USB stick.
|
||||
|
||||
### Managing certificates FAQ
|
||||
|
||||
The recommended *minimum* length is 15 months. You can use a
|
||||
certificate that expires in less than 15 months or use a certificate
|
||||
that expires in longer than 15 months.
|
||||
|
||||
>[!NOTE]
|
||||
>When a certificate expires, it does not automatically renew.
|
||||
|
||||
**Will existing machines continue to apply the bios settings after 15
|
||||
months?**
|
||||
|
||||
Yes, but only if the package itself was signed when the certificate was
|
||||
valid.
|
||||
|
||||
**Will** **the SEMM package and certificate need to be updated on all
|
||||
machines that have it?**
|
||||
|
||||
If you want SEMM reset or recovery to work, the certificate needs to be
|
||||
valid and not expired. You can use the current valid ownership
|
||||
certificate to sign a package that updates to a new certificate for
|
||||
ownership. You do not need to create a reset package.
|
||||
|
||||
**Can bulk reset packages be created for each surface that we order? Can
|
||||
one be built that resets all machines in our environment?**
|
||||
|
||||
The PowerShell samples that create a config package for a specific
|
||||
device type can also be used to create a reset package that is
|
||||
serial-number independent. If the certificate is still valid, you can
|
||||
create a reset package using PowerShell to reset SEMM.
|
||||
|
||||
## Version History
|
||||
|
||||
### Version 2.26.136.0
|
||||
* Add support to Surface Studio 2
|
||||
|
||||
### Version 2.21.136.9
|
||||
### Version 2.21.136.0
|
||||
* Add support to Surface Pro 6
|
||||
* Add support to Surface Laptop 2
|
||||
|
||||
|
||||
Reference in New Issue
Block a user