deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-19 04:13:41 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'refs/remotes/origin/sh-9034221' into sh-1607

Browse Source
This commit is contained in:
Trudy Hakala
2016-10-12 10:22:35 -07:00
parent 2f93197be9 a50e4be86f
commit c7951e3f52
6 changed files with 368 additions and 142 deletions
Download Patch File Download Diff File Expand all files Collapse all files

BIN
devices/surface-hub/images/sh-device-family-availability.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 37 KiB

BIN
devices/surface-hub/images/sh-org-licensing.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 71 KiB

BIN
devices/surface-hub/images/sh-select-template.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 61 KiB

107
devices/surface-hub/install-apps-on-surface-hub.md
View File

@ -13,22 +13,117 @@ localizationpriority: medium
# Install apps on your Microsoft Surface Hub
You can install additional apps on your Surface Hub to fit your team or organization's needs. There are different methods for installing apps depending on if you are developing and testing an app, or deploying a released app. This topic describes methods for installing apps for either scenario.
Admins can install apps can from either the Windows Store or the Windows Store for Business.
A few things to know about apps on Surface Hub:
- Surface Hub only runs [Universal Windows Platform (UWP) apps](https://msdn.microsoft.com/windows/uwp/get-started/whats-a-uwp).
- Apps must be targeted for the [Universal device family](https://msdn.microsoft.com/library/windows/apps/dn894631).
- By default, apps must be Store-signed to be installed. During testing and development, you can also choose to run developer-signed UWP apps by placing the device in developer mode.
- You need admin credentials to install apps on your Surface Hub. Since the device is designed to be used in communal spaces like meeting rooms, people can't access the Windows Store to download and install apps.
## Using the Windows Store
There are a few different ways to install apps on your Surface Hub depending on whether you are testing apps, or deploying them. This table outlines supported the supported methods:
| Install method | Testing and <br> developing apps | Deploying <br> apps |
| -------------------------- | --------------------------- | -------------- |
| Developer mode | X | |
| Visual Studio | X | |
| Windows Store app | X | |
| Provisioning package | | X |
| Configuration manager | | X |
Admins can install apps on the device using the Windows Store app available in **Settings** &gt; **System** &gt; **Microsoft Surface Hub**. They can start the store app, sign in using their Microsoft account credentials, browse, purchase, and install the apps as with any other Windows device.
## Test and develop apps
While you're developing your own app, or evaluating apps to deploy to your organization, there are a few options for testing apps on Surface Hub.
## Using the Store for Business
### Developer Mode
By default, Surfacve Hub only runs UWP apps that have been published to and signed by the Windows Store. Apps submitted to the Windows Store go through security and compliance tests as part of the app certification process, so this helps safeguard your Surface Hub against malicious apps.
By enabling developer mode, you can also install developer-signed UWP apps.
For apps purchased through the Store for Business, download the Appxbundle, offline license, and the dependencies for the App from the store to a separate PC. Create a provisioning package and copy it to a USB drive. (See [Create a provisioning package](provisioning-packages-for-certificates-surface-hub.md).) Move the USB drive to the Surface Hub, and install the app on the device using the Settings app.
> [!NOTE]
> After developer mode has been enabled, you will need to reset the Surface Hub to disable it. Resetting the device removes all local user files and configurations and then reinstalls Windows.
**To turn on developer mode**
1. From your Surface Hub, start **Settings**.
2. Type the device admin credentials when prompted.
3. Navigate to **Update & security** > **For developers**.
4. Select **Developer mode** and accept the warning prompt.
### Visual Studio
During development, the easiest way to test your app on a Surface Hub is using Visual Studio. Visual Studio's remote debugging feature helps discover issues in your app before deploying it broadly. For more information, see [Test Surface Hub apps using Visual Studio](https://msdn.microsoft.com/windows/uwp/debug-test-perf/test-surface-hub-apps-using-visual-studio).
### Windows Store app
Use Windows Store app to browse and download apps to test them on your Surface Hub.
**To browse the Windows Store on Surface Hub**
1. From your Surface Hub, start **Settings**.
2. Type the device admin credentials when prompted.
3. Navigate to **This device** > **Apps & features**.
4. Select **Open Store**.
Downloading apps from the Store is not the recommended method of deploying apps at scale to your organization:
- Downloading apps from the Store requires you to sign in to the Store app with a Microsoft account or organizational account. However, you can only connect an account to a maximum of 10 devices at once. If you have more than 10 Surface Hubs, you will need to create multiple accounts or remove devices from your account between app installations.
- To install apps, you will need to manually sign in to the Store app on each Surface Hub you own.
### Provisioning package
Use Visual Studio to [create an app package](https://msdn.microsoft.com/library/windows/apps/hh454036.aspx) for your UWP app, signed using a test certificate. Then use Windows Imaging and Configuration Designer (WICD) to create a provisioning package containing the app package and license file. For more information, see [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md).
## Submit the app to the Windows Store
Once an app is ready for release, developers need to submit and publish it to the Windows Store. For more information, see [Publish Windows apps](https://developer.microsoft.com/store/publish-apps).
During app submission, developers need to set **Device family availability** and **Organizational licensing** options to make sure the app will be available to run on Surface Hub.
**To set device family availability**
- On Device familiy availability, select these options:
- **Windows 10 Desktop** (other device families are optional)
- **Let Microsoft decide whether to make the app available to any future device families**.
![Image showing Device family availability page - part of Windows Store app submission process.](images/sh-device-family-availability.png)
For more information, see [Device family availability](https://msdn.microsoft.com/windows/uwp/publish/upload-app-packages#device-family-availability).
**To set organizational licensing**
- On **Organizational licensing**, select **Allow disconnected (offline) licensing for organizations**.
![Image showing Organizational licensing page - part of Windows Store app submission process.](images/sh-org-licensing.png)
> [!NOTE]
> **Make my app available to organizations with Store-managed (online) volume licensing** is selected by default.
For more information, see [Organizational licensing options](https://msdn.microsoft.com/windows/uwp/publish/organizational-licensing).
Developers can also publish line-of-business apps directly to enterprises without making them broadly available in the Store. For more information, see [Distribute LOB apps to enterprises](https://msdn.microsoft.com/windows/uwp/publish/distribute-lob-apps-to-enterprises).
## Deploy apps to your organization
After you've tested your apps, and submitted them to Windows Store, there are a few options for deploying apps to your organization.
### Download apps from Windows Store for Business
To download the app package you need to install apps on your Surface Hub, visit the [Windows Store for Business](https://www.microsoft.com/business-store). The Store for Business is where you can find, acquire, and manage apps for the Windows 10 devices in your organization, including Surface Hub.
> [!NOTE]
> Currently, Surface Hub only supports offline-licensed apps available through Store for Business. App developers set offline-license avaialability when they submit apps.
Find and acquire the app you want, then download the offline-licensed app package and the encoded license file. For more information, see [Download an offline-licensed app](https://technet.microsoft.com/itpro/windows/manage/distribute-offline-apps#download-an-offline-licensed-app).
### Provisioning package
Use Windows Imaging and Configuration Designer (WICD) to create a provisioning package containing the app package and license file that you downloaded from the Store for Business. For more information, see Create provisioning packages to learn more.
### System Center Configuration Manager
If your organization uses Configuration Manager SP1, System Center 2012 R2 Configuration Manager, or System Center Configuration Manager (current branch), you can use it to deploy apps remotely to Surface Hubs in your organization.
1. Enroll your Surface Hubs to Configuration Manager. For more information, see [Enroll a Surface Hub into MDM](manage-settings-with-mdm-for-surface-hub.md).
2. Create and deploy a Configuration Manager application using your offline-licensed app package and encoded license file. For more information, see [Create and deploy an application with SCCM](https://technet.microsoft.com/library/mt595707.aspx). Use these tips for the Create Application wizard: <br>
- Choose to **Automatically detect information about this application from installation files, and choose Windows app package (*.appx, *.appxbundle)**.
- Point the location to a folder containing the offline-licensed app package and encoded license file that you downloaded from the Store for Business.
- Ensure that you provide an encoded license file.
- In the Summary page of the wizard, ensure that your license file was properly detected.
3. As needed, update the app by downloading a new package from the Store for Business, and publishing an application revision in Configuration Manager. For more information, see [Update and retire applications with SCCM](https://technet.microsoft.com/library/mt595704.aspx).
> [!NOTE]
> If you are using System Center Configuration Manager (current branch), you can bypass the above steps by connecting the Store for Business to Configuration Manager. By doing so, you can synchronize the list of apps you've purchased with Configuration Manager, view these in the Configuration Manager console, and deploy them like you would any other app. For more information, see [Manage apps from the Windows Store for Business with SCCM](https://technet.microsoft.com/library/mt740630.aspx).
## Related topics
[Manage Microsoft Surface Hub](manage-surface-hub.md)
[Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md)

266
devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md
View File

@ -13,115 +13,193 @@ localizationpriority: medium
# Manage settings with an MDM provider (Surface Hub)
Surface Hub and other Windows 10 devices allow IT administrators to manage settings and policies using a mobile device management (MDM) provider. A built-in management component communicates with the management server, so there is no need to install additional clients on the device. For more information, see [Windows 10 mobile device management](https://msdn.microsoft.com/library/windows/hardware/dn914769.aspx).
Microsoft Surface Hub provides an enterprise management solution to help IT administrators manage policies and business applications on these devices using a mobile device management (MDM) solution.
Surface Hub has been validated with Microsofts first-party MDM providers: Microsoft Intune and System Center Configuration Manager (current branch). You can also manage Surface Hubs using any third-party provider that can communicate with Windows 10 using the MDM protocol.
The Surface Hub operating system has a built-in management component that's used to communicate with the device management server. There are two parts to the Surface Hub management component: the enrollment client, which enrolls and configures the device to communicate with the enterprise management server; and the management client, which periodically synchronizes with the management server to check for and apply updates. Third-party MDM servers can manage Surface Hub devices by using the Mobile Device Management protocol.
## <a href="" id="enroll-into-mdm"></a>Enroll a Surface Hub into MDM
You can enroll your Surface Hubs using automatic, bulk, or manual enrollment.
### Supported services
> [!NOTE]
> You can join your Surface Hub to Azure Active Directory (Azure AD) to manage admin groups on the device. However, Surface Hub does not currently support automatic MDM enrollment through Azure AD join. If your organization automatically enrolls Azure AD joined devices into MDM, you must disable this policy for Surface Hub before joining the device to Azure AD.
Surface Hub management has been validated for the following MDM providers:
### Automatic enrollment
**To configure automatic enrollment**
- For information on configuring automatic enrollment, see [Azure Active Directory enrollment](https://docs.microsoft.com/intune/deploy-use/set-up-windows-phone-management-with-microsoft-intune#azure-active-directory-enrollment).
- Microsoft Intune
- System Center Configuration Manager
### Bulk enrollment
**To configure bulk enrollment**
- Surface Hub supports the [Provisioning CSP](https://msdn.microsoft.com/library/windows/hardware/mt203665.aspx) for bulk enrollment into MDM. For more information, see [Windows 10 bulk enrollment](https://msdn.microsoft.com/library/windows/hardware/mt613115.aspx).<br>
--OR--
- If you have an on-premises System Center Configuration Manager infrastructure, see [How to bulk enroll devices with On-premises Mobile Device Management in System Center Configuration Manager](https://technet.microsoft.com/library/mt627898.aspx).
### <a href="" id="enroll-into-mdm"></a>Enroll a Surface Hub into MDM
### Manual enrollment
You can manually enroll with an MDM using **Settings** on your Surface Hub.
If you joined your Surface Hub to an Azure Active Directory (Azure AD) subscription, the device can automatically enroll into MDM and will be ready for remote management.
**To configure manual enrollment**
1. From your Surface Hub, open **Settings**.
2. Type the device admin credentials when prompted.
3. Select **This device**, and navigate to **Device management**.
4. Under **Device management**, select **+ Device management**.
5. Follow the instructions in the dialog to connect to your MDM provider.
Alternatively, the device can be enrolled like any other Windows device by going to **Settings** &gt; **Accounts** &gt; **Work access**.
## Manage Surface Hub settings with MDM
![Image showing enroll in device maagement page.](images/managesettingsmdm-enroll.png)
You can use MDM to manage some [Surface Hub CSP settings](#supported-surface-hub-csp-settings), and some [Windows 10 settings](#supported-windows-10-settings).
### Manage a device through MDM
### Supported Surface Hub CSP settings
The following table lists the device settings that can be managed remotely using MDM, including the OMA URI paths that 3rd party MDM providers need to create policies. Intune and System Center Configuration Manager have special templates to help create policies to manage these settings.
You can configure the Surface Hub settings in the following table using MDM. The table also tells if the setting is supported on Microsoft Intune, System Center Configuration Manager (Configuration Manager), or SyncML.
<table>
<colgroup>
<col width="25%" />
<col width="25%" />
<col width="25%" />
<col width="25%" />
</colgroup>
<thead>
<tr class="header">
<th align="left"></th>
<th align="left">Setting</th>
<th align="left">OMA URI</th>
<th align="left">Type</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>1</p></td>
<td align="left"><p>Auto Awake when someone is in the room</p></td>
<td align="left"><p>./Vendor/MSFT/SurfaceHub/InBoxApps/Welcome/AutoWakeScreen</p></td>
<td align="left"><p>Boolean</p></td>
</tr>
<tr class="even">
<td align="left"><p>2</p></td>
<td align="left"><p>Require that people must enter a PIN when pairing to the Surface Hub</p></td>
<td align="left"><p>./Vendor/MSFT/SurfaceHub/InBoxApps/WirelessProjection/PINRequired</p></td>
<td align="left"><p>Boolean</p></td>
</tr>
<tr class="odd">
<td align="left"><p>3</p></td>
<td align="left"><p>Set the maintenance window duration. This time is in minutes. As an example, to set a 3 hour duration, you set the value to 180.</p></td>
<td align="left"><p>./Vendor/MSFT/SurfaceHub/MaintenanceHoursSimple/Hours/Duration</p></td>
<td align="left"><p>Int</p></td>
</tr>
<tr class="even">
<td align="left"><p>4</p></td>
<td align="left"><p>Set the maintenance window start time. This time is in minutes past midnight. To set a 2:00 am start time, set a value of 120, meaning 120 minutes past midnight.</p></td>
<td align="left"><p>./Vendor/MSFT/SurfaceHub/MaintenanceHoursSimple/Hours/StartTime</p></td>
<td align="left"><p>Int</p></td>
</tr>
<tr class="odd">
<td align="left"><p>5</p></td>
<td align="left"><p>The Microsoft Operations Management Suite (OMS) Workspace ID that this device will connect to.</p></td>
<td align="left"><p>./Vendor/MSFT/SurfaceHub/MOMAgent/WorkspaceID</p></td>
<td align="left"><p>String</p></td>
</tr>
<tr class="even">
<td align="left"><p>6</p></td>
<td align="left"><p>The key that must be used when connecting to the specified OMS workspace.</p></td>
<td align="left"><p>./Vendor/MSFT/SurfaceHub/MOMAgent/WorkspaceKey</p></td>
<td align="left"><p>String</p></td>
</tr>
<tr class="odd">
<td align="left"><p>7</p></td>
<td align="left"><p>Choose the meeting information displayed on the welcome screen.</p>
<p>Value : 0 - Show organizer and time only</p>
<p>Value : 1 - Show organizer, time, and subject (subject is hidden for private meetings)</p></td>
<td align="left"><p>./Vendor/MSFT/SurfaceHub/InBoxApps/Welcome/MeetingInfoOption</p></td>
<td align="left"><p>Int</p></td>
</tr>
<tr class="even">
<td align="left"><p>8</p></td>
<td align="left"><p>Enable/Disable all Wireless Projection to the Surface Hub</p></td>
<td align="left"><p>./Vendor/MSFT/SurfaceHub/InBoxApps/WirelessProjection/Enabled</p></td>
<td align="left"><p>Boolean</p></td>
</tr>
<tr class="odd">
<td align="left"><p>9</p></td>
<td align="left"><p>Select a specific wireless channel on which Miracast Receive will operate</p></td>
<td align="left"><p>./Vendor/MSFT/SurfaceHub/InBoxApps/WirelessProjection/Channel</p></td>
<td align="left"><p>Int</p></td>
</tr>
<tr class="even">
<td align="left"><p>10</p></td>
<td align="left"><p>Change the background image for the welcome screen using a PNG image URL.</p></td>
<td align="left"><p>./Vendor/MSFT/SurfaceHub/InBoxApps/Welcome/CurrentBackgroundPath (Note: must be accessed using https.)</p></td>
<td align="left"><p>String</p></td>
</tr>
</tbody>
</table>
For more information, see [Surface Hub configuration service provider](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx).
 
| Setting | Supported CSPs | Supported with<br>Intune? | Supported with<br>Configuration Manager? | Supported with<br>SyncML? |
| -------------------- | -----------------------|-------------------------- | ---------------------------------------- | ------------------------- |
| Maintenance hours | MaintenanceHoursSimple/Hours/StartTime <br> MaintenanceHoursSimple/Hours/Duration | Yes | Yes | Yes |
| Automatically turn on the screen using motion sensors | InBoxApps/Welcome/AutoWakeScreen | Yes | Yes | Yes |
| Require a pin for wireless projection | InBoxApps/WirelessProjection/PINRequired | Yes | Yes | Yes |
| Enable wireless projection | InBoxApps/WirelessProjection/Enabled | Yes | Yes.<br> Use a custom setting.| Yes |
| Miracast channel to use for wireless projection | InBoxApps/WirelessProjection/Channel | Yes | Yes.<br> Use a custom setting.| Yes |
| Connect to your Operations Management Suite workspace | MOMAgent/WorkspaceID <br> MOMAgent/WorkspaceKey | Yes | Yes.<br> Use a custom setting.| Yes |
| Welcome screen background image | InBoxApps/Welcome/CurrentBackgroundPath | Yes | Yes.<br> Use a custom setting. | Yes |
| Meeting information displayed on the welcome screen | InBoxApps/Welcome/MeetingInfoOption | Yes | Yes.<br> Use a custom setting. | Yes |
| Friendly name for wireless projection | Properties/FriendlyName | Yes. <br> Use a custom policy | Yes.<br> Use a custom setting.| Yes |
| Device account, including password rotation | Multiple | No | No | Yes |
## Related topics
Refer to documentation from your MDM provider to learn how to create and deploy SyncML.
> [!TIP]
You need to use a settings OMA URI to create a custom policy in Intune, or a custom setting in System Center Configuration Manager.
**To generate the OMA URI for any setting in the CSP documentation**
- Prepend the node path with path of the root node. <br>
For example, the OMA URI for the InBoxApps/WirelessProjection/Enabled setting in the SurfaceHub CSP is “./Vendor/MSFT/SurfaceHub/InBoxApps/WirelessProjection/Enabled”.
The data type is stated in the CSP documentation. The most common data types are:
- char (string)
- int (integer)
- bool (boolean)
Depending on the MDM provider that you use, you may set these settings using the SyncML nodes defined in the SurfaceHub CSP, or using a built-in user interface. Intune and System Center Configuration Manager provide built-in experiences to help create policy templates for Surface Hub.
### Supported Windows 10 settings
In addition to Surface Hub specific settings, there are numerous settings common to all Windows 10 devices. These settings are defined in the [Configuration service provider reference]().
The following tables include info on Windows 10 settings have been validated with Surface Hub. There is a table with settings for these areas: security, browser, Windows Updates, Windows Defender, remote reboot, certificates, and logs. Each table also tells if the setting is supported on Microsoft Intune, System Center Configuration Manager (Configuration Manager), or SyncML.
**Security settings**
| Setting | Details | CSP documentation reference | Supported with<br>Intune? | Supported with<br>Configuration Manager? | Supported with<br>SyncML? |
| -------- | -------- | --------------------------- |-------------------------- | ---------------------------------------- | ------------------------- |
| Allow Bluetooth | Keep this enabled to support Bluetooth peripherals. | ./Vendor/MSFT/Policy/Config/Connectivity/AllowBluetooth| Yes. <br> Use a custom policy. | Yes.<br> Use a custom setting. | Yes |
| Bluetooth policies | Use to set the Bluetooth device name, and block advertising, discovery, and automatic pairing. | Various policies in the Policy CSP: ./Vendor/MSFT/Policy/Config/Bluetooth/<name of policy> | Yes. <br> Use a custom policy. | Yes.<br> Use a custom setting. | Yes |
| Allow camera | Keep this enabled for Skype for Business. | ./Vendor/MSFT/Policy/Config/Camera/AllowCamera| Yes. <br> Use a custom policy. | Yes.<br> Use a custom setting. | Yes |
| Allow location | Keep this enabled to support apps such as Maps.| ./Vendor/MSFT/Policy/Config/System/AllowLocation| Yes. <br> Use a custom policy. | Yes.<br> Use a custom setting. | Yes |
| Allow telemetry | Keep this enabled to help Microsoft improve Surface Hub. | ./Vendor/MSFT/Policy/Config/System/AllowTelemetry| Yes. <br> Use a custom policy. | Yes.<br> Use a custom setting. | Yes |
**Browser settings**
| Setting | Details | CSP documentation reference | Supported with<br>Intune? | Supported with<br>Configuration Manager? | Supported with<br>SyncML? |
| -------- | ---------------- | --------------------------- |-------------------------- | ---------------------------------------- | ------------------------- |
| Homepages | Use to configure the default homepages in Microsoft Edge.| ./Vendor/MSFT/Policy/Config/Browser/Homepages | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
| Allow cookies | Surface Hub automatically deletes cookies at the end of a session. Use this to block cookies within a session. |./Vendor/MSFT/Policy/Config/Browser/AllowCookies | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
| Allow developer tools | Use to stop users from using F12 Developer Tools.| ./Vendor/MSFT/Policy/Config/Browser/AllowDeveloperTools| Yes. <br> Use a custom policy.| Yes. <br> Use a custom setting.| Yes |
| Allow Do Not Track | Use to enable Do Not Track headers. | ./Vendor/MSFT/Policy/Config/Browser/AllowDoNotTrack | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
| Allow pop-ups | Use to block pop-up browser windows. | ./Vendor/MSFT/Policy/Config/Browser/AllowPopups | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
| Allow search suggestions| Use to block search suggestions in the address bar| ./Vendor/MSFT/Policy/Config/Browser/AllowSearchSuggestionsinAddressBar| Yes. <br> Use a custom policy.| Yes. <br> Use a custom setting.| Yes |
| Allow SmartScreen | Keep this enabled to turn on SmartScreen| ./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen | Yes. <br> Use a custom policy.| Yes. <br> Use a custom setting.| Yes |
| Prevent ignoring SmartScreen Filter warnings for websites| For extra security, use to stop users from ignoring SmartScreen Filter warnings and block them from accessing potentially malicious websites.| ./Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverride| Yes. <br> Use a custom policy.| Yes. <br> Use a custom setting.| Yes |
| Prevent ignoring SmartScreen Filter warnings for files| For extra security, use to stop users from ignoring SmartScreen Filter warnings and block them from downloading unverified files from Microsoft Edge.| ./Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverrideForFiles| Yes. <br> Use a custom policy.| Yes. <br> Use a custom setting.| Yes |
**Windows Update settings**
| Setting | Details | CSP documentation reference | Supported with<br>Intune? | Supported with<br>Configuration Manager? | Supported with<br>SyncML? |
| ----------- | ---------------- | --------------------------- |-------------------------- | ---------------------------------------- | ------------------------- |
| Use Current Branch or Current Branch for Business | Use to configure Windows Update for Business see Windows Updates.| ./Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel | Yes. Use a custom policy.| Yes. Use a custom setting.| Yes |
| Defer feature updates| See above. | ./Vendor/MSFT/Policy/Config/Update/ DeferFeatureUpdatesPeriodInDays| Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
| Defer quality updates See above. | ./Vendor/MSFT/Policy/Config/Update/DeferQualityUpdatesPeriodInDays| Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
| Pause feature updates| See above. | ./Vendor/MSFT/Policy/Config/PauseFeatureUpdates| Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
| Pause quality updates| See above. | ./Vendor/MSFT/Policy/Config/Update/PauseQualityUpdates| Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes|
| Configure device to use WSUS| Use to connect your Surface Hub to WSUS instead of Windows Update see Windows Updates. | ./Vendor/MSFT/Policy/Config/Update/UpdateServiceUrl | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
| Delivery optimization | Use peer-to-peer content sharing to reduce bandwidth issues during updates. See [Configure Delivery Optimization for Windows 10](https://technet.microsoft.com/itpro/windows/manage/waas-delivery-optimization) for details. | Various policies in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx): <br>./Vendor/MSFT/Policy/Config/DeliveryOptimization/<name of policy>| Yes. <br> Use a custom policy.| Yes. <br> Use a custom setting.| Yes |
**Windows Defender settings**
| Setting | Details | CSP documentation reference | Supported with<br>Intune? | Supported with<br>Configuration Manager? | Supported with<br>SyncML? |
| ----------- | ---------------- | --------------------------- |-------------------------- | ---------------------------------------- | ------------------------- |
| Defender policies. |Use to configure various Defender settings, including a scheduled scan time. | Various policies in [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx): <br> ./Vendor/MSFT/Policy/Config/Defender/<name of policy>. | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes
| Defender status | Use to initiate a Defender scan, force a signature update, query any threats detected. | [Defender CSP](https://msdn.microsoft.com/library/windows/hardware/mt187856.aspx) | No. | No. | Yes |
**Remote reboot settings**
| Setting | Details | CSP documentation reference | Supported with<br>Intune? | Supported with<br>Configuration Manager? | Supported with<br>SyncML? |
| ----------- | ---------------- | --------------------------- |-------------------------- | ---------------------------------------- | ------------------------- |
| Reboot the device immediately| Use in conjunction with OMS to minimize support costs see Monitoring.| ./Vendor/MSFT/Reboot/RebootNow| No| No| Yes |
| Reboot the device at a scheduled date and time| See above.| ./Vendor/MSFT/Reboot/Schedule/Single | Yes. <br> Use a custom policy.| Yes. <br> Use a custom setting.| Yes |
| Reboot the device daily at a scheduled date and time| See above.| ./Vendor/MSFT/Reboot/Schedule/DailyRecurrent | Yes. <br> Use a custom policy.| Yes. <br> Use a custom setting.| Yes |
**Certficate settings**
| Setting | Details | CSP documentation reference | Supported with<br>Intune? | Supported with<br>Configuration Manager? | Supported with<br>SyncML? |
| ----------- | ---------------- | --------------------------- |-------------------------- | ---------------------------------------- | ------------------------- |
| Install certificates | Use to deploy certificates to the Surface Hub. | [RootCATrustedCertificates CSP](https://msdn.microsoft.com/library/windows/hardware/dn904970.aspx) and [ClientCertificateInstall CSP](https://msdn.microsoft.com/library/windows/hardware/dn920023.aspx) | Yes. <br> See [Secure resource access with certificate profiles](https://docs.microsoft.com/intune/deploy-use/secure-resource-access-with-certificate-profiles). | Yes. <br> See [How to create certificate profiles in Configuration Manager](https://technet.microsoft.com/library/dn270541.aspx). | Yes |
**Log settings**
| Setting | Details | CSP documentation reference | Supported with<br>Intune? | Supported with<br>Configuration Manager? | Supported with<br>SyncML? |
| ----------- | ---------------- | --------------------------- |-------------------------- | ---------------------------------------- | ------------------------- |
| Log collection | Use to remotely collect ETW logs from Surface Hub.| [DiagnosticLog CSP](https://msdn.microsoft.com/library/windows/hardware/mt219118.aspx) | No| No| Yes |
<!-- ## Example: Manage Surface Hub settings with Micosoft Intune
You can Use Intune to create a configuration policy from a template, or create a custom configuration policy to manage some Surface Hub settings.
**To create a configuration policy from a template**
You'll use the **Windows 10 Team general configuration policy** as the template.
1. Access the Intune management portal at [https://manage.microsoft.com](https://manage.microsoft.com).
2. Sign in with your Intune administrator account.
3. On the left-hand navigation menu, click **Policy**.
4. In the Overview page, click **Add Policy**.
5. On **Select a template for the new policy**, expand **Windows**, select **General Configuration (Windows 10 Team and later)**, select **Create and Deploy a Custom Policy**, and then click **Create Policy**.
6. Configure your policy, then click **Save Policy**
7. When prompted, click **Yes** to deploy your new policy to a user or device group.
For more informration, see [Use groups to manage users and devices in Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/use-groups-to-manage-users-and-devices-with-microsoft-intune).
**To create a custom configuration policy**
Youll need to create a custom policy to manage settings that are not available in the template.
1. Access the Intune management portal at [https://manage.microsoft.com](https://manage.microsoft.com).
2. Sign in with your Intune administrator account.
3. On the left-hand navigation menu, click **Policy**.
4. In the Overview page, click **Add Policy**.
5. On **Select a template for the new policy**, expand **Windows**, select **Custom Configuration (Windows 10 Desktop and Mobile and later)**, select **Create and Deploy a Custom Policy**, and then click **Create Policy**.
6. Type a name for the policy.
7. Under OMA-URI Settings, click **Add**.
8. Complete the form to create a new setting, and then click **OK**.
9. Repeat Step 8 for each setting you want to configure with this policy.
10. Once you're done, click **Save Policy** and deploy it to a user or device group.
## Example: Manage Surface Hub settings with System Center Configuration Manager
The current branch of System Center Configuration Manager supports managing modern devices that do not require the Configuration Manager client to manage them, including Surface Hub. If you already use System Center Configuration Manager to manage other devices in your organization, you can continue to use the administrative console as your single location for managing Surface Hubs.
> [!NOTE]
> These instructions are based on the current branch of System Center Configuration Manager.
**To create a configuration item for Surface Hub settings**:
1. Open the Configuration Manager console.
2. Under **Assets and Compliance**, expand **Compliance Settings**, and select **Configuration Items**.
3. Click **Create Configuration Item**.
4. Type a name and a description for the configuration item.
5. Under **Settings for devices managed without the Configuration Manager client**, select **Windows 8.1 and Windows 10**, and then click **Next**.
6. On **Supported Platforms**, select **Supported Platforms**, expand **Windows 10**, select **All Windows 10 Team and higher**, and then click **Next**.
7. On **Windows 10 team**, under **Device settings**, select **Windows 10 Team**. A new tab labelled **Windows 10 Team** will appear on the left-hand side. -->
## Related topic
[Manage Microsoft Surface Hub](manage-surface-hub.md)

135
devices/surface-hub/monitor-surface-hub.md
View File

@ -14,71 +14,124 @@ localizationpriority: medium
# Monitor your Microsoft Surface Hub
Monitoring for Microsoft Surface Hub devices is enabled through Microsoft Operations Management Suite (OMS).
Monitoring for Microsoft Surface Hub devices is enabled through Microsoft Operations Management Suite (OMS). The [Operations Management Suite (OMS)](https://go.microsoft.com/fwlink/?LinkId=718138) is Microsoft's IT management solution that helps you manage and protect your entire IT infrastructure, including your Surface Hubs.
The [Operations Management Suite (OMS)](https://go.microsoft.com/fwlink/?LinkId=718138) is Microsoft's IT management solution that helps you manage and protect your entire IT infrastructure, including your Surface Hubs. You can use OMS to help you track the health of your Surface Hubs as well as understand how they are being used. Log files are read on the devices and sent to the OMS service. Issues like servers being offline, the calendar not syncing, or the device account being unable to log into Skype are shown in OMS in the Surface Hub dashboard. By using the data in the dashboard, you can identify devices that are not running, or that are having other problems, and potentially apply fixes for the detected issues.
Surface Hub is offered as a Log Analytics solution in OMS, allowing you to collect and view usage and reliability data across all your Surface Hubs. Use the Surface Hub solution to:
- Inventory your Surface Hubs.
- View a snapshot of usage and reliability data for Skype meetings, wired and wireless projection, and apps on your Surface Hubs.
- Create custom alerts to respond quickly if your Surface Hubs report software or hardware issues.
### OMS requirements
## Add Surface Hub to Operations Management Suite
If you are already using OMS, you'll find Surface Hub solutions in the Solutions Gallery. Select the **Surface Hub** tile in the gallery, and then click **Add** in the solution's details page. If you're not using OMS, you'll need to add Surface Hub to the Solutions Gallery. For more information, see [Get Started with Updgrade Analytics](https://technet.microsoft.com/itpro/windows/deploy/upgrade-analytics-get-started).
In order to manage your Surface Hubs from the Microsoft Operations Management Suite (OMS), you'll need the following:
**To add Surface Hub to Operations Management Suite**
1. **Sign in to Operations Management Suite (OMS)**. You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS.
2. **Create a new OMS workspace**. Enter a name for the workspace, select the workspace region, and provide the email address that you want associated with this workspace. Select Create.
3. **Link Azure subscription to your workspace**. If your organization already has an Azure subscription, you can link it to your workspace. Note that you may need to request access from your organizations Azure administrator.
> [!NOTE]
> If your organization does not have an Azure subscription, create a new one or select the default OMS Azure subscription from the list. Your workspace opens.
4. **Add Surface Hub solution**. In the Solutions Galler, select the Surface Hub tile in the gallery and then select **Add** on the solutions details page. The solution is now visible on your workspace.
- A valid [subscription to OMS](http://www.microsoft.com/server-cloud/operations-management-suite/overview.aspx).
- [Subscription level](https://go.microsoft.com/fwlink/?LinkId=718139) in line with the number of devices. OMS pricing varies depending on how many devices are enrolled, and how much data it processes. You'll want to take this into consideration when planning your Surface Hub rollout.
## Use the Surface Hub dashboard
From the **Overview** page in your OMS workspace, click the Surface Hub tile to see the Surface Hub dashboard. Use the dashboard to get a snapshot of usage and reliability data across your Surface Hubs.
Next, you will either add an OMS subscription to your existing Microsoft Azure subscription or create a new workspace directly through the OMS portal. Detailed instructions for setting up the account can be found at: [Onboard in minutes](https://go.microsoft.com/fwlink/?LinkId=718141). Once the OMS subscription is set up, there are two ways to enroll your Surface Hub devices:
Click into each view on the dashboard to see detailed data, modify the query as desired, export the data to Power BI, and create alerts.
1. Automatically through [InTune](https://go.microsoft.com/fwlink/?LinkId=718150), or
2. Manually through Settings.
> [!NOTE]
> Most of these views show data for the past 30 days, but this is subject to your subscription's data retention policy.
### Setting up monitoring
**Active Surface Hubs**
Use this view to get an inventory of all your Surface Hubs. Once connected to OMS, each Surface Hub periodically sends a "heartbeat" event to the server. This view shows Surface Hubs that have reported a heartbeat in the past 24 hours.
You can monitor health and activity of your Surface Hub using Microsoft Operations Management Suite (OMS). The device can be enrolled in OMS remotely, using InTune, or locally, by using Settings.
**Skype meetings**
Use this view to get usage data for Skype over the past 30 days. The graph shows the total number of Skype Meetings started across your Surface Hubs, and a breakdown between scheduled meetings, ad hoc meetings, and PSTN calls.
### Enrolling devices through InTune
**Wireless projection**
Use this view to get usage and reliability data for wireless projection over the past 30 days. The graph shows the total number of wireless connections across all your Surface Hubs, which provides an indication whether people in your organization are using this feature. If it's a low number, it may suggest a need to provide training to help people in your organization learn how to wirelessly connect to a Surface Hub.
You'll need the workspace ID and primary key for your Surface Hub. You can get those from the OMS portal.
Also, the graph shows a breakdown of successful and unsuccessful connections. If you see a high number of unsuccessful connections, devices may not properly support wireless projection using Miracast. For best performance,Microsoft suggests that devices run a WDI Wi-Fi driver and a WDDM 2.0 graphics driver. Use the details view to learn if wireless projection problems are common.
InTune is a Microsoft product that allows you to centrally manage the OMS configuration settings that will be applied to one or more of your devices. Follow these steps to configure your devices through InTune:
When a connection fails, users can also do the following if they are using a Windows laptop or phone:
- Remove the paired device from Settings > Devices > Connected devices, then try to connect again.
- Reboot the device.
1. Sign in to InTune.
2. Navigate to **Settings** &gt; **Connected Sources**.
3. Create or edit a policy based on the Surface Hub template.
4. Navigate to the OMS section of the policy, and add the **workspace ID** and **primary key** to the policy.
5. Save the policy.
6. Associate the policy with the appropriate group of devices.
**Wired projection**
Use this view to get usage and reliability data for wired projection over the past 30 days. If the graph shows a high number of unsuccessful connections, it may indicate a connectivity issue in your audio-visual pipeline. For example, if you use a HDMI repeater or a center-of-room control panel, they may need to be restarted.
InTune will now sync the OMS settings with the devices in the target group, enrolling them in your OMS workspace.
**Application usage**
Use this view to get usage data for apps on your Surface Hubs over the past 30 days. The data comes from app launches on your Surface Hubs not including Skype for Business. This view helps you understand which Surface Hub apps are the most valuable in your organization. If you are deploying new line-of-business apps in your environment, this can also help you understand how often they are being used.
### Enrolling devices using the Settings app
**Application Crashes**
Use this view to get reliability data for apps on your Surface Hubs over the past 30 days. The data comes from app crashes on your Surface Hubs. This view helps you detect and notify app developers of poorly behaving in-box and line-of-business apps.
You'll need the workspace ID and primary key for your Surface Hub. You can get those from the OMS portal.
**Sample Queries**
Use this to create custom alerts based on a recommended set of queries. Alerts help you respond quickly if your Surface Hubs report software or hardware issues. For more inforamtion, see [Set up alerts using sample queries](#set-up-alerts-with-sample-queries).
If you don't use InTune to manage your environment, you can enroll devices manually through **Settings**:
## Set up alerts with sample queries
1. From your Surface Hub, start **Settings**.
2. Enter the device admin credentials when prompted.
3. Click **System**, and navigate to Microsoft Operations Management Suite.
4. Click **Configure**.
5. Select **Enable monitoring**.
6. In the OMS settings dialog, type the **workspace ID**.
7. Repeat steps 5 and 6 for the **primary key**.
8. Click **OK** to complete the configuration.
Use alerts to respond quickly if your Surface Hubs report software or hardware issues. Alert rules automatically run log searches according to a schedule, and runs one or more actions if the results match specific criteria. For more information, see [Alerts in Log Analytics](https://azure.microsoft.com/documentation/articles/log-analytics-alerts/).
The Surface Hub Log Analytics solution comes with a set of sample queries to help you set up the appropriate alerts and understand how to resolve issues you may encounter. Use them as a starting point to plan your monitoring and support strategy.
This table describes the sample queries in the Surface Hub solution:
| Alert type | Impact | Recommended remediation | Details |
| ---------- | ------ | ----------------------- | ------- |
| Software | Error | **Reboot the device**. <br> Reboot manually, or using Reboot CSP. <br> Suggest doing this between meetings to minimize impact to your people in your organization. | Trigger conditions: <br> - A critical process in the Surface Hub operating system, such as the shell, projection, or Skype, crashes or becomes non-responsive. <br> - The device hasn't reported a heartbeat in the past 24 hours. This may be due to network connectivity issue or network-related hardware failure, or an error with the telemetry reporting system. |
| Software | Error | **Check your Exchange service**. <br> Verify: <br> - The service is available <br> - The device account password is up to date see [Password management](password-management-for-surface-hub-device-accounts.md) for details.| Triggers when there's an error syncing the device calendar with Exchange. |
| Software | Error | **Check your Skype for Business service**. <br> Verify: <br> - The service is available <br> - The device account password is up to date see [Password management](password-management-for-surface-hub-device-accounts.md) for details. <br> - The domain name for Skype for Business is properly configured.| Triggers when Skype fails to sign in. |
| Software | Error | **Reset the device**. <br> This takes some time, so you should take the device offline. <br> For more information, see [Device reset](device-reset-surface-hub.md).| Triggers when there is an error cleaning up user and app data at the end of a session. When this operation repeatedly fails, the device is locked to protect user data. You must reset the device to continue. |
| Hardware | Warning | **None**. Indicates negligible impact to functionality.| Triggers when there is an error with any of the following hardware components: <br> - Virtual pen slots <br> - NFC driver <br> - USB hub driver <br> - Bluetooth driver <br> - Proximity sensor <br> - Graphical performance (video card driver) <br> - Mismatched hard drive <br> - No keyboard/mouse detected |
| Hardware | Warning | **Contact Microsoft support**. Indicates impact to core functionality (such as Skype, projection, touch, and internet connectivity). <br> **Note** Some events, including heartbeat, include the devices serial number that you can use when contacting support.| Triggers when there is an error with any of the following hardware components. <br> **Components that affect Skype**: <br> - Speaker driver <br> - Microphone driver <br> - Camera driver <br> **Components that affect wired and wireless projection**: <br> - Wired touchback driver <br> - Wired ingest driver <br> - Wireless adapter driver <br> - Wi-Fi Direct error <br> **Other components**: <br> - Touch digitizer driver <br> - Network adapter error (not reported to OMS)|
**To set up an alert**:
1. From the Surface Hub solution, select one of the sample queries.
2. Modify the query as desired. See Log Analytics search reference to learn more.
3. Click **Alert** at the top of the page to open the **Add Alert Rule** screen. See Alerts in Log Analytics for details on the options to configure the alert.
4. Click **Save** to complete the alert rule. It will start running immediately.
## Enroll your Surface Hub
For Surface Hub to connect to and register with the OMS service, it must have access to the port number of your domains and the URLs. This table list the ports that OMS needs. For more information, see [Configure proxy and firewall settings in Log Analytics](https://azure.microsoft.com/documentation/articles/log-analytics-proxy-firewall/).
| Agent resource | Ports | Bypass HTTPS insepction? |
| -------------------------- | ----- | ------------------------ |
| *.ods.opinsights.azure.com | 443 | Yes |
| *.oms.opinsights.azure.com | 443 | Yes |
| *.blob.core.windows.net | 443 | Yes |
| ods.systemcenteradvisor.com | 443 | No |
The Microsoft Monitoring Agent, used to connect devicnstall any additional clients to connect Surface Hub to OMS.
Once your OMS workspace is set up, there are several ways to enroll your Surface Hub devices:
- [Settings app](#enroll-using-the-settings-app)
- [Provisioning package](#enroll-using-a-provisioning-package)
- [Management solution](#enroll-using-a-management-solution), such as Microsoft Intune and Configuration Manager
You'll need the workspace ID and primary key of your OMS workspace. You can get these from the OMS portal.
### Enroll using the Settings app
**To Enroll using the settings app**
1. From your Surface Hub, start **Settings**.
2. Enter the device admin credentials when prompted.
3. Select **This device**, and navigate to **Device management**.
4. Under **Monitoring**, select **Configure OMS settings**.
5. In the OMS settings dialog, select **Enable monitoring**.
6. Type the workspace ID and primary key of your OMS workspace. You can get these from the OMS portal.
7. Click **OK** to complete the configuration.
A confirmation dialog will appear telling you whether or not the OMS configuration was successfully applied to the device. If it was, the device will start sending data to OMS.
### Monitoring devices
### Enroll using a provisioning package
You can use a provisioning package to enroll your Surface Hub. For more infomation, see [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md).
Monitoring your Surface Hubs using OMS is much like monitoring any other enrolled devices.
1. Sign in to the OMS portal.
2. Navigate to the Surface Hub solution pack dashboard.
3. Your device's health will be displayed here.
You can create OMS alerts based on existing or custom queries that use the data collected through OMS.
### Enroll using a management solution
You can enroll Surface Hub into OMS using the SurfaceHub CSP. Intune and Configuration Manager provide built-in experiences to help create policy templates for Surface Hub. For more information, see [Manage Surface Hub settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md).
## Related topics
[Manage Microsoft Surface Hub](manage-surface-hub.md)
[Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md)