Merge remote-tracking branch 'refs/remotes/origin/master' into jdshacct

jdeckerMS
2017-01-31 08:56:49 -08:00
393 changed files with 9058 additions and 2590 deletions

View File

@ -5,7 +5,8 @@
#### [Physically install Microsoft Surface Hub](physically-install-your-surface-hub-device.md)
#### [Create and test a device account](create-and-test-a-device-account-surface-hub.md)
##### [Online deployment](online-deployment-surface-hub-device-accounts.md)
##### [On-premises deployment](on-premises-deployment-surface-hub-device-accounts.md)
##### [On-premises deployment (single forest)](on-premises-deployment-surface-hub-device-accounts.md)
##### [On-premises deployment (multiple forests)](on-premises-deployment-surface-hub-multi-forest.md)
##### [Hybrid deployment](hybrid-deployment-surface-hub-device-accounts.md)
##### [Create a device account using UI](create-a-device-account-using-office-365.md)
##### [Microsoft Exchange properties](exchange-properties-for-surface-hub-device-accounts.md)
@ -36,4 +37,5 @@
### [Troubleshoot Microsoft Surface Hub](troubleshoot-surface-hub.md)
### [Appendix: PowerShell](appendix-a-powershell-scripts-for-surface-hub.md)
## [Differences between Surface Hub and Windows 10 Enterprise](differences-between-surface-hub-and-windows-10-enterprise.md)
## [How Surface Hub addresses Wi-Fi Direct security issues](surface-hub-wifi-direct.md)
## [Change history for Surface Hub](change-history-surface-hub.md)

View File

@ -30,7 +30,7 @@ The full list of accessibility settings are available to IT admins in the **Sett
| Mouse | Defaults selected for **Pointer size**, **Pointer color** and **Mouse keys**. |
| Other options | Defaults selected for **Visual options** and **Touch feedback**. |
Additionally, these accessibility features and apps are returned to default settings when users press [**I'm Done**](i-am-done-finishing-your-surface-hub-meeting.md):
Additionally, these accessibility features and apps are returned to default settings when users press [I'm Done](i-am-done-finishing-your-surface-hub-meeting.md):
- Narrator
- Magnifier
- High contrast

View File

@ -74,7 +74,7 @@ If your organization is using AD or Azure AD, we recommend you either domain joi
|---------------------------------------------------|-----------------------------------------|-------|
| Create a local admin account | None | The user name and password specified during first run |
| Domain join to Active Directory (AD) | Your organization uses AD | Any AD user from a specific security group in your domain |
| Azure Active Directory (Azure AD) join the device | Your organization uses Azure AD Basic | Global administators only |
| Azure Active Directory (Azure AD) join the device | Your organization uses Azure AD Basic | Global administrators only |
|   | Your organization uses Azure AD Premium or Enterprise Mobility Suite (EMS) | Global administrators and additional administrators |

View File

@ -1620,7 +1620,7 @@ In the following cmdlets, `$strPolicy` is the name of the ActiveSync policy, and
Note that in order to run the cmdlets, you need to set up a remote PowerShell session and:
- Your admin account must be remote-PowerShell-enabled. This allows the admin to use the PowerShell cmdlets that are needed by the script. (This permission can be set using set-user `$admin -RemotePowerShellEnabled $true`)
- Your admin account must be remote-PowerShell-enabled. This allows the admin to use the PowerShell cmdlets that are needed by the script. (This permission can be set using `set-user $admin -RemotePowerShellEnabled $true`)
- Your admin account must have the "Reset Password" role if you plan to run the creation scripts. This allows the admin to change the password of the account, which is needed for the script. The Reset Password Role can be enabled using the Exchange Admin Center.
Create the policy.
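Review bot: Moving the backtick so the whole command is in code is the right fix, but the new line should also use the canonical cmdlet casing, `Set-User $admin -RemotePowerShellEnabled $true`, to match the Verb-Noun style used for the other cmdlets in this file (for example `Set-CalendarProcessing`). PowerShell is case-insensitive, so this is a consistency point only.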
@ -1667,7 +1667,7 @@ This retrieves device information for every device that the account has been pro
For a device account to automatically accept or decline meeting requests based on its availability, the **AutomateProcessing** attribute must be set to **AutoAccept**. This is recommended as to prevent overlapping meetings.
```PowerShell
Set-CalendarProcessing $ strRoomUpn -AutomateProcessing AutoAccept
Set-CalendarProcessing $strRoomUpn -AutomateProcessing AutoAccept
```
### <a href="" id="accept-ext-meetings-cmdlet"></a>Accepting external meeting requests

View File

@ -14,10 +14,20 @@ localizationpriority: medium
This topic lists new and updated topics in the [Surface Hub Admin Guide]( surface-hub-administrators-guide.md).
## January 2017
| New or changed topic | Description |
| --- | --- |
| [How Surface Hub addresses Wi-Fi Direct security issues](surface-hub-wifi-direct.md) | New |
| [On-premises deployment (multiple forests)](on-premises-deployment-surface-hub-multi-forest.md) | New |
| [Connect other devices and display with Surface Hub](connect-and-display-with-surface-hub.md) | Added graphics cards verified to work with 84" Surface Hubs and added information about the lengths of cables. |
| [Online deployment](online-deployment-surface-hub-device-accounts.md) | Updated procedures for adding a device account for your Microsoft Surface Hub when you have a pure, online deployment. |
## December 2016
| New or changed topic | Description|
| --- | --- |
| [Connect other devices and display with Surface Hub](connect-and-display-with-surface-hub.md) | Added information about Bluetooth accessories. |
| [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md) | Updated example procedures to include screenshots. |
## November 2016
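Review bot: The context line `[Surface Hub Admin Guide]( surface-hub-administrators-guide.md)` has a stray space before the link target; some Markdown renderers will not recognise it as a link. While touching this file, change it to `[Surface Hub Admin Guide](surface-hub-administrators-guide.md)`.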

View File

@ -13,7 +13,7 @@ localizationpriority: medium
# Connect other devices and display with Surface Hub
You can connect other devices to your Microsoft Surface Hub to display content. This topic describes the Guest Mode, Replacement PC Mode, and Video Out functionality available through wired connections.
You can connect other devices to your Microsoft Surface Hub to display content. This topic describes the Guest Mode, Replacement PC Mode, and Video Out functionality available through wired connections, and also lists accessories that you can connect to Surface Hub using [Bluetooth](#bluetooth-accessories).
## Which method should I choose?
@ -251,7 +251,7 @@ In Replacement PC Mode, Surface Hub supports any graphics adapter that can produ
**55" Surface Hubs** - For best experience, use a graphics card capable of 1080p resolution at 120Hz.
**84" Surface Hubs** - For best experience, use a graphics card capable of outputting four DisplayPort 1.2 streams to produce 2160p at 120Hz (3840 x 2160 at 120Hz vertical refresh). We've verified that this works with the NVIDIA Quadro K2200, NVIDIA Quadro K4200, and NVIDIA Quadro M6000. These are not the only graphics cards - others are available from other vendors.
**84" Surface Hubs** - For best experience, use a graphics card capable of outputting four DisplayPort 1.2 streams to produce 2160p at 120Hz (3840 x 2160 at 120Hz vertical refresh). We've verified that this works with the NVIDIA Quadro K2200, NVIDIA Quadro K4200, NVIDIA Quadro M6000, AMD FirePro W5100, AMD FirePro W7100, and AMD FirePro W9100. These are not the only graphics cards - others are available from other vendors.
Check directly with graphics card vendors for the latest drivers.
@ -273,7 +273,7 @@ Check directly with graphics card vendors for the latest drivers.
</tr>
<tr class="even">
<td><p>AMD</p></td>
<td><p>[http://support.amd.com/download](http://support.amd.com/download)</p></td>
<td><p>[http://support.amd.com/en-us/download](http://support.amd.com/en-us/download)</p></td>
</tr>
<tr class="odd">
<td><p>Intel</p></td>
@ -470,3 +470,19 @@ Video Out port on the 84" Surface Hub
</tbody>
</table>
## Cables
Both the 55” and 84” Surface Hub devices have been tested to work with Certified DisplayPort and HDMI cables. While vendors do sell longer cables that may work with the Surface Hub, only those cables that have been certified by testing labs are certain to work with the Hub. For example, DisplayPort cables are certified only up to 3 meters, however many vendors sell cables that are 3 times that length. If a long cable is necessary, we strongly suggest using HDMI. HDMI has many cost-effective solutions for long-haul cables, including the use of repeaters. Nearly every DisplayPort source will automatically switch to HDMI signaling if a HDMI sink is detected.
## Bluetooth accessories
You can connect the following accessories to Surface Hub using Bluetooth:
- Mice
- Keyboards
- Headsets
- Speakers
>[!NOTE]
>After you connect a Bluetooth headset or speaker, you might need to change the [default microphone and speaker settings](local-management-surface-hub-settings.md).
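Review bot: Two small wording points in the new Cables section: "if a HDMI sink is detected" should read "if an HDMI sink is detected", and the sizes are written with curly quotes (55” and 84”) while the rest of this file uses straight quotes (55" and 84" in the graphics card lines), so the rendered text will be inconsistent.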

View File

@ -46,7 +46,8 @@ For detailed steps using PowerShell to provision a device account, choose an opt
| Organization deployment | Description |
|---------------------------------|--------------------------------------|
| [Online deployment (Office 365)](online-deployment-surface-hub-device-accounts.md) | Your organization's environment is deployed entirely on Office 365. |
| [On-premises deployment](on-premises-deployment-surface-hub-device-accounts.md) | Your organization has servers that it controls and uses to host Active Directory, Exchange, and Skype for Business (or Lync). |
| [On-premises deployment (single-forest)](on-premises-deployment-surface-hub-device-accounts.md) | Your organization has servers that it controls and uses to host Active Directory, Exchange, and Skype for Business (or Lync) in a single-forest environment. |
| [On-premises deployment (multiple forests)](on-premises-deployment-surface-hub-multi-forest.md) | Your organization has servers that it controls and uses to host Active Directory, Exchange, and Skype for Business (or Lync) in a multi-forest environment. |
| [Hybrid deployment](hybrid-deployment-surface-hub-device-accounts.md) | Your organization has a mix of services, with some hosted on-premises and some hosted online through Office 365. |
If you prefer to use a graphical user interface, some steps can be done using UI instead of PowerShell.

View File

@ -53,7 +53,7 @@ Use this procedure if you use Exchange on-prem.
```ps1
Set-ExecutionPolicy Unrestricted
$cred=Get-Credential -Message "Please use your Office 365 admin credentials"
$sess= New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri 'https://outlook.office365.com/ps1-liveid/' -Credential $cred -Authentication Basic -AllowRedirection
$sess= New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri 'https://ps.outlook.com/powershell' -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $sess
```
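Review bot: The hunk's context line says "Use this procedure if you use Exchange on-prem", but the script that follows prompts for Office 365 admin credentials and, before and after this change, connects to an Exchange Online endpoint (`outlook.office365.com` and now `ps.outlook.com`); either the introductory sentence or the `-ConnectionUri` is wrong for on-premises Exchange. Separately, `Set-ExecutionPolicy Unrestricted` is broader than the script needs; `RemoteSigned` is sufficient for running a locally authored script and is the safer setting to recommend in admin documentation.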

View File

@ -13,7 +13,9 @@ localizationpriority: medium
# Microsoft Surface Hub
Documents related to the Microsoft Surface Hub.
Documents related to deploying and managing the Microsoft Surface Hub in your organization.
>[Looking for the user's guide for Surface Hub?](https://www.microsoft.com/surface/support/surface-hub)
## In this section
@ -34,7 +36,8 @@ Documents related to the Microsoft Surface Hub.
<td align="left"><p>[Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md)</p></td>
<td align="left"><p>This guide covers the installation and administration of devices running Surface Hub, and is intended for use by anyone responsible for these tasks, including IT administrators and developers.</p></td>
</tr>
<tr><td>[Differences between Surface Hub and Windows 10 Enterprise](differences-between-surface-hub-and-windows-10-enterprise.md)</td><td>This topic explains the differences between the operating system on Surface Hub and Windows 10 Enterprise.</td></tr><tr>
<td>[Change history for Surface Hub](change-history-surface-hub.md)</td><td>This topic lists new and updated topis in the Surface Hub documentation.</td></tr>
<tr><td>[Differences between Surface Hub and Windows 10 Enterprise](differences-between-surface-hub-and-windows-10-enterprise.md)</td><td>This topic explains the differences between the operating system on Surface Hub and Windows 10 Enterprise.</td></tr>
<tr><td>[How Surface Hub addresses Wi-Fi Direct security issues](surface-hub-wifi-direct.md)</td><td>This topic provides guidance on Wi-Fi Direct security risks, how the Surface Hub has addressed those risks, and how Surface Hub administrators can configure the device for the highest level of security. </td></tr>
<tr><td>[Change history for Surface Hub](change-history-surface-hub.md)</td><td>This topic lists new and updated topis in the Surface Hub documentation.</td></tr>
</tbody>
</table>
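Review bot: The typo "topis" in the Change history row survives this change: the row is moved but the new line still reads "This topic lists new and updated topis in the Surface Hub documentation." Since the line is being touched anyway, change it to "topics".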

View File

@ -94,7 +94,7 @@ Once you've determined deployment rings for your Surface Hubs, configure update
## Use Windows Server Update Services
You can connect Surface Hub to your indows Server Update Services (WSUS) server to manage updates. Updates will be controlled through approvals or automatic deployment rules configured in your WSUS server, so new upgrades will not be deployed until you choose to deploy them.
You can connect Surface Hub to your Windows Server Update Services (WSUS) server to manage updates. Updates will be controlled through approvals or automatic deployment rules configured in your WSUS server, so new upgrades will not be deployed until you choose to deploy them.
**To manually connect a Surface Hub to a WSUS server:**
1. Open **Settings** on your Surface Hub.

View File

@ -101,6 +101,9 @@ This table describes the sample queries in the Surface Hub solution:
For Surface Hub to connect to and register with the OMS service, it must have access to the port number of your domains and the URLs. This table list the ports that OMS needs. For more information, see [Configure proxy and firewall settings in Log Analytics](https://azure.microsoft.com/documentation/articles/log-analytics-proxy-firewall/).
>[!NOTE]
>Surface Hub does not currently support the use of a proxy server to communicate with the OMS service.
| Agent resource | Ports | Bypass HTTPS inspection? |
| --------------------------- | ----- | ------------------------ |
| *.ods.opinsights.azure.com | 443 | Yes |
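Review bot: The context sentence "This table list the ports that OMS needs" should read "This table lists the ports"; and "it must have access to the port number of your domains and the URLs" is hard to parse, something like "it must be able to reach the URLs and ports listed in this table" says what the table shows. Worth fixing while the proxy note is being added right below it.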

View File

@ -1,5 +1,5 @@
---
title: On-premises deployment (Surface Hub)
title: On-premises deployment single forest (Surface Hub)
description: This topic explains how you add a device account for your Microsoft Surface Hub when you have a single-forest, on-premises deployment.
ms.assetid: 80E12195-A65B-42D1-8B84-ECC3FCBAAFC6
keywords: single forest deployment, on prem deployment, device account, Surface Hub
@ -11,12 +11,12 @@ author: TrudyHa
localizationpriority: medium
---
# On-premises deployment (Surface Hub)
# On-premises deployment for Surface Hub in a single-forest environment
This topic explains how you add a device account for your Microsoft Surface Hub when you have a single-forest, on-premises deployment.
If you have a single-forest on-premises deployment with Microsoft Exchange 2013 or later and Skype for Business 2013 or later, then you can [use the provided PowerShell scripts](appendix-a-powershell-scripts-for-surface-hub.md#create-on-premise-ps-scripts) to create device accounts. If youre using a multi-forest deployment, you can use equivalent cmdlets that will produce the same results. Those cmdlets are described in this section.
If you have a single-forest on-premises deployment with Microsoft Exchange 2013 or later and Skype for Business 2013 or later, then you can [use the provided PowerShell scripts](appendix-a-powershell-scripts-for-surface-hub.md#create-on-premise-ps-scripts) to create device accounts. If youre using a multi-forest deployment, see [On-premises deployment for Surface Hub in a multi-forest environment](on-premises-deployment-surface-hub-multi-forest.md).
1. Start a remote PowerShell session from a PC and connect to Exchange.
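Review bot: The rewritten sentence still contains "If youre using a multi-forest deployment" with the apostrophe missing; since the line is being replaced, make it "If you're using". The new cross-reference to the multi-forest topic is the right replacement for the old "equivalent cmdlets ... described in this section" wording.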
@ -99,7 +99,7 @@ If you have a single-forest on-premises deployment with Microsoft Exchange 2013
8. OPTIONAL: You can also allow your Surface Hub to make and receive public switched telephone network (PSTN) phone calls by enabling Enterprise Voice for your account. Enterprise Voice isn't a requirement for Surface Hub, but if you want PSTN dialing functionality for the Surface Hub client, here's how to enable it:
```PowerShell
CsMeetingRoom HUB01 -DomainController DC-ND-001.contoso.com
Set-CsMeetingRoom HUB01 -DomainController DC-ND-001.contoso.com
-LineURItel: +14255550555;ext=50555" Set-CsMeetingRoom -DomainController DC-ND-001.contoso.com
-Identity HUB01 -EnterpriseVoiceEnabled $true
```
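Review bot: Only the missing `Set-` verb on the first cmdlet is fixed here; the rest of the block is still not valid PowerShell. The second line, `-LineURItel: +14255550555;ext=50555" Set-CsMeetingRoom -DomainController DC-ND-001.contoso.com`, runs the parameter name into its value, has a closing quote with no opening one, and glues a second cmdlet onto the same line without a separator. It should be a `-LineURI "tel:+14255550555;ext=50555"` parameter on the first cmdlet, and the second cmdlet should start on its own line with a backtick continuation (or on one line) so the `-Identity HUB01 -EnterpriseVoiceEnabled $true` arguments on the last line attach to it.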

View File

@ -0,0 +1,105 @@
---
title: On-premises deployment multi-forest (Surface Hub)
description: This topic explains how you add a device account for your Microsoft Surface Hub when you have a multi-forest, on-premises deployment.
ms.assetid: 80E12195-A65B-42D1-8B84-ECC3FCBAAFC6
keywords: multi forest deployment, on prem deployment, device account, Surface Hub
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: surfacehub
author: jdeckerMS
localizationpriority: medium
---
# On-premises deployment for Surface Hub in a multi-forest environment
This topic explains how you add a device account for your Microsoft Surface Hub when you have a multi-forest, on-premises deployment.
If you have a multi-forest on-premises deployment with Microsoft Exchange 2013 or later and Skype for Business 2013 or later, then you can [use the provided PowerShell scripts](appendix-a-powershell-scripts-for-surface-hub.md#create-on-premise-ps-scripts) to create device accounts. If youre using a single-forest deployment, see [On-premises deployment for Surface Hub in a single-forest environment](on-premises-deployment-surface-hub-device-accounts.md).
1. Start a remote PowerShell session from a PC and connect to Exchange.
Be sure you have the right permissions set to run the associated cmdlets.
Note here that `$strExchangeServer` is the fully qualified domain name (FQDN) of your Exchange server, and `$strLyncFQDN` is the FQDN of your Skype for Business server.
```PowerShell
Set-ExecutionPolicy Unrestricted
$org='contoso.microsoft.com'
$cred=Get-Credential $admin@$org
$sessExchange = New-PSSession -ConfigurationName microsoft.exchange -Credential $cred -AllowRedirection -Authentication Kerberos -ConnectionUri "http://$strExchangeServer/powershell" -WarningAction SilentlyContinue
$sessLync = New-PSSession -Credential $cred -ConnectionURI "https://$strLyncFQDN/OcsPowershell" -AllowRedirection -WarningAction SilentlyContinue
Import-PSSession $sessExchange
Import-PSSession $sessLync
```
2. After establishing a session, create a new mailbox in the Resource Forest. This will allow the account to authenticate into the Surface Hub.
If you're changing an existing resource mailbox:
```PowerShell
New-Mailbox -UserPrincipalName HUB01@contoso.com -Alias HUB01 -Name "Hub-01"
```
3. After setting up the mailbox, you will need to either create a new Exchange ActiveSync policy, or use a compatible existing policy.
Surface Hubs are only compatible with device accounts that have an ActiveSync policy where the **PasswordEnabled** property is set to **False**. If this isnt set properly, then Exchange services on the Surface Hub (mail, calendar, and joining meetings), will not be enabled.
If you havent created a compatible policy yet, use the following cmdlet-—this one creates a policy called "Surface Hubs". Once its created, you can apply the same policy to other device accounts.
```PowerShell
$easPolicy = New-MobileDeviceMailboxPolicy -Name “SurfaceHubs” -PasswordEnabled $false
```
Once you have a compatible policy, then you will need to apply the policy to the device account.
```PowerShell
Set-CASMailbox $acctUpn -ActiveSyncMailboxPolicy $easPolicy -ActiveSyncEnabled $true
Set-Mailbox $acctUpn -Type Room
```
4. Various Exchange properties can be set on the device account to improve the meeting experience for people. You can see which properties need to be set in the [Exchange properties](exchange-properties-for-surface-hub-device-accounts.md) section.
```PowerShell
Set-CalendarProcessing -Identity $acctUpn -AutomateProcessing AutoAccept -AddOrganizerToSubject $false AllowConflicts $false DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false
Set-CalendarProcessing -Identity $acctUpn -AddAdditionalResponse $true -AdditionalResponse "This is a Surface Hub room!"
```
5. If you decide to have the password not expire, you can set that with PowerShell cmdlets too. See [Password management](password-management-for-surface-hub-device-accounts.md) for more information. This should be set in the User Forest.
```PowerShell
Set-AdUser $acctUpn -PasswordNeverExpires $true
```
6. Enable the account in Active Directory so it will authenticate to the Surface Hub. This should be set in the User Forest.
```PowerShell
Set-AdUser $acctUpn -Enabled $true
```
6. You now need to change the room mailbox to a linked mailbox:
```PowerShell
$cred=Get-Credential AuthForest\LinkedRoomTest1
Set-mailbox -Alias LinkedRoomTest1 -LinkedMasterAccount AuthForest\LinkedRoomTest1 -LinkedDomainController AuthForest-4939.AuthForest.extest.contoso.com -Name LinkedRoomTest1 -LinkedCredential $cred -Identity LinkedRoomTest1
```
7. Enable the device account with Skype for Business by enabling your Surface Hub AD account on a Skype for Business Server pool:
```PowerShell
Enable-CsMeetingRoom -SipAddress "sip:HUB01@contoso.com"
-DomainController DC-ND-001.contoso.com -RegistrarPool LYNCPool15.contoso.com
-Identity HUB01
```
You'll need to use the Session Initiation Protocol (SIP) address and domain controller for the Surface Hub, along with your own Skype for Business Server pool identifier and user identity.
 
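Review bot: The PowerShell in this new topic is not runnable as written, because several variables are used but never assigned: `$admin` and `$strExchangeServer` in step 1 (`$cred=Get-Credential $admin@$org` and the Exchange `-ConnectionUri`), and `$acctUpn` in steps 3 to 6; add assignments (for example `$acctUpn = 'HUB01@contoso.com'` next to the `New-Mailbox` call) or the "Note here that `$strExchangeServer` is ..." sentence needs to say these must be set first. Other defects to fix in the same pass: the `Set-CalendarProcessing` line is missing hyphens on two parameters (`AllowConflicts $false DeleteComments $false` should be `-AllowConflicts $false -DeleteComments $false`); the policy name uses curly quotes (`-Name “SurfaceHubs”`), which PowerShell does tolerate but which will copy badly; `Set-AdUser $acctUpn` passes a UPN, while `Set-ADUser -Identity` accepts a distinguished name, GUID, SID or SAM account name, so use the SAM account name here; the `Enable-CsMeetingRoom` cmdlet is split across three lines with no backtick continuation, so the second and third lines would run as separate commands; and step 6 appears twice. Also, "If you're changing an existing resource mailbox:" introduces a `New-Mailbox` call, which creates a mailbox rather than changing one, so either the sentence or the cmdlet is wrong; the linked-mailbox example in the second step 6 switches from HUB01 to an unrelated `LinkedRoomTest1` account, so it does not follow from the earlier steps; the `ms.assetid` is identical to the one on the single-forest topic (80E12195-A65B-42D1-8B84-ECC3FCBAAFC6) and should be unique; `Set-ExecutionPolicy Unrestricted` is broader than needed (RemoteSigned suffices); and "isnt", "havent", "youre" and "cmdlet-—" need apostrophes and a single dash.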

View File

@ -54,13 +54,10 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow
$easPolicy = New-MobileDeviceMailboxPolicy -Name "SurfaceHubs" -PasswordEnabled $false -AllowNonProvisionableDevices $True
```
Once you have a compatible policy, then you will need to apply the policy to the device account. However, policies can only be applied to user accounts and not resource mailboxes. You need to convert the mailbox into a user type, apply the policy, and then convert it back into a mailbox—you may need to re-enable it and set the password again too.
Once you have a compatible policy, then you will need to apply the policy to the device account.
```PowerShell
Set-Mailbox 'HUB01@contoso.com' -Type Regular
Set-CASMailbox 'HUB01@contoso.com' -ActiveSyncMailboxPolicy $easPolicy.Id
Set-Mailbox 'HUB01@contoso.com' -Type Room
Set-Mailbox 'HUB01@contoso.com' -RoomMailboxPassword (ConvertTo-SecureString -String <password> -AsPlainText -Force) -EnableRoomMailboxAccount $true
```
4. Various Exchange properties must be set on the device account to improve the meeting experience. You can see which properties need to be set in the [Exchange properties](exchange-properties-for-surface-hub-device-accounts.md) section.
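Review bot: This hunk removes the `Set-Mailbox 'HUB01@contoso.com' -RoomMailboxPassword (...) -EnableRoomMailboxAccount $true` line together with the sentence warning that the account may need to be re-enabled and its password set again, but nothing in the remaining lines covers enabling the room mailbox account or setting its password; unless that step exists elsewhere in the topic, the procedure now never enables the account the Surface Hub signs in with. If the Regular/Room conversion is indeed no longer needed, keep the `-EnableRoomMailboxAccount` line (or point to where that is done) rather than dropping it with the rest.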
@ -84,7 +81,10 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow
Set-MsolUser -UserPrincipalName 'HUB01@contoso.com' -PasswordNeverExpires $true
```
7. The device account needs to have a valid Office 365 (O365) license, or Exchange and Skype for Business will not work. If you have the license, you need to assign a usage location to your device account—this determines what license SKUs are available for your account.
7. Surface Hub requires a license for Skype for Business functionality.
- Your Surface Hub account requires a Lync Online (Plan 2) or Lync Online (Plan 3) license, but it does not require an Exchange Online license.
- You'll need to have Lync Online (Plan 2) or higher in your O365 plan. The plan needs to support conferencing capability.
- If you need Enterprise Voice (PSTN telephony) using telephony service providers for the Surface Hub, you need Lync Online (Plan 3).
Next, you can use `Get-MsolAccountSku` to retrieve a list of available SKUs for your O365 tenant.
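Review bot: The first two new bullets say the same thing in different words ("requires a Lync Online (Plan 2) or Lync Online (Plan 3) license" and "You'll need to have Lync Online (Plan 2) or higher in your O365 plan"); fold them into one bullet that states Plan 2 is required, Plan 3 for Enterprise Voice, and that no Exchange Online license is needed. The removed sentence is also the only place that explained assigning a usage location and why it matters ("this determines what license SKUs are available"), yet the unchanged context line still starts with "Next, you can use `Get-MsolAccountSku`", so the step now jumps to listing SKUs without the usage-location prerequisite; restore that sentence or its substance.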
@ -98,15 +98,6 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow
8. Enable the device account with Skype for Business.
In order to enable Skype for Business, your environment will need to meet the following prerequisites:
- You'll need to have Lync Online (Plan 2) or higher in your O365 plan. The plan needs to support conferencing capability.
- If you need Enterprise Voice (PSTN telephony) using telephony service providers for the Surface Hub, you need Lync Online (Plan 3).
- Your tenant users must have Exchange mailboxes.
- Your Surface Hub account does require a Lync Online (Plan 2) or Lync Online (Plan 3) license, but it does not require an Exchange Online license.
<!-- -->
- Start by creating a remote PowerShell session from a PC.
```PowerShell
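Review bot: With the four prerequisite bullets removed, the unchanged context line "In order to enable Skype for Business, your environment will need to meet the following prerequisites:" now introduces nothing and runs straight into the `<!-- -->` separator and the "Start by creating a remote PowerShell session" bullet. Either delete that sentence (and the now-unneeded `<!-- -->` comment) or replace it with a pointer to the licensing bullets added in step 7.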
@ -115,33 +106,30 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow
Import-PSSession $cssess -AllowClobber
```
- To enable your Surface Hub account for Skype for Business Server, run this cmdlet:
- Next, if you aren't sure what value to use for the `RegistrarPool` parameter in your environment, you can get the value from an existing Skype for Business user using this cmdlet (for example, *alice@contoso.com*):
```PowerShell
Enable-CsMeetingRoom -Identity 'HUB01@contoso.com' -RegistrarPool
"sippoolbl20a04.infra.lync.com" -SipAddressType EmailAddress
Get-CsOnlineUser -Identity alice@contoso.com| fl *registrarpool*
```
If you aren't sure what value to use for the `RegistrarPool` parameter in your environment, you can get the value from an existing Skype for Business user using this cmdlet:
OR by setting a variable
```PowerShell
Get-CsOnlineUser -Identity 'alice@contoso.com'| fl *registrarpool*
$strRegistrarPool = (Get-CsOnlineUser -Identity alice@contoso.com).RegistrarPool
```
- Enable the Surface Hub account with the following cmdlet:
```PowerShell
Enable-CsMeetingRoom -Identity 'HUB01@contoso.com' -RegistrarPool yourRegistrarPool -SipAddressType EmailAddress
```
OR using the $strRegistarPool variable from above
```PowerShell
Enable-CsMeetingRoom -Identity 'HUB01@contoso.com' -RegistrarPool $strRegistrarPool -SipAddressType EmailAddress
```
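Review bot: The new `Get-CsOnlineUser -Identity alice@contoso.com| fl *registrarpool*` line drops the quotes around the identity and the space before the pipe that the removed line had; keep `-Identity 'alice@contoso.com' | fl *registrarpool*` so it matches the quoting used for `'HUB01@contoso.com'` in the same hunk. In the first `Enable-CsMeetingRoom` example, `-RegistrarPool yourRegistrarPool` is an unquoted placeholder that reads like a literal value; write it as `-RegistrarPool "<your registrar pool>"` or drop that variant, since the `$strRegistrarPool` variant immediately below it already shows the complete, runnable form and two alternatives for the same step add little.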
9. Assign Skype for Business license to your Surface Hub account.
Once you've completed the preceding steps to enable your Surface Hub account in Skype for Business Online, you need to assign a license to the Surface Hub. Using the O365 administrative portal, assign either a Skype for Business Online (Plan 2) or a Skype for Business Online (Plan 3) to the device.
- Login as a tenant administrator, open the O365 Administrative Portal, and click on the Admin app.
- Click on **Users and Groups** and then **Add users, reset passwords, and more**.
- Select the Surface Hub account, and then click or tap the pen icon, which means edit.
- Click on the **Licenses** option.
- In the **Assign licenses** section, you need to select Skype for Business (Plan 2) or Skype for Business (Plan 3), depending on your licensing and what you've decided in terms of needing Enterprise Voice. You'll have to use a Plan 3 license if you want to use Enterprise Voice on your Surface Hub.
- Click **Save** and you're done.
>**Note**: It's also possible to use the Windows Azure Active Directory Module for Windows PowerShell to run the cmdlets needed to assign one of these licenses, but that's not covered here.
For validation, you should be able to use any Skype for Business client (PC, Android, etc) to log in to this account.
For validation, you should be able to use any Skype for Business client (PC, Android, etc) to sign in to this account.
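Review bot: The "log in" to "sign in" change is applied only to the last line; the first bullet of step 9 still says "Login as a tenant administrator", so change it to "Sign in as a tenant administrator" for consistency within the same step. The closing "(PC, Android, etc)" should also read "etc.)".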

View File

@ -24,7 +24,7 @@ There are several ways to manage your BitLocker key on the Surface Hub.
2. If youve joined the Surface Hub to Azure Active Directory (Azure AD), the BitLocker key will be stored under the account that was used to join the device.
3. If youre using a local admin account to manage the device, you can save the BitLocker key by going to the **Settings** app and navigating to **Update & security** &gt; **Recovery**. Insert a USB drive and select the option to save the BitLocker key. The key will be saved to a text file on the USB drive.
3. If youre using an admin account to manage the device, you can save the BitLocker key by going to the **Settings** app and navigating to **Update & security** &gt; **Recovery**. Insert a USB drive and select the option to save the BitLocker key. The key will be saved to a text file on the USB drive.
## Related topics
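Review bot: The rewritten item 3 still has the missing apostrophe in "If youre using an admin account", and the context item 2 has the same problem in "If youve joined"; since the line is being replaced, write "If you're using". Broadening "local admin account" to "admin account" is fine given the `Settings` app path applies to any admin, but the wording now overlaps with item 2 (Azure AD-joined devices), so consider stating that item 3 applies regardless of how the device was joined.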

View File

@ -0,0 +1,121 @@
---
title: How Surface Hub addresses Wi-Fi Direct security issues
description: This topic provides guidance on Wi-Fi Direct security risks.
keywords: change history
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: surfacehub
author: jdeckerMS
localizationpriority: medium
---
# How Surface Hub addresses Wi-Fi Direct security issues
Microsoft Surface Hub is an all-in-one productivity device that enables teams to better brainstorm, collaborate, and share ideas. Surface Hub relies on Miracast for wireless projection by using Wi-Fi Direct.
This topic provides guidance on Wi-Fi Direct security vulnerabilities, how Surface Hub has addressed those risks, and how Surface Hub administrators can configure the device for the highest level of security. This hardening information will help customers with high security requirements understand how best to protect their Surface Hub connected networks and data in transit.
The intended audiences for this topic include IT and network administrators interested in deploying Microsoft Surface Hub in their corporate environment with optimal security settings.
## Overview
Microsoft Surface Hub's security depends extensively on Wi-Fi Direct / Miracast and the associated 802.11, Wi-Fi Protected Access (WPA2), and Wireless Protected Setup (WPS) standards. Since the device only supports WPS (as opposed to WPA2 Pre-Shared Key (PSK) or WPA2 Enterprise), issues traditionally associated with 802.11 encryption are simplified by design.
It is important to note Surface Hub operates on par with the field of Miracast receivers, meaning that it is protected from, and vulnerable to, a similar set of exploits as all WPS-based wireless network devices. But Surface Hubs implementation of WPS has extra precautions built in, and its internal architecture helps prevent an attacker even after compromising the Wi-Fi Direct / Miracast layer to move past the network interface onto other attack surfaces and connected enterprise networks see [Wi-Fi Direct vulnerabilities and how Surface Hub addresses them](#vulnerabilities).
## Wi-Fi Direct background
Miracast is part of the Wi-Fi Display standard, which itself is supported by the Wi-Fi Direct protocol. These standards are supported in modern mobile devices for screen sharing and collaboration.
Wi-Fi Direct or Wi-Fi "Peer to Peer" (P2P) is a standard released by the Wi-Fi Alliance for "Ad-Hoc" networks. This allows supported devices to communicate directly and create groups of networks without requiring a traditional Wi-Fi Access Point or an Internet connection.
Security for Wi-Fi Direct is provided by WPA2 using the WPS standard. Authentication mechanism for devices can be a numerical pin (WPS-PIN), a physical or virtual Push Button (WPS-PBC), or an out-of-band message such as Near Field Communication (WPS-OOO). The Microsoft Surface Hub supports both Push Button (which is the default) and PIN methods.
In Wi-Fi Direct, groups are created as either "persistent," allowing for automatic reconnection using stored key material, or "temporary," where devices cannot re-authenticate without user intervention or action. Wi-Fi Direct groups will typically determine a Group Owner (GO) through a negotiation protocol, which mimics the "station" or "Access Point" functionality for the established Wi-Fi Direct Group. This Wi-Fi Direct GO provides authentication (via an “Internal Registrar”), and facilitate upstream network connections. For Surface Hub, this GO negotiation does not take place, as the network only operates in "autonomous" mode, where Surface Hub is always the Group Owner. Finally, Surface Hub does not and will not join other Wi-Fi Direct networks itself as a client.
<span id="vulnerabilities" />
## Wi-Fi Direct vulnerabilities and how Surface Hub addresses them
**Vulnerabilities and attacks in the Wi-Fi Direct invitation, broadcast, and discovery process**: Wi-Fi Direct / Miracast attacks may target weaknesses in the group establishment, peer discovery, device broadcast, or invitation processes.
|Wi-Fi Direct Vulnerability | Surface Hub Mitigation |
| --- | --- |
| The discovery process may remain active for an extended period of time, which could allow Invitations and connections to be established without the intent of the device owner. | Surface Hub only operates as the Group Owner (GO), which does not perform the client Discovery or GO negotiation process. Broadcast can be turned off by fully disabling wireless projection. |
| Invitation and discovery using PBC allows an unauthenticated attacker to make repeated connection attempts, or causes unauthenticated connections to be accepted automatically. | By requiring WPS-PIN security, administrators can reduce the potential for such unauthorized connections or "invitation bombs" (where invitations are repeatedly sent until a user mistakenly accepts one). |
**Wi-Fi Protected Setup (WPS) Push Button Connect (PBC) vs PIN Entry**: Public weaknesses have been demonstrated in the design and implementation of the WPS-PIN method; other vulnerabilities exist within WPS-PBC, which is open to active attacks against a protocol designed for one-time use.
| Wi-Fi Direct Vulnerability | Surface Hub Mitigation |
| --- | --- |
| WPS-PBC is vulnerable to active attackers. As stated within the WPS specification: "The PBC method has zero bits of entropy and only protects against passive eavesdropping attacks. PBC protects against eavesdropping attacks and takes measures to prevent a device from joining a network that was not selected by the device owner. The absence of authentication, however, means that PBC does not protect against active attack". Attackers can use selective wireless jamming or other potential denial-of-service vulnerabilities in order to trigger an unintended Wi-Fi Direct GO or connection. Additionally, an active attacker, with only physical proximity, can repeatedly tear down any Wi-Fi Direct group and attempt the described attack until it succeeds. | Enable WPS-PIN security within Surface Hub's configuration. As discussed within the Wi-Fi WPS specification: "The PBC method should only be used if no PIN-capable Registrar is available and the WLAN user is willing to accept the risks associated with PBC". |
| WPS-PIN implementations can be brute-forced using a vulnerability within the WPS standard. Because the PIN is verified in two halves (split PIN verification), a number of implementation vulnerabilities have appeared over the past several years across a wide range of Wi-Fi hardware manufacturers. In 2011 two researchers (Stefan Viehböck and Craig Heffner) released information on this vulnerability and tools such as "Reaver" as a proof of concept. | The Microsoft implementation of WPS within Surface Hub changes the PIN every 30 seconds. To crack the PIN, an attacker must complete the entire exploit in less than 30 seconds. Given the current state of tools and research in this area, a brute-force PIN-cracking attack through WPS is unlikely. |
| WPS-PIN can be cracked using an offline attack due to weak entropy in the initial secret nonces (E-S1, E-S2). In 2014, Dominique Bongard described a "Pixie Dust" attack in which poor initial randomness in the wireless device's pseudo-random number generator (PRNG) led to an offline brute-force attack. | The Microsoft implementation of WPS within Surface Hub is not susceptible to this offline PIN brute-force attack. The WPS-PIN is randomized for each connection. |
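To make the arithmetic behind this table concrete, the following is an added example, not Surface Hub's or Microsoft's code and not a tool for use against real devices. It implements the WPS PIN checksum, models the split-PIN search that tools such as Reaver perform against a static PIN (at most 10^4 + 10^3 = 11,000 attempts instead of 10^8), and then applies the same attacker to a registrar that rotates the PIN every 30 seconds. The toy registrar, the one-attempt-per-second rate, and the rule that a rotation discards all of the attacker's progress are modelling assumptions, not measured Surface Hub behaviour; real registrars also add lockouts and multi-second round trips that make the attacker's position worse than this model shows.

```python
"""Added example, not Microsoft's code: the WPS split-PIN search space and the
effect of a 30-second PIN rotation on it.  The registrar below is a toy model;
the attempt rate and the 'rotation resets all progress' rule are assumptions."""
from typing import Optional
import random

FIRST_HALF_SPACE = 10_000   # digits 1-4 are confirmed first (WPS M4/M6)
SECOND_HALF_SPACE = 1_000   # digits 5-7; digit 8 is a checksum, so 10^3 not 10^4


def wps_checksum(pin7: int) -> int:
    """Checksum digit for a 7-digit PIN body: alternating 3/1 weights, mod 10
    (the scheme the WPS specification uses; 1234567 -> 0, giving 12345670)."""
    accum = 0
    while pin7:
        accum += 3 * (pin7 % 10)   # least significant digit has weight 3
        pin7 //= 10
        accum += pin7 % 10          # next digit has weight 1
        pin7 //= 10
    return (10 - accum % 10) % 10


def is_valid_pin(pin: str) -> bool:
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(int(pin[:7]))


def random_pin(rng: random.Random) -> str:
    """A fresh, valid PIN, as a PIN-rotating registrar would generate."""
    body = rng.randrange(10_000_000)
    return f"{body:07d}{wps_checksum(body)}"


class Registrar:
    """Toy WPS registrar: answers the two half-PIN checks and counts attempts."""

    def __init__(self, pin: str) -> None:
        if not is_valid_pin(pin):
            raise ValueError("invalid WPS PIN")
        self.pin = pin
        self.attempts = 0

    def check_first_half(self, half: str) -> bool:
        self.attempts += 1
        return half == self.pin[:4]

    def check_second_half(self, half: str) -> bool:
        self.attempts += 1
        return half == self.pin[4:]


def split_pin_attack(reg: Registrar) -> Optional[str]:
    """Reaver-style search: confirm digits 1-4, then 5-7 with the checksum
    derived.  Worst case 10^4 + 10^3 = 11,000 attempts, never 10^8."""
    first = None
    for a in range(FIRST_HALF_SPACE):
        if reg.check_first_half(f"{a:04d}"):
            first = f"{a:04d}"
            break
    if first is None:
        return None
    for b in range(SECOND_HALF_SPACE):
        second = f"{b:03d}"
        second += str(wps_checksum(int(first + second)))
        if reg.check_second_half(second):
            return first + second
    return None


def success_probability_per_window(attempts: int) -> float:
    """P(both halves found within one PIN lifetime) if the PIN rotates after
    `attempts` guesses and all progress is lost.  The first half lands on guess
    j with probability 1/10^4; the remaining attempts - j guesses must then hit
    the second half, probability (attempts - j)/10^3."""
    p = 0.0
    for j in range(1, attempts + 1):
        remaining = min(attempts - j, SECOND_HALF_SPACE)
        p += (1 / FIRST_HALF_SPACE) * (remaining / SECOND_HALF_SPACE)
    return p


def expected_seconds_to_crack(attempt_seconds: float, window_seconds: float) -> float:
    """Expected attack time against a rotating PIN: windows are independent
    trials, so the expected number of windows is 1/p (geometric)."""
    attempts = int(window_seconds // attempt_seconds)
    return window_seconds / success_probability_per_window(attempts)


if __name__ == "__main__":
    rng = random.Random(7)                      # seeded so the run is repeatable
    static = Registrar(random_pin(rng))
    print("static PIN recovered:", split_pin_attack(static), "after", static.attempts, "attempts")
    print("worst case, static PIN:", FIRST_HALF_SPACE + SECOND_HALF_SPACE, "attempts")
    days = expected_seconds_to_crack(1.0, 30.0) / 86_400
    print(f"rotating PIN, 1 attempt/s, 30 s lifetime: ~{days:.1f} days expected")
```

With one attempt per second, a static PIN falls in at most about three hours, while the same attacker against a PIN that rotates every 30 seconds needs on the order of a week of uninterrupted attack in this model, and that is before any lockout or the several-second WPS round trip is taken into account. The point is not the exact figure but that rotation turns a bounded, cumulative search into independent low-probability trials.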
**Unintended exposure of network services**: Network daemons intended for Ethernet or WLAN services may be accidentally exposed due to misconfiguration (such as binding to “all”/0.0.0.0 interfaces), a poorly configured device firewall, or missing firewall rules altogether.
| Wi-Fi Direct Vulnerability | Surface Hub Mitigation |
| --- | --- |
| Misconfiguration binds a vulnerable or unauthenticated network service to "all" interfaces, which includes the Wi-Fi Direct interface. This potentially exposes services not intended to be accessible to Wi-Fi Direct clients, which may be weakly or automatically authenticated. | Within Surface Hub, the default firewall rules only permit the required TCP and UDP network ports and by default deny all inbound connections. Strong authentication can be configured by enabling the WPS-PIN mode. |
**Bridging Wi-Fi Direct and other wired or wireless networks**: While network bridging between WLAN or Ethernet networks is a violation of the Wi-Fi Direct specification, such a bridge or misconfiguration may effectively lower or remove wireless access controls for the internal corporate network.
| Wi-Fi Direct Vulnerability | Surface Hub Mitigation |
| --- | --- |
| Wi-Fi Direct devices could allow unauthenticated or poorly authenticated access to bridged network connections. This may allow Wi-Fi Direct networks to route traffic to internal Ethernet LAN or other infrastructure or enterprise WLAN networks in violation of existing IT security protocols. | Surface Hub cannot be configured to bridge Wireless interfaces or allow routing between disparate networks. The default firewall rules add defense in depth to any such routing or bridge connections. |
**The use of Wi-Fi Direct “legacy” mode**: Exposure to unintended networks or devices when operating in “legacy” mode may present a risk. Device spoofing or unintended connections could occur if WPS-PIN is not enabled.
| Wi-Fi Direct Vulnerability | Surface Hub Mitigation |
| --- | --- |
| By supporting both Wi-Fi Direct and 802.11 infrastructure clients, the system is operating in a "legacy" support mode. This may expose the connection setup phase indefinitely, allowing for groups to be joined or devices invited to connect well after their intended setup phase terminates. | Surface Hub does not support Wi-Fi Direct legacy clients. Only Wi-Fi Direct connections can be made to Surface Hub even when WPS-PIN mode is enabled. |
**Wi-Fi Direct GO negotiation during connection setup**: The Group Owner within Wi-Fi Direct is analogous to the “Access Point” in a traditional 802.11 wireless network. The negotiation can be gamed by a malicious device.
|Wi-Fi Direct Vulnerability | Surface Hub Mitigation |
| --- | --- |
| If groups are dynamically established or if the Wi-Fi Direct device can be made to join new groups, the Group Owner (GO) negotiation can be won by a malicious device that always specifies the max Group Owner "intent" value of 15. (Unless such device is configured to always be a Group Owner, in which case the connection fails.) | Surface Hub takes advantage of Wi-Fi Direct "Autonomous mode", which skips the GO negotiation phase of the connection setup. Surface Hub is always the Group Owner. |
**Unintended or malicious Wi-Fi deauthentication**: Wi-Fi deauthentication is an age-old attack that can be used by a physically local attacker to expedite information leaks against the connection setup process, trigger new four-way handshakes, target Wi-Fi Direct WPS-PBC for active attack, or create denial-of-service attacks.
| Wi-Fi Direct Vulnerability | Surface Hub Mitigation |
| --- | --- |
| Deauthentication packets can be sent by an unauthenticated attacker to force the station to re-authenticate, so that the resulting handshake can be sniffed and subjected to cryptographic or brute-force attacks. Mitigations for these attacks include: enforcing length and complexity policies for pre-shared keys; configuring the Access Point (if applicable) to detect malicious levels of deauthentication packets; and using WPS to automatically generate strong keys. In PBC mode the user interacts with a physical or virtual button to allow arbitrary device association. This should happen only at setup, within a small window; once the button is automatically "pushed", the device will accept any station associating via the canonical PBC PIN value (all zeros). Deauthentication can force a repeated setup process. | The current Surface Hub design uses WPS in PIN or PBC mode. No PSK configuration is permitted, which enforces the generation of strong keys. It is recommended to enable WPS-PIN. |
| Beyond denial-of-service attacks, deauthentication packets can also be used to trigger a reconnect, which re-opens the window of opportunity for active attacks against WPS-PBC. | Enable WPS-PIN security within Surface Hub's configuration. |
**Basic wireless information disclosure**: Wireless networks, 802.11 or otherwise, are inherently sources of information disclosure. Although the information is largely connection or device metadata, it remains an accepted risk for any 802.11 administrator. Wi-Fi Direct with device authentication via WPS-PIN effectively reveals the same information as a PSK or Enterprise 802.11 network.
| Wi-Fi Direct Vulnerability | Surface Hub Mitigation |
| --- | --- |
| During broadcast, connection setup, or even with already encrypted connections, basic information about the devices and packet sizes is wirelessly transmitted. At a basic level, a local attacker within wireless range can determine the names of wireless devices, the MAC addresses of communicating equipment, and possibly other details such as the version of the wireless stack, packet sizes, or the configured Access Point or Group Owner options by examining the relevant 802.11 Information Elements. | The Wi-Fi Direct network employed by Surface Hub cannot be further protected from metadata leaks, in the same way 802.11 Enterprise or PSK wireless networks also leak such metadata. Physical security and removing potential threats from the wireless proximity can be used to reduce any potential information leaks. |
**Wireless evil twin or spoofing attacks**: Spoofing the wireless name is a trivial and known exploit for a physically local attacker in order to lure unsuspecting or mistaken users to connect.
| Wi-Fi Direct Vulnerability | Surface Hub Mitigation |
| --- | --- |
| By spoofing or cloning the wireless name or "SSID" of the target network, an attacker may trick the user into connecting to a fake, malicious network. By supporting unauthenticated, auto-join Miracast, an attacker could capture the intended display materials or attempt network attacks on the connecting device. | While no specific protections against joining a spoofed Surface Hub are in place, this attack is partially mitigated in two ways. First, the attacker must be physically within Wi-Fi range. Second, this attack is only possible during the very first connection: subsequent connections use a persistent Wi-Fi Direct group, and Windows will remember and prioritize this prior connection during future Hub use. (Note: Spoofing the MAC address, Wi-Fi channel and SSID simultaneously was not considered for this report and may result in inconsistent Wi-Fi behavior.) Overall this weakness is a fundamental problem for any 802.11 wireless network not using Enterprise WPA2 protocols such as EAP-TLS or EAP-PWD, which are not supported in Wi-Fi Direct. |
## Surface Hub hardening guidelines
Surface Hub is designed to facilitate collaboration and allow users to start or join meetings quickly and efficiently. As such, the default Wi-Fi Direct settings for Surface Hub are optimized for this scenario.
For deployments that require additional security around the wireless interface, we recommend enabling the WPS-PIN security setting. This disables WPS-PBC mode, adds client authentication, and offers the strongest available protection by preventing unauthorized connections to Surface Hub.
If concerns remain around authentication and authorization of a Surface Hub, we recommend connecting the device to a separate network, either Wi-Fi (such as a "guest" Wi-Fi network) or a separate Ethernet network (preferably an entirely different physical network, although a VLAN can also provide some added security). Of course, this approach may preclude connections to internal network resources or services, and may require additional network configuration to regain access.
Also recommended:
- [Install regular system updates.](manage-windows-updates-for-surface-hub.md)
- Update the Miracast settings to disable auto-present mode.
## Learn more
- [Wi-Fi Direct specifications](http://www.wi-fi.org/discover-wi-fi/wi-fi-direct)
- [Wireless Protected Setup (WPS) specification](http://www.wi-fi.org/discover-wi-fi/wi-fi-protected-setup)

View File

@ -184,7 +184,7 @@ In Replacement PC mode, the power states are only Ready and Off and only change
</tr>
<tr class="even">
<td align="left"><p>5</p></td>
<td align="left"><p>50</p></td>
<td align="left"><p>S0</p></td>
<td align="left"><p>Ready</p></td>
</tr>
</tbody>
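Review bot: the row-5 cell that changes from "50" to "S0" is a correct fix, since the column holds ACPI power-state names and S0 is the working state that pairs with "Ready" in the next cell; because this is a digit-for-letter slip, it is worth checking the rest of the same table for the same substitution in the other S-state rows rather than fixing only this row.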