diff --git a/devices/surface-hub/TOC.md b/devices/surface-hub/TOC.md new file mode 100644 index 0000000000..790e48d372 --- /dev/null +++ b/devices/surface-hub/TOC.md @@ -0,0 +1,33 @@ +# [Microsoft Surface Hub](index.md) +## [Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md) +### [Intro to Microsoft Surface Hub](intro-to-surface-hub.md) +### [Physically install Microsoft Surface Hub](physically-install-your-surface-hub-device.md) +### [Prepare your environment for Microsoft Surface Hub](prepare-your-environment-for-surface-hub.md) +#### [Create and test a device account](create-and-test-a-device-account-surface-hub.md) +##### [Online deployment](online-deployment-surface-hub-device-accounts.md) +##### [On-premises deployment](on-premises-deployment-surface-hub-device-accounts.md) +##### [Hybrid deployment](hybrid-deployment-surface-hub-device-accounts.md) +##### [Create a device account using UI](create-a-device-account-using-office-365.md) +##### [Microsoft Exchange properties](exchange-properties-for-surface-hub-device-accounts.md) +##### [Applying ActiveSync policies to device accounts](apply-activesync-policies-for-surface-hub-device-accounts.md) +##### [Password management](password-management-for-surface-hub-device-accounts.md) +#### [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md) +#### [Admin group management](admin-group-management-for-surface-hub.md) +### [Set up Microsoft Surface Hub](set-up-your-surface-hub.md) +#### [Setup worksheet](setup-worksheet-surface-hub.md) +#### [First-run program](first-run-program-surface-hub.md) +### [Manage Microsoft Surface Hub](manage-surface-hub.md) +#### [Accessibility](accessibility-surface-hub.md) +#### [Change the Surface Hub device account](change-surface-hub-device-account.md) +#### [Device reset](device-reset-suface-hub.md) +#### [Install apps on your Surface Hub](install-apps-on-surface-hub.md) +#### [Manage settings with a local admin account](manage-settings-with-local-admin-account-surface-hub.md) +#### [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md) +#### [Monitor your Surface Hub](monitor-surface-hub.md) +#### [Save your BitLocker key](save-bitlocker-key-surface-hub.md) +#### [Using a room control system](use-room-control-system-with-surface-hub.md) +#### [Windows updates](manage-windows-updates-for-surface-hub.md) +#### [Wireless network management](wireless-network-management-for-surface-hub.md) +### [Troubleshoot Microsoft Surface Hub](troubleshoot-surface-hub.md) +### [Appendix: PowerShell](appendix-a-powershell-scripts-for-surface-hub.md) + diff --git a/devices/surface-hub/accessibility-surface-hub.md b/devices/surface-hub/accessibility-surface-hub.md new file mode 100644 index 0000000000..11b73eecdf --- /dev/null +++ b/devices/surface-hub/accessibility-surface-hub.md @@ -0,0 +1,73 @@ +--- +title: Accessibility (Surface Hub) +description: Accessibility settings for the Microsoft Surface Hub can be changed by using the Settings app. You'll find them under Ease of Access. Your Surface Hub has the same accessibility options as Windows 10. +ms.assetid: 1D44723B-1162-4DF6-99A2-8A3F24443442 +keywords: ["Accessibility settings", "Settings app", "Ease of Access"] +author: TrudyHa +--- + +# Accessibility (Surface Hub) + + +Accessibility settings for the Microsoft Surface Hub can be changed by using the Settings app. You'll find them under **Ease of Access**. Your Surface Hub has the same accessibility options as Windows 10. + +The default accessibility settings for Surface Hub include: + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Accessibility featureDefault setting

Narrator

Off

Magnifier

Off

High contrast

No theme selected

Closed captions

Defaults selected for Font and Background and window.

Keyboard

On-screen Keyboard, Sticky Keys, Toggle Keys, and Filter Keys are all off.

Mouse

Defaults selected for Pointer size, Pointer color and Mouse keys.

+ +  + +You'll find additional settings under **Ease of Access** > **Other options**. + +## Related topics + + +[Manage Microsoft Surface Hub](manage-surface-hub.md) + +[Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md) + +  + +  + + + + + diff --git a/devices/surface-hub/admin-group-management-for-surface-hub.md b/devices/surface-hub/admin-group-management-for-surface-hub.md new file mode 100644 index 0000000000..170f3d1be5 --- /dev/null +++ b/devices/surface-hub/admin-group-management-for-surface-hub.md @@ -0,0 +1,104 @@ +--- +title: Admin group management (Surface Hub) +description: Every Microsoft Surface Hub can be configured individually by opening the Settings app on the device. +ms.assetid: FA67209E-B355-4333-B903-482C4A3BDCCE +keywords: ["admin group management", "Settings app", "configure Surface Hub"] +author: TrudyHa +--- + +# Admin group management (Surface Hub) + + +Every Microsoft Surface Hub can be configured individually by opening the Settings app on the device. However, to prevent people who are not administrators from changing the settings, the Settings app requires administrator credentials to open the app and change settings. + +The Settings app requires local administrator credentials to open the app. +## Admin Group Management + + +You can set up administrator accounts for the device in any of three ways: + +- Create a local admin account. +- Domain join the device to Active Directory (AD). +- Azure Active Directory (Azure AD) join the device. + +### Create a local admin account + +To create a local admin, choose to use a local admin during first run. This will create a single local admin account on the Surface Hub with the username and password of your choice. These same credentials will need to be provided to open the Settings app. + +Note that the local admin account information is not backed by any directory service. We recommend you only choose a local admin if the device does not have access to Active Directory (AD) or Azure Active Directory (Azure AD). If you decide to change the local admin’s password, you can do so in Settings. However, if you want to change from using the local admin account to using a group from your domain or Azure AD organization, then you’ll need to reset the device and go through first-time setup again. + +### Domain join the device to Active Directory (AD) + +You can set a security group from your domain as local administrators on the Surface Hub after you domain join the device to AD. You will need to provide credentials that are capable of joining the domain of your choice. After you domain join successfully, you will be asked to pick an existing security group to be set as the local admins. Anyone who is a member of that security group can enter their credentials and unlock Settings. + +**Note**  Surface Hubs domain join for the single purpose of using a security group as local admins. Group policies are not applied after the device is domain joined. + +  + +**Note**  If your Surface Hub loses trust with the domain (for example, if you remove the Surface Hub from the domain after it is domain joined), you won't be able to authenticate into the device and open up Settings. If you decide to remove the trust relationship of the Surface Hub with your domain, reset the device first. + +  + +### Azure Active Directory (Azure AD) join the device + +You can set up IT pros from your Azure AD organization as local administrators on the Surface Hub after you join the device. The people that are provisioned as local admins on your device depend on what Azure AD subscription you have. You will need to provide credentials that are capable of joining the Azure AD organization of your choice. After you successfully join Azure AD, the appropriate people will be set as local admins on the device. Any user who was set up as a local admin as a result of this process can enter their credentials and unlock the Settings app. + +**Note**  If your Azure AD organization is configured with mobile device management (MDM) enrollment, Surface Hubs will be enrolled into MDM as a result of joining Azure AD. Surface Hubs that have joined Azure AD are subject to receiving MDM policies, and can be managed using the MDM solution that your organization uses. + +  + +### Which should I choose? + +If your organization is using AD or Azure AD, we recommend you either domain join or join Azure AD, primarily for security reasons. People will be able to authenticate and unlock Settings with their own credentials, and can be moved in or out of the security groups associated with you domain or organization. + +We recommend that a local admin be set up only if you do not have Active Directory or Azure AD, or if you cannot connect to your Active Directory or Azure AD during first run. + +### Summary + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
How is the local administrator set up?RequirementsWhich credentials can be used for the Settings app?
A local admin account is created.None.The credentials of the local admin that was created.
The Surface Hub is joined to a domain.Your organization is using Active Directory (AD).Credentials of any AD user from a specified security group
The Surface Hub is joined to Azure Active Directory (Azure AD).Your organization is using Azure AD Basic.Tenant or device admins
Your organization is using Azure AD Premium.Tenant or device admins + additional specified people
+ +  + +  + +  + + + + + diff --git a/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md b/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md new file mode 100644 index 0000000000..e1bce22bd9 --- /dev/null +++ b/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md @@ -0,0 +1,1687 @@ +--- +title: Appendix PowerShell (Surface Hub) +description: PowerShell scripts to help set up and manage your Microsoft Surface Hub . +ms.assetid: 3EF48F63-8E4C-4D74-ACD5-461F1C653784 +keywords: ["PowerShell", "set up Surface Hub", "manage Surface Hub"] +author: TrudyHa +--- + +# Appendix: PowerShell (Surface Hub) + + +PowerShell scripts to help set up and manage your Microsoft Surface Hub . + +- [PowerShell scripts for Surface Hub admins](#scripts-for-admins) + - [Create an on-premise account](#create-on-premise-ps-scripts) + - [Create a device account using Office 365](#create-os356-ps-scripts) + - [Account verification script](#acct-verification-ps-scripts) + - [Enable Skype for Business (EnableSfb.ps1)](#enable-sfb-ps-scripts) +- [Useful cmdlets](#useful-cmdlets) + - [Creating a Surface Hub-compatible Exchange ActiveSync policy](#create-compatible-as-policy) + - [Allowing device IDs for ActiveSync](#whitelisting-device-ids-cmdlet) + - [Auto-accepting and declining meeting requests](#auto-accept-meetings-cmdlet) + - [Accepting external meeting requests](#accept-ext-meetings-cmdlet) + +You can check online for updated versions at [Surface Hub device account scripts](http://aka.ms/surfacehubscripts). + +## PowerShell scripts for Surface Hub administrators + + +What do the scripts do? + +- Create device accounts for setups using pure single-forest on-premises (Microsoft Exchange and Skype 2013 and later only) or online (Microsoft Office 365), that are configured correctly for your Surface Hub. +- Validate existing device accounts for any setup (on-premises, online, or hybrid using Exchange or Lync 2010 or later) to make sure they're compatible with Surface Hub. +- Provide a base template for anyone wanting to create their own device account creation or validation scripts. + +What do you need in order to run the scripts? + +- Remote PowerShell access to your organization's domain or tenant, Exchange servers, and Skype for Business servers. +- Admin credentials for your organization's domain or tenant, Exchange servers, and Skype for Business servers. + +**Note**  Whether you’re creating a new account or modifying an already-existing account, the validation script will verify that your device account is configured correctly. You should always run the validation script before adding a device account to Surface Hub. + +  + +## Running the scripts + + +The account creation scripts will: + +- Ask for administrator credentials +- Create device accounts in your domain/tenant +- Create or assign a Surface Hub-compatible ActiveSync policy to the device account(s) +- Set various attributes for the created account(s) in Exchange and Skype for Business. +- Assign licenses and permissions to the created account(s) + +These are the attributes that are set by the scripts: + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
CmdletAttributeValue

Set-Mailbox

RoomMailboxPassword

User-provided

EnableRoomMailboxAccount

True

Type

Room

Set-CalendarProcessing

AutomateProcessing

AutoAccept

RemovePrivateProperty

False

DeleteSubject

False

DeleteComments

False

AddOrganizerToSubject

False

AddAdditionalResponse

True

AdditionalResponse

"This is a Surface Hub room!"

New-MobileDeviceMailboxPolicy

PasswordEnabled

False

AllowNonProvisionableDevices

True

Enable-CSMeetingRoom

RegistrarPool

User-provided

SipAddress

Set to the User Principal Name (UPN) of the device account

Set-MsolUserLicense (O365 only)

AddLicenses

User-provided

Set-MsolUser (O365 only)

PasswordNeverExpires

True

Set-AdUser (On-prem only)

Enabled

True

Set-AdUser (On-prem only)

PasswordNeverExpires

True

+ +  + +## Account creation scripts + + +These scripts will create a device account for you. You can use the [Account verification script](#acct-verification-ps-scripts) to make sure they ran correctly. + +The account creation scripts cannot modify an already existing account, but can be used to help you understand which cmdlets need to be run to configure the existing account correctly. + +### Create an on-premise account + +Creates an account as described in [On-premises deployment](on-premises-deployment-surface-hub-device-accounts.md). + +```PowerShell +# SHAccountCreateOnPrem.ps1 + +$Error.Clear() +$ErrorActionPreference = "Stop" +$status = @{} + +# Cleans up set state such as remote powershell sessions +function Cleanup() +{ + if ($sessExchange) + { + Remove-PSSession $sessExchange + } + if ($sessCS) + { + Remove-PSSession $sessCS + } +} + +function PrintError($strMsg) +{ + Write-Host $strMsg -foregroundcolor Red +} + +function PrintSuccess($strMsg) +{ + Write-Host $strMsg -foregroundcolor Green +} + +function PrintAction($strMsg) +{ + Write-Host $strMsg -ForegroundColor Cyan +} + + +# Cleans up and prints an error message +function CleanupAndFail($strMsg) +{ + if ($strMsg) + { + PrintError($strMsg); + } + Cleanup + exit 1 +} + +# Exits if there is an error set and prints the given message +function ExitIfError($strMsg) +{ + if ($Error) + { + CleanupAndFail($strMsg); + } +} + +## Collect account data ## +$credNewAccount = (Get-Credential -Message "Enter the desired UPN and password for this new account") +$strUpn = $credNewAccount.UserName +$strDisplayName = Read-Host "Please enter the display name you would like to use for $strUpn" +if (!$credNewAccount -Or [System.String]::IsNullOrEmpty($strDisplayName) -Or [System.String]::IsNullOrEmpty($credNewAccount.UserName) -Or $credNewAccount.Password.Length -le 0) +{ + CleanupAndFail "Please enter all of the requested data to continue." + exit 1 +} + + +## Sign in to remote powershell for exchange and lync online ## + +$credExchange = $null +$credExchange=Get-Credential -Message "Enter credentials of an Exchange user with mailbox creation rights" +if (!$credExchange) +{ + CleanupAndFail("Valid credentials are required to create and prepare the account."); +} +$strExchangeServer = Read-Host "Please enter the FQDN of your exchange server (e.g. exch.contoso.com)" + +# Lync info +$credLync = Get-Credential -Message "Enter credentials of a Skype for Business admin (or cancel if they are the same as Exchange)" +if (!$credLync) +{ + $credLync = $credExchange +} +$strLyncFQDN = Read-Host "Please enter the FQDN of your Lync server (e.g. lync.contoso.com) or enter to use [$strExchangeServer]" +if ([System.String]::IsNullOrEmpty($strLyncFQDN)) +{ + $strLyncFQDN = $strExchangeServer +} + + +PrintAction "Connecting to remote sessions. This can occasionally take a while - please do not enter input..." +try +{ + $sessExchange = New-PSSession -ConfigurationName microsoft.exchange -Credential $credExchange -AllowRedirection -Authentication Kerberos -ConnectionUri "http://$strExchangeServer/powershell" -WarningAction SilentlyContinue +} +catch +{ + CleanupAndFail("Failed to connect to exchange. Please check your credentials and try again. If this continues to fail, you may not have permission for remote powershell - if not, please perform the setup manually. Error message: $_") +} +PrintSuccess "Connected to Remote Exchange Shell" + +try +{ + $sessLync = New-PSSession -Credential $credLync -ConnectionURI "https://$strLyncFQDN/OcsPowershell" -AllowRedirection -WarningAction SilentlyContinue +} +catch +{ + CleanupAndFail("Failed to connect to Lync. Please check your credentials and try again. Error message: $_") +} +PrintSuccess "Connected to Lync Server Remote PowerShell" + + +Import-PSSession $sessExchange -AllowClobber -WarningAction SilentlyContinue +Import-PSSession $sessLync -AllowClobber -WarningAction SilentlyContinue + +# In case there was any uncaught errors +ExitIfError("Remote connections failed. Please check your credentials and try again.") + + + +## Create the Exchange mailbox ## +# Note: These exchange commandlets do not always throw their errors as exceptions + +# Because Get-Mailbox will throw an error if the mailbox is not found +$Error.Clear() +PrintAction "Creating a new account..." +try +{ + $mailbox = $null + $mailbox = (New-Mailbox -UserPrincipalName $credNewAccount.UserName -Alias $credNewAccount.UserName.substring(0,$credNewAccount.UserName.indexOf('@')) -room -Name $strDisplayName -RoomMailboxPassword $credNewAccount.Password -EnableRoomMailboxAccount $true) +} catch { } +ExitIfError "Failed to create a new mailbox on exchange."; +$status["Mailbox Setup"] = "Successfully created a mailbox for the new account" + + +$strEmail = $mailbox.WindowsEmailAddress +PrintSuccess "The following mailbox has been created for this room: $strEmail" + + +## Create or retrieve a policy that will be applied to surface hub devices ## +# The policy disables requiring a device password so that the SurfaceHub does not need to be lockable to use Active Sync +$strPolicy = Read-Host 'Please enter the name for a new Surface Hub ActiveSync policy that will be created and applied to this account. +We will configure that policy to be compatible with Surface Hub devices. +If this script has been used before, please enter the name of the existing policy.' + +$easpolicy = $null +try { + $easpolicy = Get-MobileDeviceMailboxPolicy $strPolicy +} +catch {} + +if ($easpolicy) +{ + if (!$easpolicy.PasswordEnabled -and ($easpolicy.AllowNonProvisionableDevices -eq $null -or $easpolicy.AllowNonProvisionableDevices )) + { + PrintSuccess "An existing policy has been found and will be applied to this account." + } + else + { + PrintError "The policy you provided is incompatible with the surface hub." + $easpolicy = $null + $status["Device Password Policy"] = "Failed to apply the EAS policy to the account because the policy was invalid." + } +} +else +{ + $Error.Clear() + PrintAction "Creating policy..." + $easpolicy = New-MobileDeviceMailboxPolicy -Name $strPolicy -PasswordEnabled $false -AllowNonProvisionableDevices $true + if ($easpolicy) + { + PrintSuccess "A new device policy has been created; you can use this same policy for all future Surface Hub device accounts." + } + else + { + PrintError "Could not create $strPolicy" + } +} + +if ($easpolicy) +{ + # Convert mailbox to user type so we can apply the policy (necessary) + # Sometimes it takes a while for this change to take affect so we have some nasty retry loops + $Error.Clear(); + try + { + Set-Mailbox $credNewAccount.UserName -Type Regular + } catch {} + if ($Error) + { + $Error.Clear() + $status["Device Password Policy"] = "Failed to apply the EAS policy to the account." + } + else + { + # Loop until resource type goes away, up to 5 times + for ($i = 0; $i -lt 5 -And (Get-Mailbox $credNewAccount.UserName).ResourceType; $i++) + { + Start-Sleep -s 5 + } + # If the mailbox is still a Room we cannot apply the policy + if (!((Get-Mailbox $credNewAccount.UserName).ResourceType)) + { + $Error.Clear() + # Set policy for account + Set-CASMailbox $credNewAccount.UserName -ActiveSyncMailboxPolicy $strPolicy + if (!$Error) + { + $status["ActiveSync Policy"] = "Successfully applied $strPolicy to the account" + } + else + { + $status["ActiveSync Policy"] = "Failed to apply the EAS policy to the account." + } + $Error.Clear() + + # Convert back to room mailbox + Set-Mailbox $credNewAccount.UserName -Type Room + # Loop until resource type goes back to room + for ($i = 0; ($i -lt 5) -And ((Get-Mailbox $credNewAccount.UserName).ResourceType -ne "Room"); $i++) + { + Start-Sleep -s 5 + } + if ((Get-Mailbox $credNewAccount.UserName).ResourceType -ne "Room") + { + # A failure to convert the mailbox back to a room is unfortunate but means the mailbox is unusable. + $status["Mailbox Setup"] = "A mailbox was created but we could not set it to a room resource type." + } + else + { + try + { + Set-Mailbox $credNewAccount.UserName -RoomMailboxPassword $credNewAccount.Password -EnableRoomMailboxAccount $true + } catch { } + if ($Error) + { + $status["Mailbox Setup"] = "A room mailbox was created but we could not set its password." + } + $Error.Clear() + } + + } + } +} +PrintSuccess "Account creation completed." + +PrintAction "Setting calendar processing rules..." + +$Error.Clear(); +## Prepare the calendar for automatic meeting responses ## +try { + Set-CalendarProcessing -Identity $credNewAccount.UserName -AutomateProcessing AutoAccept +} catch { } +if ($Error) +{ + $status["Calendar Acceptance"] = "Failed to configure the account to automatically accept/decline meeting requests" +} +else +{ + $status["Calendar Acceptance"] = "Successfully configured the account to automatically accept/decline meeting requests" +} + + +$Error.Clear() +try { + Set-CalendarProcessing -Identity $credNewAccount.UserName -RemovePrivateProperty $false -AddOrganizerToSubject $false -AddAdditionalResponse $true -DeleteSubject $false -DeleteComments $false -AdditionalResponse "This is a Surface Hub room!" +} catch { } +if ($Error) +{ + $status["Calendar Response Configuration"] = "Failed to configure the account's response properties" +} +else +{ + $status["Calendar Response Configuration"] = "Successfully configured the account's response properties" +} + +$Error.Clear() +## Configure the Account to not expire ## +PrintAction "Configuring password not to expire..." +Start-Sleep -s 20 +try +{ + Set-AdUser $mailbox.Alias -PasswordNeverExpires $true -Enabled $true +} +catch +{ + +} + +if ($Error) +{ + $status["Password Expiration Policy"] = "Failed to set the password to never expire" +} +else +{ + $status["Password Expiration Policy"] = "Successfully set the password to never expire" +} + +PrintSuccess "Completed Exchange configuration" + +## Setup Skype for Business. This is somewhat optional and if it fails we SfbEnable can be used later ## +PrintAction "Configuring account for Skype for Business." + +# Getting registrar pool +$strRegPool = $strLyncFQDN +$Error.Clear() +$strRegPoolEntry = Read-Host "Enter a Skype for Business Registrar Pool, or leave blank to use [$strRegPool]" +if (![System.String]::IsNullOrEmpty($strRegPoolEntry)) +{ + $strRegPool = $strRegPoolEntry +} + +# Try to SfB-enable the account. Note that it may not work right away as the account needs to propogate to active directory +PrintAction "Enabling Skype for Business..." +Start-Sleep -s 10 +$Error.Clear() +try { + Enable-CsMeetingRoom -Identity $credNewAccount.UserName -RegistrarPool $strRegPool -SipAddressType EmailAddress +} +catch { } + +if ($Error) +{ + $status["Skype for Business Account Setup"] = "Failed to setup the Skype for Business meeting room - you can run EnableSfb.ps1 to try again." + $Error.Clear(); +} +else +{ + $status["Skype for Business Account Setup"] = "Successfully enabled account as a Skype for Business meeting room" +} + +Write-Host + +## Cleanup and print results ## +Cleanup +$strDisplay = $mailbox.DisplayName +$strUsr = $credNewAccount.UserName +PrintAction "Summary for creation of $strUsr ($strDisplay)" +if ($status.Count -gt 0) +{ + ForEach($k in $status.Keys) + { + $v = $status[$k] + $color = "yellow" + if ($v[0] -eq "S") { $color = "green" } + elseif ($v[0] -eq "F") + { + $color = "red" + $v += " Go to http://aka.ms/shubtshoot" + } + + Write-Host -NoNewline $k -ForegroundColor $color + Write-Host -NoNewline ": " + Write-Host $v + } +} +else +{ + PrintError "The account could not be created" +} +``` + +### Create a device account using Office 365 + +Creates an account as described in [Create a device account using Office 365](create-a-device-account-using-office-365.md) + +```PowerShell +# SHAccountCreateO365.ps1 + +$Error.Clear() +$ErrorActionPreference = "Stop" +$status = @{} + +# Cleans up set state such as remote powershell sessions +function Cleanup() +{ + if ($sessExchange) + { + Remove-PSSession $sessExchange + } + if ($sessCS) + { + Remove-PSSession $sessCS + } +} + +function PrintError($strMsg) +{ + Write-Host $strMsg -foregroundcolor Red +} + +function PrintSuccess($strMsg) +{ + Write-Host $strMsg -foregroundcolor Green +} + +function PrintAction($strMsg) +{ + Write-Host $strMsg -ForegroundColor Cyan +} + + +# Cleans up and prints an error message +function CleanupAndFail($strMsg) +{ + if ($strMsg) + { + PrintError($strMsg); + } + Cleanup + exit 1 +} + +# Exits if there is an error set and prints the given message +function ExitIfError($strMsg) +{ + if ($Error) + { + CleanupAndFail($strMsg); + } +} + + +## Check dependencies ## +try { + Import-Module LyncOnlineConnector + Import-Module MSOnline +} +catch +{ + PrintError "Some dependencies are missing" + PrintError "Please install the Windows PowerShell Module for Lync Online. For more information go to http://www.microsoft.com/download/details.aspx?id=39366" + PrintError "Please install the Azure Active Directory module for PowerShell from http://go.microsoft.com/fwlink/p/?linkid=236297" + CleanupAndFail +} + + + +## Collect account data ## +$credNewAccount = (Get-Credential -Message "Enter the desired UPN and password for this new account") +$strUpn = $credNewAccount.UserName +$strDisplayName = Read-Host "Please enter the display name you would like to use for $strUpn" +if (!$credNewAccount -Or [System.String]::IsNullOrEmpty($strDisplayName) -Or [System.String]::IsNullOrEmpty($credNewAccount.UserName) -Or $credNewAccount.Password.Length -le 0) +{ + CleanupAndFail "Please enter all of the requested data to continue." + exit 1 +} + + +## Sign in to remote powershell for exchange and lync online ## +$credAdmin = $null +$credAdmin=Get-Credential -Message "Enter credentials of an Exchange and Skype for Business admin" +if (!$credadmin) +{ + CleanupAndFail "Valid admin credentials are required to create and prepare the account." +} +PrintAction "Connecting to remote sessions. This can occasionally take a while - please do not enter input..." +try +{ + $sessExchange = New-PSSession -ConfigurationName microsoft.exchange -Credential $credAdmin -AllowRedirection -Authentication basic -ConnectionUri "https://outlook.office365.com/powershell-liveid/" -WarningAction SilentlyContinue +} +catch +{ + CleanupAndFail "Failed to connect to exchange. Please check your credentials and try again. Error message: $_" +} + +try +{ + $sessCS = New-CsOnlineSession -Credential $credAdmin +} +catch +{ + CleanupAndFail "Failed to connect to Skype for Business Online Datacenter. Please check your credentials and try again. Error message: $_" +} + +try +{ + Connect-MsolService -Credential $credAdmin +} +catch +{ + CleanupAndFail "Failed to connect to Azure Active Directory. Please check your credentials and try again. Error message: $_" +} + +Import-PSSession $sessExchange -AllowClobber -WarningAction SilentlyContinue +Import-PSSession $sessCS -AllowClobber -WarningAction SilentlyContinue + +# In case there was any uncaught errors +ExitIfError "Remote connection failed. Please check your credentials and try again." + + + +## Create the Exchange mailbox ## +# Note: These exchange commandlets do not always throw their errors as exceptions + +# Because Get-Mailbox will throw an error if the mailbox is not found +$Error.Clear() +PrintAction "Creating a new account..." +try +{ + $mailbox = $null + $mailbox = (New-Mailbox -MicrosoftOnlineServicesID $credNewAccount.UserName -room -Name $strDisplayName -RoomMailboxPassword $credNewAccount.Password -EnableRoomMailboxAccount $true) +} catch { } +ExitIfError "Failed to create a new mailbox on exchange."; +$status["Mailbox Setup"] = "Successfully created a mailbox for the new account" + + +$strEmail = $mailbox.WindowsEmailAddress +PrintSuccess "The following mailbox has been created for this room: $strEmail" + + +## Create or retrieve a policy that will be applied to surface hub devices ## +# The policy disables requiring a device password so that the SurfaceHub does not need to be lockable to use Active Sync +$strPolicy = Read-Host 'Please enter the name for a new Surface Hub ActiveSync policy that will be created and applied to this account. +We will configure that policy to be compatible with Surface Hub devices. +If this script has been used before, please enter the name of the existing policy.' + +$easpolicy = $null +try { + $easpolicy = Get-MobileDeviceMailboxPolicy $strPolicy +} +catch {} + +if ($easpolicy) +{ + if (!$easpolicy.PasswordEnabled -and ($easpolicy.AllowNonProvisionableDevices -eq $null -or $easpolicy.AllowNonProvisionableDevices )) + { + PrintSuccess "An existing policy has been found and will be applied to this account." + } + else + { + PrintError "The policy you provided is incompatible with the surface hub." + $easpolicy = $null + $status["ActiveSync Policy"] = "Failed to apply the EAS policy to the account because the policy was invalid." + } +} +else +{ + $Error.Clear() + PrintAction "Creating policy..." + $easpolicy = New-MobileDeviceMailboxPolicy -Name $strPolicy -PasswordEnabled $false -AllowNonProvisionableDevices $true + if ($easpolicy) + { + PrintSuccess "A new device policy has been created; you can use this same policy for all future Surface Hub device accounts." + } + else + { + PrintError "Could not create $strPolicy" + } +} + +if ($easpolicy) +{ + # Convert mailbox to user type so we can apply the policy (necessary) + # Sometimes it takes a while for this change to take affect so we have some nasty retry loops + $Error.Clear(); + try + { + Set-Mailbox $credNewAccount.UserName -Type Regular + } catch {} + if ($Error) + { + $Error.Clear() + $status["Device Password Policy"] = "Failed to apply the EAS policy to the account." + PrintError "Failed to convert to regular account" + } + else + { + # Loop until resource type goes away, up to 5 times + for ($i = 0; $i -lt 5 -And (Get-Mailbox $credNewAccount.UserName).ResourceType; $i++) + { + Start-Sleep -s 5 + } + # If the mailbox is still a Room we cannot apply the policy + if (!((Get-Mailbox $credNewAccount.UserName).ResourceType)) + { + $Error.Clear() + # Set policy for account + Set-CASMailbox $credNewAccount.UserName -ActiveSyncMailboxPolicy $strPolicy + if (!$Error) + { + $status["Device Password Policy"] = "Successfully applied $strPolicy to the account" + } + else + { + $status["Device Password Policy"] = "Failed to apply the EAS policy to the account." + PrintError "Failed to apply policy" + } + $Error.Clear() + + # Convert back to room mailbox + Set-Mailbox $credNewAccount.UserName -Type Room + # Loop until resource type goes back to room + for ($i = 0; ($i -lt 5) -And ((Get-Mailbox $credNewAccount.UserName).ResourceType -ne "Room"); $i++) + { + Start-Sleep -s 5 + } + if ((Get-Mailbox $credNewAccount.UserName).ResourceType -ne "Room") + { + # A failure to convert the mailbox back to a room is unfortunate but means the mailbox is unusable. + $status["Mailbox Setup"] = "A mailbox was created but we could not set it to a room resource type." + } + else + { + Set-Mailbox $credNewAccount.UserName -RoomMailboxPassword $credNewAccount.Password -EnableRoomMailboxAccount $true + if ($Error) + { + $status["Mailbox Setup"] = "A room mailbox was created but we could not set its password." + } + $Error.Clear() + } + + } + } +} +else +{ + $status["Device Password Policy"] = "Failed to apply the EAS policy to the account." + PrintError "Failed to obtain policy" +} +PrintSuccess "Account creation completed." + +PrintAction "Setting calendar processing rules..." + +$Error.Clear(); +## Prepare the calendar for automatic meeting responses ## +try { + Set-CalendarProcessing -Identity $credNewAccount.UserName -AutomateProcessing AutoAccept +} catch { } +if ($Error) +{ + $status["Calendar Acceptance"] = "Failed to configure the account to automatically accept/decline meeting requests" +} +else +{ + $status["Calendar Acceptance"] = "Successfully configured the account to automatically accept/decline meeting requests" +} + + +$Error.Clear() +try { + Set-CalendarProcessing -Identity $credNewAccount.UserName -RemovePrivateProperty $false -AddOrganizerToSubject $false -AddAdditionalResponse $true -DeleteSubject $false -DeleteComments $false -AdditionalResponse "This is a Surface Hub room!" +} catch { } +if ($Error) +{ + $status["Calendar Response Configuration"] = "Failed to configure the account's response properties" +} +else +{ + $status["Calendar Response Configuration"] = "Successfully configured the account's response properties" +} + +$Error.Clear() +## Configure the Account to not expire ## +PrintAction "Configuring password not to expire..." +try +{ + Set-MsolUser -UserPrincipalName $credNewAccount.UserName -PasswordNeverExpires $true +} +catch +{ + +} + +if ($Error) +{ + $status["Password Expiration Policy"] = "Failed to set the password to never expire" +} +else +{ + $status["Password Expiration Policy"] = "Successfully set the password to never expire" +} + +PrintSuccess "Completed Exchange configuration" + +## Setup Skype for Business. This is somewhat optional and if it fails we SfbEnable can be used later ## +PrintAction "Configuring account for Skype for Business." + +# Getting registrar pool +$strRegPool = $null +try { + $strRegPool = (Get-CsTenant).TenantPoolExtension +} +catch {} +$Error.Clear() +if (![System.String]::IsNullOrEmpty($strRegPool)) +{ + $strRegPool = $strRegPool.Substring($strRegPool[0].IndexOf(':') + 1) +} +<# +$strRegPoolEntry = Read-Host "Enter a Skype for Business Registrar Pool, or leave blank to use [$strRegPool]" +if (![System.String]::IsNullOrEmpty($strRegPoolEntry)) +{ + $strRegPool = $strRegPoolEntry +} +#> + +# Try to SfB-enable the account. Note that it may not work right away as the account needs to propogate to active directory +PrintAction "Enabling Skype for Business on $strRegPool" +Start-Sleep -s 10 +$Error.Clear() +try { + Enable-CsMeetingRoom -Identity $credNewAccount.UserName -RegistrarPool $strRegPool -SipAddressType EmailAddress +} +catch { } + +if ($Error) +{ + $status["Skype for Business Account Setup"] = "Failed to setup the Skype for Business meeting room - you can run EnableSfb.ps1 to try again." + $Error.Clear(); +} +else +{ + $status["Skype for Business Account Setup"] = "Successfully enabled account as a Skype for Business meeting room" +} + +## Now we need to assign a Skype for Business license to the account ## +# Assign a license to thes +$countryCode = (Get-CsTenant).CountryAbbreviation +$loc = Read-Host "Please enter the usage location for this device account (where the account is being used). This is a 2-character code that is used to assign licenses (e.g. $countryCode)" +try { + $Error.Clear() + Set-MsolUser -UserPrincipalName $credNewAccount.UserName -UsageLocation $loc +} +catch{} +if ($Error) +{ + $status["Office 365 License"] = "Failed to assign an Office 365 license to the account" + $Error.Clear() +} +else +{ + PrintAction "We found the following licenses available for your tenant:" + $skus = (Get-MsolAccountSku | Where-Object { !$_.AccountSkuID.Contains("INTUNE"); }) + $i = 1 + $skus | % { + Write-Host -NoNewline $i + Write-Host -NoNewLine ": AccountSKUID: " + Write-Host -NoNewLine $_.AccountSkuid + Write-Host -NoNewLine " Active Units: " + Write-Host -NoNewLine $_.ActiveUnits + Write-Host -NoNewLine " Consumed Units: " + Write-Host $_.ConsumedUnits + $i++ + } + $iLicenseIndex = 0; + do + { + $iLicenseIndex = Read-Host 'Choose the number for the SKU you want to pick' + } while ($iLicenseIndex -lt 1 -or $iLicenseIndex -gt $skus.Length) + $strLicenses = $skus[$iLicenseIndex - 1].AccountSkuId + + if (![System.String]::IsNullOrEmpty($strLicenses)) + { + try + { + $Error.Clear() + Set-MsolUserLicense -UserPrincipalName $credNewAccount.UserName -AddLicenses $strLicenses + } + catch + { + + } + if ($Error) + { + $Error.Clear() + $status["Office 365 License"] = "Failed to add a license to the account. Make sure you have remaining licenses." + } + else + { + $status["Office 365 License"] = "Successfully added license to the account" + } + } + else + { + $status["Office 365 License"] = "You opted not to install a license on this account" + } +} + + +Write-Host + +## Cleanup and print results ## +Cleanup +$strDisplay = $mailbox.DisplayName +$strUsr = $credNewAccount.UserName +PrintAction "Summary for creation of $strUsr ($strDisplay)" +if ($status.Count -gt 0) +{ + ForEach($k in $status.Keys) + { + $v = $status[$k] + $color = "yellow" + if ($v[0] -eq "S") { $color = "green" } + elseif ($v[0] -eq "F") + { + $color = "red" + $v += " Go to http://aka.ms/shubtshoot for help" + } + + Write-Host -NoNewline $k -ForegroundColor $color + Write-Host -NoNewline ": " + Write-Host $v + } +} +else +{ + PrintError "The account could not be created" +} +``` + +## Account verification script + + +This script will validate the previously-created device account on a Surface Hub, no matter which method was used to create it. This script is basically pass/fail. If one of the test errors out, it will show a detailed error message, but if all tests pass, the end result will be a summary report. For example, you might see: + +``` syntax +15 tests executed +0 failures +2 warnings +15 passed +``` + +Details of specific settings will not be shown. + +```PowerShell +# SHAccountValidate.ps1 + +$Error.Clear() +$ErrorActionPreference = "Stop" + + +# Cleans up set state such as remote powershell sessions +function Cleanup() +{ + if ($sessEx) + { + Remove-PSSession $sessEx + } + if ($sessSfb) + { + Remove-PSSession $sessSfb + } +} + +function PrintError($strMsg) +{ + Write-Host $strMsg -foregroundcolor "red" +} + +function PrintSuccess($strMsg) +{ + Write-Host $strMsg -foregroundcolor "green" +} + +function PrintAction($strMsg) +{ + Write-Host $strMsg -ForegroundColor Cyan +} + + +# Cleans up and prints an error message +function CleanupAndFail($strMsg) +{ + if ($strMsg) + { + PrintError($strMsg); + } + Cleanup + exit 1 +} + +# Exits if there is an error set and prints the given message +function ExitIfError($strMsg) +{ + if ($Error) + { + CleanupAndFail($strMsg); + } +} + +$strUpn = Read-Host "What is the email address of the account you wish to validate?" +if (!$strUpn.Contains('@')) +{ + CleanupAndFail "$strUpn is not a valid email address" +} +$strExServer = Read-Host "What is your exchange server? (leave blank for online tenants)" +if ($strExServer.Equals("")) +{ + $fExIsOnline = $true +} +else +{ + $fExIsOnline = $false +} +$credEx = Get-Credential -Message "Please provide exchange user credentials" + +$strRegistrarPool = Read-Host ("What is the Skype for Business registrar pool for $strUpn" + "? (leave blank for online tenants)") +$fSfbIsOnline = $strRegistrarPool.Equals("") + +$fHasOnPrem = $true +if ($fSfbIsOnline -and $fExIsOnline) +{ + do + { + $strHasOnPrem = (Read-Host "Do you have an on-premises Active Directory (Y/N) (No if your domain services are hosted entirely online)").ToUpper() + } while ($strHasOnPrem -ne "Y" -and $strHasOnPrem -ne "N") + $fHasOnPrem = $strHasOnPrem.Equals("Y") +} + +$fHasOnline = $false +if ($fSfbIsOnline -or $fExIsOnline) +{ + $fHasOnline = $true +} + +if ($fSfbIsOnline) +{ + try { + Import-Module LyncOnlineConnector + } + catch + { + CleanupAndFail "To verify Skype for Business in online tenants you need the Lync Online Connector module from http://www.microsoft.com/download/details.aspx?id=39366" + } +} +else +{ + $credSfb = (Get-Credential -Message "Please enter Skype for Business admin credentials") +} + +if ($fHasOnline) +{ + $credSfb = $credEx + try { + Import-Module MSOnline + } + catch + { + CleanupAndFail "To verify accounts in online tenants you need the Azure Active Directory module for PowerShell from http://go.microsoft.com/fwlink/p/?linkid=236297" + } +} + +PrintAction "Connecting to Exchange Powershell Session..." +[System.Management.Automation.Runspaces.AuthenticationMechanism] $authType = [System.Management.Automation.Runspaces.AuthenticationMechanism]::Kerberos +if ($fExIsOnline) +{ + $authType = [System.Management.Automation.Runspaces.AuthenticationMechanism]::Basic +} +try +{ + $sessEx = $null + if ($fExIsOnline) + { + $sessEx = New-PSSession -ConfigurationName microsoft.exchange -Credential $credEx -AllowRedirection -Authentication $authType -ConnectionUri "https://outlook.office365.com/powershell-liveid/" -WarningAction SilentlyContinue + } + else + { + $sessEx = New-PSSession -ConfigurationName microsoft.exchange -Credential $credEx -AllowRedirection -Authentication $authType -ConnectionUri https://$strExServer/powershell -WarningAction SilentlyContinue + } +} +catch +{ +} + +if (!$sessEx) +{ + CleanupAndFail "Connecting to Exchange Powershell failed, please validate your server is accessible and credentials are correct" +} + +PrintSuccess "Connected to Exchange Powershell Session" + +PrintAction "Connecting to Skype for Business Powershell Session..." + +if ($fSfbIsOnline) +{ + $sessSfb = New-CsOnlineSession -Credential $credSfb +} +else +{ + $sessSfb = New-PSSession -Credential $credSfb -ConnectionURI "https://$strRegistrarPool/OcsPowershell" -AllowRedirection -WarningAction SilentlyContinue +} + +if (!$sessSfb) +{ + CleanupAndFail "Connecting to Skype for Business Powershell failed, please validate your server is accessible and credentials are correct" +} + +PrintSuccess "Connected to Skype for Business Powershell" + +if ($fHasOnline) +{ + $credMsol = $null + if ($fExIsOnline) + { + $credMsol = $credEx + } + elseif ($fSfbIsOnline) + { + $credMsol = $credSfb + } + else + { + CleanupAndFail "Internal error - could not determine MS Online credentials" + } + try + { + PrintAction "Connecting to Azure Active Directory Services..." + Connect-MsolService -Credential $credMsol + PrintSuccess "Connected to Azure Active Directory Services" + } + catch + { + # This really shouldn't happen unless there is a network error + CleanupAndFail "Failed to connect to MSOnline" + } +} + + +PrintAction "Importing remote sessions into the local session..." +try +{ + $importEx = Import-PSSession $sessEx -AllowClobber -WarningAction SilentlyContinue -DisableNameChecking + $importSfb = Import-PSSession $sessSfb -AllowClobber -WarningAction SilentlyContinue -DisableNameChecking +} +catch +{ +} +if (!$importEx -or !$importSfb) +{ + CleanupAndFail "Import failed" +} +PrintSuccess "Import successful" + + +$mailbox = $null +try +{ + $mailbox = Get-Mailbox -Identity $strUpn +} +catch +{ +} + +if (!$mailbox) +{ + CleanupAndFail "Account exists check failed. Unable to find the mailbox for $strUpn - please make sure the Exchange account exists on $strExServer" +} + +$exchange = $null +if (!$fExIsOnline) +{ + $exchange = Get-ExchangeServer + if (!$exchange -or !$exchange.IsE14OrLater) + { + CleanupAndFail "A compatible exchange server version was not found. Please use at least exchange 2010." + } +} + + +$strAlias = $mailbox.Alias +$strDisplayName = $mailbox.DisplayName + +$strLinkedAccount = $strLinkedDomain = $strLinkedUser = $strLinkedServer = $null +$credLinkedDomain = $Null +if (!$fExIsOnline -and ![System.String]::IsNullOrEmpty($mailbox.LinkedMasterAccount) -and !$mailbox.LinkedMasterAccount.EndsWith("\SELF")) +{ + $strLinkedAccount = $mailbox.LinkedMasterAccount + $strLinkedDomain = $strLinkedAccount.substring(0,$strLinkedAccount.IndexOf('\')) + $strLinkedUser = $strLinkedAccount.substring($strLinkedAccount.IndexOf('\') + 1) + $strLinkedServer = Read-Host "What is the domain controller for the $strLinkedDomain" + $credLinkedDomain = (Get-Credential -Message "Please provide credentials for $strLinkedDomain") +} + + + + + + + +Write-Host +Write-Host +Write-Host +PrintAction "Performing verification checks on $strDisplayName..." +$Global:iTotalFailures = 0 +$global:iTotalWarnings = 0 +$Global:iTotalPasses = 0 + +function Validate() +{ + Param( + [string]$Test, + [bool] $Condition, + [string]$FailureMsg, + [switch]$WarningOnly + ) + + Write-Host -NoNewline -ForegroundColor White $Test.PadRight(100,'.') + if ($Condition) + { + Write-Host -ForegroundColor Green "Passed" + $global:iTotalPasses++ + } + else + { + if ($WarningOnly) + { + Write-Host -ForegroundColor Yellow ("Warning: "+$FailureMsg) + $global:iTotalWarnings++ + } + else + { + Write-Host -ForegroundColor Red ("Failed: "+$FailureMsg) + $global:iTotalFailures++ + } + } +} + +## Exchange ## + +Validate -WarningOnly -Test "The mailbox $strUpn is enabled as a room account" -Condition ($mailbox.RoomMailboxAccountEnabled -eq $True) -FailureMsg "RoomMailboxEnabled - without a device account, the Surface Hub will not be able to use various key features." +$calendarProcessing = Get-CalendarProcessing -Identity $strUpn -WarningAction SilentlyContinue -ErrorAction SilentlyContinue +Validate -Test "The mailbox $strUpn is configured to accept meeting requests" -Condition ($calendarProcessing -ne $null -and $calendarProcessing.AutomateProcessing -eq 'AutoAccept') -FailureMsg "AutomateProcessing - the Surface Hub will not be able to send mail or sync its calendar." +Validate -WarningOnly -Test "The mailbox $strUpn will not delete meeting comments" -Condition ($calendarProcessing -ne $null -and !$calendarProcessing.DeleteComments) -FailureMsg "DeleteComments - the Surface Hub may be missing some meeting information on the welcome screen and Skype." +Validate -WarningOnly -Test "The mailbox $strUpn keeps private meetings private" -Condition ($calendarProcessing -ne $null -and !$calendarProcessing.RemovePrivateProperty) -FailureMsg "RemovePrivateProperty - the Surface Hub will make show private meetings." +Validate -Test "The mailbox $strUpn keeps meeting subjects" -Condition ($calendarProcessing -ne $null -and !$calendarProcessing.DeleteSubject) -FailureMsg "DeleteSubject - the Surface Hub will not keep meeting subject information." +Validate -WarningOnly -Test "The mailbox $strUpn does not prepend meeting organizers to subjects" -Condition ($calendarProcessing -ne $null -and !$calendarProcessing.AddOrganizerToSubject) -FailureMsg "AddOrganizerToSubject - the Surface Hub will not display meeting subjects as intended." + +if ($fExIsOnline) +{ + #No online specifics +} +else +{ + #No onprem specifics +} + +#ActiveSync +$casMailbox = Get-Casmailbox $strUpn -WarningAction SilentlyContinue -ErrorAction SilentlyContinue +Validate -Test "The mailbox $strUpn has a mailbox policy" -Condition ($casMailbox -ne $null) -FailureMsg "PasswordEnabled - unable to find policy - the Surface Hub will not be able to send mail or sync its calendar." +if ($casMailbox) +{ + $policy = $null + if ($fExIsOnline -or $exchange.IsE15OrLater) + { + $strPolicy = $casMailbox.ActiveSyncMailboxPolicy + $policy = Get-MobileDeviceMailboxPolicy -Identity $strPolicy -WarningAction SilentlyContinue -ErrorAction SilentlyContinue + Validate -Test "The policy $strPolicy does not require a device password" -Condition ($policy.PasswordEnabled -ne $True) -FailureMsg "PasswordEnabled - policy requires a device password - the Surface Hub will not be able to send mail or sync its calendar." + } + else + { + $strPolicy = $casMailbox.ActiveSyncMailboxPolicy + $policy = Get-ActiveSyncMailboxPolicy -Identity $strPolicy -WarningAction SilentlyContinue -ErrorAction SilentlyContinue + Validate -Test "The policy $strPolicy does not require a device password" -Condition ($policy.PasswordEnabled -ne $True) -FailureMsg "PasswordEnabled - policy requires a device password - the Surface Hub will not be able to send mail or sync its calendar." + } + + if ($policy -ne $null) + { + Validate -Test "The policy $strPolicy allows non-provisionable devices" -Condition ($policy.AllowNonProvisionableDevices -eq $null -or $policy.AllowNonProvisionableDevices -eq $true) -FailureMsg "AllowNonProvisionableDevices - policy will not allow the SurfaceHub to sync" + } + +} + + +# Check the default access level +$orgSettings = Get-ActiveSyncOrganizationSettings +$strDefaultAccessLevel = $orgSettings.DefaultAccessLevel +Validate -Test "ActiveSync devices are allowed" -Condition ($strDefaultAccessLevel -eq 'Allow') -FailureMsg "DeviceType Windows Mail is accessible - devices are not allowed by default - the surface hub will not be able to send mail or sync its calendar." + +# Check if there exists a device access rule that bans the device type Windows Mail +$blockingRules = Get-ActiveSyncDeviceAccessRule | where {($_.AccessLevel -eq 'Block' -or $_.AccessLevel -eq 'Quarantine') -and $_.Characteristic -eq 'DeviceType'-and $_.QueryString -eq 'WindowsMail'} +Validate -Test "Windows mail devices are not blocked or quarantined" -Condition ($blockingRules -eq $null -or $blockingRules.Length -eq 0) -FailureMsg "DeviceType Windows Mail is accessible - devices are blocked or quaratined - the surface hub will not be able to send mail or sync its calendar." + +## End Exchange ## + + + +## SfB ## +$strLyncIdentity = $null +if ($fSfbIsOnline) +{ + $strLyncIdentity = $strUpn +} +else +{ + $strLyncIdentity = $strAlias +} + +$lyncAccount = $null +try { + $lyncAccount = Get-CsMeetingRoom -Identity $strLyncIdentity -WarningAction SilentlyContinue -ErrorAction SilentlyContinue +} catch { + try { + $lyncAccount = Get-CsUser -Identity $strLyncIdentity -WarningAction SilentlyContinue -ErrorAction SilentlyContinue + } catch { } +} +Validate -Test "There is a Lync or Skype for Business account for $strLyncIdentity" -Condition ($lyncAccount -ne $null -and $lyncAccount.Enabled) -FailureMsg "SfB Enabled - there is no Skype for Business account - meetings will not support Skype for Business" +if ($lyncAccount) +{ + Validate -Test "The meeting room has a SIP address" -Condition (![System.String]::IsNullOrEmpty($lyncAccount.SipAddress)) -FailureMsg "SfB Enabled - there is no SIP Address - the device account cannot be used to sign into Skype for Business." +} +## End SFB ## + + +if ($fHasOnline) +{ + #License validation and password expiry + $accountOnline = Get-MsolUser -UserPrincipalName $strUpn -WarningAction SilentlyContinue -ErrorAction SilentlyContinue + Validate -Test "There is an online user account for $strUpn" -Condition ($accountOnline -ne $null) -FailureMsg "Could not find a Microsoft Online account for this user even though some services are online" + if ($accountOnline) + { + Validate -Test "The password for $strUpn will not expire" -Condition ($accountOnline.PasswordNeverExpires -eq $True) -FailureMsg "PasswordNeverExpires - the admin will need to update the device account's password on the Surface Hub when it expires." + if ($fIsSfbOnline -and !$fIsExOnline) + { + $strLicenseFailureMsg = "Has O365 license - The devices will not be able to use Skype for Business services." + } + elseif ($fIsExOnline -and !$fIsSfbOnline) + { + $strLicenseFailureMsg = "Has O365 license - The devices will not be able to use Exchange Online services." + } + else + { + $strLicenseFailureMsg = "Has O365 license - The devices will not be able to use Skype for Business or Exchange Online services." + } + Validate -Test "$strUpn is licensed" -Condition ($accountOnline.IsLicensed -eq $True) -FailureMsg $strLicenseFailureMsg + + Validate -Test "$strUpn is allowed to sign in" -Condition ($accountOnline.BlockCredential -ne $True) -FailureMsg "BlockCredential - This user is not allowed to sign in." + } +} + +#If there is an on-prem component, we can get the authorative AD user from mailbox +if ($fHasOnPrem) +{ + $accountOnPrem = $null + if ($strLinkedAccount) + { + $accountOnPrem = Get-AdUser $strLinkedUser -server $strLinkedServer -credential $credLinkedDomain -properties PasswordNeverExpires -WarningAction SilentlyContinue -ErrorAction SilentlyContinue + } + else + { + #AD User enabled validation + $accountOnPrem = Get-AdUser $strAlias -properties PasswordNeverExpires -WarningAction SilentlyContinue -ErrorAction SilentlyContinue + } + $strOnPremUpn = $accountOnPrem.UserPrincipalName + Validate -Test "There is a user account for $strOnPremUpn" -Condition ($accountOnprem -ne $null) -FailureMsg "Could not find an Active Directory account for this user" + if ($accountOnPrem) + { + Validate -WarningOnly -Test "The password for $strOnPremUpn will not expire" -Condition ($accountOnprem.PasswordNeverExpires -eq $True) -FailureMsg "PasswordNeverExpires - the admin will need to update the device account's password on the Surface Hub when it expires." + Validate -Test "$strOnPremUpn is enabled" -Condition $accountOnPrem.Enabled -FailureMsg "AccountEnabled - this device account will not sign in" + } +} + + +$global:iTotalTests = ($global:iTotalFailures + $global:iTotalPasses + $global:iTotalWarnings) + +Write-Host -NoNewline $global:iTotalTests "tests executed: " +Write-Host -NoNewline -ForegroundColor Red $Global:iTotalFailures "failures " +Write-Host -NoNewline -ForegroundColor Yellow $Global:iTotalWarnings "warnings " +Write-Host -ForegroundColor Green $Global:iTotalPasses "passes " + +Cleanup +``` + +## Enable Skype for Business + + +This script will enable Skype for Business on a device account. Use it only if Skype for Business wasn't previously enabled during account creation. + +```PowerShell +## This script performs only the Enable for Skype for Business step on an account. It should only be run if this step failed in SHAccountCreate and the other steps have been completed ## +# EnableSfb.ps1 + +$Error.Clear() +$ErrorActionPreference = "Stop" + +# Cleans up set state such as remote powershell sessions +function Cleanup() +{ + if ($sessCS) + { + Remove-PSSession $sessCS + } +} + +function PrintError($strMsg) +{ + Write-Host $strMsg -foregroundcolor "red" +} + +function PrintSuccess($strMsg) +{ + Write-Host $strMsg -foregroundcolor "green" +} + +# Cleans up and prints an error message +function CleanupAndFail($strMsg) +{ + if ($strMsg) + { + PrintError($strMsg); + } + Cleanup + exit 1 +} + +# Exits if there is an error set and prints the given message +function ExitIfError($strMsg) +{ + if ($Error) + { + CleanupAndFail($strMsg); + } +} + +## Check dependencies ## + +$input = Read-Host "Is the account you wish to enable part of an online environment (enter O) or on-premises environment (enter P)" +if ($input -eq "P") +{ + $online = $false +} +elseif ($input -eq "O") +{ + $online = $true +} +else +{ + CleanupAndFail "Invalid selection" +} +if ($online) +{ + try { + Import-Module LyncOnlineConnector + } + catch + { + PrintError "Some dependencies are missing" + PrintError "Please install the Windows PowerShell Module for Lync Online. For more information go to http://www.microsoft.com/download/details.aspx?id=39366" + PrintError "Please install the Azure Active Directory module for PowerShell from http://go.microsoft.com/fwlink/p/?linkid=236297" + CleanupAndFail + } +} +else +{ + $strRegPool = Read-Host "Enter the FQDN of your Skype for Business Registrar Pool" +} + + +## Collect account data ## +Write-Host "----------- Enter info for the account to enable -----------." -foregroundcolor "magenta" +$strRoomUri=Read-Host 'Please enter the UPN of the account you are enabling (e.g. confroom@surfacehub.microsoft.com)' + +if ([System.String]::IsNullOrEmpty($strRoomUri)) +{ + CleanupAndFail "Please enter all of the requested data to continue." + exit 1 +} +Write-Host "--------------------------------------------------------------." -foregroundcolor "magenta" + + + +## Sign in to remote powershell for exchange and lync online ## +Write-Host "`n------------------ Establishing connection -----------------." -foregroundcolor "magenta" +$credAdmin=Get-Credential -Message "Enter credentials of a Skype for Business admin" +if (!$credadmin) +{ + CleanupAndFail("Valid admin credentials are required to create and prepare the account."); +} +Write-Host "Connecting to remote sessions. This can occasionally take a while - please do not enter input..." + +try +{ + if ($online) + { + $sessCS = New-CsOnlineSession -Credential $credAdmin + } + else + { + $sessCS = New-PSSession -Credential $credAdmin -ConnectionURI "https://$strRegPool/OcsPowershell" -AllowRedirection -WarningAction SilentlyContinue + } +} +catch +{ + CleanupAndFail("Failed to connect to Skype for Business server. Please check your credentials and try again. Error message: $_") +} + +Import-PSSession $sessCS -AllowClobber + +# In case there was any uncaught errors +ExitIfError("Remote connection failed. Please check your credentials and try again.") +Write-Host "--------------------------------------------------------------." -foregroundcolor "magenta" + +# Getting registrar pool +if ($online) +{ + try { + $strRegPool = $null; + $strRegPool = (Get-CsTenant).TenantPoolExtension + } catch {} + if ($Error) + { + $Error.Clear(); + $strRegPool = ""; + Write-Host "We failed to lookup your Skype for Business Registrar Pool, but you can still enter it manually" + } + else + { + $strRegPool = $strRegPool[0].Substring($strRegPool[0].IndexOf(':') + 1) + } +} + + +$Error.Clear() +try { + Enable-CsMeetingRoom -Identity $strRoomUri -RegistrarPool $strRegPool -SipAddressType EmailAddress +} +catch {} + +ExitIfError("Failed to setup Skype for Business meeting room") + +PrintSuccess "Successfully enabled $strRoomUri as a Skype for Business meeting room" + +Cleanup +``` + +## Useful cmdlets + + +### Creating a Surface Hub-compatible ActiveSync policy + +For Surface Hub to use Exchange services, a device account configured with a compatible ActiveSync policy must be provisioned on the device. This policy has the following requirements: + +``` syntax +PasswordEnabled == 0 +``` + +In the following cmdlets, `$strPolicy` is the name of the ActiveSync policy, and `$strRoomUpn` is the UPN of the device account you want to apply the policy to. + +Note that in order to run the cmdlets, you need to set up a remote PowerShell session and: + +- Your admin account must be remote-PowerShell-enabled. This allows the admin to use the PowerShell cmdlets that are needed by the script. (This permission can be set using set-user `$admin -RemotePowerShellEnabled $true`) +- Your admin account must have the "Reset Password" role if you plan to run the creation scripts. This allows the admin to change the password of the account, which is needed for the script. The Reset Password Role can be enabled using the Exchange Admin Center. + +Create the policy. + +```PowerShell +# Create new policy with PasswordEnabled == false +New-MobileDeviceMailboxPolicy -Name $strPolicy -PasswordEnabled $false –AllowNonProvisionableDevices $true +``` + +To apply the policy, the mailbox cannot be a room type, so it has to be converted into a user first. + +```PowerShell +# Convert user to regular type +Set-Mailbox $strRoomUpn -Type Regular +# Set policy for account +Set-CASMailbox $strRoomUpn -ActiveSyncMailboxPolicy $strPolicy +``` + +Now the device account just needs to be converted back into a room type. + +```PowerShell +# Convert back to room mailbox +Set-Mailbox $strRoomUpn -Type Room +``` + +### Allowing device IDs for ActiveSync + +To allow an account `$strRoomUpn`, run the following command: + +```PowerShell +Set-CASMailbox –Identity $strRoomUpn –ActiveSyncAllowedDeviceIDs “” +``` + +To find a device's ID, run: + +```PowerShell +Get-ActiveSyncDevice -Mailbox $strRoomUpn +``` + +This retrieves device information for every device that the account has been provisioned on, Including the `DeviceId` property. + +### Auto-accepting and declining meeting requests + +For a device account to automatically accept or decline meeting requests based on its availability, the **AutomateProcessing** attribute must be set to **AutoAccept**. This is recommended as to prevent overlapping meetings. + +```PowerShell +Set-CalendarProcessing $ strRoomUpn -AutomateProcessing AutoAccept +``` + +### Accepting external meeting requests + +For a device account to accept external meeting requests (a meeting request from an account not in the same tenant/domain), the device account must be set to allow processing of external meeting requests. Once set, the device account will automatically accept or decline meeting requests from external accounts as well as local accounts. + +**Note**  If the **AutomateProcessing** attribute is not set to **AutoAccept**, then setting this will have no effect. + +  + +```PowerShell +Set-CalendarProcessing $strRoomUpn -ProcessExternalMeetingMessages $true +``` + +  + +  + + + + + diff --git a/devices/surface-hub/apply-activesync-policies-for-surface-hub-device-accounts.md b/devices/surface-hub/apply-activesync-policies-for-surface-hub-device-accounts.md new file mode 100644 index 0000000000..6a123919fd --- /dev/null +++ b/devices/surface-hub/apply-activesync-policies-for-surface-hub-device-accounts.md @@ -0,0 +1,36 @@ +--- +title: Applying ActiveSync policies to device accounts (Surface Hub) +description: The Microsoft Surface Hub's device account uses ActiveSync to sync mail and calendar. This allows people to join and start scheduled meetings from the Surface Hub, and allows them to email any whiteboards they have made during their meeting. +ms.assetid: FAABBA74-3088-4275-B58E-EC1070F4D110 +keywords: ["Surface Hub", "ActiveSync policies"] +author: TrudyHa +--- + +# Applying ActiveSync policies to device accounts (Surface Hub) + + +The Microsoft Surface Hub's device account uses ActiveSync to sync mail and calendar. This allows people to join and start scheduled meetings from the Surface Hub, and allows them to email any whiteboards they have made during their meeting. + +For these features to work, the ActiveSync policies for your organization must be configured as follows: + +- There can't be any global policies that block synchronization of the resource mailbox that's being used by the Surface Hub’s device account. If there is such a blocking policy, you need to whitelist the Surface Hub as an allowed device. +- You must set a mobile device mailbox policy where the **PasswordEnabled** setting is set to False. Other mobile device mailbox policy settings are not compatible with the Surface Hub. + +## Whitelisting the DeviceID + + +Your organization may have a global policy that prevents syncing of device accounts provisioned on Surface Hubs. To configure this property, see [Allowing device IDs for ActiveSync](appendix-a-powershell-scripts-for-surface-hub.md#whitelisting-device-ids-cmdlet). + +## Setting PasswordEnabled + + +The device account must have an ActiveSync policy where the **PasswordEnabled** attribute is set to False or 0. To configure this property, see [Creating a Surface Hub-compatible Microsoft Exchange ActiveSync policy](appendix-a-powershell-scripts-for-surface-hub.md#create-compatible-as-policy). + +  + +  + + + + + diff --git a/devices/surface-hub/change-surface-hub-device-account.md b/devices/surface-hub/change-surface-hub-device-account.md new file mode 100644 index 0000000000..44ad0b01d5 --- /dev/null +++ b/devices/surface-hub/change-surface-hub-device-account.md @@ -0,0 +1,85 @@ +--- +title: Change the Microsoft Surface Hub device account +description: You can change the device account in Settings to either add an account if one was not already provisioned, or to change any properties of an account that was already provisioned. +ms.assetid: AFC43043-3319-44BC-9310-29B1F375E672 +keywords: ["change device account", "change properties", "Surface Hub"] +author: TrudyHa +--- + +# Change the Microsoft Surface Hub device account + + +You can change the device account in Settings to either add an account if one was not already provisioned, or to change any properties of an account that was already provisioned. + +## Details + + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ValueDescription

User Principal Name

The user principal name (UPN) of the device account.

Password

The corresponding password of the device account.

Domain

The domain that the device account belongs to. This field does not need to be provided for Office 365 accounts.

User name

The user name of the device account. This field does not need to be provided for Office 365 accounts.

Session Initiation Protocol (SIP) address

The SIP address of the device account.

Microsoft Exchange server

This is the Exchange server of the device account. The device account’s username and password must be able to authenticate to the specified Exchange server.

Enable Exchange services

When checked, all Exchange services will be enabled (for example, calendar on the welcome screen, emailing whiteboards). When not checked, all Exchange services will be disabled, and the Exchange server does not need to be provided.

+ +  + +## What happens? + + +The UPN and password are used to validate the account in AD or Azure AD. If the validation fails, you may need to provide the domain and user name. + +Using the credentials provided, we will try to discover the SIP address. If a SIP address can't be found, then Skype for Business will use the UPN as the SIP address. If this is not the SIP address for the account, you will need to provide the SIP address. + +The Exchange server address will need to be provided if the device can't find a server associated with the login credentials. Microsoft Surface Hub will use the Exchange server to talk to ActiveSync, which enables several key features on the device. + +## Related topics + + +[Manage Microsoft Surface Hub](manage-surface-hub.md) + +[Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md) + +  + +  + + + + + diff --git a/devices/surface-hub/create-a-device-account-using-office-365.md b/devices/surface-hub/create-a-device-account-using-office-365.md new file mode 100644 index 0000000000..084758aa68 --- /dev/null +++ b/devices/surface-hub/create-a-device-account-using-office-365.md @@ -0,0 +1,405 @@ +--- +title: Create a device account using UI (Surface Hub) +description: If you prefer to use a graphical user interface, you can create a device account for your Microsoft Surface Hub with either the Office 365 UI or the Exchange Admin Center. +ms.assetid: D11BCDC4-DABA-4B9A-9ECB-58E02CC8218C +keywords: ["create device account", "Office 365 UI", "Exchange Admin center", "Office 365 admin center", "Skype for Business", "mobile device mailbox policy"] +author: TrudyHa +--- + +# Create a device account using UI (Surface Hub) + + +If you prefer to use a graphical user interface, you can create a device account for your Microsoft Surface Hub with either the [Office 365 UI](#create-device-acct-o365) or the [Exchange Admin Center](#create-device-acct-eac). + +## Create a device account using Office 365 + + +1. [Create the account in the Office 365 Admin Center](#create-device-acct-o365-admin-ctr). +2. [Create a mobile device mailbox (ActiveSync) policy from the Microsoft Exchange Admin Center](#create-device-acct-o365-mbx-policy). +3. [Use PowerShell to complete device account creation](#create-device-acct-o365-complete-acct). +4. [Use PowerShell to configure Exchange properties of the account](#create-device-acct-o365-configure-exch-prop). +5. [Enable the account with Skype for Business](#create-device-acct-o365-skype-for-business). + +### Create the account in the Office 365 Admin Center + +1. Sign in to Office 365 by visiting http://portal.office.com/admin/ +2. Provide the admin credentials for your Office 365 tenant. This will take you to your Office 365 Admin Center. + + ![office 365 admin center. ](images/setupdeviceaccto365-02.png) + +3. Once you are at the Office 365 Admin Center, navigate to **Users** in the left panel, and then click **Active Users**. + + ![office 365 admin center dashboard shwoing active users.](images/setupdeviceaccto365-03.png) + +4. On the controls above the list of users, click **+** to create a new user. You'll need to enter a **Display name**, **User name**, **Password** and an email address for the recipient of the password. Optionally you can change the password manually, but we recommend that you use the auto-generated option. You also need to assign this account a license that gives the account access to Exchange and Skype for Business services. + + ![screen to create a new user account. ](images/setupdeviceaccto365-04.png) + + Click **Create**. + +5. Once the account has been successfully created, click **Close** on the resulting dialog box, and you will see the admin center Active Users list again. + + ![confirmation screen for creating a new account. ](images/setupdeviceaccto365-05.png) + +6. Select the user you just created from the **Active Users** list. You need to disable the Skype for Business license, because you can’t create a Skype Meeting Room with this option. + + ![office 365 admin center showing properties for the new user account. ](images/setupdeviceaccto365-06.png) + + In the right panel you can see the account properties and several optional actions. The process so far has created a regular Skype account for this user, which you need to disable. Click **Edit** for the **Assigned license** section, then click the dropdown arrow next to the license to expand the details. + + ![assign license for skype for business online.](images/setupdeviceaccto365-07.png) + + From the list, uncheck **Skype for Business Online (plan 2)** (this license may vary depending on your organization), and click **SAVE**. + +### Create a mobile device mailbox (ActiveSync) policy from the Exchange Admin Center + +1. In the Office 365 Admin Center’s left panel, click **ADMIN**, and then click **Exchange**. + + ![office 365 admin center, showing exchange active users. ](images/setupdeviceaccto365-08.png) + +2. This will open another tab on your browser to take you to the Exchange Admin Center, where you can create and set the Mailbox Setting for Surface Hub. + + ![exchange admin center. ](images/setupdeviceaccto365-09.png) + +3. To create a Mobile Device Mailbox Policy, click **Mobile** from the left panel and then click **Mobile device mailbox policies**. Surface Hubs require an account with a mobile device mailbox policy that does not require a password, so if you already have an existing policy that matches this requirement, you can apply that policy to the account. Otherwise use the following steps to create a new one to be used only for Surface Hub device accounts. + + ![excahnge admin center - creating a mobile device mailbox policy. ](images/setupdeviceaccto365-10.png) + +4. To create a New Surface Hub mobile device mailbox policy, click the **+** button from the controls above the list of policies to add a new policy. For the name, provide a name that will help you distinguish this policy from other device accounts (for example, *SurfaceHubDeviceMobilePolicy*). Make sure the policy does not require a password for the devices assigned to, so make sure **Require a Password** remains unchecked, then click **Save**. + + ![image showing new mobile device policy](images/setupdeviceaccto365-11.png) + +5. After you have created the new mobile device mailbox policy, go back to the **Exchange Admin Center** and you will see the new policy listed. + + ![image with new mobile device mailbox policy in exchange admin center. ](images/setupdeviceaccto365-12.png) + +6. Now, to apply the ActiveSync policy without using PowerShell, you can do the following: In the EAC, click **Recipients** > **Mailboxes** and then select a mailbox. + + ![image showing mailbox in exchange admin center. ](images/setupdeviceaccto365-13.png) + +7. In the Details pane, scroll to **Phone and Voice Features** and click **View details** to display the **Mobile Device Details** screen. + + ![image showing mobile device details for the mailbox. ](images/setupdeviceaccto365-14.png) + +8. The mobile device mailbox policy that’s currently assigned is displayed. To change the mobile device mailbox policy, click **Browse**. + + ![image with details for the mobile device policy. ](images/setupdeviceaccto365-15.png) + +9. Choose the appropriate mobile device mailbox policy from the list, click **OK** and then click **Save**. + + ![image showing multiple mobile device mailbox policies. ](images/setupdeviceaccto365-16.png) + +### Use PowerShell to complete device account creation + +From here on, you'll need to finish the account creation process using PowerShell to set up some configuration. + +In order to run cmdlets used by these PowerShell scripts, the following must be installed for the admin PowerShell console: + +- [Microsoft Online Services Sign-In Assistant for IT Professionals BETA](http://go.microsoft.com/fwlink/?LinkId=718149) +- [Windows Azure Active Directory Module for Windows PowerShell](http://go.microsoft.com/fwlink/p/?linkid=236297) +- [Skype for Business Online, Windows PowerShell Module](http://www.microsoft.com/download/details.aspx?id=39366) + +### Connecting to online services + +1. Run Windows PowerShell as Administrator. + + ![image showing how to start windows powershell and run as administrator. ](images/setupdeviceaccto365-17.png) + +2. Create a Credentials object, then create a new session that connects to Skype for Business Online, and provide the global tenant administrator account, then click **OK**. + + ![image for windows powershell credential request. ](images/setupdeviceaccto365-18.png) + +3. To connect to Microsoft Online Services, run: + + ``` syntax + Connect-MsolService -Credential $Cred + ``` + + ![image showing powershell cmdlet.](images/setupdeviceaccto365-19.png) + +4. Now to connect to Skype for Business Online Services, run: + + ``` syntax + $sfbsession = New-CsOnlineSession -Credential $cred + ``` + + ![image showing powershell cmdlet.](images/setupdeviceaccto365-20.png) + +5. Finally, to connect to Exchange Online Services, run: + + ``` syntax + $exchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri + "https://outlook.office365.com/powershell-liveid/" -Credential $cred -Authentication "Basic" –AllowRedirection + ``` + + ![image showing powershell cmdlet.](images/setupdeviceaccto365-21.png) + +6. Now you have to import the Skype for Business Online Session and the Exchange Online session you have just created, which will import the Exchange and Skype Commands so you can use them locally. + + ``` syntax + Import-PSSession $exchangesession -AllowClobber -WarningAction SilentlyContinue + Import-PSSession $sfbsession -AllowClobber -WarningAction SilentlyContinue + ``` + + Note that this could take a while to complete. + + ![image showing powershell cmdlet.](images/setupdeviceaccto365-22.png) + +7. Once you’re connected to the online services you need to run a few more cmdlets to configure this account as a Surface Hub device account. + +### Use PowerShell to configure Exchange properties of the account + +Now that you're connected to the online services, you can finish setting up the device account. You'll use the device account email address to: + +- Change the mailbox type from regular to room. +- Set the password and enable the room mailbox account +- Change various Exchange properties +- Set the user account password to never expire. + +1. You’ll need to enter the account’s mail address and create a variable with that value: + + ``` syntax + $mailbox = (Get-Mailbox ) + ``` + + To store the value get it from the mailbox: + + ``` syntax + $strEmail = $mailbox.WindowsEmailAddress + ``` + + Print the value: + + ``` syntax + $strEmail + ``` + + You will see the correct email address. + + ![image showing powershell cmdlet.](images/setupdeviceaccto365-23.png) + +2. You need to convert the account into to a room mailbox, so run: + + ![image showing powershell cmdlet.](images/setupdeviceaccto365-24.png) + + ``` syntax + Set-Mailbox $strEmail -Type Room + ``` + +3. In order for the device account to be authenticated on a Surface Hub, you need to enable the room mailbox account and set a password, so the account can be used by the device to get meeting information using ActiveSync and log in to Skype for Business. + + ``` syntax + Set-Mailbox $strEmail -RoomMailboxPassword (ConvertTo-SecureString -String "" -AsPlainText -Force) -EnableRoomMailboxAccount $true + ``` + + ![image showing powershell cmdlet.](images/setupdeviceaccto365-25.png) + +4. Various Exchange properties can be set on the device account to improve the meeting experience. You can see which properties need to be set in the [Exchange properties](exchange-properties-for-surface-hub-device-accounts.md) section. + + ``` syntax + Set-CalendarProcessing -Identity $acctUpn -AutomateProcessing AutoAccept -AddOrganizerToSubject $false –AllowConflicts $false –DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false + Set-CalendarProcessing -Identity $acctUpn -AddAdditionalResponse $true -AdditionalResponse "This is a room!" + ``` + + ![image showing powershell cmdlet.](images/setupdeviceaccto365-26.png) + +5. If you decide to have the password not expire, you can set that with PowerShell cmdlets too. See [Password management](password-management-for-surface-hub-device-accounts.md) for more information. + + ``` syntax + Set-MsolUser -UserPrincipalName $strEmail -PasswordNeverExpires $True + ``` + +### Enable the account with Skype for Business + +Enable the device account with Skype for Business. + +In order to enable Skype for Business, your environment will need to meet the following prerequisites: + +- You'll need to have Lync Online (Plan 2) or higher in your O365 plan. The plan needs to support conferencing capability. +- If you need Enterprise Voice (PSTN telephony) using telephony service providers for the Surface Hub, you need Lync Online (Plan 3). +- Your tenant users must have Exchange mailboxes. +- Your Surface Hub account does require a Lync Online (Plan 2) or Lync Online (Plan 3) license, but it does not require an Exchange Online license. + +1. Start by creating a remote PowerShell session from a PC. + + ```PowerShell + Import-Module LyncOnlineConnector + $cssess=New-CsOnlineSession -Credential $cred + Import-PSSession $cssess -AllowClobber + ``` + +2. To enable your Surface Hub account for Skype for Business Server, run this cmdlet: + + ```PowerShell + Enable-CsMeetingRoom -Identity $rm -RegistrarPool + "sippoolbl20a04.infra.lync.com" -SipAddressType EmailAddress + ``` + + If you aren't sure what value to use for the `RegistrarPool` parameter in your environment, you can get the value from an existing Skype for Business user using this cmdlet: + + ```PowerShell + Get-CsOnlineUser -Identity ‘alice@contoso.microsoft.com’| fl *registrarpool* + ``` + +## Create a device account using the Exchange Admin Center + + +You can use the Exchange Admin Center to create a device account: + +1. [Create an account and mailbox with the Exchange Admin Center](#create-device-acct-exch-admin-ctr). +2. [Create a mobile device mailbox policy from the Exchange Admin Center](#create-device-acct-exch-mbx-policy). +3. [Use PowerShell to configure the account](#create-device-acct-exch-powershell-conf). +4. [Enable the account with Skype for Business](#create-device-acct-exch-skype-for-business). + +### Create an account and mailbox with the Exchange Admin Center + +1. Sign in to your Exchange Admin Center using Exchange admin credentials. +2. Once you are at the Exchange Admin Center (EAC), navigate to **Recipients** in the left panel. + + ![image showing mailboxes in exchange admin center. ](images/setupdeviceacctexch-01.png) + +3. On the controls above the list of mailboxess, choose **+** to create a new one, and provide a **Display name**, **Name**, and **User logon name**, and then click **Save**. + + ![image showing creating a new mailbox. ](images/setupdeviceacctexch-02.png) + +### Create a mobile device mailbox policy from the Exchange Admin Center + +**Note**  If you want to create and assign a policy to the account you created, and are using Exchange 2010, look up the corresponding information regarding policy creation and policy assignment when using the EMC (Exchange management console). + +  + +1. Go to the Exchange Admin Center. + + ![image showing exchange admin center. ](images/setupdeviceacctexch-03.png) + +2. To create a mobile device mailbox policy, click **Mobile** from the left panel, then **Mobile device mailbox policies**. Surface Hubs require an account with a mobile device mailbox policy that does not require a password, so if you already have an existing policy that matches this requirement, you can apply that policy to the account. Otherwise use the following steps to create a new one to be used only for Surface Hub device accounts. + + ![image showing using exchange admin center to create a mobile device mailbox policy. ](images/setupdeviceacctexch-05.png) + +3. To create a new mobile device account mailbox policy, click the **+** button from the controls above the list of policies to add a new policy. For the name provide a name that will help you distinguish this policy from other device accounts (for example, *SurfaceHubDeviceMobilePolicy*). The policy must not be password-protected, so make sure **Require a Password** remains unchecked, then click **Save**. + + ![image showing new mobile device mailbox policy. ](images/setupdeviceacctexch-06.png) + +4. After you have created the new mobile device mailbox policy, go back to the Exchange Admin Center and you will see the new policy listed. + + ![image showing new mobile device mailbox policy in exchange admin center. ](images/setupdeviceacctexch-07.png) + +5. To apply the ActiveSync policy without using PowerShell, you can do the following: + + - In the EAC, click **Recipients** > **Mailboxes** and select a mailbox. + + ![image showing exchange admin center. ](images/setupdeviceacctexch-08.png) + + - In the **Details** pane, scroll to **Phone and Voice Features** and click **View details** to display the **Mobile Device Details** screen. + + ![image showing mailbox details. ](images/setupdeviceacctexch-09.png) + + - The mobile device mailbox policy that’s currently assigned is displayed. To change the mobile device mailbox policy, click **Browse**. + + ![image showing the currently assigned mobile device mailbox policy. ](images/setupdeviceacctexch-10.png) + + - Choose the appropriate mobile device mailbox policy from the list, click **OK** and then click **Save**. + + ![image showing list of mobile device mailbox policies. ](images/setupdeviceacctexch-11.png) + +### Use PowerShell to configure the account + +Now that you're connected to the online services, you can finish setting up the device account. You'll use the device account email address to: + +- Change the mailbox type from regular to room. +- Change various Exchange properties +- Set the user account password to never expire. + +1. You’ll need to enter the account’s mail address and create a variable with that value: + + ``` syntax + $mailbox = (Get-Mailbox ) + ``` + + To store the value got it from the mailbox: + + ``` syntax + $strEmail = $mailbox.WindowsEmailAddress + ``` + + Print the value by running: + + ``` syntax + $strEmail + ``` + + You will see the correct email address. + +2. You need to convert the account into to a room mailbox, so run: + + ``` syntax + Set-Mailbox $strEmail -Type Room + ``` + +3. In order for the device account to be authenticated on a Surface Hub, you need to enable the room mailbox account and set a password, so the account can be used by the device to get meeting information using ActiveSync and log in to Skype for Business. + + ``` syntax + Set-Mailbox $strEmail -RoomMailboxPassword (ConvertTo-SecureString -String "" -AsPlainText -Force) -EnableRoomMailboxAccount $true + ``` + +4. Various Exchange properties can be set on the device account to improve the meeting experience. You can see which properties need to be set in the [Exchange properties](exchange-properties-for-surface-hub-device-accounts.md) section. + + ``` syntax + Set-CalendarProcessing -Identity $acctUpn -AutomateProcessing AutoAccept -AddOrganizerToSubject $false –AllowConflicts $false –DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false + Set-CalendarProcessing -Identity $acctUpn -AddAdditionalResponse $true -AdditionalResponse "This is a room!" + ``` + +5. Now we have to set some properties in AD. To do that, you need the alias of the account (this is the part of the UPN that becomes before the “@”). + + ``` syntax + $strAlias = “” + ``` + +6. The user needs to be enabled in AD before it can authenticate with a Surface Hub. Run: + + ``` syntax + Set-ADUser $strAlias -Enabled $True + ``` + +7. If you decide to have the password not expire, you can set that with PowerShell cmdlets too. See [Password management](password-management-for-surface-hub-device-accounts.md) for more information. + + ``` syntax + Set-ADUser $strAlias -PasswordNeverExpires $True + ``` + +### Enable the account with Skype for Business + +Enable the device account with Skype for Business. + +In order to enable Skype for Business, your environment will need to meet the following prerequisites: + +- You'll need to have Lync Online (Plan 2) or higher in your O365 plan. The plan needs to support conferencing capability. +- If you need Enterprise Voice (PSTN telephony) using telephony service providers for the Surface Hub, you need Lync Online (Plan 3). +- Your tenant users must have Exchange mailboxes. +- Your Surface Hub account does require a Lync Online (Plan 2) or Lync Online (Plan 3) license, but it does not require an Exchange Online license. + +1. Start by creating a remote PowerShell session from a PC. + + ```PowerShell + Import-Module LyncOnlineConnector + $cssess=New-CsOnlineSession -Credential $cred + Import-PSSession $cssess -AllowClobber + ``` + +2. To enable your Surface Hub account for Skype for Business Server, run this cmdlet: + + ```PowerShell + Enable-CsMeetingRoom -Identity $rm -RegistrarPool + "sippoolbl20a04.infra.lync.com" -SipAddressType EmailAddress + ``` + + If you aren't sure what value to use for the `RegistrarPool` parameter in your environment, you can get the value from an existing Skype for Business user using this cmdlet: + + ```PowerShell + Get-CsOnlineUser -Identity ‘alice@contoso.microsoft.com’| fl *registrarpool* + ``` + + + + + diff --git a/devices/surface-hub/create-and-test-a-device-account-surface-hub.md b/devices/surface-hub/create-and-test-a-device-account-surface-hub.md new file mode 100644 index 0000000000..ae3b772bd4 --- /dev/null +++ b/devices/surface-hub/create-and-test-a-device-account-surface-hub.md @@ -0,0 +1,186 @@ +--- +title: Create and test a device account (Surface Hub) +description: This topic introduces how to create and test the device account that Microsoft Surface Hub uses to communicate with Microsoft Exchange and Skype. +ms.assetid: C8605B5F-2178-4C3A-B4E0-CE32C70ECF67 +keywords: ["create and test device account", "device account", "Surface Hub and Microsoft Exchange", "Surface Hub and Skype"] +author: TrudyHa +--- + +# Create and test a device account (Surface Hub) + + +This topic introduces how to create and test the device account that Microsoft Surface Hub uses to communicate with Microsoft Exchange and Skype. + +A "device account" is an account that the Microsoft Surface Hub uses to: + +- sync its meeting calendar, +- send mail, +- and enable Skype for Business compatibility. + +People can book this account by scheduling a meeting with it. The Surface Hub will be able to join that meeting and provide various features to the meeting attendees. + +**Important**  Without a device account, none of these features will work. + +  + +Every device account is unique to a single Surface Hub, and requires some setup: + +- The device account must be configured correctly, as described in the folllowing sections. +- Your infrastructure must be configured to allow the Surface Hub to validate the device account, and to reach the appropriate Microsoft services. + +You can think of a device account as the resource account that people recognize as a conference room’s or meeting space’s account. When you want to schedule a meeting using that conference room, you invite the account to that meeting. In order to use the Surface Hub most effectively, you do the same with the device account that's assigned to each one. + +If you already have a resource mailbox account set up for the meeting space where you’re putting a Surface Hub, you can change that resource account into a device account. Once that’s done, all you need to do is add the device account to a Surface Hub. See step 2 of either [On-premises deployment](on-premises-deployment-surface-hub-device-accounts.md) or [Online deployment (Office 365)](online-deployment-surface-hub-device-accounts.md). + +The following sections will describe how to create and test a device account before configuring your Surface Hub. + +### Basic configuration + +These properties represent the minimum configuration for a device account to work on a Surface Hub. Your device account may require further setup, which is covered in [Advanced configuration](#advanced-config). + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
PropertyPurpose

Exchange mailbox (Exchange 2010 or later, or Exchange Online)

Enabling the account with an Exchange mailbox gives the device account the capability to receive and send both mail and meeting requests, and to display a meetings calendar on the Surface Hub’s welcome screen. The Surface Hub mailbox must be a room mailbox.

Skype for Business-enabled (Lync/Skype for Business 2010 or later or Skype for Business Online)

Skype for Business must be enabled in order to use various conferencing features, like video calls, IM, and screen-sharing.

Password-enabled

The device account must be enabled with a password, or it cannot authenticate with either Exchange or Skype for Business.

Compatible EAS policies

The device account must use a compatible EAS policy in order for it to sync its mail and calendar. In order to implement this policy, the PasswordEnabled property must be set to False. If an incompatible EAS policy is used, the Surface Hub will not be able to use any services provided by Exchange and ActiveSync.

+ +  + +### Advanced configuration + +While the properties for the basic configuration will allow the device account to be set up in a simple environment, it is possible your environment has other restrictions on directory accounts that must be met in order for the Surface Hub to successfully use the device account. + + ++++ + + + + + + + + + + + + + + + + +
PropertyPurpose

Certificate-based authentication

Certificates may be required for both ActiveSync and Skype for Business. To deploy certificates, you need to use provisioning packages or an MDM solution.

+

See [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md) for details.

Allowed device IDs (ActiveSync Device ID)

Your Exchange ActiveSync setup may require that an account must whitelist device IDs so that ActiveSync can retrieve the device account’s mail and calendar. You must ensure that the Surface Hub’s device ID is added to this whitelist. This can either be configured using PowerShell (by setting the ActiveSyncAllowedDeviceIDs property) or the Exchange administrative portal.

+

You can find out how to find and whitelist a device ID with PowerShell in [Allowing device IDs for ActiveSync](appendix-a-powershell-scripts-for-surface-hub.md#whitelisting-device-ids-cmdlet).

+ +  + +### How do I set up the account? + +The best way to set up device accounts is to configure them using remote PowerShell. We provide several PowerShell scripts that will help create new device accounts, or validate existing resource accounts you have in order to help you turn them into compatible Surface Hub device accounts. These PowerShell scripts, and instructions for their use, are in [Appendix: PowerShell](appendix-a-powershell-scripts-for-surface-hub.md). + +You can check online for updated versions at [Surface Hub device account scripts](http://aka.ms/surfacehubscripts). + +### Device account configuration + +Your infrastructure will likely fall into one of three configurations. Which configuration you have will affect how you prepare for device setup. + +![](images/deploymentoptions-01.png) + +- [Online deployment (Office 365)](online-deployment-surface-hub-device-accounts.md): Your organization’s environment is deployed entirely on Office 365. +- [On-premises deployment](on-premises-deployment-surface-hub-device-accounts.md): Your organization has servers that it controls, where Active Directory, Exchange, and Skype for Business (or Lync) are hosted. +- [Hybrid deployment](hybrid-deployment-surface-hub-device-accounts.md): Your organization has a mix of services, with some hosted on-premises and some hosted online through Office 365. + +If you prefer to use the Office 365 UI over PowerShell cmdlets, some steps can be performed manually. See [Creating a device account using Office 365](create-a-device-account-using-office-365.md). + +### Device account resources + +These sections describe resources used by the Surface Hub device account. + +- [Exchange properties](exchange-properties-for-surface-hub-device-accounts.md): The Exchange properties of the device account must be set to particular values for the Surface Hub to work properly. +- [Applying ActiveSync policies to device accounts](apply-activesync-policies-for-surface-hub-device-accounts.md): The Surface Hub uses ActiveSync to sync both mail and its meeting calendar. +- [Password management](password-management-for-surface-hub-device-accounts.md): Every device account requires a password to authenticate. This section describes your options for managing this password. + +## In this section + + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
TopicDescription

[Online deployment](online-deployment-surface-hub-device-accounts.md)

This topic has instructions for adding a device account for your Surface Hub when you have a pure, online deployment.

[On-premises deployment](on-premises-deployment-surface-hub-device-accounts.md)

This topic explains how you add a device account for your Surface Hub when you have a single-forest, on-premises deployment.

[Hybrid deployment](hybrid-deployment-surface-hub-device-accounts.md)

A hybrid deployment requires special processing in order to set up a device account for your Surface Hub. If you’re using a hybrid deployment, in which your organization has a mix of services, with some hosted on-premises and some hosted online, then your configuration will depend on where each service is hosted. This topic covers hybrid deployments for [Exchange hosted on-prem](#hybrid-exchange-on-prem), and [Exchange hosted online](#hybrid-exchange-online). Because there are so many different variations in this type of deployment, it's not possible to provide detailed instructions for all of them. The following process will work for many configurations. If the process isn't right for your setup, we recommend that you use PowerShell (see [Appendix: PowerShell](appendix-a-powershell-scripts-for-surface-hub.md)) to achieve the same end result as documented here, and for other deployment options. You should then use the provided PowerShell script to verify your Surface Hub setup. (See [Account Verification Script](appendix-a-powershell-scripts-for-surface-hub.md#acct-verification-ps-scripts).)

[Create a device account using UI](create-a-device-account-using-office-365.md)

If you prefer to use a graphical user interface, you can create a device account for your Surface Hub with either the [Office 365 UI](#create-device-acct-o365) or the [Exchange Admin Center](#create-device-acct-eac).

[Microsoft Exchange properties](exchange-properties-for-surface-hub-device-accounts.md)

Some Exchange properties of the device account must be set to particular values to have the best meeting experience on Surface Hub. The following table lists various Exchange properties based on PowerShell cmdlet parameters, their purpose, and the values they should be set to.

[Applying ActiveSync policies to device accounts](apply-activesync-policies-for-surface-hub-device-accounts.md)

The Surface Hub's device account uses ActiveSync to sync mail and calendar. This allows people to join and start scheduled meetings from the Surface Hub, and allows them to email any whiteboards they have made during their meeting.

[Password management](password-management-for-surface-hub-device-accounts.md)

Every Surface Hub device account requires a password to authenticate and enable features on the device.

+ +  + +  + +  + + + + + diff --git a/devices/surface-hub/device-reset-suface-hub.md b/devices/surface-hub/device-reset-suface-hub.md new file mode 100644 index 0000000000..449deca360 --- /dev/null +++ b/devices/surface-hub/device-reset-suface-hub.md @@ -0,0 +1,44 @@ +--- +title: Device reset (Surface Hub) +description: You may wish to reset your Microsoft Surface Hub. +ms.assetid: 44E82EEE-1905-464B-A758-C2A1463909FF +keywords: ["reset Surface Hub"] +author: TrudyHa +--- + +# Device reset (Surface Hub) + + +You may wish to reset your Microsoft Surface Hub. + +Typical reasons for a reset include: + +- The device isn’t running well after installing an update. +- You’re repurposing the device for a new meeting space and want to reconfigure it. +- You want to change how you locally manage the device. + +Initiating a reset will return the device to the last cumulative Windows update, and remove all local user files and configuration, including: + +- The device account +- MDM enrollment +- Domain join or Azure AD join information +- Local admins on the device +- Configurations from MDM or the Settings app. + +After the reset, you'll be taken through the [first run program](first-run-program-surface-hub.md) again. + +## Related topics + + +[Manage Microsoft Surface Hub](manage-surface-hub.md) + +[Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md) + +  + +  + + + + + diff --git a/devices/surface-hub/exchange-properties-for-surface-hub-device-accounts.md b/devices/surface-hub/exchange-properties-for-surface-hub-device-accounts.md new file mode 100644 index 0000000000..a9a913e3bd --- /dev/null +++ b/devices/surface-hub/exchange-properties-for-surface-hub-device-accounts.md @@ -0,0 +1,96 @@ +--- +title: Microsoft Exchange properties (Surface Hub) +description: Some Microsoft Exchange properties of the device account must be set to particular values to have the best meeting experience on Microsoft Surface Hub. +ms.assetid: 3E84393B-C425-45BF-95A6-D6502BA1BF29 +keywords: ["Microsoft Exchange properties", "device account", "Surface Hub", "Windows PowerShell cmdlet"] +author: TrudyHa +--- + +# Microsoft Exchange properties (Surface Hub) + + +Some Microsoft Exchange properties of the device account must be set to particular values to have the best meeting experience on Microsoft Surface Hub. The following table lists various Exchange properties based on PowerShell cmdlet parameters, their purpose, and the values they should be set to. + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
PropertyDescriptionValueImpact

AutomateProcessing

The AutomateProcessing parameter enables or disables calendar processing on the mailbox.

AutoAccept

The Surface Hub will be able to automatically accept or decline meeting requests based on its availability.

AddOrganizerToSubject

The AddOrganizerToSubject parameter specifies whether the meeting organizer's name is used as the subject of the meeting request.

$False

The welcome screen will not show the meeting organizer twice (instead of showing it as both the organizer and in the meeting subject).

AllowConflicts

The AllowConflicts parameter specifies whether to allow conflicting meeting requests.

$False

The Surface Hub will decline meeting requests that conflict with another meeting’s time.

DeleteComments

The DeleteComments parameter specifies whether to remove or keep any text in the message body of incoming meeting requests.

$False

The message body of meetings can be retained and retrieved from a Surface Hub if you need it during a meeting.

DeleteSubject

The DeleteSubject parameter specifies whether to remove or keep the subject of incoming meeting requests.

$False

Meeting request subjects can be shown on the Surface Hub.

RemovePrivateProperty

The RemovePrivateProperty parameter specifies whether to clear the private flag for incoming meeting requests.

$False

Private meeting subjects will show as Private on the welcome screen.

AddAdditionalResponse

The AddAdditionalResponse parameter specifies whether additional information will be sent from the resource mailbox when responding to meeting requests.

$True

When a response is sent to a meeting request, custom text will be provided in the response.

AdditionalResponse

The AdditionalResponse parameter specifies the additional information to be included in responses to meeting requests.

+
+Note  This text will not be sent unless AddAdditionalResponse is set to $True. +
+
+  +

Your choice—the additional response can be used to inform people how to use a Surface Hub or point them towards resources.

Adding an additional response message can provide people an introduction to how they can use a Surface Hub in their meeting.

+ +  + +  + +  + + + + + diff --git a/devices/surface-hub/first-run-program-surface-hub.md b/devices/surface-hub/first-run-program-surface-hub.md new file mode 100644 index 0000000000..4a45985296 --- /dev/null +++ b/devices/surface-hub/first-run-program-surface-hub.md @@ -0,0 +1,435 @@ +--- +title: First-run program (Surface Hub) +description: The term \ 0034;first run \ 0034; refers to the series of steps you'll go through the first time you power up your Microsoft Surface Hub, and means the same thing as \ 0034;out-of-box experience \ 0034; (OOBE). This section will walk you through the process. +ms.assetid: 07C9E84C-1245-4511-B3B3-75939AD57C49 +keywords: ["first run", "Surface Hub", "out-of-box experience", "OOBE"] +author: TrudyHa +--- + +# First-run program (Surface Hub) + + +The term "first run" refers to the series of steps you'll go through the first time you power up your Microsoft Surface Hub, and means the same thing as "out-of-box experience" (OOBE). This section will walk you through the process. + +By now, you should have gone through all of the previous steps: + +- [Prepare your environment for Surface Hub](prepare-your-environment-for-surface-hub.md) +- [Physically install your Surface Hub device](physically-install-your-surface-hub-device.md), and +- [Setup worksheet](setup-worksheet-surface-hub.md) + +Assuming that's the case, first run should be both simple and quick. +The normal procedure goes through six steps: + +1. [Hi there page](#first-page) +2. [Set up for you page](#set-up-for-you) +3. [Device account page](#device-account) +4. [Name this device page](#name-this-device) +5. [Set up admins for this device page](#setup-admins) +6. [Update the Surface Hub](#update-surface-hub) + +Each of these sections also contains information about paths you might take when something is different. For example, most Surface Hubs will use a wired network connection, but some of them will be set up with wireless instead. Details are described where appropriate. + +**Note**  You should have the separate keyboard that came with your Surface Hub set up and ready before beginning. See the Surface Hub Setup Guide for details. + +  + +## Hi there page + + +This is the first screen you'll see when you power up the Surface Hub for the first time. It's where you input localization information for your device. + +**Note**  This is also where you begin the optional process of deploying a provisioning package. See [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md) if that's what you're doing. + +  + +![icd options checklist](images/setuplocale.png) + +### Details + +If the default values shown are correct, then you can click **Next** to go on. Otherwise, you'll need to enter data in the appropriate boxes. + +- **Country/region:** Select the country or region where the Surface Hub will be used. +- **App language:** Apps and features will display in this language and language format. +- **Keyboard layout:** Select the keyboard layout for the on-screen and physical keyboards that will be used with your device. +- **Time zone:** Select the time zone where the Surface Hub will be used. + +### What happens? + +**Note**  Once the settings on this page are entered, you can't come back to this screen unless you reset the device (see [Device reset](device-reset-suface-hub.md)). Make sure that the settings are properly configured before proceeding. + +  + +When the settings are accepted, the device will check for a wired network connection. If the connection is fine, it will display the [Set up for you page](#set-up-for-you). If there is a problem with the wired connection, the device will display the [Network setup page](#network-setup). + +If no wired connection can be found, then the device will attempt to set up a wireless connection, and will display the [Network setup page](#network-setup). + +## Network setup page + + +If your device does not detect a wired connection that it can use to connect to a network or the Internet, you will see this page. Here you can either connect to a wireless network, or skip making the network connection. + +![](images/setupnetworksetup-1.png) + +### Details + +This screen is shown only if the device fails to detect a wired network. If you see this screen, you have three choices: + +- You can select one of the wireless networks shown. If the network is secured, you'll be taken to a login page. See [Wireless network setup](#wireless) for details. +- Click **Skip this step** to skip connecting to a network. You'll be taken to the [Set up for you page](#set-up-for-you). + **Note**  If you skip this, the device will not have a network connection, and nothing that requires a network connection will work on your Surface Hub, including system updates and email and calendar synchronization. You can connect to a wireless network later using Settings (see [Wireless network managment](wireless-network-management-for-surface-hub.md)). + +   + +- You can plug in a network cable while this screen is visible. The device will detect it, and will add **Next** to the screen. Click **Next** to continue with making the wired connection. + +### What happens? + +If the device has a wired connection when it starts, and can establish a network or Internet connection, then this page will not be displayed. If you want to connect the device to a wireless connection, make sure no Ethernet cable is plugged in at first run, which will bring you to this screen. No matter what you choose to set up now, you can [use Settings](wireless-network-management-for-surface-hub.md) to set up different connections later. + +If you want to connect to a secured wireless network from this page, click on the network of your choice, and then provide the necessary information (password or account credentials) to connect. See [Wireless network setup](#wireless). + +## Wireless network setup + + +This page will be shown when you've selected a secured wireless network. + +![](images/setupnetworksetup-3.png) + +### Details + +- **User name:** Enter the user name for the selected wireless network. +- **Password:** This is the password for the network. + +### What happens? + +The device will attempt to connect to the specified network. If it's successful, you'll be taken to the [Set up for you page](#set-up-for-you). + +## Network proxy setup + + +This page will be shown when the device detects a wired connection with limited connectivity. You have three options: + +- You can select a wireless network to use instead of the limited wired connection. +- You can skip connecting to a network by selecting **Skip this step**. You'll be taken to the [Set up for you page](#set-up-for-you). + **Note**  If you skip this, the device will not have a network connection, and nothing that requires a network connection will work on your Surface Hub, including things like email and calendar synchronization. You can connect to a wireless network later using Settings (see [Wireless network managment](wireless-network-management-for-surface-hub.md)). + +   + +- You can select **Enter proxy settings** which will allow you to specify how to use the network proxy. You'll be taken to the next screen. + +![](images/setupnetworksetup-2.png) + +This is the screen you'll see if you clicked **Enter proxy settings** on the previous screen. + +![](images/setupnetworksetup-4.png) + +### Details + +In order to make a network connection, you'll need to fill in either a script name, or the proxy server and port info. + +- **Proxy script:** Provide the address of a proxy script. +- **Proxy server and port:** You can provide the proxy server address and port. + +### What happens? + +When you click **Next**, the device will attempt to connect to the proxy server. If successful, you'll be taken to the [Set up for you page](#set-up-for-you). + +You can skip connecting to a network by selecting **Skip this step**. You'll be taken to the [Set up for you page](#set-up-for-you). + +**Note**  If you skip this, the device will not have a network connection, and nothing that requires a network connection will work on your Surface Hub, including things like email and calendar synchronization. You can connect to a wireless network later using Settings (see [Wireless network managment](wireless-network-management-for-surface-hub.md)). + +  + +## Set up for you page + + +This screen is purely informational, and shows which recommended settings have been enabled by default. + +![](images/setupsetupforyou.png) + +### Details + +You should read this screen and note which services have been enabled by default. All of them can be changed using the Settings app if need be, but you should be careful about the effects of doing so. For example, Cortana depends on some of these settings, and may not work if you disable them. See [Intro to Surface Hub](intro-to-surface-hub.md) for details. + +Once you're done reviewing the settings, click **Next** to go on. + +### What happens? + +The settings shown on the page have already been made, and can't be changed until after first run is completed. + +## Device account page + + +On this page, the Surface Hub will ask for credentials for the device account that you previously configured. (See [Create and test a device account](create-and-test-a-device-account-surface-hub.md).) The Surface Hub will attempt to discover various properties of the account, and may ask for more information on another page if it does not succeed. + +**Note**  This section does not cover specific errors that can happen during first run. See [Troubleshoot Surface Hub](troubleshoot-surface-hub.md) for more information on errors. + +  + +![icd options checklist](images/setupdeviceacct.png) + +### Details + +Use either a **user principal name (UPN)** or a **domain\\user name** as the account identifier in the first entry field. + +- **User principal name:** This is the UPN of the device account for this Surface Hub. If you’re using Azure Active Directory (Azure AD) or a hybrid deployment, then you must enter the UPN of the device account. +- **Domain\\user name:** This is the identity of the device account for this Surface Hub, in domain\\user name format. If you’re using an Active Directory (AD) deployment, then you must enter the account in this format. +- **Password:** Enter the device account password. + +Click **Skip setting up a device account** to skip setting up a device account. However, if you don't set up a device account, the device will not be fully integrated into your infrastructure. For example, people won't be able to: + +- See a meeting calendar on the Welcome screen +- Start a meeting from the Welcome screen +- Start a meeting using Cortana +- Email whiteboards from OneNote +- Use Skype for Business for meetings. + +If you skip setting it up now, you can add a device account later by using the Settings app. + +If you click **Skip setting up a device account**, the device will display a dialog box showing what will happen if the device doesn't have a device account. If you choose **Yes, skip this**, you will be sent to the [Name this device page](#name-this-device). + +![icd options checklist](images/setupskipdeviceacct.png) + +### What happens? + +The device will use the UPN or DOMAIN\\User name and password for the device account to do the following: + +- Check if the account exists in Active Directory (AD) or Azure Active Directory (Azure AD): + + - If a UPN was entered: the device will look for the account in Azure AD. + - If a DOMAIN\\User name was entered: the device will look for the account in AD. +- Look up the Microsoft Exchange server for the account’s mailbox. +- Look up the Session Initiation Protocol (SIP) address for the account. +- Pull the account’s display name and alias attributes. + +## Exchange server page + + +This page will only be shown if there's a problem. Typically, it means that the device account that you provided was found in Active Directory (AD) or Azure Active Directory (Azure AD), but the Exchange server for the account was not discovered. + +![icd options checklist](images/setupexchangeserver-01.png) + +### Details + +Enter the name of the Exchange server where the device account's mailbox is hosted. + +Click **Skip setting up Exchange services** to skip this step. If you do, people will not be able to: + +- See a meeting calendar on the welcome screen. +- Start a meeting from the welcome screen. +- Start a meeting using Cortana. +- Email whiteboards from OneNote. + +See [Intro to Surface Hub](intro-to-surface-hub.md) for details on setup dependencies. + +You can enable Exchange services for a device account later by using the Settings app. + +If you click **Skip setting up Exchange services**, the device will display a dialog showing what will happen. If you choose **Yes, skip this**, then Exchange services will not be set up. + +![icd options checklist](images/setupexchangeserver-02.png) + +### What happens? + +The Surface Hub will attempt to validate the device account on the Exchange server that you enter here. If the Exchange server can be reached and validates, then first run will proceed. + +If you choose to skip setting up Exchange services, the Surface Hub will stop looking for the Exchange server, and no Exchange services (mail and calendar) will be enabled. + +## Exchange policies page + + +This page will be shown when: + +- The device account is using an Exchange Active Sync (EAS) policy where the PasswordEnabled policy is set to 1. +- There’s no connection to Exchange. +- Exchange returns a status code indicating an error. (For example: The account has been provisioned to too many devices.) +- Exchange supported protocols are not supported by the Surface Hub. +- Exchange returns incorrect XML. + +![icd options checklist](images/setupexchangepolicies.png) + +### Details + +This page is purely informational, so no input is required. However, you have two options for proceeding: either skipping ahead or retrying the validation that caused the error. Before deciding which option is best, please read the following **What happens?** section. You may be able to fix the problem elsewhere before you click on one of the options. + +- **Click here to continue using unsupported policies**: click on this to continue first run. The Surface Hub will not be able to use Exchange services, or sync. +- **Retry**: check the policy on the Exchange server again. + +### What happens? + +The Surface Hub checks whether the device account’s EAS policy has the PasswordEnabled policy set to 0 (False). If this is not the case, mail and calendar can't be synced and the Surface Hub can't use any Exchange services. You can use your Exchange management tools from a PC to check that the device account has the PasswordEnabled policy set to 0. If that's not the case, you can reconfigure the account and click **Retry** here. + +If the policy has already been configured properly, check that your device is properly connected to the network or Internet, and can reach your Exchange server, because this page will also be shown if the Surface Hub can't reach the Exchange server. + +Another possible reason for not being able to reach Exchange is because of certificate-based authentication. You may wind up on this page because of certificate issues. Note that if the device displays error codes 0x80072F0D or 0X800C0019, then a certificate is required. Because provisioning is done on the first page of the first run process, you must disable Exchange services by clicking **Click here to continue using unsupported policies**, and then install the correct certificates through the Settings app. + +If you choose to skip this check, the Surface Hub will stop looking for the Exchange server and validating EAS policies, and no Exchange services will be enabled. See [Intro to Surface Hub](intro-to-surface-hub.md) for details on setup dependencies. + +## Name this device page + + +This page asks you to provide two names that will be used for identifying the Surface Hub. + +![icd options checklist](images/setupnamedevice.png) + +### Details + +If the default values shown are correct, then you can click **Next** to go on. Otherwise, enter data in one or both of the text boxes. + +- **Friendly name:** This is the name that people will see when they want to wirelessly connect to the Surface Hub. +- **Device name:** Can be set to any unique name as described on the screen. + +As long as both names are within the length requirements and do not use restricted characters, clicking **Next** will take you to the next page, [Set up admins for this device](#setup-admins). + +### What happens? + +The Surface Hub requires two names for the device, which will default to: + +- **Friendly name:** Defaults to the Display Name of the device account +- **Device name:** Defaults to the alias of the device account + +While either of the names can be changed later, keep in mind that: + +- The friendly name should be recognizable and different so that people can distinguish one Surface Hub from another when trying to wirelessly connect. +- If you decide to domain join the device, the device name must not be the same as any other device on the account’s Active Directory domain. The device can't join the domain if it is using the same name as another domain-joined device. + +## Set up admins for this device page + + +On this page, you will choose from several options for how you want to set up admin accounts to locally manage your device. + +Because every Surface Hub can be used by any number of authenticated employees, settings are locked down so that they can't change from session to session. Only admins can configure the settings on the device, and on this page, you’ll choose which type of admins have that privilege. + +**Note**  The purpose of this page is primarily to determine who can configure the device from the device’s UI; that is, who can actually visit a device, log in, open up the Settings app, and make changes to the Settings. + +  + +![icd options checklist](images/setupsetupadmins.png) + +### Details + +Choose one of the three available options: + +- **Use Microsoft Azure Active Directory** +- **Use Active Directory Domain Services** +- **Use a local admin** + +### What happens? + +This is what happens when you choose an option. + +- **Use Microsoft Azure Active Directory** + + Clicking this option allows you to join the device to Azure AD. Once you click **Next**, the device will restart to apply some settings, and then you’ll be taken to the [Use Microsoft Azure Active Directory](#use-microsoft-azure) page and asked to enter credentials that can allow you to join Azure AD. After joining, admins from the joined organization will be able to use the Settings app. The specific people that will be allowed depends on your Azure AD subscription and how you’ve configured the settings for your Azure AD organization. + +- **Use Active Directory Domain Services** + + Click this option to join the device to AD. Once you click **Next**, you’ll be taken to the [Use Active Directory Domain Services](#use-active-directory) page and asked to enter credentials that allow you to join the specified domain. After joining, you can pick a security group from the joined domain, and people from that security group will be able to use the Settings app. + +- **Use a local admin** + + Choosing this option will allow you to create a single local admin. This admin won’t be backed by any directory service, so we recommend you only choose this case if the device does not have access to Azure AD or AD. Once you create an admin’s user name and password on the [Use a local admin](#use-a-local-admin) page, you will need to re-enter those same credentials whenever you open the Settings app. + + Note that a local admin must have physical access to the Surface Hub to log in. + +**Note**  After you finish this process, you won't be able to change the device's admin option unless you reset the device. + +  + +### Use Microsoft Azure Active Directory + +If you've decided to join your Surface Hub to Azure Active Directory (Azure AD), you'll see this **What happens next** page. Read it and click **Next** to go to the **Let's get you signed in page**. + +Joining Azure AD has two primary benefits: + +1. Some employees from your organization will be able to access the device as admins, and will be able to start the Settings app and configure the device. People that have admin permissions will be defined in your Azure AD subscription. +2. If your Azure AD is connected to a mobile device management (MDM) solution, the device will enroll with that MDM solution so you can apply policies and configuration. + +![](images/setupjoiningazuread-1.png) + +### Details + +The following input is required: + +- **User's UPN:** The user principal name (UPN) of an account that can join Azure AD. +- **Password:** The password of the account you’re using to join Azure AD. + +![](images/setupjoiningazuread-2.png) + +If you get to this point and don't have valid credentials for an Azure AD account, the device will allow you to continue by creating a local admin account. Click **Set up Windows with a local account instead**. + +![](images/setupjoiningazuread-3.png) + +### What happens? + +Once you enter valid Azure AD account credentials, the device will try to join the associated Azure AD organization. If this succeeds, then the device will provision employees in that organization to be local admins on the device. If your Azure AD tenant was configured for it, the device will also enroll into MDM. + +### Use Active Directory Domain Services + +This page will ask for credentials to join a domain so that the Surface Hub can provision a security group as administrators of the device. + +Once the device has been domain joined, you must specify a security group from the domain you joined. This security group will be provisioned as administrators on the Surface Hub, and anyone from the security group can enter their domain credentials to access Settings. + +![icd options checklist](images/setupdomainjoin.png) + +### Details + +The following input is required: + +- **Domain:** This is the fully qualified domain name (FQDN) of the domain that you want to join. A security group from this domain can be used to manage the device. +- **User name:** The user name of an account that has sufficient permission to join the specified domain. +- **Password:** The password for the account. + +After the credentials are verified, you will be asked to type a security group name. This input is required. + +![icd options checklist](images/setupsecuritygroup-1.png) + +### What happens? + +Using the provided domain, account credentials from the [Use Active Directory Domain Services page](#use-active-directory) and the device name from the [Name this device](#name-this-device) page, the Surface Hub will attempt to join the domain. If the join is successful, first run will continue, and will ask for a security group. If the join is not successful, first run will halt and ask you to change the information provided. + +If the join is successful, you'll see the **Enter a security group** page. When you click the **Select** button on this page, the device will search for the specified security group on your domain. If found, the group will be verified. Click **Finish** to complete the first run process. + +**Note**  If you domain join the Surface Hub, you can't unjoin the device without resetting it. + +  + +### Use a local admin + +If you decide not to use Azure Active Directory (Azure AD) or Active Directory (AD) to manage the Surface Hub, you'll need to create a local admin account. + +![](images/setuplocaladmin.png) + +### Details + +The following input is required: + +- **User name:** This is the user name of the local admin account that will be created for this Surface Hub. +- **Password:** This is the password of the device account. +- **Re-enter password:** Verifying the password as in the previous box. + +### What happens? + +This page will attempt to create a new admin account using the credentials that you enter here. If it's successful, then first run will end. If not, you'll be asked for different credentials. + +## Update the Surface Hub + + +**Important**  Before you do the updates, make sure you read [Save your BitLocker key](save-bitlocker-key-surface-hub.md) in order to make sure you have a backup of the key. + +  + +In order to get the latest features and fixes, you should update your Surface Hub as soon as you finish all of the preceding first-run steps. + +1. Make sure the device has access to the Windows Update servers or to Windows Server Update Services (WSUS). To configure WSUS, see [Using WSUS](manage-windows-updates-for-surface-hub.md#using-wsus). +2. Open Settings, click **Update & security**, then **Windows Update**, and then click **Check for updates**. +3. If updates are available, they will be downloaded. Once downloading is complete, click the **Update now** button to install the updates. +4. Follow the onscreen prompts after the updates are installed. You may need to restart the device. + +  + +  + + + + + diff --git a/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md b/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md new file mode 100644 index 0000000000..5a5b929a2f --- /dev/null +++ b/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md @@ -0,0 +1,311 @@ +--- +title: Hybrid deployment (Surface Hub) +description: A hybrid deployment requires special processing in order to set up a device account for your Microsoft Surface Hub. +ms.assetid: 7BFBB7BE-F587-422E-9CE4-C9DDF829E4F1 +keywords: ["hybrid deployment", "device account for Surface Hub", "Exchange hosted on-prem", "Exchange hosted online"] +author: TrudyHa +--- + +# Hybrid deployment (Surface Hub) +A hybrid deployment requires special processing in order to set up a device account for your Microsoft Surface Hub. If you’re using a hybrid deployment, in which your organization has a mix of services, with some hosted on-premises and some hosted online, then your configuration will depend on where each service is hosted. This topic covers hybrid deployments for [Exchange hosted on-prem](#hybrid-exchange-on-prem), and [Exchange hosted online](#hybrid-exchange-online). Because there are so many different variations in this type of deployment, it's not possible to provide detailed instructions for all of them. The following process will work for many configurations. If the process isn't right for your setup, we recommend that you use ps1 (see [Appendix: PowerShell](appendix-a-powershell-scripts-for-surface-hub.md)) to achieve the same end result as documented here, and for other deployment options. You should then use the provided ps1 script to verify your Surface Hub setup. (See [Account Verification Script](appendix-a-powershell-scripts-for-surface-hub.md#acct-verification-ps-scripts).) + +## Exchange on-prem +Use this procedure if you use Exchange on-prem. + +1. For this procedure, you'll be using AD admin tools to add an email address for your on-prem domain account. This account will be synced to Office 365. + + - In **Active Directory Users and Computers** AD tool, right-click on the folder or Organizational Unit that your Surface Hub accounts will be created in, click **New**, and **User**. + - Type the display name from the previous cmdlet into the **Full name** box, and the alias into the **User logon name** box. Click **Next**.

+ + ![new object box for creating a new user in active directory](images/hybriddeployment-01a.png) + + - Type the password for this account. You'll need to retype it for verification. Make sure the **Password never expires** checkbox is the only option selected. + + **Important**
Selecting **Password never expires** is a requirement for Skype for Business on the Surface Hub. Your domain rules may prohibit passwords that don't expire. If so, you'll need to create an exception for each Surface Hub device account. + + ![image showing password dialog box](images/hybriddeployment-02a.png) + + - Click **Finish** to create the account. + + ![image with account name, logon name, and password options for new user](images/hybriddeployment-03a.png) + +2. After you've created the account, run a directory synchronization. When it's complete, go to the users page in your Office 365 admin center and verify that the account created in the previous steps has merged to online. + +3. Enable the remote mailbox. + + Open your on-prem Exchange Management Shell with administrator permissions, and run this cmdlet. + + ```ps1 + Enable-Mailbox 'HUB01@contoso.com' -RemoteRoutingAddress 'HUB01@contoso.com' -Room + ``` + +5. Connect to Microsoft Exchange Online and set some properties for the account in Office 365. + + Start a remote ps1 session on a PC and connect to Microsoft Exchange. Be sure you have the right permissions set to run the associated cmdlets. + + The next steps will be run on your Office 365 tenant. + + ```ps1 + Set-ExecutionPolicy Unrestricted + $org='contoso.com' + $cred=Get-Credential $admin@$org + $sess= New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri 'https://outlook.office365.com/ps1-liveid/' -Credential $cred -Authentication Basic -AllowRedirection + Import-PSSession $sess + ``` + +5. Create a new Exchange ActiveSync policy, or use a compatible existing policy. + + Surface Hubs are only compatible with device accounts that have an ActiveSync policy where the **PasswordEnabled** property is set to False. If this isn’t set properly, then Exchange services on the Surface Hub (mail, calendar, and joining meetings), will not be enabled. + + If you haven’t created a compatible policy yet, use the following cmdlet—this one creates a policy called "Surface Hubs". Once it’s created, you can apply the same policy to other device accounts. + + ```ps1 + $easPolicy = New-MobileDeviceMailboxPolicy -Name “SurfaceHubs” -PasswordEnabled $false + ``` + + Once you have a compatible policy, then you will need to apply the policy to the device account. + + ```ps1 + Set-CASMailbox 'HUB01@contoso.com' -ActiveSyncMailboxPolicy $easPolicy + ``` + +6. Set Exchange properties. + + Setting Exchange properties on the device account to improve the meeting experience. You can see which properties need to be set in the [Exchange properties](exchange-properties-for-surface-hub-device-accounts.md) section. + + ```ps1 + Set-CalendarProcessing -Identity 'HUB01@contoso.com' -AutomateProcessing AutoAccept -AddOrganizerToSubject $false –AllowConflicts $false –DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false + Set-CalendarProcessing -Identity 'HUB01@contoso.com' -AddAdditionalResponse $true -AdditionalResponse 'This is a Surface Hub room!' + ``` + +7. Connect to Azure AD. + + You need to connect to Azure AD to apply some account settings. You can run this cmdlet to connect. + + ```ps1 + Connect-MsolService -Credential $cred + ``` + +8. Assign an Office 365 license. + + The device account needs to have a valid Office 365 (O365) license, or Exchange and Skype for Business will not work. If you have the license, you need to assign a usage location to your device account—this determines what license SKUs are available for your account. + + Next, you can use `Get-MsolAccountSku` to retrieve a list of available SKUs for your O365 tenant. + + Once you list out the SKUs, you can add a license using the `Set-MsolUserLicense` cmdlet. In this case, `$strLicense` is the SKU code that you see (for example, *contoso:STANDARDPACK*). + + ```ps1 + Set-MsolUser -UserPrincipalName 'HUB01@contoso.com' -UsageLocation 'US' + Get-MsolAccountSku + Set-MsolUserLicense -UserPrincipalName 'HUB01@contoso.com' -AddLicenses $strLicense + ``` + +9. Enable the device account with Skype for Business. + + In order to enable Skype for Business, your environment will need to meet the following prerequisites: + - You'll need to have Lync Online (Plan 2) or higher in your O365 plan. The plan needs to support conferencing capability. + + - If you need Enterprise Voice (PSTN telephony) using telephony service providers for the Surface Hub, you need Lync Online (Plan 3). + + - Your tenant users must have Exchange mailboxes. + + - Your Surface Hub account does require a Lync Online (Plan 2) or Lync Online (Plan 3) license, but it does not require an Exchange Online license. + + - Start by creating a remote ps1 session from a PC. + + ```ps1 + Import-Module LyncOnlineConnector + $cssess=New-CsOnlineSession -Credential $cred + Import-PSSession $cssess -AllowClobber + ``` + + - To enable your Surface Hub account for Skype for Business Server, run this cmdlet: + + ```ps1 + Enable-CsMeetingRoom -Identity $rm -RegistrarPool + 'sippoolbl20a04.infra.lync.com' -SipAddressType EmailAddress + ``` + + If you aren't sure what value to use for the `RegistrarPool` parameter in your environment, you can get the value from an existing Skype for Business user using this cmdlet: + + ```ps1 + Get-CsOnlineUser -Identity ‘alice@contoso.com’| fl *registrarpool* + ``` + +10. Assign Skype for Business license to your Surface Hub account. + + Once you've completed the preceding steps to enable your Surface Hub account in Skype for Business Online, you need to assign a license to the Surface Hub. Using the O365 administrative portal, assign either a Skype for Business Online (Plan 2) or a Skype for Business Online (Plan 3) to the device. + - Login as a tenant administrator, open the O365 Administrative Portal, and click on the Admin app. + + - Click on **Users and Groups** and then **Add users, reset passwords, and more**. + + - Click the Surface Hub account, and then click the pen icon to edit the account information. + + - Click **Licenses**. + + - In **Assign licenses**, select Skype for Business (Plan 2) or Skype for Business (Plan 3), depending on your licensing and Enterprise Voice requirements. You'll have to use a Plan 3 license if you want to use Enterprise Voice on your Surface Hub. + + - Click **Save**. + + **Note**
You can also use the Windows Azure Active Directory Module for Windows Powershell to run the cmdlets needed to assign one of these licenses, but that's not covered here. + +For validation, you should be able to use any Skype for Business client (PC, Android, etc) to log in to this account. + +## Exchange online +Use this procedure if you use Exchange online. + +1. Create an email account in Office 365. + + Start a remote ps1 session on a PC and connect to Exchange. Be sure you have the right permissions set to run the associated cmdlets. + + ```ps1 + Set-ExecutionPolicy Unrestricted + $org='contoso.microsoft.com + $cred=Get-Credential $admin@$org + $sess= New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/ps1-liveid/ -Credential $cred -Authentication Basic -AllowRedirection + Import-PSSession $sess + ``` + +2. Set up mailbox. + + After establishing a session, you’ll either create a new mailbox and enable it as a RoomMailboxAccount, or change the settings for an existing room mailbox. This will allow the account to authenticate into the Surface Hub. + + If you're changing an existing resource mailbox: + + ```ps1 + Set-Mailbox -Identity 'HUB01' -EnableRoomMailboxAccount $true -RoomMailboxPassword (ConvertTo-SecureString -String -AsPlainText -Force) + ``` + + If you’re creating a new resource mailbox: + + ```ps1 + New-Mailbox -MicrosoftOnlineServicesID 'HUB01@contoso.com' -Alias HUB01 -Name "Hub-01" -Room -EnableRoomMailboxAccount $true -RoomMailboxPassword (ConvertTo-SecureString -String -AsPlainText -Force) + ``` + +3. Create Exchange ActiveSync policy. + + After setting up the mailbox, you will need to either create a new Exchange ActiveSync policy, or use a compatible existing policy. + + Surface Hubs are only compatible with device accounts that have an ActiveSync policy where the **PasswordEnabled** property is set to False. If this isn’t set properly, then Exchange services on the Surface Hub (mail, calendar, and joining meetings), will not be enabled. + + If you haven’t created a compatible policy yet, use the following cmdlet—this one creates a policy called "Surface Hubs". Once it’s created, you can apply the same policy to other device accounts. + + ```ps1 + $easPolicy = New-MobileDeviceMailboxPolicy -Name “SurfaceHubs” -PasswordEnabled $false + ``` + + Once you have a compatible policy, then you will need to apply the policy to the device account. However, policies can only be applied to user accounts and not resource mailboxes. You need to convert the mailbox into a user type, apply the policy, and then convert it back into a mailbox—you may need to re-enable it and set the password again too. + + ```ps1 + Set-Mailbox $acctUpn -Type Regular + Set-CASMailbox 'HUB01@contoso.com' -ActiveSyncMailboxPolicy $easPolicy + Set-Mailbox 'HUB01@contoso.com' -Type Room + Set-Mailbox 'HUB01@contoso.com' -RoomMailboxPassword $credNewAccount.Password -EnableRoomMailboxAccount $true + ``` + +4. Set Exchange properties. + + Various Exchange properties must be set on the device account to improve the meeting experience. You can see which properties need to be set in the [Exchange properties](exchange-properties-for-surface-hub-device-accounts.md) section. + + ```ps1 + Set-CalendarProcessing -Identity 'HUB01@contoso.com' -AutomateProcessing AutoAccept -AddOrganizerToSubject $false –AllowConflicts $false –DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false + Set-CalendarProcessing -Identity 'HUB01@contoso.com' -AddAdditionalResponse $true -AdditionalResponse "This is a Surface Hub room!" + ``` + +5. Add email address for your on-prem domain account. + + For this procedure, you'll be using AD admin tools to add an email address for your on-prem domain account. + + - In **Active Directory Users and Computers** AD tool, right-click on the folder or Organizational Unit that your Surface Hub accounts will be created in, click **New**, and **User**. + - Type the display name from the previous cmdlet into the **Full name** box, and the alias into the **User logon name** box. Click **Next**. + + ![new object box for creating a new user in active directory](images/hybriddeployment-01a.png) + + - Type the password for this account. You'll need to retype it for verification. Make sure the **Password never expires** checkbox is the only option selected. + + **Important**
Selecting **Password never expires** is a requirement for Skype for Business on the Surface Hub. Your domain rules may prohibit passwords that don't expire. If so, you'll need to create an exception for each Surface Hub device account. + + ![image showing password dialog box](images/hybriddeployment-02a.png) + + - Click **Finish** to create the account. + + ![image with account name, logon name, and password options for new user](images/hybriddeployment-03a.png) + +6. Directory synchronization. + + After you've created the account, run a directory synchronization. When it's complete, go to the users page and verify that the two accounts created in the previous steps have merged. + +7. Connect to Azure AD. + + You need to connect to Azure AD to apply some account settings. You can run this cmdlet to connect. + + ```ps1 + Connect-MsolService -Credential $cred + ``` + +8. Assign an Office 365 license. + + The device account needs to have a valid Office 365 (O365) license, or Exchange and Skype for Business will not work. If you have the license, you need to assign a usage location to your device account—this determines what license SKUs are available for your account. + + Next, you can use `Get-MsolAccountSku` to retrieve a list of available SKUs for your O365 tenant. + + Once you list out the SKUs, you can add a license using the `Set-MsolUserLicense` cmdlet. In this case, `$strLicense` is the SKU code that you see (for example, *contoso:STANDARDPACK*). + + ```ps1 + Set-MsolUser -UserPrincipalName 'HUB01@contoso.com' -UsageLocation 'US' + Get-MsolAccountSku + Set-MsolUserLicense -UserPrincipalName 'HUB01@contoso.com' -AddLicenses $strLicense + ``` + +9. Enable the device account with Skype for Business. + + In order to enable Skype for Business, your environment will need to meet the following prerequisites: + + - You'll need to have Lync Online (Plan 2) or higher in your O365 plan. The plan needs to support conferencing capability. + + - If you need Enterprise Voice (PSTN telephony) using telephony service providers for the Surface Hub, you need Lync Online (Plan 3). + + - Your tenant users must have Exchange mailboxes. + + - Your Surface Hub account does require a Lync Online (Plan 2) or Lync Online (Plan 3) license, but it does not require an Exchange Online license. + + Start by creating a remote ps1 session from a PC. + + ```ps1 + Import-Module LyncOnlineConnector + $cssess=New-CsOnlineSession -Credential $cred + Import-PSSession $cssess -AllowClobber + ``` + + To enable your Surface Hub account for Skype for Business Server, run this cmdlet: + + ```ps1 + Enable-CsMeetingRoom -Identity $rm -RegistrarPool + 'sippoolbl20a04.infra.lync.com' -SipAddressType EmailAddress + ``` + + If you aren't sure what value to use for the `RegistrarPool` parameter in your environment, you can get the value from an existing Skype for Business user using this cmdlet: + + ```ps1 + Get-CsOnlineUser -Identity ‘alice@contoso.com’| fl *registrarpool* + ``` + +10. Assign Skype for Business license to your Surface Hub account + + Once you've completed the preceding steps to enable your Surface Hub account in Skype for Business Online, you need to assign a license to the Surface Hub. Using the O365 administrative portal, assign either a Skype for Business Online (Plan 2) or a Skype for Business Online (Plan 3) to the device. + + - Login as a tenant administrator, open the O365 Administrative Portal, and click on the Admin app. + + - Click on **Users and Groups** and then **Add users, reset passwords, and more**. + + - Click the Surface Hub account, and then click the pen icon to edit the account information. + + - Click **Licenses**. + + - In **Assign licenses**, select Skype for Business (Plan 2) or Skype for Business (Plan 3), depending on your licensing and Enterprise Voice requirements. You'll have to use a Plan 3 license if you want to use Enterprise Voice on your Surface Hub. + + - Click **Save**. + + **Note**
You can also use the Windows Azure Active Directory Module for Windows PowerShell to run the cmdlets needed to assign one of these licenses, but that's not covered here. + +For validation, you should be able to use any Skype for Business client (PC, Android, etc) to log in to this account. \ No newline at end of file diff --git a/devices/surface-hub/images/deploymentoptions-01.png b/devices/surface-hub/images/deploymentoptions-01.png new file mode 100644 index 0000000000..05a5eb45c6 Binary files /dev/null and b/devices/surface-hub/images/deploymentoptions-01.png differ diff --git a/devices/surface-hub/images/hybriddeployment-01a.png b/devices/surface-hub/images/hybriddeployment-01a.png new file mode 100644 index 0000000000..9eb84f777f Binary files /dev/null and b/devices/surface-hub/images/hybriddeployment-01a.png differ diff --git a/devices/surface-hub/images/hybriddeployment-02a.png b/devices/surface-hub/images/hybriddeployment-02a.png new file mode 100644 index 0000000000..85229d2d0d Binary files /dev/null and b/devices/surface-hub/images/hybriddeployment-02a.png differ diff --git a/devices/surface-hub/images/hybriddeployment-03a.png b/devices/surface-hub/images/hybriddeployment-03a.png new file mode 100644 index 0000000000..42cd08d900 Binary files /dev/null and b/devices/surface-hub/images/hybriddeployment-03a.png differ diff --git a/devices/surface-hub/images/idcfeatureschecklist.png b/devices/surface-hub/images/idcfeatureschecklist.png new file mode 100644 index 0000000000..a58d20fcb2 Binary files /dev/null and b/devices/surface-hub/images/idcfeatureschecklist.png differ diff --git a/devices/surface-hub/images/managesettingsmdm-enroll.png b/devices/surface-hub/images/managesettingsmdm-enroll.png new file mode 100644 index 0000000000..fe33277b4e Binary files /dev/null and b/devices/surface-hub/images/managesettingsmdm-enroll.png differ diff --git a/devices/surface-hub/images/networkmgtwired-01.png b/devices/surface-hub/images/networkmgtwired-01.png new file mode 100644 index 0000000000..bbf7930292 Binary files /dev/null and b/devices/surface-hub/images/networkmgtwired-01.png differ diff --git a/devices/surface-hub/images/networkmgtwired-02.png b/devices/surface-hub/images/networkmgtwired-02.png new file mode 100644 index 0000000000..1ab3eddb4e Binary files /dev/null and b/devices/surface-hub/images/networkmgtwired-02.png differ diff --git a/devices/surface-hub/images/networkmgtwireless-01.png b/devices/surface-hub/images/networkmgtwireless-01.png new file mode 100644 index 0000000000..5fadeb5d48 Binary files /dev/null and b/devices/surface-hub/images/networkmgtwireless-01.png differ diff --git a/devices/surface-hub/images/networkmgtwireless-02.png b/devices/surface-hub/images/networkmgtwireless-02.png new file mode 100644 index 0000000000..8f8f84602a Binary files /dev/null and b/devices/surface-hub/images/networkmgtwireless-02.png differ diff --git a/devices/surface-hub/images/networkmgtwireless-03.png b/devices/surface-hub/images/networkmgtwireless-03.png new file mode 100644 index 0000000000..33954daf1a Binary files /dev/null and b/devices/surface-hub/images/networkmgtwireless-03.png differ diff --git a/devices/surface-hub/images/networkmgtwireless-04.png b/devices/surface-hub/images/networkmgtwireless-04.png new file mode 100644 index 0000000000..9fb5a315e3 Binary files /dev/null and b/devices/surface-hub/images/networkmgtwireless-04.png differ diff --git a/devices/surface-hub/images/provisioningpackageoobe-01.png b/devices/surface-hub/images/provisioningpackageoobe-01.png new file mode 100644 index 0000000000..72774987c7 Binary files /dev/null and b/devices/surface-hub/images/provisioningpackageoobe-01.png differ diff --git a/devices/surface-hub/images/provisioningpackageoobe-02.png b/devices/surface-hub/images/provisioningpackageoobe-02.png new file mode 100644 index 0000000000..43d283a316 Binary files /dev/null and b/devices/surface-hub/images/provisioningpackageoobe-02.png differ diff --git a/devices/surface-hub/images/provisioningpackageoobe-03.png b/devices/surface-hub/images/provisioningpackageoobe-03.png new file mode 100644 index 0000000000..84b037292f Binary files /dev/null and b/devices/surface-hub/images/provisioningpackageoobe-03.png differ diff --git a/devices/surface-hub/images/provisioningpackageoobe-04.png b/devices/surface-hub/images/provisioningpackageoobe-04.png new file mode 100644 index 0000000000..9c854e8084 Binary files /dev/null and b/devices/surface-hub/images/provisioningpackageoobe-04.png differ diff --git a/devices/surface-hub/images/provisioningpackagesettings-01.png b/devices/surface-hub/images/provisioningpackagesettings-01.png new file mode 100644 index 0000000000..b42614c566 Binary files /dev/null and b/devices/surface-hub/images/provisioningpackagesettings-01.png differ diff --git a/devices/surface-hub/images/provisioningpackagesettings-02.png b/devices/surface-hub/images/provisioningpackagesettings-02.png new file mode 100644 index 0000000000..f6cae68e8b Binary files /dev/null and b/devices/surface-hub/images/provisioningpackagesettings-02.png differ diff --git a/devices/surface-hub/images/provisioningpackagesettings-03.png b/devices/surface-hub/images/provisioningpackagesettings-03.png new file mode 100644 index 0000000000..e4538d7368 Binary files /dev/null and b/devices/surface-hub/images/provisioningpackagesettings-03.png differ diff --git a/devices/surface-hub/images/roomcontrolwiring.png b/devices/surface-hub/images/roomcontrolwiring.png new file mode 100644 index 0000000000..78da10ce77 Binary files /dev/null and b/devices/surface-hub/images/roomcontrolwiring.png differ diff --git a/devices/surface-hub/images/setupdeviceacct.png b/devices/surface-hub/images/setupdeviceacct.png new file mode 100644 index 0000000000..8eefaa51f7 Binary files /dev/null and b/devices/surface-hub/images/setupdeviceacct.png differ diff --git a/devices/surface-hub/images/setupdeviceacctexch-01.png b/devices/surface-hub/images/setupdeviceacctexch-01.png new file mode 100644 index 0000000000..10710fa4ca Binary files /dev/null and b/devices/surface-hub/images/setupdeviceacctexch-01.png differ diff --git a/devices/surface-hub/images/setupdeviceacctexch-02.png b/devices/surface-hub/images/setupdeviceacctexch-02.png new file mode 100644 index 0000000000..b55cb6b87e Binary files /dev/null and b/devices/surface-hub/images/setupdeviceacctexch-02.png differ diff --git a/devices/surface-hub/images/setupdeviceacctexch-03.png b/devices/surface-hub/images/setupdeviceacctexch-03.png new file mode 100644 index 0000000000..4f15b6e025 Binary files /dev/null and b/devices/surface-hub/images/setupdeviceacctexch-03.png differ diff --git a/devices/surface-hub/images/setupdeviceacctexch-05.png b/devices/surface-hub/images/setupdeviceacctexch-05.png new file mode 100644 index 0000000000..40dced3c01 Binary files /dev/null and b/devices/surface-hub/images/setupdeviceacctexch-05.png differ diff --git a/devices/surface-hub/images/setupdeviceacctexch-06.png b/devices/surface-hub/images/setupdeviceacctexch-06.png new file mode 100644 index 0000000000..f4f1686037 Binary files /dev/null and b/devices/surface-hub/images/setupdeviceacctexch-06.png differ diff --git a/devices/surface-hub/images/setupdeviceacctexch-07.png b/devices/surface-hub/images/setupdeviceacctexch-07.png new file mode 100644 index 0000000000..aebb0ae29e Binary files /dev/null and b/devices/surface-hub/images/setupdeviceacctexch-07.png differ diff --git a/devices/surface-hub/images/setupdeviceacctexch-08.png b/devices/surface-hub/images/setupdeviceacctexch-08.png new file mode 100644 index 0000000000..85c013f98d Binary files /dev/null and b/devices/surface-hub/images/setupdeviceacctexch-08.png differ diff --git a/devices/surface-hub/images/setupdeviceacctexch-09.png b/devices/surface-hub/images/setupdeviceacctexch-09.png new file mode 100644 index 0000000000..f36fb9817c Binary files /dev/null and b/devices/surface-hub/images/setupdeviceacctexch-09.png differ diff --git a/devices/surface-hub/images/setupdeviceacctexch-10.png b/devices/surface-hub/images/setupdeviceacctexch-10.png new file mode 100644 index 0000000000..4a5d1aaee4 Binary files /dev/null and b/devices/surface-hub/images/setupdeviceacctexch-10.png differ diff --git a/devices/surface-hub/images/setupdeviceacctexch-11.png b/devices/surface-hub/images/setupdeviceacctexch-11.png new file mode 100644 index 0000000000..03d320cd55 Binary files /dev/null and b/devices/surface-hub/images/setupdeviceacctexch-11.png differ diff --git a/devices/surface-hub/images/setupdeviceaccto365-02.png b/devices/surface-hub/images/setupdeviceaccto365-02.png new file mode 100644 index 0000000000..e0694bac42 Binary files /dev/null and b/devices/surface-hub/images/setupdeviceaccto365-02.png differ diff --git a/devices/surface-hub/images/setupdeviceaccto365-03.png b/devices/surface-hub/images/setupdeviceaccto365-03.png new file mode 100644 index 0000000000..f93f0f1594 Binary files /dev/null and b/devices/surface-hub/images/setupdeviceaccto365-03.png differ diff --git a/devices/surface-hub/images/setupdeviceaccto365-04.png b/devices/surface-hub/images/setupdeviceaccto365-04.png new file mode 100644 index 0000000000..8484394faa Binary files /dev/null and b/devices/surface-hub/images/setupdeviceaccto365-04.png differ diff --git a/devices/surface-hub/images/setupdeviceaccto365-05.png b/devices/surface-hub/images/setupdeviceaccto365-05.png new file mode 100644 index 0000000000..51150e3bcb Binary files /dev/null and b/devices/surface-hub/images/setupdeviceaccto365-05.png differ diff --git a/devices/surface-hub/images/setupdeviceaccto365-06.png b/devices/surface-hub/images/setupdeviceaccto365-06.png new file mode 100644 index 0000000000..3f6567feca Binary files /dev/null and b/devices/surface-hub/images/setupdeviceaccto365-06.png differ diff --git a/devices/surface-hub/images/setupdeviceaccto365-07.png b/devices/surface-hub/images/setupdeviceaccto365-07.png new file mode 100644 index 0000000000..4b4bebff94 Binary files /dev/null and b/devices/surface-hub/images/setupdeviceaccto365-07.png differ diff --git a/devices/surface-hub/images/setupdeviceaccto365-08.png b/devices/surface-hub/images/setupdeviceaccto365-08.png new file mode 100644 index 0000000000..e174c7d54c Binary files /dev/null and b/devices/surface-hub/images/setupdeviceaccto365-08.png differ diff --git a/devices/surface-hub/images/setupdeviceaccto365-09.png b/devices/surface-hub/images/setupdeviceaccto365-09.png new file mode 100644 index 0000000000..4820c18f0f Binary files /dev/null and b/devices/surface-hub/images/setupdeviceaccto365-09.png differ diff --git a/devices/surface-hub/images/setupdeviceaccto365-10.png b/devices/surface-hub/images/setupdeviceaccto365-10.png new file mode 100644 index 0000000000..bb461ddf8d Binary files /dev/null and b/devices/surface-hub/images/setupdeviceaccto365-10.png differ diff --git a/devices/surface-hub/images/setupdeviceaccto365-11.png b/devices/surface-hub/images/setupdeviceaccto365-11.png new file mode 100644 index 0000000000..f88d1246aa Binary files /dev/null and b/devices/surface-hub/images/setupdeviceaccto365-11.png differ diff --git a/devices/surface-hub/images/setupdeviceaccto365-12.png b/devices/surface-hub/images/setupdeviceaccto365-12.png new file mode 100644 index 0000000000..29a2fa31d3 Binary files /dev/null and b/devices/surface-hub/images/setupdeviceaccto365-12.png differ diff --git a/devices/surface-hub/images/setupdeviceaccto365-13.png b/devices/surface-hub/images/setupdeviceaccto365-13.png new file mode 100644 index 0000000000..3e079c3092 Binary files /dev/null and b/devices/surface-hub/images/setupdeviceaccto365-13.png differ diff --git a/devices/surface-hub/images/setupdeviceaccto365-14.png b/devices/surface-hub/images/setupdeviceaccto365-14.png new file mode 100644 index 0000000000..da2175f3d1 Binary files /dev/null and b/devices/surface-hub/images/setupdeviceaccto365-14.png differ diff --git a/devices/surface-hub/images/setupdeviceaccto365-15.png b/devices/surface-hub/images/setupdeviceaccto365-15.png new file mode 100644 index 0000000000..00e066f97e Binary files /dev/null and b/devices/surface-hub/images/setupdeviceaccto365-15.png differ diff --git a/devices/surface-hub/images/setupdeviceaccto365-16.png b/devices/surface-hub/images/setupdeviceaccto365-16.png new file mode 100644 index 0000000000..b6e467c72f Binary files /dev/null and b/devices/surface-hub/images/setupdeviceaccto365-16.png differ diff --git a/devices/surface-hub/images/setupdeviceaccto365-17.png b/devices/surface-hub/images/setupdeviceaccto365-17.png new file mode 100644 index 0000000000..e1501c92a1 Binary files /dev/null and b/devices/surface-hub/images/setupdeviceaccto365-17.png differ diff --git a/devices/surface-hub/images/setupdeviceaccto365-18.png b/devices/surface-hub/images/setupdeviceaccto365-18.png new file mode 100644 index 0000000000..8f1f3aba04 Binary files /dev/null and b/devices/surface-hub/images/setupdeviceaccto365-18.png differ diff --git a/devices/surface-hub/images/setupdeviceaccto365-19.png b/devices/surface-hub/images/setupdeviceaccto365-19.png new file mode 100644 index 0000000000..3e9b2a86fc Binary files /dev/null and b/devices/surface-hub/images/setupdeviceaccto365-19.png differ diff --git a/devices/surface-hub/images/setupdeviceaccto365-20.png b/devices/surface-hub/images/setupdeviceaccto365-20.png new file mode 100644 index 0000000000..210cfb54c8 Binary files /dev/null and b/devices/surface-hub/images/setupdeviceaccto365-20.png differ diff --git a/devices/surface-hub/images/setupdeviceaccto365-21.png b/devices/surface-hub/images/setupdeviceaccto365-21.png new file mode 100644 index 0000000000..6ea80e548d Binary files /dev/null and b/devices/surface-hub/images/setupdeviceaccto365-21.png differ diff --git a/devices/surface-hub/images/setupdeviceaccto365-22.png b/devices/surface-hub/images/setupdeviceaccto365-22.png new file mode 100644 index 0000000000..cacd3294ad Binary files /dev/null and b/devices/surface-hub/images/setupdeviceaccto365-22.png differ diff --git a/devices/surface-hub/images/setupdeviceaccto365-23.png b/devices/surface-hub/images/setupdeviceaccto365-23.png new file mode 100644 index 0000000000..f15727c542 Binary files /dev/null and b/devices/surface-hub/images/setupdeviceaccto365-23.png differ diff --git a/devices/surface-hub/images/setupdeviceaccto365-24.png b/devices/surface-hub/images/setupdeviceaccto365-24.png new file mode 100644 index 0000000000..a335591f17 Binary files /dev/null and b/devices/surface-hub/images/setupdeviceaccto365-24.png differ diff --git a/devices/surface-hub/images/setupdeviceaccto365-25.png b/devices/surface-hub/images/setupdeviceaccto365-25.png new file mode 100644 index 0000000000..b49e3e9066 Binary files /dev/null and b/devices/surface-hub/images/setupdeviceaccto365-25.png differ diff --git a/devices/surface-hub/images/setupdeviceaccto365-26.png b/devices/surface-hub/images/setupdeviceaccto365-26.png new file mode 100644 index 0000000000..5a2841ec32 Binary files /dev/null and b/devices/surface-hub/images/setupdeviceaccto365-26.png differ diff --git a/devices/surface-hub/images/setupdomainjoin.png b/devices/surface-hub/images/setupdomainjoin.png new file mode 100644 index 0000000000..88f74a2d30 Binary files /dev/null and b/devices/surface-hub/images/setupdomainjoin.png differ diff --git a/devices/surface-hub/images/setupexchangepolicies.png b/devices/surface-hub/images/setupexchangepolicies.png new file mode 100644 index 0000000000..63a4396364 Binary files /dev/null and b/devices/surface-hub/images/setupexchangepolicies.png differ diff --git a/devices/surface-hub/images/setupexchangeserver-01.png b/devices/surface-hub/images/setupexchangeserver-01.png new file mode 100644 index 0000000000..d70eaa91cf Binary files /dev/null and b/devices/surface-hub/images/setupexchangeserver-01.png differ diff --git a/devices/surface-hub/images/setupexchangeserver-02.png b/devices/surface-hub/images/setupexchangeserver-02.png new file mode 100644 index 0000000000..2de288fb19 Binary files /dev/null and b/devices/surface-hub/images/setupexchangeserver-02.png differ diff --git a/devices/surface-hub/images/setupjoiningazuread-1.png b/devices/surface-hub/images/setupjoiningazuread-1.png new file mode 100644 index 0000000000..4d5cc1cc3d Binary files /dev/null and b/devices/surface-hub/images/setupjoiningazuread-1.png differ diff --git a/devices/surface-hub/images/setupjoiningazuread-2.png b/devices/surface-hub/images/setupjoiningazuread-2.png new file mode 100644 index 0000000000..15c92a9413 Binary files /dev/null and b/devices/surface-hub/images/setupjoiningazuread-2.png differ diff --git a/devices/surface-hub/images/setupjoiningazuread-3.png b/devices/surface-hub/images/setupjoiningazuread-3.png new file mode 100644 index 0000000000..a3e8dcd971 Binary files /dev/null and b/devices/surface-hub/images/setupjoiningazuread-3.png differ diff --git a/devices/surface-hub/images/setuplocaladmin.png b/devices/surface-hub/images/setuplocaladmin.png new file mode 100644 index 0000000000..aa6caf16f0 Binary files /dev/null and b/devices/surface-hub/images/setuplocaladmin.png differ diff --git a/devices/surface-hub/images/setuplocale.png b/devices/surface-hub/images/setuplocale.png new file mode 100644 index 0000000000..3c0b6361b0 Binary files /dev/null and b/devices/surface-hub/images/setuplocale.png differ diff --git a/devices/surface-hub/images/setupnamedevice.png b/devices/surface-hub/images/setupnamedevice.png new file mode 100644 index 0000000000..5c09a6b786 Binary files /dev/null and b/devices/surface-hub/images/setupnamedevice.png differ diff --git a/devices/surface-hub/images/setupnetworksetup-1.png b/devices/surface-hub/images/setupnetworksetup-1.png new file mode 100644 index 0000000000..49dfbde566 Binary files /dev/null and b/devices/surface-hub/images/setupnetworksetup-1.png differ diff --git a/devices/surface-hub/images/setupnetworksetup-2.png b/devices/surface-hub/images/setupnetworksetup-2.png new file mode 100644 index 0000000000..4d96e95782 Binary files /dev/null and b/devices/surface-hub/images/setupnetworksetup-2.png differ diff --git a/devices/surface-hub/images/setupnetworksetup-3.png b/devices/surface-hub/images/setupnetworksetup-3.png new file mode 100644 index 0000000000..62d6e0a772 Binary files /dev/null and b/devices/surface-hub/images/setupnetworksetup-3.png differ diff --git a/devices/surface-hub/images/setupnetworksetup-4.png b/devices/surface-hub/images/setupnetworksetup-4.png new file mode 100644 index 0000000000..836bb208fb Binary files /dev/null and b/devices/surface-hub/images/setupnetworksetup-4.png differ diff --git a/devices/surface-hub/images/setupsecuritygroup-1.png b/devices/surface-hub/images/setupsecuritygroup-1.png new file mode 100644 index 0000000000..fb5c6f7de2 Binary files /dev/null and b/devices/surface-hub/images/setupsecuritygroup-1.png differ diff --git a/devices/surface-hub/images/setupsetupadmins.png b/devices/surface-hub/images/setupsetupadmins.png new file mode 100644 index 0000000000..3429407953 Binary files /dev/null and b/devices/surface-hub/images/setupsetupadmins.png differ diff --git a/devices/surface-hub/images/setupsetupforyou.png b/devices/surface-hub/images/setupsetupforyou.png new file mode 100644 index 0000000000..9c86134ed6 Binary files /dev/null and b/devices/surface-hub/images/setupsetupforyou.png differ diff --git a/devices/surface-hub/images/setupskipdeviceacct.png b/devices/surface-hub/images/setupskipdeviceacct.png new file mode 100644 index 0000000000..55cf72fe7f Binary files /dev/null and b/devices/surface-hub/images/setupskipdeviceacct.png differ diff --git a/devices/surface-hub/images/wicd-screen-apps-02a.png b/devices/surface-hub/images/wicd-screen-apps-02a.png new file mode 100644 index 0000000000..caf88b011e Binary files /dev/null and b/devices/surface-hub/images/wicd-screen-apps-02a.png differ diff --git a/devices/surface-hub/images/wicd-screen-apps-03a.png b/devices/surface-hub/images/wicd-screen-apps-03a.png new file mode 100644 index 0000000000..20d4218c6b Binary files /dev/null and b/devices/surface-hub/images/wicd-screen-apps-03a.png differ diff --git a/devices/surface-hub/images/wicd-screen-apps-04a.png b/devices/surface-hub/images/wicd-screen-apps-04a.png new file mode 100644 index 0000000000..494a661420 Binary files /dev/null and b/devices/surface-hub/images/wicd-screen-apps-04a.png differ diff --git a/devices/surface-hub/images/wicd-screen-apps-06a.png b/devices/surface-hub/images/wicd-screen-apps-06a.png new file mode 100644 index 0000000000..44e6e2cee7 Binary files /dev/null and b/devices/surface-hub/images/wicd-screen-apps-06a.png differ diff --git a/devices/surface-hub/images/wicd-screen-apps-08a.png b/devices/surface-hub/images/wicd-screen-apps-08a.png new file mode 100644 index 0000000000..19ce342449 Binary files /dev/null and b/devices/surface-hub/images/wicd-screen-apps-08a.png differ diff --git a/devices/surface-hub/images/wicd-screen-apps-10a.png b/devices/surface-hub/images/wicd-screen-apps-10a.png new file mode 100644 index 0000000000..820fd3efff Binary files /dev/null and b/devices/surface-hub/images/wicd-screen-apps-10a.png differ diff --git a/devices/surface-hub/images/wicd-screen-apps-11a.png b/devices/surface-hub/images/wicd-screen-apps-11a.png new file mode 100644 index 0000000000..2bf0a692ef Binary files /dev/null and b/devices/surface-hub/images/wicd-screen-apps-11a.png differ diff --git a/devices/surface-hub/images/wicd-screen-apps-12a.png b/devices/surface-hub/images/wicd-screen-apps-12a.png new file mode 100644 index 0000000000..8ab9d524f4 Binary files /dev/null and b/devices/surface-hub/images/wicd-screen-apps-12a.png differ diff --git a/devices/surface-hub/images/wicd-screen01a.png b/devices/surface-hub/images/wicd-screen01a.png new file mode 100644 index 0000000000..34b528951e Binary files /dev/null and b/devices/surface-hub/images/wicd-screen01a.png differ diff --git a/devices/surface-hub/images/wicd-screen02a.png b/devices/surface-hub/images/wicd-screen02a.png new file mode 100644 index 0000000000..f76eec1efb Binary files /dev/null and b/devices/surface-hub/images/wicd-screen02a.png differ diff --git a/devices/surface-hub/images/wicd-screen02b.png b/devices/surface-hub/images/wicd-screen02b.png new file mode 100644 index 0000000000..258ebfae82 Binary files /dev/null and b/devices/surface-hub/images/wicd-screen02b.png differ diff --git a/devices/surface-hub/images/wicd-screen02c.png b/devices/surface-hub/images/wicd-screen02c.png new file mode 100644 index 0000000000..eb8fd6b307 Binary files /dev/null and b/devices/surface-hub/images/wicd-screen02c.png differ diff --git a/devices/surface-hub/images/wicd-screen03a.png b/devices/surface-hub/images/wicd-screen03a.png new file mode 100644 index 0000000000..afec8ef352 Binary files /dev/null and b/devices/surface-hub/images/wicd-screen03a.png differ diff --git a/devices/surface-hub/images/wicd-screen04a.png b/devices/surface-hub/images/wicd-screen04a.png new file mode 100644 index 0000000000..62ea7e595c Binary files /dev/null and b/devices/surface-hub/images/wicd-screen04a.png differ diff --git a/devices/surface-hub/images/wicd-screen06a.png b/devices/surface-hub/images/wicd-screen06a.png new file mode 100644 index 0000000000..53c223746b Binary files /dev/null and b/devices/surface-hub/images/wicd-screen06a.png differ diff --git a/devices/surface-hub/images/wicd-screen07a.png b/devices/surface-hub/images/wicd-screen07a.png new file mode 100644 index 0000000000..e44f5cf0b7 Binary files /dev/null and b/devices/surface-hub/images/wicd-screen07a.png differ diff --git a/devices/surface-hub/images/wicd-screen08a.png b/devices/surface-hub/images/wicd-screen08a.png new file mode 100644 index 0000000000..7a2b5bbefb Binary files /dev/null and b/devices/surface-hub/images/wicd-screen08a.png differ diff --git a/devices/surface-hub/images/wicd-screen09a.png b/devices/surface-hub/images/wicd-screen09a.png new file mode 100644 index 0000000000..29e14902bd Binary files /dev/null and b/devices/surface-hub/images/wicd-screen09a.png differ diff --git a/devices/surface-hub/images/wicd-screen10a.png b/devices/surface-hub/images/wicd-screen10a.png new file mode 100644 index 0000000000..556c9fbdb5 Binary files /dev/null and b/devices/surface-hub/images/wicd-screen10a.png differ diff --git a/devices/surface-hub/images/wicd-screen11a.png b/devices/surface-hub/images/wicd-screen11a.png new file mode 100644 index 0000000000..9f7bf2ba64 Binary files /dev/null and b/devices/surface-hub/images/wicd-screen11a.png differ diff --git a/devices/surface-hub/images/wicd-screen12a.png b/devices/surface-hub/images/wicd-screen12a.png new file mode 100644 index 0000000000..7c55111ae4 Binary files /dev/null and b/devices/surface-hub/images/wicd-screen12a.png differ diff --git a/devices/surface-hub/index.md b/devices/surface-hub/index.md new file mode 100644 index 0000000000..f60a86c42a --- /dev/null +++ b/devices/surface-hub/index.md @@ -0,0 +1,44 @@ +--- +title: Microsoft Surface Hub +description: Documents related to the Microsoft Surface Hub. +ms.assetid: 69C99E91-1441-4318-BCAF-FE8207420555 +author: TrudyHa +--- + +# Microsoft Surface Hub + + +Documents related to the Microsoft Surface Hub. + +## In this section + + + ++++ + + + + + + + + + + + + +
TopicDescription

[Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md)

This guide covers the installation and administration of devices running Surface Hub, and is intended for use by anyone responsible for these tasks, including IT administrators and developers.

+ +  + +  + +  + + + + + diff --git a/devices/surface-hub/install-apps-on-surface-hub.md b/devices/surface-hub/install-apps-on-surface-hub.md new file mode 100644 index 0000000000..fb6bd9e507 --- /dev/null +++ b/devices/surface-hub/install-apps-on-surface-hub.md @@ -0,0 +1,38 @@ +--- +title: Install apps on your Microsoft Surface Hub +description: Admins can install apps can from either the Windows Store or the Windows Store for Business. +ms.assetid: 3885CB45-D496-4424-8533-C9E3D0EDFD94 +keywords: ["install apps", "Windows Store", "Windows Store for Business"] +author: TrudyHa +--- + +# Install apps on your Microsoft Surface Hub + + +Admins can install apps can from either the Windows Store or the Windows Store for Business. + +## Using the Windows Store + + +Admins can install apps on the device using the Windows Store app available in **Settings** > **System** > **Microsoft Surface Hub**. They can start the store app, sign in using their Microsoft account credentials, browse, purchase, and install the apps as with any other Windows device. + +## Using the Store for Business + + +For apps purchased through the Store for Business, download the Appxbundle, offline license, and the dependencies for the App from the store to a separate PC. Create a provisioning package and copy it to a USB drive. (See [Create a provisioning package](provisioning-packages-for-certificates-surface-hub.md).) Move the USB drive to the Surface Hub, and install the app on the device using the Settings app. + +## Related topics + + +[Manage Microsoft Surface Hub](manage-surface-hub.md) + +[Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md) + +  + +  + + + + + diff --git a/devices/surface-hub/intro-to-surface-hub.md b/devices/surface-hub/intro-to-surface-hub.md new file mode 100644 index 0000000000..dcfea76b5b --- /dev/null +++ b/devices/surface-hub/intro-to-surface-hub.md @@ -0,0 +1,156 @@ +--- +title: Intro to Microsoft Surface Hub +description: Microsoft Surface Hub is an all-in-one productivity device that is intended for brainstorming, collaboration, and presentations. +ms.assetid: 5DAD4489-81CF-47ED-9567-A798B90C7E76 +keywords: ["Surface Hub", "productivity", "collaboration", "presentations", "setup"] +author: TrudyHa +--- + +# Intro to Microsoft Surface Hub + + +Microsoft Surface Hub is an all-in-one productivity device that is intended for brainstorming, collaboration, and presentations. In order to get the maximum benefit from Surface Hub, your organization’s infrastructure and the Surface Hub itself must be properly set up and integrated. This guide describes what needs to be done both before and during setup in order to help you optimize your use of the device. + +### Surface Hub features and interactions with other services + +The capabilities of your Surface Hub will depend on what other Microsoft products and technologies are available to it in your infrastructure. The products listed in the following table each support specific features in Surface Hub. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ScenarioRequirement

One-touch meeting join, meetings calendar, and email (for example, sending whiteboards)

Device account with Microsoft Exchange 2010 or later, or Exchange Online and a network connection to where the account is hosted.

Meetings using Skype for Business

Device account with Skype for Business (Lync 2010 or later) or Skype for Business Online, and a network connection so the account can be accessed.

Web browsing through Microsoft Edge

Internet connectivity.

Cortana meeting room assistant (voice commands, search)

Internet connectivity needed to process questions and do searches.

Remote and multi-device management

Supported mobile device management (MDM) solutions (Microsoft Intune, System Center 2012 R2 Configuration Manager, or supported third-party solution).

Group-based local management (directory of employees who can manage a device)

Active Directory or Azure Active Directory (Azure AD).

Universal Windows app installation

Windows Imaging and Configuration Designer (ICD) or supported MDM solutions (Intune, Configuration Manager, or supported third-party solution).

OS updates

Internet connectivity or Windows Server Update Services (WSUS).

Device monitoring and health

Microsoft Operations Management Suite (OMS).

+ +  + +You’ll need to understand how each of these services interacts with Surface Hub. See [Prepare your environment for Surface Hub](prepare-your-environment-for-surface-hub.md) for details. + +### Surface Hub Setup dependencies + +Review these dependencies to make sure Surface Hub features will work in your environment. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
DependencyPurpose

Active Directory (if using an on-premises deployment)

The Surface Hub must be able to connect to the domain controller in order to validate the device account’s credentials, as well as to access information like the device account’s display name, alias, Exchange server, and Session Initiation Protocol (SIP) address.

Microsoft Office 365 (if using an online deployment)

The Surface Hub must have Internet access in order to reach your Office 365 tenant. The device will connect to the Office 365 in order to validate the device account’s credentials, as well as to access information like the device account’s display name, alias, Exchange server, and SIP address.

Device account

The device account is an Active Directory and/or Azure AD account that enables several key features for the Surface Hub. Learn more about device accounts in [Create and test a device account](create-and-test-a-device-account-surface-hub.md).

Exchange and Exchange ActiveSync

The Surface Hub must be able to reach the device account’s Exchange servers. Exchange is used for enabling mail and calendar features, and also lets people who use the device send meeting requests to the Surface Hub, enabling one-touch meeting join.

+

ActiveSync is used to sync the device account’s calendar and mail to the Surface Hub. If the device cannot use ActiveSync, it will not show meetings on the welcome screen, and joining meetings and emailing whiteboards will not be enabled.

Skype for Business

The Surface Hub must be able to reach the device account’s Skype for Business servers. Skype for Business is used for various conferencing features, like video calls, IM, and screen sharing.

Certificate-based authentication

If certificate-based authentication is required to establish a connection with Exchange ActiveSync or Skype for Business, those certificates must be deployed to each Surface Hub.

Dynamic IP

The Surface Hub cannot be configured to use a static IP. It must use DHCP to assign an IP address. Network or Internet access is required, depending on the configuration of your topology (on-premises or online respectively) in order to validate the device account.

Proxy servers

If your topology requires a connection to a proxy server to reach Active Directory, Microsoft Online Services, or your Exchange or Skype for Business servers, then you can configure it during first run, or in Settings.

Mobile device management (MDM) solution provider

If you want to manage devices remotely and by groups (apply settings or policies to multiple devices at a time), you must set up a MDM solution and enroll the device to that solution.

Microsoft Operations Management Suite (OMS)

OMS is used to monitor Surface Hub devices.

+ +  + +### Surface Hub setup process + +In some ways, adding your new Surface Hub is just like adding any other Microsoft Windows-based device to your network. However, in order to get your Surface Hub up and running at its full capacity, there are some very specific requirements. Read through all the info before you start. Here’s the general order of things you’ll need to do: + +1. [Prepare your environment for Surface Hub](prepare-your-environment-for-surface-hub.md) +2. [Physically install your Surface Hub device](physically-install-your-surface-hub-device.md) +3. [Run the Surface Hub first-run setup program (OOBE)](first-run-program-surface-hub.md) + +After you have your Surface Hub running in your organization, you’ll need info about: + +- [Device maintenance and management](manage-surface-hub.md) + +In the unlikely event that you run into problems, see [Troubleshoot Surface Hub](troubleshoot-surface-hub.md). + +  + +  + + + + + diff --git a/devices/surface-hub/manage-settings-with-local-admin-account-surface-hub.md b/devices/surface-hub/manage-settings-with-local-admin-account-surface-hub.md new file mode 100644 index 0000000000..17628909b6 --- /dev/null +++ b/devices/surface-hub/manage-settings-with-local-admin-account-surface-hub.md @@ -0,0 +1,117 @@ +--- +title: Manage settings with a local admin account (Surface Hub) +description: A local admin account will be set up on every Microsoft Surface Hub as part of the first run program. The only way to change the local admin options that you chose at that time is to reset the device. +ms.assetid: B4B3668B-985D-427E-8495-E30ABEECA679 +keywords: ["local admin account", "Surface Hub", "change local admin options"] +author: TrudyHa +--- + +# Manage settings with a local admin account (Surface Hub) + + +A local admin account will be set up on every Microsoft Surface Hub as part of the first run program. The only way to change the local admin options that you chose at that time is to reset the device. + +Every device can be configured individually by opening the Settings app on the device you want to configure. However, to prevent people who are not administrators from changing the devices’ settings, the Settings app requires local administrator credentials to open the app and change settings. + +You can set up a local administrator in one of three ways (see [Setting up admins for this device](first-run-program-surface-hub.md#setup-admins)): + +1. Create a local admin +2. Domain join the device (AD) +3. Azure Active Directory (Azure AD) join the device. + +### Which method should I choose? + +If your organization is using Active Directory or Azure AD, we recommend you either domain join or join Azure AD, primarily for security reasons. People will be able to authenticate and unlock Settings with their own credentials, and can be moved in or out of the security groups associated with your domain or organization. + +Preferably, a local admin is set up only if you do not have Active Directory or Azure AD, or if you cannot connect to your Active Directory or Azure AD during first run. + +### Summary table + + + + + + + + + + + + + + + + + + + + + + + + + + +
How is the local admin set up?RequirementsWhich credentials will open Settings?
A local admin was created

+		 +

None

+		 +

The credentials of the local admin account.

+
+

The device is joined to a domain (AD)

+		 +

Your organization is using Active Directory

+		 +

Credentials of any Active Directory account from the security group that was specified furing first run.

+
+

The device is joined to Azure AD

+		 +

Your organization is using Azure AD Basic

+		 +

Tenant or device admins

+
+

Your organization is using Azure AD Premium

+		 +

Tenant or device admins, plus additional specified employees

+
+ +### Create a local admin + +To create a local admin, choose to use a local admin during first run. This will create a single local admin account on the Surface Hub with the username and password of your choice. These same credentials will unlock the Settings app (see [Setting up admins for this device](first-run-program-surface-hub.md#setup-admins)). Note that the local admin account information is not backed by any directory service. We recommend you only choose a local admin if the device does not have access to Active Directory or Azure Active Directory. If you decide to change the local admin’s password, you can do so in Settings. However, if you want to change from a local admin you created to a group from your domain or Azure AD organization, then you’ll need to reset the device and go through first-time setup again. + +### Domain join the device + +After you domain join the device, you can set up a security group from your domain as local administrators on the Surface Hub. You will need to provide credentials that are capable of joining the domain of your choice. After you domain join successfully, you will be asked to pick an existing security group to be set as the local admins. When the Setting app is opened, any user who is a member of that security group can enter their credentials and unlock Settings. + +**Note**  Surface Hubs domain join for the sole purpose of using a security group as local admins. Group policies are not applied after the device is domain joined. + +  + +### Azure AD join the device + +You can set up people from your Azure Active Directory (Azure AD) organization as local administrators on the Surface Hub after you Azure AD join the device. The people that are provisioned as local admins on your device depend on what Azure AD subscription you have. You will need to provide credentials that are capable of joining the Azure AD organization of your choice. After you join Azure AD successfully, the appropriate people will be set as local admins on the device. When the Setting app is opened, any user who was set up as a local admin as a result of joining Azure AD can enter their credentials and unlock Settings. We recommend that you use the device account to join Azure AD. + +Otherwise, if you don’t want to use the device account to join Azure AD, you can use either of the following accounts: + +- The org account of an admin who will manage the device, or +- A separate account that is part of your organization and used only for joining Surface Hubs. + +**Note**  If your Azure AD organization is also configured with MDM enrollment, Surface Hubs will also be enrolled into MDM as a result of joining Azure AD. Surface Hubs that have joined Azure AD are subject to receiving MDM policies, and can be widely managed using an MDM solution, which opts these devices into remote management. You may want to choose an account to join Azure AD that benefits how you manage devices—you find more info about this in the [Enroll a Surface Hub into MDM](manage-settings-with-mdm-for-surface-hub.md#enroll-into-mdm) section. + +  + +## Related topics + + +[Manage Microsoft Surface Hub](manage-surface-hub.md) + +[Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md) + +  + +  + + + + + diff --git a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md new file mode 100644 index 0000000000..b5d58ebb5f --- /dev/null +++ b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md @@ -0,0 +1,132 @@ +--- +title: Manage settings with an MDM provider (Surface Hub) +description: Microsoft Surface Hub provides an enterprise management solution to help IT administrators manage policies and business applications on these devices using a mobile device management (MDM) solution. +ms.assetid: 18EB8464-6E22-479D-B0C3-21C4ADD168FE +keywords: ["mobile device managemen", "MDM", "manage policies"] +author: TrudyHa +--- + +# Manage settings with an MDM provider (Surface Hub) + + +Microsoft Surface Hub provides an enterprise management solution to help IT administrators manage policies and business applications on these devices using a mobile device management (MDM) solution. + +The Surface Hub operating system has a built-in management component that's used to communicate with the device management server. There are two parts to the Surface Hub management component: the enrollment client, which enrolls and configures the device to communicate with the enterprise management server; and the management client, which periodically synchronizes with the management server to check for and apply updates. Third-party MDM servers can manage Surface Hub devices by using the Mobile Device Management protocol. + +### Supported services + +Surface Hub management has been validated for the following MDM providers: + +- Microsoft Intune +- System Center Configuration Manager + +### Enroll a Surface Hub into MDM + +If you joined your Surface Hub to an Azure Active Directory (Azure AD) subscription, the device can automatically enroll into MDM and will be ready for remote management. + +Alternatively, the device can be enrolled like any other Windows device by going to **Settings** > **Accounts** > **Work access**. + +![image showing enroll in device maagement page. ](images/managesettingsmdm-enroll.png) + +### Manage a device through MDM + +The following table lists the device settings that can be managed remotely using MDM, including the OMA URI paths that 3rd party MDM providers need to create policies. Intune and SCCM have special templates to help create policies to manage these settings. + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SettingOMA URIType

1

Auto Awake when someone is in the room

./Vendor/MSFT/SurfaceHub/InBoxApps/Welcome/AutoWakeScreen

Boolean

2

Require that people must enter a PIN when pairing to the Surface Hub

./Vendor/MSFT/SurfaceHub/InBoxApps/WirelessProjection/PINRequired

Boolean

3

Set the maintenance window duration. This time is in minutes. As an example, to set a 3 hour duration, you set the value to 180.

./Vendor/MSFT/SurfaceHub/MaintenanceHoursSimple/Hours/Duration

Int

4

Set the maintenance window start time. This time is in minutes past midnight. To set a 2:00 am start time, set a value of 120, meaning 120 minutes past midnight.

./Vendor/MSFT/SurfaceHub/MaintenanceHoursSimple/Hours/StartTime

Int

5

The Microsoft Operations Management Suite (OMS) Workspace ID that this device will connect to.

./Vendor/MSFT/SurfaceHub/MOMAgent/WorkspaceID

String

6

The key that must be used when connecting to the specified OMS workspace.

./Vendor/MSFT/SurfaceHub/MOMAgent/WorkspaceKey

String

7

Choose the meeting information displayed on the welcome screen.

+

Value : 0 - Show organizer and time only

+

Value : 1 - Show organizer, time, and subject (subject is hidden for private meetings)

./Vendor/MSFT/SurfaceHub/InBoxApps/Welcome/MeetingInfoOption

Int

8

Enable/Disable all Wireless Projection to the Surface Hub

./Vendor/MSFT/SurfaceHub/InBoxApps/WirelessProjection/Enabled

Boolean

9

Select a specific wireless channel on which Miracast Receive will operate

./Vendor/MSFT/SurfaceHub/InBoxApps/WirelessProjection/Channel

Int

10

Change the background image for the welcome screen using a PNG image URL.

./Vendor/MSFT/SurfaceHub/InBoxApps/Welcome/CurrentBackgroundPath (Note: must be accessed using https.)

String

+ +  + +## Related topics + + +[Manage Microsoft Surface Hub](manage-surface-hub.md) + +[Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md) + +  + +  + + + + + diff --git a/devices/surface-hub/manage-surface-hub.md b/devices/surface-hub/manage-surface-hub.md new file mode 100644 index 0000000000..213492014b --- /dev/null +++ b/devices/surface-hub/manage-surface-hub.md @@ -0,0 +1,219 @@ +--- +title: Manage Microsoft Surface Hub +description: How to manage your Surface Hub after finishing the first-run program. +ms.assetid: FDB6182C-1211-4A92-A930-6C106BCD5DC1 +keywords: ["manage Surface Hub"] +author: TrudyHa +--- + +# Manage Microsoft Surface Hub + + +How to manage your Surface Hub after finishing the first-run program. + +## Introduction + + +After initial setup of Microsoft Surface Hub, the device’s settings and configuration can be modified or changed in several ways: + +- Local management: using the Settings app on the device +- Remote management: using a mobile device management (MDM) solution, like Microsoft Intune, AirWatch, or System Center 2012 R2 Configuration Manager. + +For locally-managed devices, administrator credentials are required to use the Settings app. These can be login credentials for Active Directory, Azure Active Directory (Azure AD), or a local admin account. One of these will have been selected during first run (see [Set up admins for this device](first-run-program-surface-hub.md#setup-admins)). + +For remotely-managed devices, the device must be enrolled into an MDM solution, either during first run or in the Settings app. + +Be aware that the two management methods are not mutually exclusive—every device will have the capability to be locally managed, and devices can be remotely managed if you choose. + +**Note**  If a device is remotely managed, then any changes to local settings that are also remotely managed will only persist until the next time your Surface Hub syncs with your MDM solution. Once a sync occurs, the settings and policies defined on your MDM solution will be pushed to the device, overwriting the local changes. + +  + +## Surface Hub-only settings + + +Surface Hubs have many settings that are common to other Windows devices, but also have settings which are only configurable on Surface Hubs. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SettingLocationDescription

Change friendly name

System - About

Set the Surface Hub name that people will see when connecting wirelessly.

Collect logs

System - About

Collect logs to give to Microsoft Support.

Change meeting info shown on the welcome screen

System – Microsoft Surface Hub

Choose whether meeting organizer, time, and subject show up on the welcome screen.

Session time out

System – Microsoft Surface Hub

Choose how long the device needs to be inactive before returning to the welcome screen.

Turn on screen with motion sensors

System – Microsoft Surface Hub

Choose whether the screen turns on when motion is detected.

Configure Microsoft Operational Management Suite (MOMS)

System – Microsoft Surface Hub

Add information to set up monitoring using MOMS.

Change Skype for Business fully qualified domain name (FQDN)

System – Microsoft Surface Hub

Add the FQDN for a Skype for Business certificate.

Save BitLocker key

System – Microsoft Surface Hub

Set the default destination for saving the BitLocker recovery key to a USB drive.

Turn off wireless projection using Miracast

Devices - Connect

Choose whether presenters can wirelessly project to the Surface Hub using Miracast.

Require a PIN for wireless projection

Devices - Connect

Choose whether people are required to enter a PIN before they use wireless projection.

Wireless projection (Miracast) channel

Devices - Connect

Change the channel for Miracast projection.

Change device account

Accounts - All accounts

Change the Surface Hub's device account.

Check sync status

Accounts - All accounts

Check the sync status of the device account’s mail and calendar on the Surface Hub.

Turn on password rotation

Accounts - All accounts

Choose whether the device account’s password will automatically change every day (Active Directory only).

Edit admin account

Accounts - All accounts

Change the password for the local admin account.

Change maintenance hours

Updates & security – Windows Update – Advanced settings

Set the hours when updates can be installed.

Configure Windows Server Update Services (WSUS) server

Updates & security – Windows Update – Advanced settings

Change whether the device receives updates from the WSUS you choose.

+ +  + +## Which should I choose? + + +If you plan to deploy multiple Surface Hubs, we recommend that you manage your devices remotely. This requires that your organization use an MDM solution to deploy policies. + +Every Surface Hub can be managed locally by an admin who physically logs in to the device. Which method is used to log in is decided during first run (see [Set up admins for this device](first-run-program-surface-hub.md#setup-admins)). + +## In this section + + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
TopicDescription

[Accessibility](accessibility-surface-hub.md)

Accessibility settings for the Surface Hub can be changed by using the Settings app. You'll find them under Ease of Access. Your Surface Hub has the same accessibility options as Windows 10.

[Change the Surface Hub device account](change-surface-hub-device-account.md)

You can change the device account in Settings to either add an account if one was not already provisioned, or to change any properties of an account that was already provisioned.

[Device reset](device-reset-suface-hub.md)

You may wish to reset your Surface Hub.

[Install apps on your Surface Hub](install-apps-on-surface-hub.md)

Admins can install apps can from either the Windows Store or the Windows Store for Business.

[Manage settings with a local admin account](manage-settings-with-local-admin-account-surface-hub.md)

A local admin account will be set up on every Surface Hub as part of the first run program. The only way to change the local admin options that you chose at that time is to reset the device.

[Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md)

Surface Hub provides an enterprise management solution to help IT administrators manage policies and business applications on these devices using a mobile device management (MDM) solution.

[Monitor your Surface Hub](monitor-surface-hub.md)

Monitoring for Surface Hub devices is enabled through Microsoft Operations Management Suite (OMS).

[Save your BitLocker key](save-bitlocker-key-surface-hub.md)

Every Surface Hub is automatically set up with BitLocker drive encryption software. Microsoft strongly recommends that you make sure you back up your BitLocker recovery keys.

[Using a room control system](use-room-control-system-with-surface-hub.md)

Room control systems can be used with your Surface Hub.

[Windows updates](manage-windows-updates-for-surface-hub.md)

You can manage Windows updates on your Surface Hub by setting the maintenance window, deferring updates, or using WSUS.

[Wireless network management](wireless-network-management-for-surface-hub.md)

Surface Hub offers two options for network connectivity to your corporate network and Internet: wireless, and wired. While both provide network access, we recommend you use a wired connection.

+ +  + +  + +  + + + + + diff --git a/devices/surface-hub/manage-windows-updates-for-surface-hub.md b/devices/surface-hub/manage-windows-updates-for-surface-hub.md new file mode 100644 index 0000000000..d97e75cffd --- /dev/null +++ b/devices/surface-hub/manage-windows-updates-for-surface-hub.md @@ -0,0 +1,68 @@ +--- +title: Windows updates (Surface Hub) +description: You can manage Windows updates on your Microsoft Surface Hub by setting the maintenance window, deferring updates, or using Windows Server Update Services (WSUS). +ms.assetid: A737BD50-2D36-4DE5-A604-55053D549045 +keywords: ["manage Windows updates", "Surface Hub", "Windows Server Update Services", "WSUS"] +author: TrudyHa +--- + +# Windows updates (Surface Hub) + + +You can manage Windows updates on your Microsoft Surface Hub by setting the maintenance window, deferring updates, or using Windows Server Update Services (WSUS). + +### Maintenance window + +A default maintenance window is set for all new Surface Hubs: + +- Start time: 3:00 AM +- Duration: 1 hour + +Most Windows updates are downloaded and installed automatically by Surface Hub. You can change the maintenance window to limit when the device can be automatically rebooted after a Windows update installation. For those updates that require a reboot of the device, the update installation will be postponed until the maintenance window begins. If a meeting is scheduled to start during the maintenance window, or if the Surface Hub sensors detect that the device is being used, the pending installation will be postponed to the next maintenance window. + +**Note**  : If an update installation has been pending for 28 days, on the 28th day the update will be forcibly installed. The device will ignore meetings or sensor status and reboot during the maintenance window. + +  + +To change the default maintenance window: + +1. Open the Settings app. +2. Navigate to **Update and Security** > **Advanced Options**. +3. Under **Maintenance hours**, click **Change**. + +### Deferring Windows updates + +You can choose to defer downloading or installing updates that install new Windows features. When you do, new Windows features won’t be downloaded or installed for up to several months. Deferring updates doesn’t affect security updates, which will be downloaded and installed as usual. + +To defer Windows feature updates: + +1. Open the Settings app. +2. Navigate to **Update and Security** > **Advanced Options**. +3. Click on the checkbox for **Defer upgrades**. + +### Using WSUS + +You can use WSUS to manage the download and installation of Windows updates on your Surface Hub. + +To connect a Surface Hub to a WSUS server: + +1. Open the Settings app. +2. Navigate to **Update and Security** > **Advanced Options**. +3. Click on the checkbox for **Configure Windows Server Update Services (WSUS) server**. +4. Check the box for **Use WSUS Server to download updates** and enter the WSUS endpoint. + +## Related topics + + +[Manage Microsoft Surface Hub](manage-surface-hub.md) + +[Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md) + +  + +  + + + + + diff --git a/devices/surface-hub/monitor-surface-hub.md b/devices/surface-hub/monitor-surface-hub.md new file mode 100644 index 0000000000..d27435da83 --- /dev/null +++ b/devices/surface-hub/monitor-surface-hub.md @@ -0,0 +1,88 @@ +--- +title: Monitor your Microsoft Surface Hub +description: Monitoring for Microsoft Surface Hub devices is enabled through Microsoft Operations Management Suite (OMS). +ms.assetid: 1D2ED317-DFD9-423D-B525-B16C2B9D6942 +keywords: ["monitor Surface Hub", "Microsoft Operations Management Suite", "OMS"] +author: TrudyHa +--- + +# Monitor your Microsoft Surface Hub + + +Monitoring for Microsoft Surface Hub devices is enabled through Microsoft Operations Management Suite (OMS). + +The [Operations Management Suite (OMS)](http://go.microsoft.com/fwlink/?LinkId=718138) is Microsoft's IT management solution that helps you manage and protect your entire IT infrastructure, including your Surface Hubs. You can use OMS to help you track the health of your Surface Hubs as well as understand how they are being used. Log files are read on the devices and sent to the OMS service. Issues like servers being offline, the calendar not syncing, or the device account being unable to log into Skype are shown in OMS in the Surface Hub dashboard. By using the data in the dashboard, you can identify devices that are not running, or that are having other problems, and potentially apply fixes for the detected issues. + +### OMS requirements + +In order to manage your Surface Hubs from the Microsoft Operations Management Suite (OMS), you'll need the following: + +- A valid [subscription to OMS](http://www.microsoft.com/server-cloud/operations-management-suite/overview.aspx). +- [Subscription level](http://go.microsoft.com/fwlink/?LinkId=718139) in line with the number of devices. OMS pricing varies depending on how many devices are enrolled, and how much data it processes. You'll want to take this into consideration when planning your Surface Hub rollout. + +Next, you will either add an OMS subscription to your existing Microsoft Azure subscription or create a new workspace directly through the OMS portal. Detailed instructions for setting up the account can be found at: [Onboard in minutes](http://go.microsoft.com/fwlink/?LinkId=718141). Once the OMS subscription is set up, there are two ways to enroll your Surface Hub devices: + +1. Automatically through [InTune](http://go.microsoft.com/fwlink/?LinkId=718150), or +2. Manually through Settings. + +### Setting up monitoring + +You can monitor health and activity of your Surface Hub using Microsoft Operations Management Suite (OMS). The device can be enrolled in OMS remotely, using InTune, or locally, by using Settings. + +### Enrolling devices through InTune + +You'll need the workspace ID and primary key for your Surface Hub. You can get those from the OMS portal. + +InTune is a Microsoft product that allows you to centrally manage the OMS configuration settings that will be applied to one or more of your devices. Follow these steps to configure your devices through InTune: + +1. Sign in to InTune. +2. Navigate to **Settings** > **Connected Sources**. +3. Create or edit a policy based on the Surface Hub template. +4. Navigate to the OMS section of the policy, and add the **workspace ID** and **primary key** to the policy. +5. Save the policy. +6. Associate the policy with the appropriate group of devices. + +InTune will now sync the OMS settings with the devices in the target group, enrolling them in your OMS workspace. + +### Enrolling devices using the Settings app + +You'll need the workspace ID and primary key for your Surface Hub. You can get those from the OMS portal. + +If you don't use InTune to manage your environment, you can enroll devices manually through **Settings**: + +1. From your Surface Hub, start **Settings**. +2. Enter the device admin credentials when prompted. +3. Click **System**, and navigate to Microsoft Operations Management Suite. +4. Click **Configure**. +5. Select **Enable monitoring**. +6. In the OMS settings dialog, type the **workspace ID**. +7. Repeat steps 5 and 6 for the **primary key**. +8. Click **OK** to complete the configuration. + +A confirmation dialog will appear telling you whether or not the OMS configuration was successfully applied to the device. If it was, the device will start sending data to OMS. + +### Monitoring devices + +Monitoring your Surface Hubs using OMS is much like monitoring any other enrolled devices. + +1. Sign in to the OMS portal. +2. Navigate to the Surface Hub solution pack dashboard. +3. Your device's health will be displayed here. + +You can create OMS alerts based on existing or custom queries that use the data collected through OMS. + +## Related topics + + +[Manage Microsoft Surface Hub](manage-surface-hub.md) + +[Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md) + +  + +  + + + + + diff --git a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md new file mode 100644 index 0000000000..1c2f707abd --- /dev/null +++ b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md @@ -0,0 +1,111 @@ +--- +title: On-premises deployment (Surface Hub) +description: This topic explains how you add a device account for your Microsoft Surface Hub when you have a single-forest, on-premises deployment. +ms.assetid: 80E12195-A65B-42D1-8B84-ECC3FCBAAFC6 +keywords: ["single forest deployment", "on prem deployment", "device account", "Surface Hub"] +author: TrudyHa +--- + +# On-premises deployment (Surface Hub) + + +This topic explains how you add a device account for your Microsoft Surface Hub when you have a single-forest, on-premises deployment. + +If you have a single-forest on-premises deployment with Microsoft Exchange 2013 or later and Skype for Business 2013 or later, then you can [use the provided PowerShell scripts](appendix-a-powershell-scripts-for-surface-hub.md#create-on-premise-ps-scripts) to create device accounts. If you’re using a multi-forest deployment, or are using Exchange 2010 or Lync 2010, you can use equivalent cmdlets that will produce the same results. Those cmdlets are described in this section. + +1. Start a remote PowerShell session from a PC and connect to Exchange. + + Be sure you have the right permissions set to run the associated cmdlets. + + Note here that `$strExchangeServer` is the fully qualified domain name (FQDN) of your Exchange server, and `$strLyncFQDN` is the FQDN of your Skype for Business server. + + ```PowerShell + Set-ExecutionPolicy Unrestricted + $org='contoso.microsoft.com' + $cred=Get-Credential $admin@$org + $sessExchange = New-PSSession -ConfigurationName microsoft.exchange -Credential $cred -AllowRedirection -Authentication Kerberos -ConnectionUri "http://$strExchangeServer/powershell" -WarningAction SilentlyContinue + $sessLync = New-PSSession -Credential $cred -ConnectionURI "https://$strLyncFQDN/OcsPowershell" -AllowRedirection -WarningAction SilentlyContinue + Import-PSSession $sessExchange + Import-PSSession $sessLync + ``` + +2. After establishing a session, you’ll either create a new mailbox and enable it as a RoomMailboxAccount, or change the settings for an existing room mailbox. This will allow the account to authenticate into the Surface Hub. + + If you're changing an existing resource mailbox: + + ```PowerShell + Set-Mailbox -Identity 'HUB01' -EnableRoomMailboxAccount $true -RoomMailboxPassword (ConvertTo-SecureString -String -AsPlainText -Force) + ``` + + If you’re creating a new resource mailbox: + + ```PowerShell + New-Mailbox -UserPrincipalName HUB01@contoso.com -Alias HUB01 -Name "Hub-01" -Room -EnableRoomMailboxAccount $true -RoomMailboxPassword (ConvertTo-SecureString -String -AsPlainText -Force) + ``` + +3. After setting up the mailbox, you will need to either create a new Exchange ActiveSync policy, or use a compatible existing policy. + + Surface Hubs are only compatible with device accounts that have an ActiveSync policy where the **PasswordEnabled** property is set to False. If this isn’t set properly, then Exchange services on the Surface Hub (mail, calendar, and joining meetings), will not be enabled. + + If you haven’t created a compatible policy yet, use the following cmdlet—this one creates a policy called "Surface Hubs". Once it’s created, you can apply the same policy to other device accounts. + + ```PowerShell + $easPolicy = New-MobileDeviceMailboxPolicy -Name “SurfaceHubs” -PasswordEnabled $false + ``` + + Once you have a compatible policy, then you will need to apply the policy to the device account. However, policies can only be applied to user accounts and not resource mailboxes. You need to convert the mailbox into a user type, apply the policy, and then convert it back into a mailbox—you may need to re-enable it and set the password again too. + + ```PowerShell + Set-Mailbox $acctUpn -Type Regular + Set-CASMailbox $acctUpn -ActiveSyncMailboxPolicy $easPolicy + Set-Mailbox $acctUpn -Type Room + Set-Mailbox $credNewAccount.UserName -RoomMailboxPassword $credNewAccount.Password -EnableRoomMailboxAccount $true + ``` + +4. Various Exchange properties can be set on the device account to improve the meeting experience for people. You can see which properties need to be set in the [Exchange properties](exchange-properties-for-surface-hub-device-accounts.md) section. + + ```PowerShell + Set-CalendarProcessing -Identity $acctUpn -AutomateProcessing AutoAccept -AddOrganizerToSubject $false –AllowConflicts $false –DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false + Set-CalendarProcessing -Identity $acctUpn -AddAdditionalResponse $true -AdditionalResponse "This is a room!" + ``` + +5. If you decide to have the password not expire, you can set that with PowerShell cmdlets too. See [Password management](password-management-for-surface-hub-device-accounts.md) for more information. + + ```PowerShell + Set-AdUser $acctUpn -PasswordNeverExpires $true + ``` + +6. Enable the account in Active Directory so it will authenticate to the Surface Hub. + + ```PowerShell + Set-AdUser $acctUpn -Enabled $true + ``` + +7. Enable the device account with Skype for Business by enabling your Surface Hub AD account on a Skype for Business Server pool: + + ```PowerShell + Enable-CsMeetingRoom -SipAddress "sip:HUB01@contoso.com" + -DomainController DC-ND-001.contoso.com -RegistrarPool LYNCPool15.contoso.com + -Identity HUB01 + ``` + + You'll need to use the Session Initiation Protocol (SIP) address and domain controller for the Surface Hub, along with your own Skype for Business Server pool identifier and user identity. + +8. OPTIONAL: You can also allow your Surface Hub to make and receive public switched telephone network (PSTN) phone calls by enabling Enterprise Voice for your account. Enterprise Voice isn't a requirement for Surface Hub, but if you want PSTN dialing functionality for the Surface Hub client, here's how to enable it: + + ```PowerShell + CsMeetingRoom HUB01 -DomainController DC-ND-001.contoso.com + -LineURItel: +14255550555;ext=50555" Set-CsMeetingRoom -DomainController DC-ND-001.contoso.com + -Identity HUB01 -EnterpriseVoiceEnabled $true + ``` + + Again, you'll need to replace the provided domain controller and phone number examples with your own information. The parameter value `$true` stays the same. + +  + +  + + + + + diff --git a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md new file mode 100644 index 0000000000..1afd55621a --- /dev/null +++ b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md @@ -0,0 +1,145 @@ +--- +title: Online deployment with Office 365 (Surface Hub) +description: This topic has instructions for adding a device account for your Microsoft Surface Hub when you have a pure, online deployment. +ms.assetid: D325CA68-A03F-43DF-8520-EACF7C3EDEC1 +keywords: ["device account for Surface Hub", "online deployment"] +author: TrudyHa +--- + +# Online deployment with Office 365 (Surface Hub) + + +This topic has instructions for adding a device account for your Microsoft Surface Hub when you have a pure, online deployment. + +If you have a pure, online (O365) deployment, then you can [use the provided PowerShell scripts](appendix-a-powershell-scripts-for-surface-hub.md#create-os356-ps-scripts) to create device accounts. If you’re using Microsoft Exchange 2010 or Lync 2010, you can use equivalent cmdlets that will produce the same results. Those cmdlets are described in this section. + +1. Start a remote PowerShell session on a PC and connect to Exchange. + + Be sure you have the right permissions set to run the associated cmdlets. + + ```PowerShell + Set-ExecutionPolicy Unrestricted + $org='contoso.microsoft.com' + $cred=Get-Credential $admin@$org + $sess= New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $cred -Authentication Basic -AllowRedirection + Import-PSSession $sess + ``` + +2. After establishing a session, you’ll either create a new mailbox and enable it as a RoomMailboxAccount, or change the settings for an existing room mailbox. This will allow the account to authenticate into the Surface Hub. + + If you're changing an existing resource mailbox: + + ```PowerShell + Set-Mailbox -Identity 'HUB01' -EnableRoomMailboxAccount $true -RoomMailboxPassword (ConvertTo-SecureString -String -AsPlainText -Force) + ``` + + If you’re creating a new resource mailbox: + + ```PowerShell + New-Mailbox -MicrosoftOnlineServicesID HUB01@contoso.com -Alias HUB01 -Name "Hub-01" -Room -EnableRoomMailboxAccount $true -RoomMailboxPassword (ConvertTo-SecureString -String -AsPlainText -Force) + ``` + +3. After setting up the mailbox, you will need to either create a new Exchange ActiveSync policy, or use a compatible existing policy. + + Surface Hubs are only compatible with device accounts that have an ActiveSync policy where the **PasswordEnabled** property is set to False. If this isn’t set properly, then Exchange services on the Surface Hub (mail, calendar, and joining meetings), will not be enabled. + + If you haven’t created a compatible policy yet, use the following cmdlet—this one creates a policy called "Surface Hubs". Once it’s created, you can apply the same policy to other device accounts. + + ```PowerShell + $easPolicy = New-MobileDeviceMailboxPolicy -Name “SurfaceHubs” -PasswordEnabled $false + ``` + + Once you have a compatible policy, then you will need to apply the policy to the device account. However, policies can only be applied to user accounts and not resource mailboxes. You need to convert the mailbox into a user type, apply the policy, and then convert it back into a mailbox—you may need to re-enable it and set the password again too. + + ```PowerShell + Set-Mailbox $acctUpn -Type Regular + Set-CASMailbox $acctUpn -ActiveSyncMailboxPolicy $easPolicy + Set-Mailbox $acctUpn -Type Room + Set-Mailbox $credNewAccount.UserName -RoomMailboxPassword $credNewAccount.Password -EnableRoomMailboxAccount $true + ``` + +4. Various Exchange properties must be set on the device account to improve the meeting experience. You can see which properties need to be set in the [Exchange properties](exchange-properties-for-surface-hub-device-accounts.md) section. + + ```PowerShell + Set-CalendarProcessing -Identity $acctUpn -AutomateProcessing AutoAccept -AddOrganizerToSubject $false –AllowConflicts $false –DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false + Set-CalendarProcessing -Identity $acctUpn -AddAdditionalResponse $true -AdditionalResponse "This is a room!" + ``` + +5. Connect to Azure AD. + + You need to connect to Azure AD to apply some account settings. You can run this cmdlet to connect. + + ```PowerShell + Connect-MsolService -Credential $cred + ``` + +6. If you decide to have the password not expire, you can set that with PowerShell cmdlets too. See [Password management](password-management-for-surface-hub-device-accounts.md) for more information. + + ```PowerShell + Set-MsolUser -UserPrincipalName $acctUpn -PasswordNeverExpires $true + ``` + +7. The device account needs to have a valid Office 365 (O365) license, or Exchange and Skype for Business will not work. If you have the license, you need to assign a usage location to your device account—this determines what license SKUs are available for your account. + + Next, you can use `Get-MsolAccountSku` to retrieve a list of available SKUs for your O365 tenant. + + Once you list out the SKUs, you can add a license using the `Set-MsolUserLicense` cmdlet. In this case, `$strLicense` is the SKU code that you see (for example, *contoso:STANDARDPACK*). + + ```PowerShell + Set-MsolUser -UserPrincipalName $acctUpn -UsageLocation "US" + Get-MsolAccountSku + Set-MsolUserLicense -UserPrincipalName $acctUpn -AddLicenses $strLicense + ``` + +8. Enable the device account with Skype for Business. + + In order to enable Skype for Business, your environment will need to meet the following prerequisites: + + - You'll need to have Lync Online (Plan 2) or higher in your O365 plan. The plan needs to support conferencing capability. + - If you need Enterprise Voice (PSTN telephony) using telephony service providers for the Surface Hub, you need Lync Online (Plan 3). + - Your tenant users must have Exchange mailboxes. + - Your Surface Hub account does require a Lync Online (Plan 2) or Lync Online (Plan 3) license, but it does not require an Exchange Online license. + + + + - Start by creating a remote PowerShell session from a PC. + + ```PowerShell + Import-Module LyncOnlineConnector + $cssess=New-CsOnlineSession -Credential $cred + Import-PSSession $cssess -AllowClobber + ``` + + - To enable your Surface Hub account for Skype for Business Server, run this cmdlet: + + ```PowerShell + Enable-CsMeetingRoom -Identity $rm -RegistrarPool + "sippoolbl20a04.infra.lync.com" -SipAddressType EmailAddress + ``` + + If you aren't sure what value to use for the `RegistrarPool` parameter in your environment, you can get the value from an existing Skype for Business user using this cmdlet: + + ```PowerShell + Get-CsOnlineUser -Identity ‘alice@contoso.microsoft.com’| fl *registrarpool* + ``` + +9. Assign Skype for Business license to your Surface Hub account. + + Once you've completed the preceding steps to enable your Surface Hub account in Skype for Business Online, you need to assign a license to the Surface Hub. Using the O365 administrative portal, assign either a Skype for Business Online (Plan 2) or a Skype for Business Online (Plan 3) to the device. + + - Login as a tenant administrator, open the O365 Administrative Portal, and click on the Admin app. + - Click on **Users and Groups** and then **Add users, reset passwords, and more**. + - Select the Surface Hub account, and then click or tap the pen icon, which means edit. + - Click on the **Licenses** option. + - In the **Assign licenses** section, you need to select Skype for Business (Plan 2) or Skype for Business (Plan 3), depending on your licensing and what you've decided in terms of needing Enterprise Voice. You'll have to use a Plan 3 license if you want to use Enterprise Voice on your Surface Hub. + - Click **Save** and you're done. + +**Note**
+It's also possible to use the Windows Azure Active Directory Module for Windows PowerShell to run the cmdlets needed to assign one of these licenses, but that's not covered here. + +For validation, you should be able to use any Skype for Business client (PC, Android, etc) to log in to this account. + + + + + diff --git a/devices/surface-hub/password-management-for-surface-hub-device-accounts.md b/devices/surface-hub/password-management-for-surface-hub-device-accounts.md new file mode 100644 index 0000000000..0f413f86d6 --- /dev/null +++ b/devices/surface-hub/password-management-for-surface-hub-device-accounts.md @@ -0,0 +1,69 @@ +--- +title: Password management (Surface Hub) +description: Every Microsoft Surface Hub device account requires a password to authenticate and enable features on the device. +ms.assetid: 0FBFB546-05F0-430E-905E-87111046E4B8 +keywords: ["password", "password management", "password rotation", "device account"] +author: TrudyHa +--- + +# Password management (Surface Hub) + + +Every Microsoft Surface Hub device account requires a password to authenticate and enable features on the device. For security reasons, you may want to change ( or "rotate") this password. However, if the device account’s password changes, the device account on the Surface Hub will be expired, and all features that depend on the device account will be disabled. You can update the device account’s password on the Surface Hub from the Settings app to re-enable these features. + +To prevent the device account from expiring, there are two options: + +1. Set the password on the device account so it doesn't expire. +2. Allow the Surface Hub to automatically rotate the device account’s password. + +## Setting the password so it doesn't expire + + +Set the device account’s **PasswordNeverExpires** property to True. You should verify whether this meets your organization’s security requirements. + +## Allow the Surface Hub to manage the password + + +The Surface Hub can manage a device account’s password by changing it frequently without requiring you to manually update the device account’s information from the Surface Hub. You can enable this feature in **Settings**. Once enabled, the device account's password will change daily. + +Note that when the device account’s password is changed, you will not be shown the new password. If you need to sign in to the account, or to provide the password again (for example, if you want to change the device account settings on the Surface Hub), then you'll need use Active Directory to reset the password. + +For your device account to use password rotation, you must meet enter the device account’s information when you set up your Surface Hub (during First-run experience), or in **Settings**. The format you'll use depends on where your device account it hosted: + + ++++ + + + + + + + + + + + + + + + + + + + + +
EnvironmentRequired format for device account

Device account is hosted only online

username@contoso.com

Device account is hosted only on-prem

DOMAIN\username

Device account is hosted online and on-prem (hybrid)

DOMAIN\username

+ +  + +  + +  + + + + + diff --git a/devices/surface-hub/physically-install-your-surface-hub-device.md b/devices/surface-hub/physically-install-your-surface-hub-device.md new file mode 100644 index 0000000000..e576286f28 --- /dev/null +++ b/devices/surface-hub/physically-install-your-surface-hub-device.md @@ -0,0 +1,26 @@ +--- +title: Physically install Microsoft Surface Hub +description: The Microsoft Surface Hub Readiness Guide will help make sure that your site is ready for the installation. +ms.assetid: C764DBFB-429B-4B29-B4E8-D7F0073BC554 +keywords: ["Surface Hub", "readiness guide", "installation location", "mounting options"] +author: TrudyHa +--- + +# Physically install Microsoft Surface Hub + + +The Microsoft Surface Hub Readiness Guide will help make sure that your site is ready for the installation. You can download the Guide from the [Microsoft Download Center](http://go.microsoft.com/fwlink/?LinkId=718144). It includes planning information for both the 55" and 84" devices, as well as info on moving the Surface Hub from receiving to the installation location, mounting options, and a list of what's in the box. + +You may also want to check out the Unpacking Guide. It will show you how to unpack the devices efficiently and safely. There are two guides, one for the 55" and one for the 84". A printed version of the Unpacking Guide is attached to the outside front of each unit's shipping crate. + +- Download the 55" Unpacking Guide from the [Microsoft Download Center](http://go.microsoft.com/fwlink/?LinkId=718145). +- Download the 84" version from the [Microsoft Download Center](http://go.microsoft.com/fwlink/?LinkId=718146). + +  + +  + + + + + diff --git a/devices/surface-hub/prepare-your-environment-for-surface-hub.md b/devices/surface-hub/prepare-your-environment-for-surface-hub.md new file mode 100644 index 0000000000..bca63b0847 --- /dev/null +++ b/devices/surface-hub/prepare-your-environment-for-surface-hub.md @@ -0,0 +1,130 @@ +--- +title: Prepare your environment for Microsoft Surface Hub +description: This section contains an overview of the steps required to prepare your environment so that you can use all of the features of Microsoft Surface Hub. +ms.assetid: 336A206C-5893-413E-A270-61BFF3DF7DA9 +keywords: ["prepare environment", "features of Surface Hub", "create and test device account", "check network availability"] +author: TrudyHa +--- + +# Prepare your environment for Microsoft Surface Hub + + +This section contains an overview of the steps required to prepare your environment so that you can use all of the features of Microsoft Surface Hub. See [Intro to Surface Hub](intro-to-surface-hub.md) for a description of how the device and its features interact with your IT environment. + +## Create and test a device account + + +A "device account" is an account that Surface Hub uses in order to access features from Exchange, like email and calendar, and to enable Skype for Business. See [Create and test a device account](create-and-test-a-device-account-surface-hub.md) for details. + +## Check network availability + + +In order to function properly, the Surface Hub must have access to a wired or wireless network that meets these requirements: + +- Access to your Active Directory or Azure Active Directory (Azure AD) instance, as well as your Microsoft Exchange and Skype for Business servers +- Can receive an IP address using DHCP +- Open ports: + - HTTPS: 443 + - HTTP: 8080 + +A wired connection is preferred. + +## Certificates + + +Your Surface Hub may require certificates for ActiveSync, Skype for Business, network usage, or other authentication. To install certificates, you can either create a provisioning package (in order to install at first run, or after first run in Settings), or deploy them through a mobile device management (MDM) solution (after first run only). + +To install certificates using provisioning packages, see [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md). To install them using MDM, see the documentation for your MDM solution. + +## Create provisioning packages + + +Currently, Surface Hub can use provisioning packages only to install certificates and to install Universal Windows Platform (UWP) apps. See [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md) for details. + +Customers will use provisioning packages to authenticate (for example, to Exchange or Skype for Business), or to sideload apps that don't come from the Windows Store or Windows Store for Business. + +## Know the Exchange server for your device account + + +You should know which Exchange server the device account will use for email and calendar services. The device will attempt to discover this automatically during first run, but if auto-discovery doesn't work, you may need to enter the server info manually. + +### Admin group management + +Every Surface Hub can be configured individually by opening the Settings app on the device. To prevent people who are not administrators from changing settings, the Settings app requires local administrator credentials to open the app and change settings. See [Admin group management](admin-group-management-for-surface-hub.md) for details on how admin groups are set up and managed. + +## Skype for Business + + +Certificates may be required in order to have the Surface Hub use Skype for Business. + +## Checklist for preparation + + +In order to ensure that your environment is ready for the Surface Hub, verify the items in the following list. + +1. The device account has been created. + + Test this by running: + + - Surface Hub device account validation PowerShell scripts + - Lync Windows app from the Windows Store (if Lync runs successfully, then Skype for Business will most likely run). + +2. Ensure that there is a working network/Internet connection for the device to connect to: + + - It must be able to receive an IP address using DHCP (Surface Hub cannot be configured with a static IP address) + - It must have these ports open: + + - HTTPS: 443 + - HTTP: 8080 + + If your network runs through a proxy, you'll need the proxy address or script information as well. + +3. In order to improve your experience, we collect data. To collect data, we need these sites whitelisted: + - Telemetry client endpoint: https://vortex.data.microsoft.com/ + - Telemetry settings endpoint: https://settings.data.microsoft.com/ + +4. Choose the local admin method you want to set up during first run (see [Set up admins for this device](first-run-program-surface-hub.md#setup-admins)). Also, decide whether you'll be using MDM (see [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md)). +5. You've created provisioning packages, as needed. See [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md). +6. Have all necessary information available from the [Setup worksheet](setup-worksheet-surface-hub.md). + +## In this section + + + ++++ + + + + + + + + + + + + + + + + + + + + +
TopicDescription

[Create and test a device account](create-and-test-a-device-account-surface-hub.md)

This topic introduces how to create and test the device account that Surface Hub uses to communicate with and Skype.

[Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md)

For Windows 10, settings that use the registry or a content services platform (CSP) can be configured using provisioning packages. You can also add certificates during first run using provisioning.

[Admin group management](admin-group-management-for-surface-hub.md)

Every Surface Hub can be configured individually by opening the Settings app on the device. However, to prevent people who are not administrators from changing the settings, the Settings app requires administrator credentials to open the app and change settings.

+

The Settings app requires local administrator credentials to open the app.

+ +  + +  + +  + + + + + diff --git a/devices/surface-hub/provisioning-packages-for-certificates-surface-hub.md b/devices/surface-hub/provisioning-packages-for-certificates-surface-hub.md new file mode 100644 index 0000000000..8a4eb488f1 --- /dev/null +++ b/devices/surface-hub/provisioning-packages-for-certificates-surface-hub.md @@ -0,0 +1,257 @@ +--- +title: Create provisioning packages (Surface Hub) +description: For Windows 10, settings that use the registry or a content services platform (CSP) can be configured using provisioning packages. You can also add certificates during first run using provisioning. +ms.assetid: 8AA25BD4-8A8F-4B95-9268-504A49BA5345 +keywords: ["add certificate", "provisioning package"] +author: TrudyHa +--- + +# Create provisioning packages (Surface Hub) + + +For Windows 10, settings that use the registry or a content services platform (CSP) can be configured using provisioning packages. You can also add certificates during first run using provisioning. + +In this topic, you'll find the following information: + +- [Introduction to provisioning packages](#intro-prov-pkg) +- [What can provisioning packages configure for Microsoft Surface Hubs?](#what-can-prov-pkg) +- [How do I create and deploy a provisioning package?](#how-do-i-prov-pkg) +- [Requirements](#requirements-prov-pkg) +- [Install the Windows Imaging and Configuration Designer](#installing-wicd-prov-pkg) +- [Create a provisioning package for certificates](#creating-prov-pkg-certs) +- [Create a provisioning package for apps](#creating-prov-pkg-apps) +- [Deploy a provisioning package to a Surface Hub](#deploy-to-hub-prov-pkg) + - [Deploy a provisioning package using first run](#deploy-via-oobe-prov-pkg) + - [Deploy a provisioning package using Settings](#deploy-via-settings-prov-pkg) + +### Introduction to provisioning packages + +Provisioning packages are created using Windows Imaging and Configuration Designer (WICD), which is a part of the Windows Assessment and Deployment Kit (ADK). For Surface Hub, the provisioning packages can be placed on a USB drive. + +### What can provisioning packages configure for Surface Hubs? + +Currently, you can use provisioning packages to install certificates and to install Universal App Platform (UAP) apps on your Surface Hub. These are the only two supported scenarios. + +You may use provisioning packages to install certificates that will allow the device to authenticate to Microsoft Exchange or Skype for Business, or to sideload apps that don't come from the Windows Store (for example, your own in-house apps). + +**Note**  Provisioning can only install certificates to the device (local machine) store, and not to the user store. If your organization requires that certificates must be installed to the user store, you must use Mobile Device Management (MDM) to deploy these certificates. See your MDM solution documentation for details. + +  + +### How do I create and deploy a provisioning package? + +Provisioning packages must be created using the Windows Imaging and Configuration Designer (ICD). + +### Requirements + +In order to create and deploy provisioning packages, all of the following are required: + +- Access to the Settings app on Surface Hub (using admin credentials which were configured at initial setup of the Surface Hub). +- Windows Imaging and Configuration Designer (ICD), which is installed as a part of the windows 10 Assessment and Deployment Kit (ADK). +- A PC running Windows 10. +- USB flash drive. + +### Install the Windows Imaging and Configuration Designer + +1. The Windows Imaging and Configuration Designer (ICD) is installed as part of the Windows 10 ADK. The installer for the ADK can be downloaded from the [Microsoft Download Center](http://go.microsoft.com/fwlink/?LinkId=718147). + **Note**  The ADK must be installed on a separate PC, not on the Surface Hub. + +   + +2. Run the installer, and set your preferences for installation. When asked what features you want to install, you will see a checklist like the one in the following figure. Note that **Windows Performance Toolkit** and **Windows Assessment Toolkit** should be unchecked, as they are not needed to run the ICD. + + Before going to the next step, make sure you have the following checked: + + - **Deployment Tools** + - **Windows Preinstallation Environment** + - **Imaging and Configuration Designer** + - **User State Migration Tool** + + All four of these features are required to run the ICD and create a package for the Surfact Hub. + + ![icd options checklist](images/idcfeatureschecklist.png) + +3. Continue with the installer until the ADK is installed. This may take a while, because the installer downloads remote content. + +### Create a provisioning package for certificates + +This example will demonstrate how to create a provisioning package to install a certificate. + +1. On the PC that had the Windows 10 ADK installed, open ICD and choose the **New provisioning package** tile from the main menu. + + ![icd tiles](images/wicd-screen01a.png) + +2. When the **New project** dialog box opens, type whatever name you like in the **Name** box. The **Location** and **Description** boxes can also be filled at your discretion, though we recommend using the **Description** box to help you distinguish among multiple packages. Click **Next**. + + ![icd tiles](images/wicd-screen02a.png) + + Select the settings that are **Common to all Windows editions**, and click **Next**. + + ![icd tiles](images/wicd-screen02b.png) + + When asked to import a provisioning package, just click **Finish.** + + ![icd tiles](images/wicd-screen02c.png) + +3. ICD's main screen will be displayed. This is where you create the provisioning package. In the **Available customizations** pane, expand **Runtime settings** and then expand **Certificates**. Click **Root certificates**. + + ![icd tiles](images/wicd-screen03a.png) + + In the center pane, you’ll be asked to specify a **CertificateName** for the Root certificate. You can set this to whatever you want. For the example, we've used the same name as the project. Click **Add**, and an entry will be added in the left pane. + +4. In the **Available customizations** pane on the left, a new category has appeared for **CertificatePath** underneath the **CertificateName** you provided. There’s also a red exclamation icon indicating that there is a required field that needs to be set. Click **CeritficatePath**. + + ![icd tiles](images/wicd-screen04a.png) + +5. In the center pane, you’ll be asked to specify the path for the certificate. Enter the name of the .cer file that you want to deploy, either by typing or clicking **Browse**. It must be a root certificate. The provisioning package created will copy the .cer file into the package it creates. + + ![icd tiles](images/wicd-screen06a.png) + +6. Verify that the path is set, then click **Export** in the top menu and choose **Provisioning package**. + + ![icd tiles](images/wicd-screen07a.png) + +7. You'll see a series of dialog boxes next. In the first one, either accept the defaults, or enter new values as needed, and click **Next**. You'll most likely want to accept the defaults. + + ![icd tiles](images/wicd-screen08a.png) + + Click **Next** again in the security options dialog box, because this package doesn't need to be encrypted or signed. + + ![icd tiles](images/wicd-screen09a.png) + + Choose where to save the provisioning package, and click **Next**. + + ![icd tiles](images/wicd-screen10a.png) + + Review the information shown, and if it looks good, click **Build**. + + ![icd tiles](images/wicd-screen11a.png) + + You will see a confirmation dialog box similar to the one following. Click the link under **Output location** to open the directory containing the provisioning package. + + ![icd tiles](images/wicd-screen12a.png) + +8. Copy the .ppkg from the output directory into the root directory of a USB drive. If it’s not at the root, it won’t be recognized by the device. You’ve finished making the provisioning package—now you just need to deploy it to the Surface Hub. + +### Create a provisioning package for apps + +This example will demonstrate how to create a provisioning package to install offline-licensed apps purchased from the Windows Store for Business. For information on offline-licensed apps and what you need to download in order to install them, see [Distribute offline apps](http://go.microsoft.com/fwlink/?LinkId=718148). + +For each app you want to install on Surface Hubs, you'll need to download: + +- App metadata +- App package +- App license + +Depending on the app, you may or may not need to download a new app framework. + +1. On the PC that had the Windows 10 ADK installed, open ICD and choose the **New provisioning package** tile from the main menu. + + ![icd tiles](images/wicd-screen01a.png) + +2. When the **New project** dialog box opens, type whatever name you like in the **Name** box. The **Location** and **Description** boxes can also be filled at your discretion, though we recommend using the **Description** box to help you distinguish among multiple packages. Click **Next**. + + ![icd tiles](images/wicd-screen-apps-02a.png) + + Select the settings that are **Common to all Windows editions**, and click **Next**. + + ![icd tiles](images/wicd-screen02b.png) + + When asked to import a provisioning package, just click **Finish.** + + ![icd tiles](images/wicd-screen02c.png) + +3. ICD's main screen will be displayed. This is where you create the provisioning package. In the **Available customizations** pane, expand **UniversalAppInstall** and click **DeviceContextApp**. + + ![icd tiles](images/wicd-screen-apps-03a.png) + + In the center pane, you’ll be asked to specify a **PackageFamilyName** for the app. This is one of the things you downloaded from the Store for Business. Click **Add**, and an entry will be added in the left pane. + +4. In the **Available customizations** pane on the left, new categories will be displayed for **ApplicationFile** and **LaunchAppAtLogin** underneath the **PackageFamilyName** you just entered. Enter the appx filename in the **ApplicationFile** box in the center pane. + + ![icd tiles](images/wicd-screen-apps-04a.png) + + Generally, **LaunchAppAtLogin** should be set to **Do not launch app** or **NOT CONFIGURED**. + +5. Next, click **DeviceContextAppLicense** in the left pane. In the center pane, you’ll be asked to specify the **LicenseProductId**. Click **Add**. Back in the left pane, click on the **LicenseProductId** that you just added. In the center pane, you'll need to specify **LicenseInstall**. Enter the name of the license file that you previously downloaded from the Store for Business, either by typing or clicking **Browse**. The file will have a extension of "ms-windows-store-license". + + ![icd tiles](images/wicd-screen-apps-06a.png) + +6. Verify that the path is set, then click **Export** in the top menu and choose **Provisioning package**. + + ![icd tiles](images/wicd-screen07a.png) + +7. You'll see a series of dialog boxes next. In the first one, either accept the defaults, or enter new values as needed, and click **Next**. You'll most likely want to accept the defaults. + + ![icd tiles](images/wicd-screen-apps-08a.png) + + Click **Next** again in the security options dialog box, because this package doesn't need to be encrypted or signed. + + ![icd tiles](images/wicd-screen09a.png) + + Choose where to save the provisioning package, and click **Next**. + + ![icd tiles](images/wicd-screen-apps-10a.png) + + Review the information shown, and if it looks good, click **Build**. + + ![icd tiles](images/wicd-screen-apps-11a.png) + + You will see a confirmation dialog box similar to the one following. Click the link under **Output location** to open the directory containing the provisioning package. + + ![icd tiles](images/wicd-screen-apps-12a.png) + +8. Copy the .ppkg from the output directory into the root directory of a USB drive. If it’s not at the root, it won’t be recognized by the device. You’ve finished making the provisioning package—now you just need to deploy it to the Surface Hub. + +### Deploy a provisioning package to a Surface Hub + +The following two methods for deploying provisioning packages apply to any kind of provisioning package that is being deployed to a Surface Hub. There is no difference in the way cert provisioning packages and app provisioning packages are installed. You may see different description text in the UI depending on what the package is for, but the process is still the same. + +### Deploy a provisioning package using first run + +1. When you turn on the Surface Hub for the first time, the first run process will display the page titled **Hi there**. Make sure the settings on this page are correct before you proceed. (See [Hi there page](first-run-program-surface-hub.md#first-page) for details.) Once you've deployed your provisioning package, the first run process will not return here. It will continue to the next screen. +2. Insert the USB drive into the Surface Hub. +3. Press the Windows key on the separate keyboard five times. You’ll see a dialog box asking whether you want to set up your device. Click **Set Up**. + + ![image with set up device message for surface hub.](images/provisioningpackageoobe-01.png)IMage + +4. Click on **Removable Media** in the **Provision From** dropdown list, then click **Next**. + + ![image with provision this device page for surface hub. ](images/provisioningpackageoobe-02.png) + +5. The available packages in the root directory of the USB drive will be listed. Note that you can only install one package during first run. Select the package you want to install and then click **Next**. + + ![image with choose a package page for surface hub. ](images/provisioningpackageoobe-03.png) + +6. You’ll then see a dialog asking if it’s from a source you trust. Click **Yes, add it**. The certificate will be installed, and you’ll be taken to the next page of first run. + + ![image with ](images/provisioningpackageoobe-04.png) + +### Deploy a provisioning package using Settings + +1. Insert the USB drive into the Surface Hub you want to deploy to. +2. On the Surface Hub, open **Settings** and enter in the admin credentials. +3. Navigate to **System > Work Access**. Under the header **Related settings**, click on **Add or remove a management package**. +4. Here, click the button for **Add a package**. + + ![](images/provisioningpackagesettings-01.png) + +5. Click **Removable media** from the dropdown list. You will see a list of available provisioning packages on the **Settings** page. + + ![](images/provisioningpackagesettings-02.png) + +6. Choose your package and click **Add**. + + ![](images/provisioningpackagesettings-03.png) + +7. You may have to re-enter the admin credentials if User Access Control (UAC) asks for them. +8. You’ll see a confirmation dialog box. Click **Yes, add it**. The certificate will be installed. + +  + +  + + + + + diff --git a/devices/surface-hub/save-bitlocker-key-surface-hub.md b/devices/surface-hub/save-bitlocker-key-surface-hub.md new file mode 100644 index 0000000000..6c08da3b77 --- /dev/null +++ b/devices/surface-hub/save-bitlocker-key-surface-hub.md @@ -0,0 +1,38 @@ +--- +title: Save your BitLocker key (Surface Hub) +description: Every Microsoft Surface Hub is automatically set up with BitLocker drive encryption software. Microsoft strongly recommends that you make sure you back up your BitLocker recovery keys. +ms.assetid: E11E4AB6-B13E-4ACA-BCE1-4EDC9987E4F2 +keywords: ["Surface Hub", "BitLocker", "Bitlocker recovery keys"] +author: TrudyHa +--- + +# Save your BitLocker key (Surface Hub) + + +Every Microsoft Surface Hub is automatically set up with BitLocker drive encryption software. Microsoft strongly recommends that you make sure you back up your BitLocker recovery keys. + +There are several ways to manage your BitLocker key on the Surface Hub. + +1. If you’ve joined the Surface Hub to a domain, the device will back up the key on the domain and store it under the computer object. + + If you can’t find the BitLocker key after joining the device to a domain, it’s likely that your Active Directory schema doesn’t support BitLocker key backup. If you don’t want to change the schema, you can save the BitLocker key by going to Settings and following the procedure for using a local admin account, which is detailed later in this list. + +2. If you’ve joined the Surface Hub to Azure Active Directory (Azure AD), the BitLocker key will be stored under the account that was used to join the device. + +3. If you’re using a local admin account to manage the device, you can save the BitLocker key by going to Settings and navigating to **System** > **Microsoft Surface Hub**. Insert a USB drive and select the option to save the BitLocker key. The key will be saved to a text file on the USB drive. + +## Related topics + + +[Manage Microsoft Surface Hub](manage-surface-hub.md) + +[Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md) + +  + +  + + + + + diff --git a/devices/surface-hub/set-up-your-surface-hub.md b/devices/surface-hub/set-up-your-surface-hub.md new file mode 100644 index 0000000000..976bfd183c --- /dev/null +++ b/devices/surface-hub/set-up-your-surface-hub.md @@ -0,0 +1,51 @@ +--- +title: Set up Microsoft Surface Hub +description: Set up instructions for Surface Hub include a setup worksheet, and a walkthrough of the first-run program. +ms.assetid: 4D1722BC-704D-4471-BBBE-D0500B006221 +keywords: ["set up instructions", "Surface Hub", "setup worksheet", "first-run program"] +author: TrudyHa +--- + +# Set up Microsoft Surface Hub + + +Set up instructions for Surface Hub include a setup worksheet, and a walkthrough of the first-run program. + +Before you turn on your Microsoft Surface Hub for the first time, make sure you've completed the checklist at the end of the [Prepare your environment for Surface Hub](prepare-your-environment-for-surface-hub.md) section, and that you have the information listed in the [Setup worksheet](setup-worksheet-surface-hub.md). When you do power it on, the device will walk you through a series of setup screens. If you haven't properly set up your environment, or don't have the required information, you'll have to do extra work afterward making sure the settings are correct. + +## In this section + + + ++++ + + + + + + + + + + + + + + + + +
TopicDescription

[Setup worksheet](setup-worksheet-surface-hub.md)

When you've finished pre-setup and are ready to start first-time setup for your Surface Hub, make sure you have all the information listed in this section.

[First-run program](first-run-program-surface-hub.md)

The term "first run" refers to the series of steps you'll go through the first time you power up your Surface Hub, and means the same thing as "out-of-box experience" (OOBE). This section will walk you through the process.

+ +  + +  + +  + + + + + diff --git a/devices/surface-hub/setup-worksheet-surface-hub.md b/devices/surface-hub/setup-worksheet-surface-hub.md new file mode 100644 index 0000000000..4dd579c142 --- /dev/null +++ b/devices/surface-hub/setup-worksheet-surface-hub.md @@ -0,0 +1,242 @@ +--- +title: Setup worksheet (Surface Hub) +description: When you've finished pre-setup and are ready to start first-time setup for your Microsoft Surface Hub, make sure you have all the information listed in this section. +ms.assetid: AC6F925B-BADE-48F5-8D53-8B6FFF6EE3EB +keywords: ["Setup worksheet", "pre-setup", "first-time setup"] +author: TrudyHa +--- + +# Setup worksheet (Surface Hub) + + +When you've finished pre-setup and are ready to start first-time setup for your Microsoft Surface Hub, make sure you have all the information listed in this section. + +You should fill out one list for each Surface Hub you need to configure, although some information can be used on all Surface Hubs, like the proxy information or domain credentials. Some of this information may not be needed, depending on how you've decided to configure your device, or depending on how the environment is configured for your organization's infrastructure. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
PropertyWhat this is used forExampleActual value
+

Proxy information

+		 +

If your network uses a proxy to for network and/or Internet access, you must provide a script or server/port information.

+		 +

http://contoso/proxy.pa (proxy script) +OR +10.10.10.100, port 8080 (server, port) +

+		 +

+
+

Wireless network credentials (username and password)

+		 +

If you decide to connect your device to Wi-Fi, and your wireless network requires user credentials.

+		 +

admin1@contoso.com, #MyPassw0rd

+		 +

+
+

Device account UPN or Domain\username and device account password

+		 +

This is the User Principal Name (UPN) or the domain\username, and the password of the device account. Mail, calendar, and Skype for Business depend on a compatible device account.

+		 +

ConfRoom15@contoso.com, #Passw0rd1 (for UPN) OR CONTOSO\ConfRoom15, #Passw0rd1 (for Domain\username)

+		 +

+
+

Device account Microsoft Exchange server

+		 +

This is the device account's Exchange server. +Mail, calendar, and Skype for Business depend on a compatible device account. +For mail and calendar to work, the device account must have a valid Exchange server. The device will try to find this automatically.

+		 +

outlook.office365.com

+		 +

+
+

Device account Session Initiation Protocol (SIP) address

+		 +

This is the device account's Skype for Business SIP address. +Mail, calendar, and Skype for Business depend on a compatible device account. +For Skype for Business to work, the device account must have a valid SIP address. The device will try to find this automatically.

+		 +

sip:ConfRoom15@contoso.com

+		 +

+
+

Friendly name

+		 +

The friendly name of the device is the broadcast name that people will see when they try to wirelessly connect to the Surface Hub. This name will be displayed prominently on the Surface Hub's screen. +We suggest that the friendly name you choose is recognizable and unique so that people can distinguish one Surface Hub from another when trying to connect.

+		 +

Conference Room 15

+		 +

+
+

Device name

+		 +

The device name is the name that will be used for domain join, and is the identity you will see in your MDM provider if the device is enrolled into MDM. +The device name you choose must not be the same name as any other device on the user’s Active Directory domain (if you decide to domain join the device). The device cannot join the domain if its name is not unique. +

+		 +

confroom15

+		 +

+
+

IF YOU'RE JOINING AZURE AD

+
+

Azure AD tenant user credentials (username and password)

+		 +

If you decide to have people in your Azure Active Directory (Azure AD) organization become admins on the device, then you'll need to join Azure AD. +To join Azure AD, you will need valid user credentials.

+		 +

admin1@contoso.com, #MyPassw0rd

+		 +

+
+

IF YOU'RE JOINING A DOMAIN

+
+

Domain to join

+		 +

This is the domain you will need to join so that a security group of your choice can be admins for the device. +You may need the fully qualified domain name (FQDN).

+		 +

contoso (short name) OR contoso.corp.com (FQDN)

+		 +

+
+

Domain account credentials (username and password)

+		 +

A domain can't be joined unless you provide sufficient account credentials to join the domain. Once you provide a domain to join and credentials to join the domain, then a security group of your choice can change settings on the device.

+		 +

admin1, #MyPassw0rd

+		 +

+
+

Admin security group alias

+		 +

This is a security group in your Active Directory (AD); any members of this security group can change settings on the device.

+		 +

SurfaceHubAdmins

+		 +

+
+

IF YOU'RE USING A LOCAL ADMIN

+
+

Local admin account credentials (username and password)

+		 +

If you decide not to join an AD domain or Azure AD, you can create a local admin account on the device.

+		 +

admin1, #MyPassw0rd

+		 +

+
+

IF YOU NEED TO INSTALL CERTIFICATES OR APPS

+
+

USB drive

+		 +

If you know before first run that you want to install certificates or universal apps, follow the steps in Create provisioning packages. Your provisioning packages will be created on a USB drive.

+		 +

+		 +

+
  + + + + + diff --git a/devices/surface-hub/surface-hub-administrators-guide.md b/devices/surface-hub/surface-hub-administrators-guide.md new file mode 100644 index 0000000000..a965c14182 --- /dev/null +++ b/devices/surface-hub/surface-hub-administrators-guide.md @@ -0,0 +1,71 @@ +--- +title: Microsoft Surface Hub administrator's guide +description: This guide covers the installation and administration of devices running Surface Hub, and is intended for use by anyone responsible for these tasks, including IT administrators and developers. +ms.assetid: e618aab7-3a94-4159-954e-d455ef7b8839 +keywords: ["Surface Hub", "installation", "administration", "administrator's guide"] +author: TrudyHa +--- + +# Microsoft Surface Hub administrator's guide + + +This guide covers the installation and administration of devices running Surface Hub, and is intended for use by anyone responsible for these tasks, including IT administrators and developers. + +Before you power on Microsoft Surface Hub for the first time, make sure you've [completed the checklist](prepare-your-environment-for-surface-hub.md#prepare-checklist) at the end of the [Prepare your environment for Surface Hub](prepare-your-environment-for-surface-hub.md) section, and that you have the information listed in the [Setup worksheet](setup-worksheet-surface-hub.md). When you do power it on, the device will walk you through a series of setup screens. If you haven't properly set up your environment, or don't have the required information, you'll have to do extra work afterward making sure the settings are correct. + +## In this section + + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
TopicDescription

[Intro to Microsoft Surface Hub](intro-to-surface-hub.md)

Surface Hub is an all-in-one productivity device that is intended for brainstorming, collaboration, and presentations. In order to get the maximum benefit from Surface Hub, your organization’s infrastructure and the Surface Hub itself must be properly set up and integrated. This guide describes what needs to be done both before and during setup in order to help you optimize your use of the device.

[Physically install Microsoft Surface Hub](physically-install-your-surface-hub-device.md)

The Surface Hub Readiness Guide will help make sure that your site is ready for the installation. You can download the Guide from the [Microsoft Download Center](http://go.microsoft.com/fwlink/?LinkId=718144). It includes planning information for both the 55" and 84" devices, as well as info on moving the Surface Hub from receiving to the installation location, mounting options, and a list of what's in the box.

[Prepare your environment for Microsoft Surface Hub](prepare-your-environment-for-surface-hub.md)

This section contains an overview of the steps required to prepare your environment so that you can use all of the features of Surface Hub. See [Intro to Surface Hub](intro-to-surface-hub.md) for a description of how the device and its features interact with your IT environment.

[Set up Microsoft Surface Hub](set-up-your-surface-hub.md)

Set up instructions for Surface Hub include a setup worksheet, and a walkthrough of the first-run program.

[Manage Microsoft Surface Hub](manage-surface-hub.md)

How to manage your Surface Hub after finishing the first-run program.

[Troubleshoot Microsoft Surface Hub](troubleshoot-surface-hub.md)

Troubleshoot common problems, including setup issues, Exchange ActiveSync errors.

[Appendix: PowerShell](appendix-a-powershell-scripts-for-surface-hub.md)

PowerShell scripts to help set up and manage your Surface Hub .

+ +  + +  + +  + + + + + diff --git a/devices/surface-hub/troubleshoot-surface-hub.md b/devices/surface-hub/troubleshoot-surface-hub.md new file mode 100644 index 0000000000..1a55de269c --- /dev/null +++ b/devices/surface-hub/troubleshoot-surface-hub.md @@ -0,0 +1,661 @@ +--- +title: Troubleshoot Microsoft Surface Hub +description: Troubleshoot common problems, including setup issues, Exchange ActiveSync errors. +ms.assetid: CF58F74D-8077-48C3-981E-FCFDCA34B34A +keywords: ["Troubleshoot common problems", "setup issues", "Exchange ActiveSync errors"] +author: TrudyHa +--- + +# Troubleshoot Microsoft Surface Hub + + +Troubleshoot common problems, including setup issues, Exchange ActiveSync errors. + +Common issues are listed in the following table, along with causes and possible fixes. The [Setup troubleshooting](#setup-troubleshooting) section contains a listing of on-device problems, along with several types of issues that may be encountered during the first-run experience. The [Exchange ActiveSync errors](#exchange-activesync-errors) section lists common errors the device may encounter when trying to synchronize with an Microsoft Exchange ActiveSync server. + +- [Setup troubleshooting](#setup-troubleshooting) +- [Exchange ActiveSync errors](#exchange-activesync-errors) + +## Setup troubleshooting + + +This section lists causes, and possible fixes to help troubleshoot issues you might find when you set up your Microsoft Surface Hub. + +### On-device + +Possible fixes for issues on the Surface Hub after you've completed the first-run program. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
IssueCausesPossible fixes
+

Not receiving automatic accept/decline messages.

+		 +

The device account isn't configured to automatically accept/decline messages.

+		 +

Use PowerShellcmdlet Set-CalendarProcessing $upn -AutomateProcessing AutoAccept.

+
+

The device account isn't configured to process external meeting requests.

+		 +

Use PowerShell cmdlet Set-CalendarProcessing $upn -ProcessExternalMeetingMessages $true.

+
+

Calendar is not showing on the Welcome screen, or message "Appointments of date (no account provisioned)" is being displayed.

+		 +

No device account is set up on this Surface Hub.

+		 +

Provision a device account through Settings.

+
+

Calendar is not showing on the Welcome screen or message "Appointments of date (overprovisioned)" is being displayed.

+		 +

The device account is provisioned on too many devices.

+		 +

Remove the device account from other devices that it's provisioned to. This can be done using the Exchange admin portal.

+
+

Calendar is not showing on the Welcome screen or message "Appointments of date (invalid credentials)" is being displayed.

+		 +

The device account's password has expired and is no longer valid.

+		 +

Update the account's password in Settings. Also see Password management.

+
+

Calendar is not showing on the Welcome screen or message "Appointments of date (account policy)" is being displayed.

+		 +

The device account is using an invalid ActiveSync policy.

+		 +

Make sure the device account has an ActiveSync policy where PasswordEnabled == False.

+
+

Calendar is not showing on the Welcome screen or message "Appointments may be out of date" is being displayed.

+		 +

Exchange is not enabled.

+		Enable the device account for Exchange services through Settings. You need to make sure you have the right set of ActiveSync policies and have also installed any necessary certificates for Exchange services to work.
+

Can't log in to Skype for Business.

+		 +

The device account does not have a Session Initiation Protocol (SIP) address property.

+		 +

The account does not have a SIP address property and its User Principal Name (UPN) does not match the actual SIP address. The account must have its SIP address set, or the SIP address should be added using the Settings app.

+
+

Can't log in to Skype for Business.

+		 +

The device account requires a certificate to authenticate into Skype for Business.

+		 +

Install the appropriate certificate using provisioning packages.

+
+  + +### First run + +Possible fixes for issues with Surface Hub first-run program. + + +++++ + + + + + + + + + + + + + + +
IssueCausesPossible fixes

Cannot find account when asked for domain and user name.

Domain needs to be the fully qualified domain name (FQDN).

The FQDN should be provided in the domain field.

+ +  + +### Device account page, issues for new account settings + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
IssueCausesPossible fixes

Unable to find the provided account in Azure AD.

The provided account's User Principal Name (UPN) has a tenant that can't be reached in Azure AD.

Make sure that you have a working Internet connection, and that the device can reach Microsoft Online Services. Make sure the account credentials are entered correctly.

Unable to reach the specified directory.

The provided account domain specifies a domain that can't be reached.

Make sure that you have a working network connection, and that the device can reach the domain controller. Make sure the account credentials are entered correctly. You can also try using the FQDN instead.

Can't auto-discover Exchange server.

The Exchange server isn't configured for auto-discovery.

Enable auto-discovery of the Exchange server for the device account, or enter the account's Exchange server address manually.

Could not discover the SIP address after entering the account credentials.

There was no SIP address entry in Active Directory or Azure AD.

Make sure the account is enabled with Skype for Business and has a SIP address. If not, you can enter the SIP address manually into the text box.

+ +  + +### Device account page, issues for existing account settings + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
IssueCausesError codesPossible fixes
+

Account could not authenticate with the specified credentials.

+		 +

The account is not enabled as a user in Active Directory (AD), needs a password to authenticate, or the password is incorrect.

+		 +

None

+		 +

Make sure the credentials are entered correctly. Enable the account as a user in AD and add a password, or set the RoomMailboxPassword

.
+

Error 0x800C0019 is displayed when providing an Exchange server.

+		 +

The device account requires a certificate to authenticate.

+		 +

0x800C0019

+		 +

Install the appropriate certificate using provisioning packages.

+
+

Device account credentials are not valid for the provided Exchange server.

+		 +

The provided Exchange server is not where the device account's mailbox is hosted.

+		 +

None

+		 +

Make sure you are providing the correct Exchange mail server for the device account.

+
+

HTTP timeout while trying to reach Exchange server.

+		 +

0x80072EE2

+
+

Couldn't find the provided Exchange server.

+		 +

The Exchange server provided could not be found.

+		 +

None

+		 +

Ensure that you have a working network or Internet connection, and that the Exchange server you provided is correct.

+
+

http not supported.

+		 +

An Exchange server with http:// instead of https:// was provided.

+		 +

None

+		 +

Use an Exchange server that uses https.

+
+
Note  

People land on the page titled "There's a problem with this account" regarding ActiveSync.

+
+
 
+		 +

The ActiveSync policy PasswordEnabled is set to True (or 1).

+		 +

None

+		 +

Create a new ActiveSync policy where PasswordEnabled is set to False (or 0), and then apply that policy to the account.

+
+

The Surface Hub doesn't have a connection to Exchange.

+		 +

None

+		 +

Make sure that you have a working network or Internet connection.

+
+

Exchange returns a status code indicating an error.

+		 +

None

+		 +

Make sure that you have a working network or Internet connection.

+
+  + +### First run, Domain join page issues + + +++++ + + + + + + + + + + + + + + + + + + + +
IssueCausesPossible fixes

When trying to join a domain, an error shows that the account couldn't authenticate using the specified credentials.

The credentials provided are not capable of joining the specified domain.

Enter correct credentials for an account that exists in the specified domain.

When specifying a group from a domain, an error shows that the group couldn't be found on the domain.

The group may have been removed or no longer exists.

Verify that the group exists within the domain.

+ +  + +### First run, Exchange server page + + +++++ + + + + + + + + + + + + + + +
IssueCausesPossible fixes

People land on this page and are asked for the Exchange server address.

The Exchange server isn't configured for auto-discovery.

Enable auto-discovery of the Exchange server for the device account, or enter the account's Exchange server address manually.

+ +  + +### First run, On-device issues + + ++++++ + + + + + + + + + + + + + + + + +
IssueCausesError codesPossible fixes

Can't sync mail/calendar.

The account has not allowed the Surface Hub as an allowed device.

0x86000C1C

Add the Surface Hub device ID to the whitelist by setting the ActiveSyncAllowedDeviceIds property for the mailbox.

+ +  + +### Skype for Business + + +++++ + + + + + + + + + + + + + + +
IssueCausesPossible fixes

Can't call a Skype consumer from my Surface Hub.

Outgoing calls aren't supported yet.

None currently.

+ +  + +## Exchange ActiveSync errors + + +This section liss status codes, mapping, user messages, and actions an admin can take to solve Exchange ActiveSync errors. + + +++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Status CodeCount of EventResultMappingUser-Friendly MessageAction admin should take

-2063532030

3849

E_HTTP_DENIED

The password must be updated.

Update the password.

-2147012867

1234

WININET_E_CANNOT_CONNECT

Can’t connect to the server right now. Wait a while and try again, or check the account settings.

Verify that the server name is correct and reachable. Verify that the device is connected to the network.

-2046817239

316

E_NEXUS_STATUS_DEVICE_NOTPROVISIONED (policies don’t match)

The account is configured with policies not compatible with Surface Hub

+.

Disable the PasswordEnabled policy for this account.

+

We have a bug were we may surface policy errors if the account doesn’t receive any server notifications within the policy refresh interval.

-2046817204

145

E_NEXUS_STATUS_MAXIMUMDEVICESREACHED

The account has too many device partnerships.

Delete one or more partnerships on the server.

-2046817270

93

E_NEXUS_STATUS_SERVERERROR_RETRYLATER

Can’t connect to the server right now.

Wait until the server comes back online. If the issue persists, re-provision the account.

-2063269885

28

E_CREDENTIALS_EXPIRED (Credentials have expired and need to be updated)

The password must be updated.

Update the password.

-2063269875

14

E_AIRSYNC_RESET_RETRY

Can’t connect to the server right now. Wait a while or check the account’s settings.

This is normally a transient error but if the issue persists check the number of devices associated with the account and delete some of them if the number is large.

-2046817258

14

E_NEXUS_STATUS_USER_HASNOMAILBOX

The mailbox was migrated to a different server.

You should never see this error. If the issue persists, re-provision the account.

-2063532028

12

E_HTTP_FORBIDDEN

Can’t connect to the server right now. Wait a while and try again, or check the account’s settings.

Verify the server name to make sure it is correct. If the account is using cert based authentication make sure the certificate is still valid and update it if not.

-2063400920

12

E_ACTIVESYNC_PASSWORD_OR_GETCERT

The account’s password or client certificate are missing or invalid.

Update the password and/or deploy the client certificate.

-2046817238

12

E_NEXUS_STATUS_DEVICE_POLICYREFRESH

The account is configured with policies not compatible with Surface Hub.

Disable the PasswordEnabled policy for this account.

-2063269886

7

E_CREDENTIALS_UNAVAILABLE

The password must be updated.

Update the password.

-2147012894

6

WININET_E_TIMEOUT

The network doesn’t support the minimum idle timeout required to receive server notification, or the server is offline.

Verify that the server is running. Verify the NAT settings.

-2063589372

6

E_FAIL_ABORT

This error is used to interrupt the hanging sync, and will not be exposed to users. It will be shown in the telemetry if you force an interactive sync, delete the account, or update its settings.

Nothing.

-2063532009

5

E_HTTP_SERVICE_UNAVAIL

Can’t connect to the server right now. Wait a while or check the account’s settings.

Verify the server name to make sure it is correct. Wait until the server comes back online. If the issue persists, re-provision the account.

-2046817267

4

E_NEXUS_STATUS_MAILBOX_SERVEROFFLINE

Can’t connect to the server right now. Wait a while or check the account’s settings.

Verify the server name to make sure it is correct. Wait until the server comes back online. If the issue persists, re-provision the account.

-2063400921

3

E_ACTIVESYNC_GETCERT

The Exchange server requires a certificate.

Import the appropriate EAS certificate on the Surface Hub.

-2046817237

2

E_NEXUS_STATUS_INVALID_POLICYKEY

The account is configured with policies not compatible with Surface Hub.

Disable the PasswordEnabled policy for this account.

+

We have a bug were we may surface policy errors if the account doesn’t receive any server notifications within the policy refresh interval.

-2063532027

1

E_HTTP_NOT_FOUND

The server name is invalid.

Verify the server name to make sure it is correct. If the issue persists, re-provision the account.

-2063532012

1

E_HTTP_SERVER_ERROR

Can’t connect to the server.

Verify the server name to make sure it is correct. Trigger a sync and, if the issue persists, re-provision the account.

0x80072ee7

The server name or address could not be resolved.

Make sure the server name is entered correctly.

0x8007052f

While auto-discovering the Exchange server, a policy is applied that prevents the logged-in user from logging in to the server.

This is a timing issue. Re-verify the account's credentials. Try to re-provision when they're correct.

0x800c0019

Security certificate required to access this resource is invalid.

Install the correct ActiveSync certificate needed for the provided device account.

0x80072f0d

The certificate authority is invalid or is incorrect. Could not auto-discover the Exchange server because a certificate is missing.

Install the correct ActiveSync certificate needed for the provided device account.

0x80004005

E_FAIL

The domain provided couldn't be found. The Exchange server could not be auto-discovered and was not provided in the settings.

Make sure that the domain entered is the FQDN, and that there is an Exchange server entered in the Exchange server text box.

0x80072efd

Fail to connect to Exchange server as a result of a networking issue. It's possible the server was misspelled or it just couldn't be found.

Make sure that the Exchange server ID is entered correctly, and that the device is connected to the right network.

+ +  + +  + +  + + + + + diff --git a/devices/surface-hub/use-room-control-system-with-surface-hub.md b/devices/surface-hub/use-room-control-system-with-surface-hub.md new file mode 100644 index 0000000000..70f4344966 --- /dev/null +++ b/devices/surface-hub/use-room-control-system-with-surface-hub.md @@ -0,0 +1,551 @@ +--- +title: Using a room control system (Surface Hub) +description: Room control systems can be used with your Microsoft Surface Hub. +ms.assetid: DC365002-6B35-45C5-A2B8-3E1EB0CB8B50 +keywords: ["room control system", "Surface Hub"] +author: TrudyHa +--- + +# Using a room control system (Surface Hub) + + +Room control systems can be used with your Microsoft Surface Hub. + +Using a room control system with your Surface Hub involves connecting room control hardware to the Surface Hub, usually through the RJ11 serial port on the bottom of the Surface Hub. + +## Debugging + + +You can use the info in this section for debugging scenarios. You shouldn't need it for a typical installation. + +### Terminal settings + +To connect to a room control system control panel, you don't need to connect to the Surface Hub, or to configure any terminal settings. For debugging purposes, if you want to connect a PC or laptop to your Surface Hub and send commands from the Surface Hub, you can use a terminal emulator program like Tera Term or PuTTY. These are the terminal settings you'll need: + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SettingValue

Baud rate

115200

Data bits

8

Stop bits

1

Parity

none

Flow control

none

+ +  + +### Wiring diagram + +You can use a standard RJ-11 (6P6C) connector to connect the Surface Hub serial port to a room control system. This is the recommended method. + +You can also use an RJ-11 4-conductor cable, but we do not recommend this method. You'll need to convert pin numbers to make sure it's wired correctly. The following diagram shows how to convert the pin numbers. + +![image showing the wiring diagram. ](images/roomcontrolwiring.png) + +### Command sets + +Room control systems use common meeting-room scenarios for commands. Commands originate from the room control system, and are communicated over a serial connection to a Surface Hub. Commands are ASCII based, and the Surface Hub will acknowledge when state changes occur. + +The following command modifiers are available. Commands terminate with a new line character (/n). Responses can come at any time in response to state changes not triggered directly by a management port command. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
ModifierResult

+

Increment a value

-

Decrease a value

=

Set a discrete value

?

Queries for a current value

+ +  + +### Power + +Surface Hub can be in one of these power states. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
StateEnergy Star stateDescription

0

S5

Off

1

-

Power up (indeterminate)

2

S3

Sleep

3

S0

Resting

4

S0

Ambient

5

S0

Ready

+ +  + +### Brightness + +The current brightness level is a range from 0 to 100. + +Changes to brightness levels can be sent by a room control system, or other system. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + +
CommandState changeResponse

Brightness+

System management controller (SMC) sends the brightness up command.

+

PC service on the room control system notifies SMC of new brightness level.

Brightness = 51

Brightness-

SMC sends the brightness down command.

+

PC service notifies SMC of new brightness level.

Brightness = 50

Brightness?

SMC sends a message over the control channel to request brightness.

+

PC service notifies SMC of new brightness level.

Brightness = 50

+ +  + +### Volume + +The current volume level is a range from 0 to 100. + +Changes to volume levels can be sent by a room control system, or other system. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + +
CommandState changeResponse

Volume+

SMC sends the volume up command.

+

PC service notifies SMC of new volume level.

Volume = 51

Volume-

SMC sends the volume down command.

+

PC service notifies SMC of new volume level.

Volume = 50

Volume?

SMC sends a message over the control channel to request volume.

+

PC service notifies SMC of new volume level.

Volume = 50

+ +  + +### Mute for audio and microphone + +Audio and microphone can be muted. + + ++++ + + + + + + + + + + + + + + + + +
StateDescription

0

Source is not muted.

1

Source is muted.

+ +  + +Changes to microphone or audio can be sent by a room control system, or other system. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
CommandState changeResponse

AudioMute+

SMC sends the audio mute command.

+

PC service notifies SMC that audio is muted.

AudioMute=<#>

MicMute+

SMC sends the microphone mute command.

+

PC service notifies SMC that microphone is muted.

MicMute=<#>

AudioMute?

SMC queries PC service for the current audio state.

+

PC service notifies SMC that audio is muted.

AudioMute=<#>

MicMute?

SMC queries PC service for the current microphone state.

+

PC service notifies SMC that the microphone is muted.

MicMute=<#>

+ +  + +### Video source + +Several display sources can be used. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
StateDescription

0

Onboard PC

1

DisplayPort

2

HDMI

3

VGA

4

Wireless

+ +  + +Changes to display source can be sent by a room control system, or other system. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
CommandState changeResponse

Source=<#>

SMC changes to the desired source.

+

PC service notifies SMC that the display source has switched.

Source=<#>

Source+

SMC cycles to the next active input source.

+

PC service notifies SMC of the current input source.

Source=<#>

Source+

SMC cycles to the previous active input source.

+

PC service notifies SMC of the current input source.

Source=<#>

Source?

SMC queries PC service for the active input source.

+

PC service notifies SMC of the current in;put source.

Source=<#>

+ +  + +### Starting apps + +Surface Hub keyboard supports starting apps with special keys. Room control systems can invoke those keys through the management port. There is no expected response for these commands. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
StateDescription

0

Start large-screen experience (LSX)

1

Start LSX custom app 1

2

Start LSX custom app 2

3

Start LSX custom app 3

+ +  + +Changes to display source can be sent by a room control system, or other system. + + +++++ + + + + + + + + + + + + + + +
CommandState changeResponse

AppKey=<#>

Send a command to

+

PC service notifies SMC that the display source has switched.

Source=<#>

+ +  + +### I'm done + +People will be able to start the I'm done feature on a Surface Hub from a room control system. I'm done removes any work that was displayed on the Surface Hub before ending the meeting. No information or files are saved on Surface Hub. + + +++++ + + + + + + + + + + + + + + +
CommandState changeResponse

I'm done

Start I'm done activity on Surface Hub.

none

+ +  + +### Errors + +Errors are returned following the format in this table. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
ErrorNotes

Error: Unknown command '<input>'.

The instruction contains an unknown initial command. For example, "VOL+" would be invalid and return " Error: Unknown command 'VOL'".

Error: Unknown operator '<input>'.

The instruction contains an unknown operator. For example, "Volume!" would be invalid and return " Error: Unknown operator '!'".

Error: Unknown parameter '<input>'.

The instruction contains an unknown parameter. For example, "Volume=abc" would be invalid and return " Error: Unknown parameter 'abc'".

Error: Command not available when off '<input>'.

When the Surface Hub is off, commands other than Power return this error. For example, "Volume+" would be invalid and return " Error: Command not available when off 'Volume'".

+ +  + +## Related topics + + +[Manage Microsoft Surface Hub](manage-surface-hub.md) + +[Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md) + +  + +  + + + + + diff --git a/devices/surface-hub/wireless-network-management-for-surface-hub.md b/devices/surface-hub/wireless-network-management-for-surface-hub.md new file mode 100644 index 0000000000..467c9cf42c --- /dev/null +++ b/devices/surface-hub/wireless-network-management-for-surface-hub.md @@ -0,0 +1,66 @@ +--- +title: Wireless network management (Surface Hub) +description: Microsoft Surface Hub offers two options for network connectivity to your corporate network and Internet wireless, and wired. While both provide network access, we recommend you use a wired connection. +ms.assetid: D2CFB90B-FBAA-4532-B658-9AA33CAEA31D +keywords: ["network connectivity", "wired connection"] +author: TrudyHa +--- + +# Wireless network management (Surface Hub) + + +Microsoft Surface Hub offers two options for network connectivity to your corporate network and Internet: wireless, and wired. While both provide network access, we recommend you use a wired connection. + +## Modifying, adding or reviewing a network connection + + +If a wired network connection is not available, the Surface Hub can use a wireless network for internet access. A properly connected and configured Wi-Fi access point must be available and within range of the Surface Hub. + +### Choose a wireless access point + +1. On the Surface Hub, open **Settings** and enter your admin credentials. +2. Click **System**, and then click **Network & Internet**. Under **Wi-Fi**, choose an access point. If you want Surface Hub to automatically connect to this access point, click **Connect automatically**. Click **Connect**. + + ![](images/networkmgtwireless-01.png) + +3. If the network is secured, you'll be asked to enter the security key. Click **Next** to connect. + + ![](images/networkmgtwireless-02.png) + +### Review wireless settings + +1. On the Surface Hub, open **Settings** and enter your admin credentials. +2. Click **System**, click **Network & Internet**, then **Wi-Fi**, and then click **Advanced options**. + + ![](images/networkmgtwireless-03.png) + +3. The system will show you the properties for the wireless network connection. + + ![](images/networkmgtwireless-04.png) + +### Review wired settings + +1. On the Surface Hub, open **Settings** and enter your admin credentials. +2. Click **System**, click **Network & Internet**, then click on the network under Ethernet. + + ![](images/networkmgtwired-01.png) + +3. The system will show you the properties for the wired network connection. + + ![](images/networkmgtwired-02.png) + +## Related topics + + +[Manage Microsoft Surface Hub](manage-surface-hub.md) + +[Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md) + +  + +  + + + + +