mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00

2016-11-30 11:53:03 -08:00

26 KiB

Raw Blame History

title, description, ms.assetid, keywords, ms.prod, ms.mktglfcycl, ms.sitesec, ms.pagetype, author, localizationpriority

title	description	ms.assetid	keywords	ms.prod	ms.mktglfcycl	ms.sitesec	ms.pagetype	author	localizationpriority
Manage settings with an MDM provider (Surface Hub)	Microsoft Surface Hub provides an enterprise management solution to help IT administrators manage policies and business applications on these devices using a mobile device management (MDM) solution.	18EB8464-6E22-479D-B0C3-21C4ADD168FE	mobile device management, MDM, manage policies	w10	manage	library	surfacehub, mobility	jdeckerMS	medium

Manage settings with an MDM provider (Surface Hub)

Surface Hub and other Windows 10 devices allow IT administrators to manage settings and policies using a mobile device management (MDM) provider. A built-in management component communicates with the management server, so there is no need to install additional clients on the device. For more information, see Windows 10 mobile device management.

Surface Hub has been validated with Microsoft’s first-party MDM providers:

On-premises MDM with System Center Configuration Manager (beginning in version 1602)
Hybrid MDM with System Center Configuration Manager and Microsoft Intune
Microsoft Intune standalone

You can also manage Surface Hubs using any third-party MDM provider that can communicate with Windows 10 using the MDM protocol.

Enroll a Surface Hub into MDM

You can enroll your Surface Hubs using bulk or manual enrollment.

Note

You can join your Surface Hub to Azure Active Directory (Azure AD) to manage admin groups on the device. However, Surface Hub does not currently support automatic enrollment to Microsoft Intune through Azure AD join. If your organization automatically enrolls Azure AD-joined devices into Intune, you must disable this policy for Surface Hub before joining the device to Azure AD.

To enable automatic enrollment for Microsoft Intune

In the Azure classic portal, navigate to the Active Directory node and select your directory.

Click the Applications tab, then click Microsoft Intune.

Under Manage devices for these users, click Groups.

Click Select Groups, then select the groups of users you want to automatically enroll into Intune. Do not include accounts that are used to enroll Surface Hubs into Intune.

Click the checkmark button, then click Save.

Bulk enrollment

To configure bulk enrollment

Surface Hub supports the Provisioning CSP for bulk enrollment into MDM. For more information, see Windows 10 bulk enrollment.
--OR--
If you have an on-premises System Center Configuration Manager infrastructure, see How to bulk enroll devices with On-premises Mobile Device Management in System Center Configuration Manager.

Manual enrollment

To configure manual enrollment

On your Surface Hub, open Settings.
Type the device admin credentials when prompted.
Select This device, and navigate to Device management.
Under Device management, select + Device management.
Follow the instructions in the dialog to connect to your MDM provider.

Manage Surface Hub settings with MDM

You can use MDM to manage some Surface Hub CSP settings, and some Windows 10 settings. Depending on the MDM provider that you use, you may set these settings using a built-in user interface, or by deploying custom SyncML. Microsoft Intune and System Center Configuration Manager provide built-in experiences to help create policy templates for Surface Hub. Refer to documentation from your MDM provider to learn how to create and deploy SyncML.

Supported Surface Hub CSP settings

You can configure the Surface Hub settings in the following table using MDM. The table identifies if the setting is supported with Microsoft Intune, System Center Configuration Manager, or SyncML.

For more information, see SurfaceHub configuration service provider.

Setting	Node in the SurfaceHub CSP	Supported with Intune?	Supported with Configuration Manager?	Supported with SyncML*?
Maintenance hours	MaintenanceHoursSimple/Hours/StartTime MaintenanceHoursSimple/Hours/Duration	Yes	Yes	Yes
Automatically turn on the screen using motion sensors	InBoxApps/Welcome/AutoWakeScreen	Yes	Yes	Yes
Require a pin for wireless projection	InBoxApps/WirelessProjection/PINRequired	Yes	Yes	Yes
Enable wireless projection	InBoxApps/WirelessProjection/Enabled	Yes	Yes. Use a custom setting.	Yes
Miracast channel to use for wireless projection	InBoxApps/WirelessProjection/Channel	Yes	Yes. Use a custom setting.	Yes
Connect to your Operations Management Suite workspace	MOMAgent/WorkspaceID MOMAgent/WorkspaceKey	Yes	Yes. Use a custom setting.	Yes
Welcome screen background image	InBoxApps/Welcome/CurrentBackgroundPath	Yes	Yes. Use a custom setting.	Yes
Meeting information displayed on the welcome screen	InBoxApps/Welcome/MeetingInfoOption	Yes	Yes. Use a custom setting.	Yes
Friendly name for wireless projection	Properties/FriendlyName	Yes. Use a custom policy.)	Yes. Use a custom setting.	Yes
Device account, including password rotation	DeviceAccount/`<name_of_policy>` See SurfaceHub CSP.	No	No	Yes
*Settings supported with SyncML can also be configured in a Windows Imaging and Configuration Designer (Windows ICD) provisioning package.

Supported Windows 10 settings

In addition to Surface Hub-specific settings, there are numerous settings common to all Windows 10 devices. These settings are defined in the Configuration service provider reference.

The following tables include info on Windows 10 settings that have been validated with Surface Hub. There is a table with settings for these areas: security, browser, Windows Updates, Windows Defender, remote reboot, certificates, and logs. Each table identifies if the setting is supported with Microsoft Intune, System Center Configuration Manager, or SyncML.

Security settings

Setting	Details	CSP reference	Supported with Intune?	Supported with Configuration Manager?	Supported with SyncML*?
Allow Bluetooth	Keep this enabled to support Bluetooth peripherals.	Connectivity/AllowBluetooth	Yes. Use a custom policy.	Yes. Use a custom setting.	Yes
Bluetooth policies	Use to set the Bluetooth device name, and block advertising, discovery, and automatic pairing.	Bluetooth/`<name of policy>` See Policy CSP	Yes. Use a custom policy.	Yes. Use a custom setting.	Yes
Allow camera	Keep this enabled for Skype for Business.	Camera/AllowCamera	Yes. Use a custom policy.	Yes. Use a custom setting.	Yes
Allow location	Keep this enabled to support apps such as Maps.	System/AllowLocation	Yes. Use a custom policy.	Yes. Use a custom setting.	Yes
Allow telemetry	Keep this enabled to help Microsoft improve Surface Hub.	System/AllowTelemetry	Yes. Use a custom policy.	Yes. Use a custom setting.	Yes
*Settings supported with SyncML can also be configured in a Windows Imaging and Configuration Designer (Windows ICD) provisioning package.

Browser settings

Setting	Details	CSP reference	Supported with Intune?	Supported with Configuration Manager?	Supported with SyncML*?
Homepages	Use to configure the default homepages in Microsoft Edge.	Browser/Homepages	Yes. Use a custom policy.	Yes. Use a custom setting.	Yes
Allow cookies	Surface Hub automatically deletes cookies at the end of a session. Use this to block cookies within a session.	Browser/AllowCookies	Yes. Use a custom policy.	Yes. Use a custom setting.	Yes
Allow developer tools	Use to stop users from using F12 Developer Tools.	Browser/AllowDeveloperTools	Yes. Use a custom policy.	Yes. Use a custom setting.	Yes
Allow Do Not Track	Use to enable Do Not Track headers.	Browser/AllowDoNotTrack	Yes. Use a custom policy.	Yes. Use a custom setting.	Yes
Allow pop-ups	Use to block pop-up browser windows.	Browser/AllowPopups	Yes. Use a custom policy.	Yes. Use a custom setting.	Yes
Allow search suggestions	Use to block search suggestions in the address bar.	Browser/AllowSearchSuggestionsinAddressBar	Yes. Use a custom policy.	Yes. Use a custom setting.	Yes
Allow SmartScreen	Keep this enabled to turn on SmartScreen.	Browser/AllowSmartScreen	Yes. Use a custom policy.	Yes. Use a custom setting.	Yes
Prevent ignoring SmartScreen Filter warnings for websites	For extra security, use to stop users from ignoring SmartScreen Filter warnings and block them from accessing potentially malicious websites.	Browser/PreventSmartScreenPromptOverride	Yes. Use a custom policy.	Yes. Use a custom setting.	Yes
Prevent ignoring SmartScreen Filter warnings for files	For extra security, use to stop users from ignoring SmartScreen Filter warnings and block them from downloading unverified files from Microsoft Edge.	Browser/PreventSmartScreenPromptOverrideForFiles	Yes. Use a custom policy.	Yes. Use a custom setting.	Yes
*Settings supported with SyncML can also be configured in a Windows Imaging and Configuration Designer (Windows ICD) provisioning package.

Windows Update settings

Setting	Details	CSP reference	Supported with Intune?	Supported with Configuration Manager?	Supported with SyncML*?
Use Current Branch or Current Branch for Business	Use to configure Windows Update for Business – see Windows updates.	Update/BranchReadinessLevel	Yes. Use a custom policy.	Yes. Use a custom setting.	Yes
Defer feature updates	See above.	Update/ DeferFeatureUpdatesPeriodInDays	Yes. Use a custom policy.	Yes. Use a custom setting.	Yes
Defer quality updates	See above.	Update/DeferQualityUpdatesPeriodInDays	Yes. Use a custom policy.	Yes. Use a custom setting.	Yes
Pause feature updates	See above.	Update/PauseFeatureUpdates	Yes. Use a custom policy.	Yes. Use a custom setting.	Yes
Pause quality updates	See above.	Update/PauseQualityUpdates	Yes. Use a custom policy.	Yes. Use a custom setting.	Yes
Configure device to use WSUS	Use to connect your Surface Hub to WSUS instead of Windows Update – see Windows updates.	Update/UpdateServiceUrl	Yes. Use a custom policy.	Yes. Use a custom setting.	Yes
Delivery optimization	Use peer-to-peer content sharing to reduce bandwidth issues during updates. See Configure Delivery Optimization for Windows 10 for details.	DeliveryOptimization/`<name of policy>` See Policy CSP	Yes. Use a custom policy.	Yes. Use a custom setting.	Yes
*Settings supported with SyncML can also be configured in a Windows Imaging and Configuration Designer (Windows ICD) provisioning package.

Windows Defender settings

Setting	Details	CSP reference	Supported with Intune?	Supported with Configuration Manager?	Supported with SyncML*?
Defender policies	Use to configure various Defender settings, including a scheduled scan time.	Defender/`<name of policy>` See Policy CSP	Yes. Use a custom policy.	Yes. Use a custom setting.	Yes
Defender status	Use to initiate a Defender scan, force a signature update, query any threats detected.	Defender CSP	No.	No.	Yes
*Settings supported with SyncML can also be configured in a Windows Imaging and Configuration Designer (Windows ICD) provisioning package.

Remote reboot

Setting	Details	CSP reference	Supported with Intune?	Supported with Configuration Manager?	Supported with SyncML*?
Reboot the device immediately	Use in conjunction with OMS to minimize support costs – see Monitor your Microsoft Surface Hub.	./Vendor/MSFT/Reboot/RebootNow See Reboot CSP	No	No	Yes
Reboot the device at a scheduled date and time	See above.	./Vendor/MSFT/Reboot/Schedule/Single See Reboot CSP	Yes. Use a custom policy.	Yes. Use a custom setting.	Yes
Reboot the device daily at a scheduled date and time	See above.	./Vendor/MSFT/Reboot/Schedule/DailyRecurrent See Reboot CSP	Yes. Use a custom policy.	Yes. Use a custom setting.	Yes
*Settings supported with SyncML can also be configured in a Windows Imaging and Configuration Designer (Windows ICD) provisioning package.

Install certificates

Setting	Details	CSP reference	Supported with Intune?	Supported with Configuration Manager?	Supported with SyncML*?
Install trusted CA certificates	Use to deploy trusted root and intermediate CA certificates.	RootCATrustedCertificates CSP	Yes. See Configure Intune certificate profiles.	Yes. See How to create certificate profiles in System Center Configuration Manager.	Yes

*Settings supported with SyncML can also be configured in a Windows Imaging and Configuration Designer (Windows ICD) provisioning package.

Collect logs

Setting	Details	CSP reference	Supported with Intune?	Supported with Configuration Manager?	Supported with SyncML*?
Collect ETW logs	Use to remotely collect ETW logs from Surface Hub.	DiagnosticLog CSP	No	No	Yes

*Settings supported with SyncML can also be configured in a Windows Imaging and Configuration Designer (Windows ICD) provisioning package.

Generate OMA URIs for settings

You need to use a setting’s OMA URI to create a custom policy in Intune, or a custom setting in System Center Configuration Manager.

To generate the OMA URI for any setting in the CSP documentation

In the CSP documentation, identify the root node of the CSP. Generally, this looks like ./Vendor/MSFT/<name of CSP>
For example, the root node of the SurfaceHub CSP is ./Vendor/MSFT/SurfaceHub.
Identify the node path for the setting you want to use.
For example, the node path for the setting to enable wireless projection is InBoxApps/WirelessProjection/Enabled.
Append the node path to the root node to generate the OMA URI.
For example, the OMA URI for the setting to enable wireless projection is ./Vendor/MSFT/SurfaceHub/InBoxApps/WirelessProjection/Enabled.

The data type is also stated in the CSP documentation. The most common data types are:

char (String)
int (Integer)
bool (Boolean)

## Example: Manage Surface Hub settings with Microsoft Intune

You can use Microsoft Intune to manage Surface Hub settings.

To create a configuration policy from a template

You'll use the Windows 10 Team general configuration policy as the template.

On the Intune management portal, sign in with your Intune administrator account.
On the left-hand navigation menu, click Policy.
In the Overview page, click Add Policy.
On Select a template for the new policy, expand Windows, select General Configuration (Windows 10 Team and later), and then click Create Policy.
Configure your policy, then click Save Policy
When prompted, click Yes to deploy your new policy to a user or device group. For more information, see Use groups to manage users and devices in Microsoft Intune.

To create a custom configuration policy

You’ll need to create a custom policy using the Custom Configuration (Windows 10 Desktop and Mobile and later) template to manage settings that are not available in the Windows 10 Team general configuration policy template.

On the Intune management portal, sign in with your Intune administrator account.
On the left-hand navigation menu, click Policy.
On the Overview page, click Add Policy.
On Select a template for the new policy, expand Windows, select Custom Configuration (Windows 10 Desktop and Mobile and later), and then click Create Policy.
Type a name and optional description for the policy.
Under OMA-URI Settings, click Add.
Complete the form to create a new setting, and then click OK.
Repeat Steps 6 and 7 for each setting you want to configure with this policy.
After you're done, click Save Policy and deploy it to a user or device group.

## Example: Manage Surface Hub settings with System Center Configuration Manager System Center Configuration Manager supports managing modern devices that do not require the Configuration Manager client to manage them, including Surface Hub. If you already use System Center Configuration Manager to manage other devices in your organization, you can continue to use the Configuration Manager console as your single location for managing Surface Hubs.

Note

These instructions are based on the current branch of System Center Configuration Manager.

To create a configuration item for Surface Hub settings

On the Assets and Compliance workspace of the Configuration Manager console, click Overview > Compliance Settings > Configuration Items.
On the Home tab, in the Create group, click Create Configuration Item.
On the General page of the Create Configuration Item Wizard, specify a name and optional description for the configuration item.
Under Settings for devices managed without the Configuration Manager client, select Windows 8.1 and Windows 10, and then click Next.
On the Supported Platforms page, expand Windows 10 and select All Windows 10 Team and higher. Unselect the other Windows platforms, and then click Next.
On the Device Settings page, under Device settings groups, select Windows 10 Team.
On the Windows 10 Team page, configure the settings you require.
You'll need to create custom settings to manage settings that are not available in the Windows 10 Team page. On the Device Settings page, select the check box Configure additional settings that are not in the default setting groups.
On the Additional Settings page, click Add.
In the Browse Settings dialog, click Create Setting.
In the Create Setting dialog, under the General tab, specify a name and optional description for the custom setting.
Under Setting type, select OMA URI.
Complete the form to create a new setting, and then click OK.
On the Browse Settings dialog, under Available settings, select the new setting you created, and then click Select.
On the Create Rule dialog, complete the form to specify a rule for the setting, and then click OK.
Repeat steps 9 to 15 for each custom setting you want to add to the configuration item.
When you're done, on the Browse Settings dialog, click Close.
Complete the wizard.
You can view the new configuration item in the Configuration Items node of the Assets and Compliance workspace.