19 KiB
title, description, ms.assetid, keywords, ms.prod, ms.mktglfcycl, ms.sitesec, ms.pagetype, author, localizationpriority
| title | description | ms.assetid | keywords | ms.prod | ms.mktglfcycl | ms.sitesec | ms.pagetype | author | localizationpriority |
|---|---|---|---|---|---|---|---|---|---|
| Manage settings with an MDM provider (Surface Hub) | Microsoft Surface Hub provides an enterprise management solution to help IT administrators manage policies and business applications on these devices using a mobile device management (MDM) solution. | 18EB8464-6E22-479D-B0C3-21C4ADD168FE | mobile device management, MDM, manage policies | w10 | manage | library | surfacehub, mobility | TrudyHa | medium |
Manage settings with an MDM provider (Surface Hub)
Surface Hub and other Windows 10 devices allow IT administrators to manage settings and policies using a mobile device management (MDM) provider. A built-in management component communicates with the management server, so there is no need to install additional clients on the device. For more information, see Windows 10 mobile device management.
Surface Hub has been validated with Microsoft’s first-party MDM providers: Microsoft Intune and System Center Configuration Manager (current branch). You can also manage Surface Hubs using any third-party provider that can communicate with Windows 10 using the MDM protocol.
Enroll a Surface Hub into MDM
You can enroll your Surface Hubs using automatic, bulk, or manual enrollment.
Note
You can join your Surface Hub to Azure Active Directory (Azure AD) to manage admin groups on the device. However, Surface Hub does not currently support automatic MDM enrollment through Azure AD join. If your organization automatically enrolls Azure AD joined devices into MDM, you must disable this policy for Surface Hub before joining the device to Azure AD.
Automatic enrollment
To configure automatic enrollment
- For information on configuring automatic enrollment, see Azure Active Directory enrollment.
Bulk enrollment
To configure bulk enrollment
- Surface Hub supports the Provisioning CSP for bulk enrollment into MDM. For more information, see Windows 10 bulk enrollment.
--OR-- - If you have an on-premises System Center Configuration Manager infrastructure, see How to bulk enroll devices with On-premises Mobile Device Management in System Center Configuration Manager.
Manual enrollment
You can manually enroll with an MDM using Settings on your Surface Hub.
To configure manual enrollment
- From your Surface Hub, open Settings.
- Type the device admin credentials when prompted.
- Select This device, and navigate to Device management.
- Under Device management, select + Device management.
- Follow the instructions in the dialog to connect to your MDM provider.
Manage Surface Hub settings with MDM
You can use MDM to manage some Surface Hub CSP settings, and some Windows 10 settings.
Supported Surface Hub CSP settings
You can configure the Surface Hub settings in the following table using MDM. The table also tells if the setting is supported on Microsoft Intune, System Center Configuration Manager (Configuration Manager), or SyncML.
For more information, see Surface Hub configuration service provider.
| Setting | Supported CSPs | Supported with Intune? |
Supported with Configuration Manager? |
Supported with SyncML? |
|---|---|---|---|---|
| Maintenance hours | MaintenanceHoursSimple/Hours/StartTime MaintenanceHoursSimple/Hours/Duration |
Yes | Yes | Yes |
| Automatically turn on the screen using motion sensors | InBoxApps/Welcome/AutoWakeScreen | Yes | Yes | Yes |
| Require a pin for wireless projection | InBoxApps/WirelessProjection/PINRequired | Yes | Yes | Yes |
| Enable wireless projection | InBoxApps/WirelessProjection/Enabled | Yes | Yes. Use a custom setting. |
Yes |
| Miracast channel to use for wireless projection | InBoxApps/WirelessProjection/Channel | Yes | Yes. Use a custom setting. |
Yes |
| Connect to your Operations Management Suite workspace | MOMAgent/WorkspaceID MOMAgent/WorkspaceKey |
Yes | Yes. Use a custom setting. |
Yes |
| Welcome screen background image | InBoxApps/Welcome/CurrentBackgroundPath | Yes | Yes. Use a custom setting. |
Yes |
| Meeting information displayed on the welcome screen | InBoxApps/Welcome/MeetingInfoOption | Yes | Yes. Use a custom setting. |
Yes |
| Friendly name for wireless projection | Properties/FriendlyName | Yes. Use a custom policy |
Yes. Use a custom setting. |
Yes |
| Device account, including password rotation | Multiple | No | No | Yes |
Refer to documentation from your MDM provider to learn how to create and deploy SyncML.
Tip
You need to use a setting’s OMA URI to create a custom policy in Intune, or a custom setting in System Center Configuration Manager.
To generate the OMA URI for any setting in the CSP documentation
- Prepend the node path with path of the root node.
For example, the OMA URI for the InBoxApps/WirelessProjection/Enabled setting in the SurfaceHub CSP is “./Vendor/MSFT/SurfaceHub/InBoxApps/WirelessProjection/Enabled”.
The data type is stated in the CSP documentation. The most common data types are:
- char (string)
- int (integer)
- bool (boolean)
Depending on the MDM provider that you use, you may set these settings using the SyncML nodes defined in the SurfaceHub CSP, or using a built-in user interface. Intune and System Center Configuration Manager provide built-in experiences to help create policy templates for Surface Hub.
Supported Windows 10 settings
In addition to Surface Hub specific settings, there are numerous settings common to all Windows 10 devices. These settings are defined in the Configuration service provider reference.
The following tables include info on Windows 10 settings have been validated with Surface Hub. There is a table with settings for these areas: security, browser, Windows Updates, Windows Defender, remote reboot, certificates, and logs. Each table also tells if the setting is supported on Microsoft Intune, System Center Configuration Manager (Configuration Manager), or SyncML.
Security settings
| Setting | Details | CSP documentation reference | Supported with Intune? |
Supported with Configuration Manager? |
Supported with SyncML? |
|---|---|---|---|---|---|
| Allow Bluetooth | Keep this enabled to support Bluetooth peripherals. | ./Vendor/MSFT/Policy/Config/Connectivity/AllowBluetooth | Yes. Use a custom policy. |
Yes. Use a custom setting. |
Yes |
| Bluetooth policies | Use to set the Bluetooth device name, and block advertising, discovery, and automatic pairing. | Various policies in the Policy CSP: ./Vendor/MSFT/Policy/Config/Bluetooth/ | Yes. Use a custom policy. |
Yes. Use a custom setting. |
Yes |
| Allow camera | Keep this enabled for Skype for Business. | ./Vendor/MSFT/Policy/Config/Camera/AllowCamera | Yes. Use a custom policy. |
Yes. Use a custom setting. |
Yes |
| Allow location | Keep this enabled to support apps such as Maps. | ./Vendor/MSFT/Policy/Config/System/AllowLocation | Yes. Use a custom policy. |
Yes. Use a custom setting. |
Yes |
| Allow telemetry | Keep this enabled to help Microsoft improve Surface Hub. | ./Vendor/MSFT/Policy/Config/System/AllowTelemetry | Yes. Use a custom policy. |
Yes. Use a custom setting. |
Yes |
Browser settings
| Setting | Details | CSP documentation reference | Supported with Intune? |
Supported with Configuration Manager? |
Supported with SyncML? |
|---|---|---|---|---|---|
| Homepages | Use to configure the default homepages in Microsoft Edge. | ./Vendor/MSFT/Policy/Config/Browser/Homepages | Yes. Use a custom policy. |
Yes. Use a custom setting. |
Yes |
| Allow cookies | Surface Hub automatically deletes cookies at the end of a session. Use this to block cookies within a session. | ./Vendor/MSFT/Policy/Config/Browser/AllowCookies | Yes. Use a custom policy. |
Yes. Use a custom setting. |
Yes |
| Allow developer tools | Use to stop users from using F12 Developer Tools. | ./Vendor/MSFT/Policy/Config/Browser/AllowDeveloperTools | Yes. Use a custom policy. |
Yes. Use a custom setting. |
Yes |
| Allow Do Not Track | Use to enable Do Not Track headers. | ./Vendor/MSFT/Policy/Config/Browser/AllowDoNotTrack | Yes. Use a custom policy. |
Yes. Use a custom setting. |
Yes |
| Allow pop-ups | Use to block pop-up browser windows. | ./Vendor/MSFT/Policy/Config/Browser/AllowPopups | Yes. Use a custom policy. |
Yes. Use a custom setting. |
Yes |
| Allow search suggestions | Use to block search suggestions in the address bar | ./Vendor/MSFT/Policy/Config/Browser/AllowSearchSuggestionsinAddressBar | Yes. Use a custom policy. |
Yes. Use a custom setting. |
Yes |
| Allow SmartScreen | Keep this enabled to turn on SmartScreen | ./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen | Yes. Use a custom policy. |
Yes. Use a custom setting. |
Yes |
| Prevent ignoring SmartScreen Filter warnings for websites | For extra security, use to stop users from ignoring SmartScreen Filter warnings and block them from accessing potentially malicious websites. | ./Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverride | Yes. Use a custom policy. |
Yes. Use a custom setting. |
Yes |
| Prevent ignoring SmartScreen Filter warnings for files | For extra security, use to stop users from ignoring SmartScreen Filter warnings and block them from downloading unverified files from Microsoft Edge. | ./Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverrideForFiles | Yes. Use a custom policy. |
Yes. Use a custom setting. |
Yes |
Windows Update settings
| Setting | Details | CSP documentation reference | Supported with Intune? |
Supported with Configuration Manager? |
Supported with SyncML? |
|---|---|---|---|---|---|
| Use Current Branch or Current Branch for Business | Use to configure Windows Update for Business – see Windows Updates. | ./Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel | Yes. Use a custom policy. | Yes. Use a custom setting. | Yes |
| Defer feature updates | See above. | ./Vendor/MSFT/Policy/Config/Update/ DeferFeatureUpdatesPeriodInDays | Yes. Use a custom policy. |
Yes. Use a custom setting. |
Yes |
| Defer quality updates See above. | ./Vendor/MSFT/Policy/Config/Update/DeferQualityUpdatesPeriodInDays | Yes. Use a custom policy. |
Yes. Use a custom setting. |
Yes | |
| Pause feature updates | See above. | ./Vendor/MSFT/Policy/Config/PauseFeatureUpdates | Yes. Use a custom policy. |
Yes. Use a custom setting. |
Yes |
| Pause quality updates | See above. | ./Vendor/MSFT/Policy/Config/Update/PauseQualityUpdates | Yes. Use a custom policy. |
Yes. Use a custom setting. |
Yes |
| Configure device to use WSUS | Use to connect your Surface Hub to WSUS instead of Windows Update – see Windows Updates. | ./Vendor/MSFT/Policy/Config/Update/UpdateServiceUrl | Yes. Use a custom policy. |
Yes. Use a custom setting. |
Yes |
| Delivery optimization | Use peer-to-peer content sharing to reduce bandwidth issues during updates. See Configure Delivery Optimization for Windows 10 for details. | Various policies in the Policy CSP: ./Vendor/MSFT/Policy/Config/DeliveryOptimization/ |
Yes. Use a custom policy. |
Yes. Use a custom setting. |
Yes |
Windows Defender settings
| Setting | Details | CSP documentation reference | Supported with Intune? |
Supported with Configuration Manager? |
Supported with SyncML? |
|---|---|---|---|---|---|
| Defender policies. | Use to configure various Defender settings, including a scheduled scan time. | Various policies in Policy CSP: ./Vendor/MSFT/Policy/Config/Defender/. |
Yes. Use a custom policy. |
Yes. Use a custom setting. |
Yes |
| Defender status | Use to initiate a Defender scan, force a signature update, query any threats detected. | Defender CSP | No. | No. | Yes |
Remote reboot settings
| Setting | Details | CSP documentation reference | Supported with Intune? |
Supported with Configuration Manager? |
Supported with SyncML? |
|---|---|---|---|---|---|
| Reboot the device immediately | Use in conjunction with OMS to minimize support costs – see Monitoring. | ./Vendor/MSFT/Reboot/RebootNow | No | No | Yes |
| Reboot the device at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/Single | Yes. Use a custom policy. |
Yes. Use a custom setting. |
Yes |
| Reboot the device daily at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/DailyRecurrent | Yes. Use a custom policy. |
Yes. Use a custom setting. |
Yes |
Certficate settings
| Setting | Details | CSP documentation reference | Supported with Intune? |
Supported with Configuration Manager? |
Supported with SyncML? |
|---|---|---|---|---|---|
| Install certificates | Use to deploy certificates to the Surface Hub. | RootCATrustedCertificates CSP and ClientCertificateInstall CSP | Yes. See Secure resource access with certificate profiles. |
Yes. See How to create certificate profiles in Configuration Manager. |
Yes |
Log settings
| Setting | Details | CSP documentation reference | Supported with Intune? |
Supported with Configuration Manager? |
Supported with SyncML? |
|---|---|---|---|---|---|
| Log collection | Use to remotely collect ETW logs from Surface Hub. | DiagnosticLog CSP | No | No | Yes |
Related topic
Microsoft Surface Hub administrator's guide