deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-13 13:57:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity
windows-itpro-docs/devices/surface/advanced-uefi-security-features-for-surface.md
Jan Backstrom e0ff338ac3 content cleanup 
Fix headings in Diagnostic Toolkit article; add ms.pagetype tag
2016-05-24 12:06:23 -07:00

164 lines
8.9 KiB
Markdown
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

---
title: Advanced UEFI security features for Surface (Surface)
description: This article describes how to install and configure the v3.11.760.0 UEFI update to enable additional security options for Surface Pro 3 devices.
ms.assetid: 90F790C0-E5FC-4482-AD71-60589E3C9C93
keywords: security, features, configure, hardware, device, custom, script, update
ms.prod: w10
ms.mktglfcycl: manage
ms.pagetype: surface, devices, security
ms.sitesec: library
author: miladCA
---
# Advanced UEFI security features for Surface
This article describes how to install and configure the v3.11.760.0 UEFI update to enable additional security options for Surface Pro 3 devices.
To address more granular control over the security of Surface devices, the v3.11.760.0 UEFI update provides additional security options that allow you to disable specific hardware devices or to prevent starting from those devices. After the UEFI update is installed on a device, you can configure it manually or automatically by running a script.
## Manually install the UEFI update
Before you can configure the advanced security features of your Surface device, you must first install the v3.11.760.0 UEFI update. This update is installed automatically if you receive your updates from Windows Update. For more information about how to configure Windows to update automatically using Windows Update, see [How to configure and use Automatic Updates in Windows]( http://go.microsoft.com/fwlink/p/?LinkID=618030). Otherwise, you can download the UEFI update from the Microsoft Download Center; see [SurfacePro3\_ 150326.msi (105 MB)](http://go.microsoft.com/fwlink/p/?LinkID=618033) or [SurfacePro3\_ 150326.zip (156 MB)](http://go.microsoft.com/fwlink/p/?LinkID=618035).
## Manually configure additional security settings
>**Note:**  To enter firmware setup on a Surface device, begin with the device powered off, press and hold the **Volume Up** button, then press and release the **Power** button, then release the **Volume Up** button after the device has begun to boot.
After the v3.11.760.0 UEFI update is installed on a Surface device, an additional UEFI menu named **Advanced Device Security** becomes available. If you click this menu, the following options are displayed:
| Option | Description | Available settings (default listed in bold) |
|----------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------|
| Network Boot | Enables or disables the ability of your Surface device to boot from the network (also known as PXE boot). | **Enabled**, Not Bootable |
| Side USB | Enables or disables the USB port on the side of the Surface device. Additionally, the USB port can be enabled, but not allow booting. | **Enabled**, Not Bootable, Disabled |
| Docking Port | Enables or disables the ports on the Surface docking station. Additionally, the docking port can be enabled, but block booting from any USB or Ethernet port in the docking station. | **Enabled**, Not Bootable, Disabled |
| Front Camera | Enables or disables the camera on the front of the Surface device. | **Enabled**, Disabled |
| Rear Camera | Enables or disables the camera on the rear of the Surface device. | **Enabled**, Disabled |
| On Board Audio | Enables or disables audio on the Surface device. | **Enabled**, Disabled |
| microSD | Enables or disables the microSD slot on the Surface device. | **Enabled**, Disabled |
| WiFi | Enables or disables the built-in Wi-Fi transceiver in the Surface device. This also disables Bluetooth. | **Enabled**, Disabled |
| Bluetooth | Enables or disables the built-in Bluetooth transceiver in the Surface device. | **Enabled**, Disabled |
 
## Automate additional security settings
As an IT professional with administrative privileges, you can automate the configuration of UEFI settings by leveraging [Surface Pro 3 Firmware Tools (476 KB)](http://go.microsoft.com/fwlink/p/?LinkID=618038) available from the Microsoft Download Center. These tools install a .NET assembly that can be called from any custom application or script.
**Prerequisites**
- The sample scripts below leverage the previously mentioned extension and therefore assume that the tool has been installed on the device being managed.
- The scripts must be run with administrative privilege.
- The Windows PowerShell command [**Set-ExecutionPolicy Unrestricted**](http://go.microsoft.com/fwlink/p/?LinkID=618039) must be called prior to running sample scripts if they are not digitally signed.
**Sample scripts**
>**Note**:  The UEFI password used in the sample scripts below is presented in clear text. We strongly recommend saving the scripts in a protected location and running them in a controlled environment.
Show all configurable options:
```
# Load the extension
[System.Reflection.Assembly]::Load("SurfaceUefiManager, Version=1.0.5483.22783, Culture=neutral, PublicKeyToken=20606f4b5276c705")
# Get the collection of all configurable settings
$uefiOptions = [Microsoft.Surface.FirmwareOption]::All()
foreach ($uefiOption in $uefiOptions)
{
Write-Host "Name:" $uefiOption.Name
Write-Host " Description =" $uefiOption.Description
Write-Host " Current Value =" $uefiOption.CurrentValue
Write-Host " Default Value =" $uefiOption.DefaultValue
Write-Host " Proposed Value =" $uefiOption.ProposedValue
# This gives usage and validation information
Write-Host " Allowed Values =" $uefiOption.FriendlyRegEx
Write-Host " Regular Expression =" $uefiOption.RegEx
Write-Host
}
```
Set or change UEFI password:
```
# Load the extension
[System.Reflection.Assembly]::Load("SurfaceUefiManager, Version=1.0.5483.22783, Culture=neutral, PublicKeyToken=20606f4b5276c705")
# Must supply UEFI administrator Password if set
# If it is not currently set this is ignored
[Microsoft.Surface.FirmwareOption]::Unlock("1234")
$Password = [Microsoft.Surface.FirmwareOption]::Find("Password")
# Set New value to 12345
$Password.ProposedValue = "12345"
```
Check status of proposed changes:
```
# Load the extension
[System.Reflection.Assembly]::Load("SurfaceUefiManager, Version=1.0.5483.22783, Culture=neutral, PublicKeyToken=20606f4b5276c705")
# Check update status
$updateStatus = [Microsoft.Surface.FirmwareOption]::UpdateStatus
$updateIteration = [Microsoft.Surface.FirmwareOption]::UpdateIteration
Write-Host "Last Update Status =" $updateStatus
Write-Host "Last Update Iteration =" $updateIteration
# Get the individual results for the last proposed update
# If the device has never had an update attempt this will be an empty list
$details = [Microsoft.Surface.FirmwareOption]::UpdateStatusDetails
Write-Host $details.Count "Settings were proposed"
if ($details.Count -gt 0)
{
Write-Host "Result Details"
foreach ($detail in $details.GetEnumerator())
{
Write-Host " " $detail.Key "=" $detail.Value
}
}
```
Revert UEFI to default values:
```
# Load the extension
[System.Reflection.Assembly]::Load("SurfaceUefiManager, Version=1.0.5483.22783, Culture=neutral, PublicKeyToken=20606f4b5276c705")
# Must supply UEFI administrator Password if set
# If it is not currently set this is ignored
[Microsoft.Surface.FirmwareOption]::Unlock("1234")
# Get the collection of all configurable settings
$uefiOptions = [Microsoft.Surface.FirmwareOption]::All()
# Reset all options to the factory default
foreach ($uefiOption in $uefiOptions)
{
$uefiOption.ProposedValue = $uefiOption.DefaultValue
}
```
Status code interpretation
- 00 - The proposed update was a success
- 02 - One of the proposed values had an invalid value
- 03 - There was a proposed value set that was not recognized
- 0F - The unlock password did not match currently set password
 
 
Reference in New Issue View Git Blame Copy Permalink