Surface User Manual
Surface
Deploy Surface devices
Windows Autopilot and Surface devices
Surface device compatibility with Windows 10 Long-Term Servicing Branch
Long-Term Servicing Branch for Surface devices
Deploy Windows 10 to Surface devices with MDT
Upgrade Surface devices to Windows 10 with MDT
Customize the OOBE for Surface deployments
Ethernet adapters and Surface deployment
Surface Deployment Accelerator
Step by step: Surface Deployment Accelerator
Using the Surface Deployment Accelerator deployment share
Battery Limit setting
Surface firmware and driver updates
Download the latest firmware and drivers for Surface devices
Manage Surface driver and firmware updates
Surface Dock Updater
Wake On LAN for Surface devices
Considerations for Surface and System Center Configuration Manager
Deploy Surface app with Microsoft Store for Business
Enable PEAP, EAP-FAST, and Cisco LEAP on Surface devices
Manage Surface UEFI settings
Advanced UEFI security features for Surface Pro 3
Surface Enterprise Management Mode
Enroll and configure Surface devices with SEMM
Unenroll Surface devices from SEMM
Use System Center Configuration Manager to manage devices with SEMM
Surface Diagnostic Toolkit for Business
Use Surface Diagnostic Toolkit for Business in desktop mode
Run Surface Diagnostic Toolkit for Business using commands
Surface Data Eraser
Top support solutions for Surface devices
Change history for Surface documentation
Surface
10/29/2018
This library provides guidance to help you deploy Windows on Microsoft Surface devices, keep those devices up to
date, and easily manage and support Surface devices in your organization.
For more information on planning for, deploying, and managing Surface devices in your organization, see the
Surface TechCenter.
In this section
Deploy Surface devices – Get deployment guidance for your Surface devices including information about MDT, OOBE customization, Ethernet adaptors, and Surface Deployment Accelerator.
Surface firmware and driver updates – Find out how to download and manage the latest firmware and driver updates for your Surface device.
Considerations for Surface and System Center Configuration Manager – Get guidance on how to deploy and manage Surface devices with System Center Configuration Manager.
Deploy Surface app with Microsoft Store for Business – Find out how to add and download Surface app with Microsoft Store for Business, as well as install Surface app with PowerShell and MDT.
Enable PEAP, EAP-FAST, and Cisco LEAP on Surface devices – Find out how to enable support for PEAP, EAP-FAST, or Cisco LEAP protocols on your Surface device.
Manage Surface UEFI settings – Use Surface UEFI settings to enable or disable devices, configure security settings, and adjust Surface device boot settings.
Surface Enterprise Management Mode – See how this feature of Surface devices with Surface UEFI allows you to secure and manage firmware settings within your organization.
Surface Data Eraser – Find out how the Microsoft Surface Data Eraser tool can help you securely wipe data from your Surface devices.
Top support solutions for Surface devices – These are the top Microsoft Support solutions for common issues experienced using Surface devices in an enterprise.
Change history for Surface documentation – This topic lists new and updated topics in the Surface documentation library.
Learn more
Certifying Surface Pro 4 and Surface Book as standard devices at Microsoft
Related topics
Surface TechCenter
Surface for IT pros blog
Deploy Surface devices
10/3/2018
Get deployment guidance for your Surface devices including information about Microsoft Deployment Toolkit
(MDT), out-of-box-experience (OOBE) customization, Ethernet adaptors, Surface Deployment Accelerator, and the
Battery Limit setting.
In this section
Windows Autopilot and Surface devices – Find out how to remotely deploy and configure devices with Windows Autopilot.
Surface device compatibility with Windows 10 Long-Term Servicing Channel – Find out about compatibility and limitations of Surface devices running Windows 10 Enterprise LTSC edition.
Deploy Windows 10 to Surface devices with MDT – Walk through the recommended process of how to deploy Windows 10 to your Surface devices with the Microsoft Deployment Toolkit.
Upgrade Surface devices to Windows 10 with MDT – Find out how to perform a Windows 10 upgrade deployment to your Surface devices.
Customize the OOBE for Surface deployments – Walk through the process of customizing the Surface out-of-box experience for end users in your organization.
Ethernet adapters and Surface deployment – Get guidance and answers to help you perform a network deployment to Surface devices.
Surface Deployment Accelerator – See how Microsoft Surface Deployment Accelerator provides a quick and simple deployment mechanism for organizations to reimage Surface devices.
Battery Limit setting – Learn how to use Battery Limit, a UEFI setting that changes how the Surface device battery is charged and may prolong its longevity.
Related topics
Surface TechCenter
Surface for IT pros blog
Windows Autopilot and Surface devices
10/29/2018
Windows Autopilot is a cloud-based deployment technology available in Windows 10. Using Windows Autopilot,
you can remotely deploy and configure devices in a truly zero-touch process right out of the box. Windows
Autopilot registered devices are identified over the internet at first boot using a unique device signature, known as
the hardware hash, and automatically enrolled and configured using modern management solutions such as Azure
Active Directory (AAD) and Mobile Device Management (MDM).
With Surface devices, you can choose to register your devices at the time of purchase when purchasing from a
Surface partner enabled for Windows Autopilot. New devices can be shipped directly to your end users and will
be automatically enrolled and configured when the units are unboxed and turned on for the first time. This process
can eliminate the need to reimage your devices as part of your deployment process, reducing the work required of
your deployment staff and opening up new, agile methods for device management and distribution.
In this article, learn how to enroll your Surface devices in Windows Autopilot with a Surface partner and the
options and considerations you will need to know along the way. This article focuses specifically on Surface
devices; for more information about using Windows Autopilot with other devices, or to read more about Windows
Autopilot and its capabilities, see Overview of Windows Autopilot in the Windows Docs Library.
Prerequisites
Enrollment of Surface devices in Windows Autopilot with a Surface partner enabled for Windows Autopilot has
the following licensing requirements for each enrolled Surface device:
Azure Active Directory Premium – Required to enroll your devices in your organization and to automatically
enroll devices in your organization’s mobile management solution.
Mobile Device Management (such as Microsoft Intune) – Required to remotely deploy applications,
configure, and manage your enrolled devices.
Office 365 ProPlus – Required to deploy Microsoft Office to your enrolled devices.
These requirements are also met by the following solutions:
Microsoft 365 E3 or E5 (includes Azure Active Directory Premium, Microsoft Intune, and Office 365 ProPlus)
Or
Enterprise Mobility + Security E3 or E5 (includes Azure Active Directory Premium and Microsoft Intune)
Office 365 ProPlus, E3, or E5 (includes Office 365 ProPlus)
NOTE
Deployment of devices using Windows Autopilot to complete the Out-of-Box Experience (OOBE) is supported without these
prerequisites; however, it will yield deployed devices without applications, configuration, or enrollment in a management
solution, and is highly discouraged.
Surface devices are designed to provide best-in-class experiences in productivity and general-purpose scenarios.
Regular updates enable Surface devices to bring to life new innovations and to evolve with the new capabilities
delivered by Windows 10 Feature Updates. Feature Updates are available only in Windows 10 Pro or Windows
10 Enterprise editions that receive continuous updates through the Semi-Annual Channel (SAC).
In contrast to the SAC servicing option, formerly known as the Current Branch (CB) or Current Branch for
Business (CBB) servicing options, you cannot select the Long-Term Servicing Channel (LTSC) option in Windows
10 settings. To use the LTSC servicing option, you must install a separate edition of Windows 10 Enterprise,
known as Windows 10 Enterprise LTSC, formerly known as Windows 10 Enterprise LTSB (Long-Term Servicing
Branch). In addition to providing an extended servicing model, the Windows 10 Enterprise LTSC edition also
provides an environment with several Windows components removed. The core Surface experiences that are
impacted by LTSC include:
Windows Feature Updates, including enhancements such as:
Improvements to Direct Ink and palm rejection provided in Windows 10, version 1607 (also referred to
as the Anniversary Update)
Improved support for high DPI applications provided in Windows 10, version 1703 (also referred to as
the Creators Update)
Pressure sensitivity settings provided by the Surface app
The Windows Ink Workspace
Key touch-optimized in-box applications including Microsoft Edge, OneNote, Calendar, and Camera
The use of the Windows 10 Enterprise LTSC environment on Surface devices results in sub-optimal end-user
experiences and you should avoid using it in environments where users want and expect a premium, up-to-date
user experience.
The LTSC servicing option is designed for device types and scenarios where the key attribute is for features or
functionality to never change. Examples include systems that power manufacturing or medical equipment, or
embedded systems in kiosks, such as ATMs or airport ticketing systems.
NOTE
For general information about Windows servicing branches, including LTSC, see Overview of Windows as a service.
As a general guideline, devices that fulfill the following criteria are considered general-purpose devices and should
be paired with Windows 10 Pro or Windows 10 Enterprise using the Semi-Annual Channel servicing option:
Devices that run productivity software such as Microsoft Office
Devices that use Microsoft Store applications
Devices that are used for general Internet browsing (for example, research or access to social media)
Before you choose to use Windows 10 Enterprise LTSC edition on Surface devices, consider the following
limitations:
Driver and firmware updates are not explicitly tested against releases of Windows 10 Enterprise LTSC.
If you encounter problems, Microsoft Support will provide troubleshooting assistance. However, due to the
servicing nature of the Windows LTSC, issue resolution may require that devices be upgraded to a more
recent version of Windows 10 Enterprise LTSC, or to Windows 10 Pro or Enterprise with the SAC servicing
option.
Surface device replacements (for example, devices replaced under warranty) may contain subtle variations
in hardware components that require updated device drivers and firmware. Compatibility with these
updates may require the installation of a more recent version of Windows 10 Enterprise LTSC or Windows
10 Pro or Enterprise with the SAC servicing option.
NOTE
Organizations that standardize on a specific version of Windows 10 Enterprise LTSC may be unable to adopt new
generations of Surface hardware without also updating to a later version of Windows 10 Enterprise LTSC or Windows 10 Pro
or Enterprise. For more information, see the How will Windows 10 LTSBs be supported? topic in the Supporting the
latest processor and chipsets on Windows section of Lifecycle Policy FAQ—Windows products.
Surface devices running Windows 10 Enterprise LTSC edition will not receive new features. In many cases these
features are requested by customers to improve the usability and capabilities of Surface hardware. For example,
new improvements for High DPI applications in Windows 10, version 1703. Customers that use Surface devices
in the LTSC configuration will not see the improvements until they either update to a new Windows 10 Enterprise
LTSC release or upgrade to a version of Windows 10 with support for the SAC servicing option.
Devices can be changed from Windows 10 Enterprise LTSC to a more recent version of Windows 10 Enterprise,
with support for the SAC servicing option, without the loss of user data by performing an upgrade installation.
You can also perform an upgrade installation on multiple devices by leveraging the Upgrade Task Sequence
Templates available in the Microsoft Deployment Toolkit (MDT) and System Center Configuration Manager. For
more information, see Upgrade Surface devices to Windows 10 with Microsoft Deployment Toolkit.
Long-Term Servicing Branch (LTSB) for Surface devices
5/10/2018
WARNING
For updated information on this topic, see Surface device compatibility with Windows 10 Long-Term Servicing Channel. For
additional information on this update, see the Documentation Updates for Surface and Windows 10 LTSB Compatibility post
on the Surface Blog for IT Pros.
General-purpose Surface devices running Long-Term Servicing Branch (LTSB) are not supported. As a general
guideline, if a Surface device runs productivity software, such as Microsoft Office, it is a general-purpose device
that does not qualify for LTSB and should instead run Current Branch (CB) or Current Branch for Business (CBB).
NOTE
For more information about the servicing branches, see Overview of Windows as a service.
LTSB prevents Surface devices from receiving critical Windows 10 feature updates and certain non-security
servicing updates. Customers with poor experiences using Surface devices in the LTSB configuration will be
instructed to upgrade to CB or CBB. Furthermore, the Windows 10 Enterprise LTSB edition removes core features
of Surface devices, including seamless inking and touch-friendly applications. It does not contain key in-box
applications including Microsoft Edge, OneNote, Calendar or Camera. Therefore, productivity is impacted and
functionality is limited. LTSB is not supported as a suitable servicing solution for general-purpose Surface devices.
General-purpose Surface devices are intended to run CB or CBB to receive full servicing and firmware updates
and forward compatibility with the introduction of new Surface features. With CB, feature updates are available as
soon as Microsoft releases them. Customers in the CBB servicing model receive the same build of Windows 10 as
those in CB, at a later date.
Surface devices in specialized scenarios – such as PCs that control medical equipment, point-of-sale systems, and
ATMs – may consider the use of LTSB. These special-purpose systems typically perform a single task and do not
require feature updates as frequently as other devices in the organization.
Related topics
Surface TechCenter
Surface for IT pros blog
Deploy Windows 10 to Surface devices with Microsoft Deployment Toolkit
5/10/2018
Applies to
Surface Studio
Surface Pro 4
Surface Book
Surface 3
Windows 10
This article walks you through the recommended process to deploy Windows 10 to Surface devices with
Microsoft deployment technologies. The process described in this article yields a complete Windows 10
environment including updated firmware and drivers for your Surface device along with applications like
Microsoft Office 365 and the Surface app. When the process is complete, the Surface device will be ready for use
by the end user. You can customize this process to include your own applications and configuration to meet the
needs of your organization. You can also follow the guidance provided in this article to integrate deployment to
Surface devices into existing deployment strategies.
By following the procedures in this article, you can create an up-to-date reference image and deploy this image to
your Surface devices, a process known as reimaging. Reimaging will erase and overwrite the existing environment
on your Surface devices. This process allows you to rapidly configure your Surface devices with identical
environments that can be configured to precisely fit your organization’s requirements.
An alternative to the reimaging process is an upgrade process. The upgrade process is non-destructive and
instead of erasing the existing environment on your Surface device, it allows you to install Windows 10 while
retaining your user data, applications, and settings. You can read about how to manage and automate the upgrade
process of Surface devices to Windows 10 at Upgrade Surface devices to Windows 10 with MDT.
The goal of the deployment process presented in this article is automation. By leveraging the many technologies
and tools available from Microsoft, you can create a process that requires only a single touch on the devices being
deployed. The automation can load the deployment environment; format the device; prepare an updated Windows
image with the drivers required for the device; apply that image to the device; configure the Windows
environment with licensing, membership in a domain, and user accounts; install applications; apply any Windows
updates that were not included in the reference image; and log out.
By automating each aspect of the deployment process, you not only greatly decrease the effort involved, but you
create a process that can be easily repeated and where human error becomes less of a factor. Take for example a
scenario where you create a reference image for the device manually, but you accidentally install conflicting
applications and cause the image to become unstable. In this scenario you have no choice but to begin again the
manual process of creating your image. If in this same scenario you had automated the reference image creation
process, you could repair the conflict by simply editing a step in the task sequence and then re-running the task
sequence.
Deployment tools
The deployment process described in this article leverages a number of Microsoft deployment tools and
technologies. Some of these tools and technologies are included in Windows client and Windows Server, such as
Hyper-V and Windows Deployment Services (WDS), while others are available as free downloads from the
Microsoft Download Center.
Microsoft Deployment Toolkit
The Microsoft Deployment Toolkit (MDT) is the primary component of a Windows deployment. It serves as a
unified interface for most of the Microsoft deployment tools and technologies, such as the Windows Assessment
and Deployment Kit (Windows ADK), Windows System Image Manager (Windows SIM), Deployment Image
Servicing and Management (DISM), User State Migration Tool (USMT), and many other tools and technologies.
Each of these is discussed throughout this article. The unified interface, called the Deployment Workbench,
facilitates automation of the deployment process through a series of stored deployment procedures, known as a
task sequence. Along with these task sequences and the many scripts and tools that MDT provides, the resources
for a Windows deployment (driver files, application installation files, and image files) are stored in a network share
known as the deployment share.
You can download and find out more about MDT at Microsoft Deployment Toolkit.
Windows Assessment and Deployment Kit
Although MDT is the tool you will interact with most during the deployment process, the deployment tools found
in the Windows ADK perform most of the deployment tasks during the deployment process. The resources for
deployment are held within the MDT deployment share, but it is the collection of tools included in Windows ADK
that access the image files, stage drivers and Windows updates, run the deployment experience, provide
instructions to Windows Setup, and back up and restore user data.
You can download and find out more about the Windows ADK at Download the Windows ADK.
Windows 10 installation media
Before you can perform a deployment with MDT, you must first supply a set of operating system installation files
and an operating system image. These files and image can be found on the physical installation media (DVD) for
Windows 10. You can also find these files in the disk image (ISO file) for Windows 10, which you can download
from the Volume Licensing Service Center (VLSC).
NOTE
The installation media generated from the Get Windows 10 page differs from physical media or media downloaded from the
VLSC, in that it contains an image file in Electronic Software Download (ESD) format rather than in the Windows Imaging
(WIM) format. Installation media with an image file in WIM format is required for use with MDT. Installation media from the
Get Windows 10 page cannot be used for Windows deployment with MDT.
Windows Server
Although MDT can be installed on a Windows client, to take full advantage of Windows Deployment Services’
ability to network boot, a full Windows Server environment is recommended. To provide network boot for UEFI
devices like Surface with WDS, you will need Windows Server 2008 R2 or later.
NOTE
To evaluate the deployment process for Surface devices or to test the deployment process described in this article with the
upcoming release of Windows Server 2016, you can download evaluation and preview versions from the TechNet Evaluation
Center.
NOTE
A Generation 1 virtual machine is recommended for the preparation of a reference image in a Hyper-V virtual environment.
Because customizations are performed by MDT at the time of deployment, the goal of reference image creation is
not to perform customization but to increase performance during deployment by reducing the number of actions
that need to occur on each deployed device. The biggest action that can slow down an MDT deployment is the
installation of Windows updates. When MDT performs this step during the deployment process, it downloads the
updates on each deployed device and installs them. By installing Windows updates in your reference image, the
updates are already installed when the image is deployed to the device and the MDT update process only needs to
install updates that are new since the image was created or are applicable to products other than Windows (for
example, Microsoft Office updates).
NOTE
Hyper-V is available not only on Windows Server, but also on Windows clients, including Professional and Enterprise editions
of Windows 8, Windows 8.1, and Windows 10. Find out more at Client Hyper-V on Windows 10 and Client Hyper-V on
Windows 8 and Windows 8.1 in the TechNet Library. Hyper-V is also available as a standalone product, Microsoft Hyper-V
Server, at no cost. You can download Microsoft Hyper-V Server 2012 R2 or Microsoft Hyper-V Server 2016 Technical
Preview from the TechNet Evaluation Center.
NOTE
Beginning in Windows 10, the drivers for Surface devices are included in the Windows Preinstallation Environment (WinPE).
In earlier versions of Windows, specific drivers (like network drivers) had to be imported and configured in MDT for use in
WinPE to successfully deploy to Surface devices.
Application installation files
In addition to the drivers that are used by Windows to communicate with the Surface device’s hardware and
components, you will also need to provide the installation files for any applications that you want to install on your
deployed Surface devices. To automate the deployment of an application, you will also need to determine the
command-line instructions for that application to perform a silent installation. In this article, the Surface app and
Microsoft Office 365 will be installed as examples of application installation. The application installation process
can be used with any application with installation files that can be launched from command line.
NOTE
If the application files for your application are stored on your organization’s network and will be accessible from your Surface
devices during the deployment process, you can deploy that application directly from that network location. To use
installation files from a network location, use the Install Application Without Source Files or Elsewhere on the Network
option in the MDT New Application Wizard, which is described in the Import applications section later in this article.
NOTE
To download deployment tools directly to Windows Server, you must disable Internet Explorer Enhanced Security
Configuration. On Windows Server 2012 R2, this can be performed directly through the Server Manager option on the
Local Server tab. In the Properties section, IE Enhanced Security Configuration can be found on the right side. You may
also need to enable the File Download option for the Internet zone through the Security tab of Internet Options.
Using the Windows Deployment Services Configuration Wizard, configure WDS to fit the needs of your
organization. You can find detailed instructions for the installation and configuration of WDS at Windows
Deployment Services Getting Started Guide for Windows Server 2012. On the PXE Server Initial Settings page,
be sure to configure WDS so that it will respond to your Surface devices when they attempt to boot from the
network. If you have already installed WDS or need to change your PXE server response settings, you can do so
on the PXE Response tab of the Properties of your server in the Windows Deployment Services Management
Console.
NOTE
You will add boot images to WDS when you update your boot images in MDT. You do not need to add boot images or
Windows images to WDS when you configure the role.
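The WDS role installation and the PXE response setting described above can also be applied from an elevated PowerShell prompt. The script below is an added example and is not part of the Surface documentation; the RemoteInstall drive letter, the device name SURF-LAB-01 and the all-zero device GUID are placeholders you would replace with your own values.

```powershell
# Added example (not from the Surface documentation): install WDS and set
# which PXE clients it answers. Assumed values: RemoteInstall on D:,
# placeholder device name SURF-LAB-01 and a placeholder device GUID.

# 1. Install the Windows Deployment Services role and its management tools.
Install-WindowsFeature -Name WDS -IncludeManagementTools

# 2. Initialize the server. Like the MDT deployment share, the RemoteInstall
#    folder belongs on an NTFS volume that is not the system volume.
wdsutil /Initialize-Server /RemInst:"D:\RemoteInstall"

# 3. Choose the PXE response policy. "Known" answers only prestaged devices,
#    so an unattended PXE server does not hand boot images to any machine
#    that asks on the network. Use /AnswerClients:All only when the
#    deployment network is isolated and prestaging is impractical.
wdsutil /Set-Server /AnswerClients:Known

# 4. Prestage a Surface device by its UEFI device GUID (a MAC address also
#    works) so the "Known" policy answers it. Replace the placeholder ID.
wdsutil /Add-Device /Device:SURF-LAB-01 /ID:00000000-0000-0000-0000-000000000000

# 5. Print the resulting server configuration for review.
wdsutil /Get-Server /Show:Config
```

The same settings are reachable afterwards on the PXE Response tab of the server's properties in the Windows Deployment Services Management Console, which is the place to check if Surface devices are not being answered during network boot.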
NOTE
You can also use the Adksetup.exe file to download the Windows ADK installation files locally for use on other devices.
When you get to the Select the features you want to install page, you only need to select the Deployment
Tools and Windows Preinstallation Environment (Windows PE) check boxes to deploy Windows 10 using
MDT, as shown in Figure 3.
Figure 3. Only Deployment Tools and Windows PE options are required for deployment with MDT
Install Microsoft Deployment Toolkit
After the Windows ADK installation completes successfully, you can install MDT. When you download MDT,
ensure that you download the version that matches the architecture of your deployment server environment. For
Windows Server the architecture is 64-bit. Download the MDT installation file that ends in x64. When MDT is
installed you can use the default options during the installation wizard, as shown in Figure 4.
NOTE
Like the WDS remote installation folder, it is recommended that you put this folder on an NTFS volume that
is not your system volume.
Share – Specify a name for the network share under which the local folder specified on the Path
page will be shared, and then click Next.
NOTE
The share name cannot contain spaces.
NOTE
You can use a Dollar Sign ($) to hide your network share so that it will not be displayed when users browse
the available network shares on the server in File Explorer.
Descriptive Name – Enter a descriptive name for the network share (this descriptive name can
contain spaces), and then click Next. The descriptive name will be the name of the folder as it
appears in the Deployment Workbench.
Options – You can accept the default options on this page. Click Next.
Summary – Review the specified configuration on this page before you click Next to begin creation of
the deployment share.
Progress – While the deployment share is being created, a progress bar is displayed on this page to
indicate the status of the deployment share creation process.
Confirmation – When the deployment share creation process completes, the success of the process is
displayed on this page. Click Finish to complete the New Deployment Share Wizard.
4. When the New Deployment Share Wizard is complete, you can expand the Deployment Shares folder to
find your newly created deployment share.
5. You can expand your deployment share, where you will find several folders in which the resources, scripts, and
components of your MDT deployment environment are stored.
To secure the deployment share and prevent unauthorized access to the deployment resources, you can create a
local user on the deployment share host and configure permissions for that user to have read-only access to the
deployment share only. It is especially important to secure access to the deployment share if you intend to
automate the logon to the deployment share during the deployment boot process. By automating the logon to the
deployment share during the boot of deployment media, the credentials for that logon are stored in plaintext in
the bootstrap.ini file on the boot media.
NOTE
If you intend to capture images (such as the reference image) with this user, the user must also have write permission on the
Captures folder in the MDT deployment share.
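The read-only account described above, including the one write exception for the Captures folder, can be set up with the following script. It is an added example, not part of the Surface documentation; the share path D:\DeploymentShare, the share name DeploymentShare$ and the account name MDT_Reader are assumptions.

```powershell
# Added example (not from the Surface documentation): a dedicated,
# least-privilege local account for the MDT deployment share.
# Assumed values: D:\DeploymentShare shared as DeploymentShare$, account MDT_Reader.
$SharePath = 'D:\DeploymentShare'
$ShareName = 'DeploymentShare$'
$Account   = 'MDT_Reader'

# 1. Create the local account. It exists only for Bootstrap.ini to connect to
#    the share, so it never needs to change its own password.
$Password = Read-Host -Prompt "Password for $Account" -AsSecureString
New-LocalUser -Name $Account -Password $Password -PasswordNeverExpires `
    -UserMayNotChangePassword -Description 'MDT deployment share access (read-only)'

# 2. Share-level permissions: Read for the account only. Remove Everyone if
#    the share was created with a broader default (ignored if absent).
Grant-SmbShareAccess -Name $ShareName -AccountName $Account -AccessRight Read -Force
Revoke-SmbShareAccess -Name $ShareName -AccountName 'Everyone' -Force -ErrorAction SilentlyContinue

# 3. NTFS permissions: Read and Execute on the whole share, inherited by
#    files (OI) and subfolders (CI). Captures is the one exception: capturing
#    the reference image writes a WIM file there, so that folder gets Modify.
icacls $SharePath /grant "${Account}:(OI)(CI)RX" /T
icacls (Join-Path $SharePath 'Captures') /grant "${Account}:(OI)(CI)M"

# 4. Review the effective rights before the credentials go into Bootstrap.ini.
Get-SmbShareAccess -Name $ShareName
icacls $SharePath
```

Because the UserID, UserPassword and UserDomain values in Bootstrap.ini are what the boot media carries in plaintext, they should name this account and nothing more privileged; anyone who obtains a copy of the boot media can read them, and with this setup they gain only read access to the deployment share.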
You now have an empty deployment share that is ready for you to add the resources that will be required for
reference image creation and deployment to Surface devices.
Import Windows installation files
The first resources that are required to perform a deployment of Windows are the installation files from Windows
10 installation media. Even if you have an already prepared reference image, you still need to supply the unaltered
installation files from your installation media. The source of these files can be a physical disk, or it can be an ISO
file like the download from the Volume Licensing Service Center (VLSC).
NOTE
A 64-bit operating system is required for compatibility with Surface Studio, Surface Pro 4, Surface Book, Surface Pro 3, and
Surface 3.
NOTE
For some organizations keeping a simple deployment share without applications or drivers is the simplest solution for
creation of reference images. You can easily connect to more than one deployment share from a single Deployment
Workbench and copy images from a simple, reference-image-only deployment share to a production deployment share
complete with drivers and applications.
Figure 9. Create a new task sequence to deploy and update a Windows 10 reference environment
2. The New Task Sequence Wizard presents a series of steps, as follows:
General Settings – Enter an identifier for the reference image task sequence in the Task Sequence ID
field, a name for the reference image task sequence in the Task Sequence Name field, and any
comments for the reference image task sequence in the Task Sequence Comments field, and then click
Next.
NOTE
The Task Sequence ID field cannot contain spaces and can be a maximum of 16 characters.
Select Template – Select Standard Client Task Sequence from the drop-down menu, and then click
Next.
Select OS – Navigate to and select the Windows 10 image you imported with the Windows 10
installation files, and then click Next.
Specify Product Key – Click Do Not Specify a Product Key at This Time, and then click Next.
OS Settings – Enter a name, organization, and home page URL in the Full Name, Organization, and
Internet Explorer Home Page fields, and then click Next.
Admin Password – Click Use the Specified Local Administrator Password, enter a password in the
provided field, and then click Next.
NOTE
During creation of a reference image, any specified Administrator password will be automatically removed when the image
is prepared for capture with Sysprep. During reference image creation, a password is not necessary, but is recommended to
remain in line with best practices for production deployment environments.
Summary – Review the specified configuration on this page before you click Next to begin creation of
the task sequence.
Progress – While the task sequence is created, a progress bar is displayed on this page.
Confirmation – When the task sequence creation completes, the success of the process is displayed on
this page. Click Finish to complete the New Task Sequence Wizard.
3. Select the Task Sequences folder, right-click the new task sequence you created, and then click Properties.
4. Select the Task Sequence tab to view the steps that are included in the Standard Client Task Sequence
template, as shown in Figure 10.
Figure 10. Enable Windows Update in the reference image task sequence
5. Select the Windows Update (Pre-Application Installation) option, located under the State Restore
folder.
6. Click the Options tab, and then clear the Disable This Step check box.
7. Repeat Step 4 and Step 5 for the Windows Update (Post-Application Installation) option.
8. Click OK to apply changes to the task sequence, and then close the task sequence properties window.
Generate and import MDT boot media
To boot the reference virtual machine from the network, the MDT deployment share first must be updated to
generate boot media with the resources that have been added in the previous sections.
To update the MDT boot media, follow these steps:
1. Right-click the deployment share in the Deployment Workbench, and then click Update Deployment
Share to start the Update Deployment Share Wizard, as shown in Figure 11.
Figure 11. Generate boot images with the Update Deployment Share Wizard
2. Use the Update Deployment Share Wizard to create boot images with the following process:
Options – Click Completely Regenerate the Boot Images, and then click Next.
NOTE
Because this is the first time the newly created deployment share has been updated, new boot images will be generated
regardless of which option you select on the Options page.
Summary – Review the specified options on this page before you click Next to begin generation of
boot images.
Progress – While the boot images are being generated, a progress bar is displayed on this page.
Confirmation – When the boot images have been generated, the success of the process is displayed on
this page. Click Finish to complete the Update Deployment Share Wizard.
3. Confirm that boot images have been generated by navigating to the deployment share in File Explorer and
opening the Boot folder. The following files should be displayed, as shown in Figure 12:
LiteTouchPE_x86.iso
LiteTouchPE_x86.wim
LiteTouchPE_x64.iso
LiteTouchPE_x64.wim
Figure 12. Boot images displayed in the Boot folder after completion of the Update Deployment Share Wizard
To import the MDT boot media into WDS for PXE boot, follow these steps:
1. Open Windows Deployment Services from the Start menu or Start screen.
2. Expand Servers and your deployment server.
3. Click the Boot Images folder, as shown in Figure 13.
Figure 13. Start the Add Image Wizard from the Boot Images folder
4. Right-click the Boot Images folder, and then click Add Boot Image to open the Add Image Wizard, as
shown in Figure 14.
NOTE
Only the 32-bit boot image, LiteTouchPE_x86.wim, is required to boot from BIOS devices, including Generation 1 Hyper-V
virtual machines like the reference virtual machine.
If your WDS configuration is properly set up to respond to PXE clients, you should now be able to boot from the
network with any device with a network adapter properly configured for network boot (PXE).
NOTE
If your WDS server resides on the same server as DHCP or in a different subnet than the devices you are attempting to
boot, additional configuration may be required. For more information, see Managing Network Boot Programs.
By using a fully automated task sequence in an MDT deployment share dedicated to reference image creation, you can
greatly reduce the time and effort required to create new reference images and it is the best way to ensure that your
organization is ready for feature updates and new versions of Windows 10.
You can now boot from the network with a virtual machine to run the prepared task sequence and generate a
reference image. When you prepare your virtual machine in Hyper-V for reference image creation, consider the
following:
Use a Generation 1 virtual machine for the simplicity of drivers and to ensure maximum compatibility with
both BIOS and UEFI devices.
Ensure your virtual machine has at least 1 GB of system memory at boot. You can ensure that the virtual
machine has at least 1 GB of memory at boot but allow the memory to adjust after boot by using Dynamic
Memory. You can read more about Dynamic Memory in the Hyper-V Dynamic Memory Overview.
Ensure your virtual machine uses a legacy network adapter to support network boot (PXE); that network
adapter should be connected to the same network as your deployment server, and that network adapter should
receive an IP address automatically via DHCP.
Configure your boot order such that PXE Boot is the first option.
When your virtual machine (VM) is properly configured and ready, start or boot the VM and be prepared to press
the F12 key when prompted to boot via PXE from the WDS server.
Perform the reference image deployment and capture using the following steps:
1. Start your virtual machine and press the F12 key when prompted to boot to the WDS server via PXE, as
shown in Figure 15.
Figure 16. Use the Capture Image page to capture an image of the reference machine after deployment
Ready – You can review your selections by expanding Details on the Ready page. Click Begin when
you are ready to perform the deployment and capture of your reference image.
6. Your reference task sequence will run with the specified options.
As the task sequence processes the deployment, it will automatically perform the following tasks:
Install the Windows 10 image from the installation files you supplied
Reboot into Windows 10
Run Windows updates until all Windows updates have been installed and the Windows environment is fully up
to date
Run Sysprep and prepare the Windows 10 environment for deployment
Reboot into WinPE
Capture an image of the Windows 10 environment and store it in the Captures folder in the MDT deployment
share
NOTE
The Windows Update process can take some time to complete as it searches the Internet for updates, downloads those
updates, and then installs them. By performing this process now, in the reference environment, you eliminate the need to
perform these tasks on each deployed device and significantly reduce the amount of time and bandwidth required to
perform your deployment.
When the task sequence completes, your virtual machine will be off and a new reference image complete with
updates will be ready in your MDT deployment share for you to import it and prepare your deployment
environment for deployment to Surface devices.
Now that your updated reference image is imported, it is time to prepare your deployment environment for
deployment to Surface devices complete with drivers, applications, and automation.
Import Surface drivers
Before you can deploy your updated reference image to Surface devices, or any physical environment, you need to
supply MDT with the drivers that Windows will use to communicate with that physical environment. For Surface
devices you can download all of the drivers required by Windows in a single archive (.zip) file in a format that is
ready for deployment. In addition to the drivers that are used by Windows to communicate with the hardware and
components, Surface firmware and driver packs also include updates for the firmware of those components. By
installing the Surface firmware and driver pack, you will also bring your device’s firmware up to date. If you have
not done so already, download the drivers for your Surface device listed at Download the latest firmware and
drivers for Surface devices.
Many devices require that you import drivers specifically for WinPE in order for the MDT boot media to
communicate with the deployment share and to boot properly on that device. Even Surface Pro 3 required that
network drivers be imported specifically for WinPE for deployment of Windows 8.1. Fortunately, for Windows 10
deployments to Surface devices, all of the required drivers for operation of WinPE are contained within the out-of-
box drivers that are built into Windows 10. It is still a good idea to prepare your environment with folder structure
and selection profiles that allow you to specify drivers for use in WinPE. You can read more about that folder
structure in Step 5: Prepare the drivers repository in Deploy a Windows 10 image using MDT 2013 Update 2.
To import the Surface drivers (in this example, Surface Pro 4) into MDT, follow these steps:
1. Extract the downloaded archive (.zip) file to a folder that you can easily locate. Keep the driver files separate
from other drivers or files.
2. Open the Deployment Workbench and expand the Deployment Shares node and your deployment share.
3. If you have not already created a folder structure by operating system version, you should do so now and
create under the Windows 10 x64 folder a new folder for Surface Pro 4 drivers named Surface Pro 4. Your
Out-of-Box Drivers folder should resemble the following structure, as shown in Figure 17:
WinPE x86
WinPE x64
Windows 10 x64
Microsoft Corporation
Surface Pro 4
Figure 17. The recommended folder structure for drivers
4. Right-click the Surface Pro 4 folder, and then click Import Drivers to start the Import Drivers Wizard, as
shown in Figure 18.
Figure 18. The Progress page during drivers import
5. The Import Driver Wizard displays a series of steps, as follows:
Specify Directory – Click Browse and navigate to the folder where you extracted the Surface Pro 4
firmware and drivers in Step 1.
Summary – Review the specified configuration on this page before you click Next to begin the import
process.
Progress – While the drivers are imported, a progress bar is displayed on this page.
Confirmation – When the import process completes, the success of the process is displayed on this
page. Click Finish to complete the Import Drivers Wizard.
6. Click the Surface Pro 4 folder and verify that the folder now contains the drivers that were imported, as
shown in Figure 19.
Figure 19. Drivers for Surface Pro 4 imported and organized in the MDT deployment share
Import applications
You can import any number of applications into MDT for installation on your devices during the deployment
process. You can configure your applications and task sequences to prompt you during deployment to pick and
choose which applications are installed, or you can use your task sequence to explicitly define which applications
are installed. For more information, see Step 4: Add an application in Deploy a Windows 10 image using MDT
2013 Update 2.
Import Microsoft Office 365 Installer
The Office Deployment Tool is a free download available in the Microsoft Download Center that allows IT
professionals and system administrators to download and prepare Office installation packages for Office Click-to-
Run. You can find the Office Deployment Tool and instructions to download Click-to-Run for Office 365
installation source files at Download Click-to-Run for Office 365 products by using the Office Deployment Tool.
Download and install the version of Office Deployment Tool (ODT), for Office 2013 or Office 2016, that fits your
organization’s needs and use the steps provided by that page to download the Office installation files for use with
MDT.
After you have downloaded the source files for your version of Office Click-to-Run, you need to edit the
Configuration.xml file with instructions to install Office Click-to-Run silently. To configure the Office Deployment
Tool for silent installation, follow these steps:
1. Right-click the existing Configuration.xml file, and then click Edit.
2. This action opens the file in Notepad. Replace the existing text with the following:
<Configuration>
  <Add OfficeClientEdition="32">
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us" />
    </Product>
  </Add>
  <Display Level="None" AcceptEULA="TRUE" />
</Configuration>
3. Save the file.
The default behavior of Setup.exe is to look for the source files in the path that contains Setup.exe. If the
installation files are not found in this folder, the Office Deployment Tool will default to online source files from an
Internet connection.
For MDT to perform an automated installation of Office, the Display Level option must be set to None. This
setting suppresses the installation dialog boxes so that the installation runs silently. When Display Level is set to
None, the AcceptEULA option must be set to True so that the license agreement is accepted without a prompt. With
both of these options configured, Office installs without displaying any dialog box that could otherwise pause the
installation until a user addresses it.
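The following check is an added example, not part of the Surface documentation or of the Office Deployment Tool. It parses a Configuration.xml before it is imported into the deployment share and reports the conditions the text describes: a missing or non-silent Display Level, and Display Level None without AcceptEULA, which is the combination that leaves an unattended task sequence waiting on a dialog nobody can see. The function name check_odt_config and the two sample configurations are constructed for this example.

```python
"""Check an Office Deployment Tool Configuration.xml for unattended install.

Added example; not code from the Surface documentation or the Office
Deployment Tool. Rules checked: Display Level="None" is required to suppress
the setup UI, and with Level None the EULA must be pre-accepted.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the silent configuration shown in the text.
SILENT_CONFIG = """<Configuration>
  <Add OfficeClientEdition="32">
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us" />
    </Product>
  </Add>
  <Display Level="None" AcceptEULA="TRUE" />
</Configuration>"""

# Constructed sample of a common mistake: UI suppressed, EULA not accepted.
NOISY_CONFIG = """<Configuration>
  <Add OfficeClientEdition="64">
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us" />
    </Product>
  </Add>
  <Display Level="None" />
</Configuration>"""


def check_odt_config(xml_text: str) -> list[str]:
    """Return the problems found; an empty list means the file is ready for
    an unattended MDT application install."""
    problems: list[str] = []
    root = ET.fromstring(xml_text)
    if root.tag != "Configuration":
        return [f"root element is <{root.tag}>, expected <Configuration>"]

    add = root.find("Add")
    if add is None:
        problems.append("no <Add> element: nothing would be installed")
    else:
        edition = add.get("OfficeClientEdition")
        if edition not in ("32", "64"):
            problems.append(f"OfficeClientEdition must be 32 or 64, got {edition!r}")
        products = add.findall("Product")
        if not products:
            problems.append("<Add> has no <Product> element")
        for product in products:
            if not product.get("ID"):
                problems.append("<Product> is missing its ID attribute")
            if not product.findall("Language"):
                problems.append(f"product {product.get('ID')!r} lists no <Language>")

    display = root.find("Display")
    level = display.get("Level") if display is not None else None
    accept = display.get("AcceptEULA") if display is not None else None
    if level != "None":
        problems.append(f"Display Level is {level!r}; None is required to suppress setup dialogs")
    if (accept or "").upper() != "TRUE":
        problems.append("AcceptEULA must be TRUE; with Level None there is no dialog to accept the license")
    return problems


if __name__ == "__main__":
    for name, cfg in (("silent", SILENT_CONFIG), ("noisy", NOISY_CONFIG)):
        print(name, check_odt_config(cfg) or "OK")
```

Run it against the Configuration.xml you edited; anything it reports will otherwise surface as a hung Install Application step rather than a visible error.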
Now that the installation and configuration files are prepared, the application can be imported into the
deployment share by following these steps:
1. Open the Deployment Workbench.
2. Expand the deployment share, right-click the Applications folder, and then click New Application to start
the New Application Wizard, as shown in Figure 20.
Figure 20. Enter the command and directory for Office 2016 Click-to-Run
3. The New Application Wizard walks you through importing the Office 2016 Click-to-Run files, as follows:
Application Type – Click Application with Source Files, and then click Next.
Details – Enter a name for the application (for example, Office 2016 Click-to-Run) in the Application
Name field. Enter publisher, version, and language information in the Publisher, Version, and
Language fields if desired. Click Next.
Source – Click Browse to navigate to and select the folder where you downloaded the Office
installation files with the Office Deployment Tool, and then click Next.
Destination – Enter a name for the folder where the application files will be stored in the Specify the
Name of the Directory that Should Be Created field or click Next to accept the default name.
Command Details – Enter the Office Deployment Tool installation command line:
Setup.exe /configure configuration.xml
Summary – Review the specified configuration on this page before you click Next to begin the
import process.
Progress – While the installation files are imported, a progress bar is displayed on this page.
Confirmation – When the import process completes, the success of the process is displayed on this
page. Click Finish to complete the New Application Wizard.
4. You should now see the Office 2016 Click-to-Run item under the Applications folder in the Deployment
Workbench.
Import Surface app installer
The Surface app is a Microsoft Store app that provides the user with greater control over specific Surface device
functions and capabilities (for example, control over the sensitivity of the Surface Pen). It is a highly recommended
app for Surface devices to provide end users with the best experience and greatest control over their device. Find
out more about the Surface app at Install and use the Surface app.
To perform a deployment of the Surface app, you will need to download the app files through Microsoft Store for
Business. You can find detailed instructions on how to download the Surface app through Microsoft Store for
Business at Deploy Surface app with Microsoft Store for Business.
After you have downloaded the installation files for Surface app, including the AppxBundle and license files, you
can import these files into the deployment share through the same process as a desktop application like Microsoft
Office. Both the AppxBundle and license files must be together in the same folder for the import process to
complete successfully. Use the following command on the Command Details page to install the Surface app:
Figure 21. A new Install Application step in the deployment task sequence
8. On the Properties tab of the new Install Application step, enter Install Microsoft Office 2016 Click-
to-Run in the Name field.
9. Click Install a Single Application, and then click Browse to view available applications that have been
imported into the deployment share.
10. Select Office 2016 Click-to-Run from the list of applications, and then click OK.
11. Repeat Steps 6 through 10 for the Surface app.
12. Expand the Preinstall folder, and then click the Enable BitLocker (Offline) step.
13. Open the Add menu again and choose Set Task Sequence Variable from under the General menu.
14. On the Properties tab of the new Set Task Sequence Variable step (as shown in Figure 22), configure
the following options:
Name – Set DriverGroup001
Task Sequence Variable – DriverGroup001
Value – Windows 10 x64\%Make%\%Model%
Figure 22. Configure a new Set Task Sequence Variable step in the deployment task sequence
15. Select the Inject Drivers step, the next step in the task sequence.
16. On the Properties tab of the Inject Drivers step (as shown in Figure 23), configure the following options:
In the Choose a selection profile drop-down menu, select Nothing.
Click the Install all drivers from the selection profile button.
Figure 23. Configure the deployment task sequence not to choose the drivers to inject into Windows
17. Click OK to apply changes to the task sequence and close the task sequence properties window.
Configure deployment share rules
The experience of users during a Windows deployment is largely governed by a set of rules that control how the
MDT and Windows Deployment Wizard experience should proceed. These rules are stored in two configuration
files. Boot media rules are stored in the Bootstrap.ini file, which is processed when the MDT boot media first runs.
Deployment share rules are stored in the CustomSettings.ini file and tell the Windows Deployment Wizard how to
operate (for example, which screens to show and which questions to ask). By using the rules stored in these two
files, you can completely automate the deployment so that you are not asked to answer any questions and the
deployment performs all of its tasks on its own.
Configure Bootstrap.ini
Bootstrap.ini is the simpler of the two rule files. The purpose it serves is to provide instructions from when the
MDT boot media starts on a device until the Windows Deployment Wizard is started. The primary use of this file
is to provide the credentials that will be used to log on to the deployment share and start the Windows
Deployment Wizard.
To automate the boot media rules, follow these steps:
1. Right-click your deployment share in the Deployment Workbench, and then click Properties.
2. Click the Rules tab, and then click Edit Bootstrap.ini to open Bootstrap.ini in Notepad.
3. Replace the text of the Bootstrap.ini file with the following text:
[Settings]
Priority=Model,Default
[Surface Pro 4]
DeployRoot=\\STNDeployServer\DeploymentShare$
[Default]
DeployRoot=\\STNDeployServer\DeploymentShare$
UserDomain=STNDeployServer
UserID=MDTUser
UserPassword=P@ssw0rd
SkipBDDWelcome=YES
Configure CustomSettings.ini
The deployment share rules are stored in CustomSettings.ini and are read by the Windows Deployment Wizard once
the boot media has connected to the deployment share. Replace the text on the Rules tab of the deployment share
properties with the following text:
[Settings]
Priority=Model,Default
[Surface Pro 4]
SkipTaskSequence=YES
TaskSequenceID=Win10SP4
[Default]
OSInstall=Y
SkipCapture=YES
SkipAdminPassword=YES
SkipProductKey=YES
SkipComputerBackup=YES
SkipBitLocker=YES
SkipBDDWelcome=YES
SkipUserData=YES
UserDataLocation=AUTO
SkipApplications=YES
SkipPackageDisplay=YES
SkipComputerName=YES
SkipDomainMembership=YES
JoinDomain=contoso.com
DomainAdmin=MDT
DomainAdminDomain=contoso
DomainAdminPassword=P@ssw0rd
SkipLocaleSelection=YES
KeyboardLocale=en-US
UserLocale=en-US
UILanguage=en-US
SkipTimeZone=YES
TimeZoneName=Pacific Standard Time
UserID=MDTUser
UserDomain=STNDeployServer
UserPassword=P@ssw0rd
SkipSummary=YES
SkipFinalSummary=YES
FinishAction=LOGOFF
NOTE
Although it is a best practice to replace and update the boot images in WDS whenever the MDT deployment share is
updated, for deployment to Surface devices the 32-bit boot image, LiteTouchPE_x86.wim, is not required. Only the 64-bit
boot image is required for 64-bit UEFI devices.
NOTE
For Surface devices not configured to boot to the network as the first boot option, you can hold Volume Down and press
Power to boot the system immediately to a USB or network device.
The resulting configuration is a Surface device that is logged out and ready for an end user to enter their
credentials, log on, and get right to work. The applications and drivers they need are already installed and up to
date.
Upgrade Surface devices to Windows 10 with
Microsoft Deployment Toolkit
10/29/2018 • 12 minutes to read
Applies to
Surface Pro 3
Surface 3
Surface Pro 2
Surface Pro
Windows 10
In addition to the traditional deployment method of reimaging devices, administrators who want to upgrade
Surface devices that are running Windows 8.1 or Windows 10 have the option of deploying upgrades. By
performing an upgrade deployment, Windows 10 can be applied to devices without removing users, apps, or
configuration. The users of the deployed devices can simply continue using the devices with the same apps and
settings that they used prior to the upgrade. The process described in this article shows how to perform a
Windows 10 upgrade deployment to Surface devices.
If you are not already familiar with the deployment of Windows or the Microsoft deployment tools and
technologies, you should read Deploy Windows 10 to Surface devices with MDT and familiarize yourself with the
traditional deployment method before you proceed.
The upgrade concept
When you use the factory installation media to install Windows on a device, you are presented with two options or
installation paths to install Windows on that device. The first of these installation paths – clean installation – allows
you to apply a factory image of Windows to that device, including all default settings. The second of these
installation paths – upgrade – allows you to apply Windows to the device but retains the device’s users, apps, and
settings.
When you perform a Windows deployment using traditional deployment methods, you follow an installation path
that is very similar to a clean installation. The primary difference between the clean installation and the traditional
deployment method of reimaging is that with reimaging, you can apply an image that includes customizations.
Microsoft deployment technologies, such as the Microsoft Deployment Toolkit (MDT), expand the capabilities of
the reimaging process by modifying the image during deployment. For example, MDT is able to inject drivers for a
specific hardware configuration during deployment, and it can run pre- and post-imaging scripts to perform a
number of tasks, such as the installation of applications.
For versions of Windows prior to Windows 10, if you wanted to install a new version of Windows on your devices
and preserve the configuration of those systems, you had to perform additional steps during your deployment. For
example, if you wanted to keep the data of users on the device, you had to back up user data with the User State
Migration Tool (USMT) prior to the deployment and restore that data after the deployment had completed.
Introduced with Windows 10 and MDT 2013 Update 1, the upgrade installation path can be used directly with
Microsoft deployment technologies such as the Microsoft Deployment Toolkit (MDT). With an upgrade
deployment you use the same deployment technologies and process, but you preserve the users, settings, and
applications of the existing environment on the device.
NOTE
Installation media for use with MDT must contain a Windows image in Windows Imaging Format (.wim). Installation
media produced by the Get Windows 10 page does not use a .wim file, instead using an Electronic Software
Download (.esd) file, which is not compatible with MDT.
Figure 4. Configure a new Set Task Sequence Variable step in the deployment task sequence
14. Select the Inject Drivers step, the next step in the task sequence.
15. On the Properties tab of the Inject Drivers step (as shown in Figure 5) configure the following options:
In the Choose a selection profile drop-down menu, select Nothing.
Click the Install all drivers from the selection profile button.
Figure 5. Configure the deployment task sequence to not install drivers
16. Click OK to apply changes to the task sequence and close the task sequence properties window.
Steps 11 through 15 are very important to the deployment of Surface devices. These steps instruct the task
sequence to install only drivers that are organized into the correct folder using the organization for drivers from
the Import Surface drivers section.
Deployment share rules
To automate the upgrade process, the rules of the MDT deployment share need to be modified to suppress
prompts for information from the user. Unlike a traditional deployment, Bootstrap.ini does not need to be modified
because the deployment process is not started from boot media. Similarly, boot media does not need to be
imported into WDS because it will not be booted over the network with PXE.
To modify the deployment share rules and suppress the Windows Deployment Wizard prompts for information,
copy and paste the following text into the text box on the Rules tab of your deployment share properties:
[Settings]
Priority=Model,Default
Properties=MyCustomProperty
[Surface Pro 4]
SkipTaskSequence=YES
TaskSequenceID=Win10SP4
[Surface Pro 3]
SkipTaskSequence=YES
TaskSequenceID=Win10SP3Up
[Default]
OSInstall=Y
SkipCapture=YES
SkipAdminPassword=YES
SkipProductKey=YES
SkipComputerBackup=YES
SkipBitLocker=YES
SkipBDDWelcome=YES
SkipUserData=YES
UserDataLocation=AUTO
SkipApplications=YES
SkipPackageDisplay=YES
SkipComputerName=YES
SkipDomainMembership=YES
JoinDomain=contoso.com
DomainAdmin=MDT
DomainAdminDomain=contoso
DomainAdminPassword=P@ssw0rd
SkipLocaleSelection=YES
KeyboardLocale=en-US
UserLocale=en-US
UILanguage=en-US
SkipTimeZone=YES
TimeZoneName=Pacific Standard Time
UserID=MDTUser
UserDomain=STNDeployServer
UserPassword=P@ssw0rd
SkipSummary=YES
SkipFinalSummary=YES
FinishAction=LOGOFF
For more information about the rules configured by this text, see the Configure deployment share rules section
in the Deploy Windows 10 to Surface devices with MDT article.
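The following script is an added example, not code from the Surface documentation or from MDT. It models the behaviour the Configure deployment share rules section and the rules above rely on: MDT reads the sections named by Priority in order (here the value of the gathered Model property, then Default) and the first section that sets a property wins, so a model-specific section can pin a task sequence while Default supplies everything else. It also expands the DriverGroup001 value from the Set Task Sequence Variable step and checks it against the Out-of-Box Drivers folder structure, since with the selection profile set to Nothing a Make or Model that does not match a folder name leaves the device with no drivers injected. Finally it lists the properties that hold credentials: both rules files store the deployment share account and the domain-join account password in cleartext, and Bootstrap.ini is copied into the LiteTouch boot image when the deployment share is updated, so anyone who can read the share or the PXE-served boot image can recover them; give MDTUser read-only access to the share and give the domain-join account only the right to join computers. The sample rules are constructed from the article's placeholders (STNDeployServer, MDTUser, contoso.com, Win10SP4, Win10SP3Up); the SkipBitLocker line under [Surface Pro 3] is added here only to show precedence, and the function names load_rules, resolve, credential_findings, driver_group_path and driver_folder_exists are chosen for this example.

```python
"""Resolve effective MDT rules for a device and check its driver path.

Added example; not code from the Surface documentation or from MDT. Sections
are visited in Priority order and the first section to set a property wins.
"""
import configparser
import re

# Constructed sample: deployment share rules from the text, trimmed. The
# SkipBitLocker line under [Surface Pro 3] is added to show precedence.
CUSTOMSETTINGS_INI = """[Settings]
Priority=Model,Default
Properties=MyCustomProperty
[Surface Pro 4]
SkipTaskSequence=YES
TaskSequenceID=Win10SP4
[Surface Pro 3]
SkipTaskSequence=YES
TaskSequenceID=Win10SP3Up
SkipBitLocker=NO
[Default]
OSInstall=Y
SkipBitLocker=YES
JoinDomain=contoso.com
DomainAdmin=MDT
DomainAdminDomain=contoso
DomainAdminPassword=P@ssw0rd
UserID=MDTUser
UserDomain=STNDeployServer
UserPassword=P@ssw0rd
FinishAction=LOGOFF
"""

# Properties that hold a credential; MDT keeps them in cleartext, and
# Bootstrap.ini additionally travels inside the LiteTouch boot image.
CREDENTIAL_KEYS = {"userpassword", "domainadminpassword"}

# DriverGroup001 value from the Set Task Sequence Variable step, plus a
# constructed copy of the Out-of-Box Drivers folder structure from the text.
DRIVER_GROUP_TEMPLATE = r"Windows 10 x64\%Make%\%Model%"
OUT_OF_BOX_DRIVER_FOLDERS = {
    r"WinPE x86",
    r"WinPE x64",
    r"Windows 10 x64\Microsoft Corporation\Surface Pro 4",
}


def load_rules(ini_text: str) -> configparser.ConfigParser:
    """Parse MDT-style INI text. configparser lower-cases keys (MDT property
    names are case-insensitive); the default_section override stops a
    [Default] section from being merged into every other section."""
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       default_section="__no_defaults__")
    parser.read_string(ini_text)
    return parser


def resolve(ini_text: str, device: dict[str, str]) -> dict[str, str]:
    """Effective properties for a device such as {"Model": "Surface Pro 3"}.
    A Priority entry naming a gathered property is replaced by its value to
    pick the section; a section that does not exist is skipped."""
    rules = load_rules(ini_text)
    priority = [p.strip() for p in rules["Settings"]["priority"].split(",")]
    sections = {s.lower(): s for s in rules.sections()}
    effective: dict[str, str] = {}
    for entry in priority:
        section = sections.get(device.get(entry, entry).lower())
        if section is None:
            continue
        for key, value in rules.items(section):
            effective.setdefault(key, value)  # first section to set a key wins
    return effective


def credential_findings(ini_text: str) -> list[str]:
    """Every section/key pair that stores a credential in cleartext."""
    rules = load_rules(ini_text)
    return [f"{section}/{key}" for section in rules.sections()
            for key in rules[section] if key in CREDENTIAL_KEYS]


def driver_group_path(device: dict[str, str]) -> str:
    """Expand %Make%/%Model% in DriverGroup001 with the gathered values."""
    return re.sub(r"%(\w+)%", lambda m: device.get(m.group(1), m.group(0)),
                  DRIVER_GROUP_TEMPLATE)


def driver_folder_exists(device: dict[str, str]) -> bool:
    """False means Inject Drivers (selection profile Nothing) finds no
    folder for this device and injects nothing."""
    return driver_group_path(device) in OUT_OF_BOX_DRIVER_FOLDERS


if __name__ == "__main__":
    for model in ("Surface Pro 3", "Surface Pro 4", "Surface Book"):
        device = {"Make": "Microsoft Corporation", "Model": model}
        eff = resolve(CUSTOMSETTINGS_INI, device)
        print(f"{model}: TaskSequenceID={eff.get('tasksequenceid', '<wizard prompt>')} "
              f"SkipBitLocker={eff['skipbitlocker']} drivers={driver_folder_exists(device)}")
    print("cleartext credentials:", credential_findings(CUSTOMSETTINGS_INI))
```

Point the script at the real CustomSettings.ini and Bootstrap.ini from the deployment share to see which task sequence a given Model will receive without prompting, which models fall through to the wizard, and exactly where the cleartext passwords live before the share is updated and the boot image is published to WDS.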
Update deployment share
To update the deployment share, right-click the deployment share in the Deployment Workbench and click
Update Deployment Share, then proceed through the Update Deployment Share Wizard. See the Update and
import updated MDT boot media section of the Deploy Windows 10 to Surface devices with MDT article for
detailed steps.
Run the upgrade deployment
Unlike a traditional deployment, the upgrade task sequence must be launched from within the Windows
environment that will be upgraded. This requires a user on the device being upgraded to navigate to the
deployment share over the network and launch a script, LiteTouch.vbs. This is the same script that displays
the Windows Deployment Wizard in Windows PE in a traditional deployment; in this scenario, LiteTouch.vbs
runs within Windows. To perform the upgrade task sequence and deploy the upgrade to Windows 10, follow these
steps:
1. Browse to the network location of your deployment share in File Explorer.
2. Navigate to the Scripts folder, locate LiteTouch.vbs, and then double-click LiteTouch.vbs to start the
Windows Deployment Wizard.
3. Enter your credentials when prompted.
4. The upgrade task sequence for Surface Pro 3 devices will automatically start when the model of the device is
detected and determined to match the deployment share rules.
5. The upgrade process will occur automatically and without user interaction.
The task sequence will automatically install the drivers for Surface Pro 3 and the Surface app, and will perform any
outstanding Windows Updates. When it completes, it will log out and be ready for the user to log on with the
credentials they have always used for this device.
Customize the OOBE for Surface deployments
8/28/2018 • 3 minutes to read
This article walks you through the process of customizing the Surface out-of-box experience for end users in your
organization.
It is common practice in a Windows deployment to customize the user experience for the first startup of deployed
computers — the out-of-box experience, or OOBE.
NOTE
OOBE is also often used to describe the phase, or configuration pass, of Windows setup during which the user experience is
displayed. For more information about the OOBE phase of setup, see How Configuration Passes Work.
In some scenarios, you may want to provide complete automation to ensure that at the end of a deployment,
computers are ready for use without any interaction from the user. In other scenarios, you may want to leave key
elements of the experience for users to perform necessary actions or select between important choices. For
administrators deploying to Surface devices, each of these scenarios presents a unique challenge to overcome.
This article provides a summary of the scenarios where a deployment might require additional steps. It also
provides the required information to ensure that the desired experience is achieved on any newly deployed Surface
device. This article is intended for administrators who are familiar with the deployment process, as well as concepts
such as answer files and reference images.
NOTE
Although the OOBE phase of setup is still run during a deployment with an automated deployment solution such as the
Microsoft Deployment Toolkit (MDT) or System Center Configuration Manager Operating System Deployment (OSD), it is
automated by the settings supplied in the Deployment Wizard and task sequence. For more information see:
Deploy Windows 10 with the Microsoft Deployment Toolkit
Deploy Windows 10 with System Center 2012 R2 Configuration Manager
NOTE
You should copy the files from a factory image for the same model Surface device that you intend to deploy to. For example,
you should use the files from a Surface Pro 3 to deploy to Surface Pro 3, and the files from Surface Book to deploy Surface
Book, but you should not use the files from a Surface Pro 3 to deploy Surface Book or Surface Pro 4.
The step-by-step process for adding these required files to an image is described in Deploying Surface Pro 3 Pen
and OneNote Tips. This blog post also includes tips to ensure that the necessary updates for the Surface Pen Quick
Note-Taking Experience are installed, which allows users to send notes to OneNote with a single click.
Ethernet adapters and Surface deployment
6/27/2018 • 5 minutes to read
This article provides guidance and answers to help you perform a network deployment to Surface devices.
Network deployment to Surface devices can pose some unique challenges for system administrators. Due to the
lack of a native wired Ethernet adapter, administrators must provide connectivity through a removable Ethernet
adapter.
NOTE
In addition to an Ethernet adapter, a keyboard must also be connected to the Surface device to enter the preinstallation
environment and navigate the deployment wizard.
For Windows 10, version 1511 and later – including the Windows Assessment and Deployment Kit (Windows
ADK) for Windows 10, version 1511 – the drivers for Microsoft Surface Ethernet Adapters are present by default.
If you are using a deployment solution that uses Windows Preinstallation Environment (WinPE), like the Microsoft
Deployment Toolkit, and booting from the network with PXE, ensure that your deployment solution is using the
latest version of the Windows ADK.
Microsoft Surface Deployment Accelerator (SDA) provides a quick and simple deployment mechanism for
organizations to reimage Surface devices.
SDA includes a wizard that automates the creation and configuration of a Microsoft recommended deployment
experience by using free Microsoft deployment tools. The resulting deployment solution is complete with
everything you need to immediately begin the deployment of Windows to a Surface device. You can also use SDA
to create and capture a Windows reference image and then deploy it with the latest Windows updates.
SDA is built on the powerful suite of deployment tools available from Microsoft including the Windows
Assessment and Deployment Kit (ADK), the Microsoft Deployment Toolkit (MDT), and Windows Deployment
Services (WDS). The resulting deployment share encompasses the recommended best practices for managing
drivers during deployment and automating image creation and can serve as a starting point upon which you build
your own customized deployment solution.
You can find more information about how to deploy to Surface devices, including step-by-step walkthroughs of
customized deployment solution implementation, on the Deploy page of the Surface TechCenter.
Download Microsoft Surface Deployment Accelerator
You can download the installation files for SDA from the Microsoft Download Center. To download the installation
files:
1. Go to the Surface Tools for IT page on the Microsoft Download Center.
2. Click the Download button, select the Surface_Deployment_Accelerator_xxxx.msi file, and then click
Next.
NOTE
With SDA v1.9.0258, Surface Pro 3, Surface Pro 4, and Surface Book are supported for Windows 10 deployment, and Surface
Pro 3 is supported for Windows 8.1 deployment.
NOTE
Downloaded files do not need to be extracted. The downloaded files can be left as .zip files as long as they are stored in one
folder.
NOTE
Using files from a local directory is not supported when including Office 365 in your deployment share. To include Office 365
in your deployment share, select the Download from the Internet check box.
NOTE
To install a newer version of SDA on a server with a previous version of SDA installed, you only need to run the installation
file for the new version of SDA. The installer will handle the upgrade process automatically. If you used SDA to create a
deployment share prior to the upgrade and want to use new features of the new version of SDA, you will need to create a
new deployment share. SDA does not support upgrades of an existing deployment share.
Version 2.8.136.0
This version of SDA supports deployment of the following:
Surface Book 2
Surface Laptop
Surface Pro LTE
Version 2.0.8.0
This version of SDA supports deployment of the following:
Surface Pro
NOTE
SDA version 2.0.8.0 includes support only for Surface Pro, and does not support other Surface devices such as Surface Pro 4
or Surface Book. To deploy these devices, please continue to use SDA version 1.96.0405.
Version 1.96.0405
This version of SDA adds support for the following:
Microsoft Deployment Toolkit (MDT) 2013 Update 2
Office 365 Click-to-Run
Surface 3 and Surface 3 LTE
Reduced Windows Assessment and Deployment Kit (Windows ADK) footprint, only the following Windows
ADK components are installed:
Deployment tools
Windows Preinstallation Environment (WinPE)
User State Migration Tool (USMT)
Version 1.90.0258
This version of SDA adds support for the following:
Surface Book
Surface Pro 4
Windows 10
Version 1.90.0000
This version of SDA adds support for the following:
Local driver and app files can be used to create a deployment share without access to the Internet
Version 1.70.0000
This version is the original release of SDA. This version of SDA includes support for:
MDT 2013 Update 1
Windows ADK
Surface Pro 3
Windows 8.1
Related topics
Step by step: Surface Deployment Accelerator
Using the Surface Deployment Accelerator deployment share
Step by step: Surface Deployment Accelerator
10/1/2018 • 20 minutes to read
This article shows you how to install Microsoft Surface Deployment Accelerator (SDA), configure a deployment
share for the deployment of Windows to Surface devices, and perform a deployment to Surface devices. This
article also contains instructions on how to perform these tasks without an Internet connection or without support
for Windows Deployment Services network boot (PXE).
NOTE
SDA lets you create deployment shares for both Windows 8.1 and Windows 10 deployments, but you can only create a
single deployment share at a time. Therefore, to create both Windows 8.1 and Windows 10 deployment shares, you will need
to run the tool twice.
1. Open the SDA wizard by double-clicking the icon in the Surface Deployment Accelerator program
group on the Start screen.
2. On the Welcome page, click Next to continue.
3. On the Verify System page, the SDA wizard verifies the prerequisites required for an SDA deployment
share. This process also checks for the presence of the Windows Assessment and Deployment Kit (Windows
ADK) for Windows 10 and the Microsoft Deployment Toolkit (MDT) 2013 Update 2. If these tools are not
detected, they are downloaded and installed automatically. Click Next to continue.
NOTE
As of SDA version 1.96.0405, SDA will install only the components of the Windows ADK that are required for
deployment, as follows:
Deployment tools
User State Migration Tool (USMT)
Windows Preinstallation Environment (WinPE)
NOTE
As of SDA version 1.96.0405, SDA will install and use MDT 2013 Update 2. Earlier versions of SDA are compatible
only with MDT 2013 Update 1.
4. On the Windows 8.1 page, to create a Windows 10 deployment share, do not select the Would you like
to support Windows 8.1 check box. Click Next to continue.
5. On the Windows 10 page, to create a Windows 10 deployment share, select the Would you like to
support Windows 10 check box. Supply the following information before you click Next to continue:
Configure Deployment Share for Windows 10
Local Path – Specify or browse to a location on the local storage device where you would like
to store the deployment share files for the Windows 10 SDA deployment share. For example,
E:\SDAWin10\ is the location specified in Figure 3.
Share Name – Specify a name for the file share that will be used to access the deployment
share on this server from the network. For example, SDAWin10 is the deployment share
name shown in Figure 3. The local path folder is automatically shared by the SDA scripts
under this name to the group Everyone with a permission level of Full Control.
Windows 10 Deployment Services
Select the Import boot media into the local Windows Deployment Service check box if you
would like to boot your Surface devices from the network to perform the Windows deployment.
Windows Deployment Services must be installed and configured to respond to PXE boot
requests. See Windows Deployment Services Getting Started Guide for Windows Server 2012 for
more information about how to configure Windows Deployment Services for PXE boot.
Windows 10 Source Files
Local Path – Specify or browse to the root directory of Windows 10 installation files. If you have
an ISO file, mount it and browse to the root of the mounted drive. You must have a full set of
source files, not just Install.wim.
NOTE
You cannot select both Surface 3 and Surface 3 LTE models at the same time.
7. On the Summary page confirm your selections and click Finish to begin the creation of your deployment
share. The process can take several minutes as files are downloaded, the tools are installed, and the
deployment share is created. While the SDA scripts are creating your deployment share, an Installation
Progress window will be displayed, as shown in Figure 5. A typical SDA process includes:
Download of Windows ADK
Installation of Windows ADK
Download of MDT
Installation of MDT
Download of Surface apps and drivers
Creation of the deployment share
Import of Windows installation files into the deployment share
Import of the apps and drivers into the deployment share
Creation of rules and task sequences for Windows deployment
Figure 5. The Installation Progress window
NOTE
The following error message may occur while installing the latest ADK or MDT: "An exception occurred during a
WebClient request." This is caused by an incompatibility between SDA and BITS. The workaround is to edit the
$BITSTransfer input parameter of the SDA script so that it defaults to $False, as shown here:
```powershell
# Default BITS transfers to $False so the SDA script downloads without BITS
Param( [Parameter( Position=0, Mandatory=$False, HelpMessage="Download via BITS bool true/false" )]
[string]$BITSTransfer = $False )
```
8. When the SDA process completes the creation of your deployment share, a **Success** window is displayed.
Click **Finish** to close the window. At this point your deployment share is now ready to perform a Windows
deployment to Surface devices.
If you are unable to connect to the Internet with your deployment server, or if you want to download the
Surface drivers and apps separately, you can specify a local source for the driver an app files at the time of
deployment share creation. On the **Configure** page of the SDA wizard, select the **Copy from a Local
Directory** check box, as shown in Figure 6. The **Download from the Internet** check box will be
automatically deselected. Enter the folder location where you have placed the driver and app files in the
**Local Path** field, as shown in Figure 6.
>[!NOTE]
>All of the downloaded driver and applications files must be located in the same folder. If a required driver
>or application file is missing from the selected folder when you click **Next**, a warning is displayed and
>the wizard will not proceed to the next step.
>[!NOTE]
>The driver and app files do not need to be extracted from the downloaded .zip files.
>[!NOTE]
>Including Office 365 in your deployment share requires an Internet connection and cannot be performed if you
>use local files.
*Figure 6. Specify the Surface driver and app files from a local path*
>[!NOTE]
>The **Copy from a Local Directory** check box is only available in SDA version 1.90.0221 or later.
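The SDA scripts share the deployment folder to the group Everyone with Full Control (see the **Share Name** setting in step 5). On a production network that means any user who can reach the server can modify task sequences, scripts and images that will later run as SYSTEM on every deployed device. The following function is an added example, not part of SDA or MDT, that replaces the Everyone entry with a least-privilege grant. It assumes the share name SDAWin10 from the walkthrough and a dedicated deployment account named CONTOSO\MDT_BA (a placeholder; use the account referenced by your Bootstrap.ini).

```powershell
# Added example (not from SDA or MDT): tighten the SMB share permissions that the
# SDA scripts create. Assumptions: share SDAWin10, deployment account CONTOSO\MDT_BA.
#Requires -RunAsAdministrator
#Requires -Modules SmbShare

function Set-SdaShareAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]$ShareName,
        [Parameter(Mandatory)] [string]$DeployAccount,
        # MDT needs write access on the share so the Deployment Wizard can write
        # logs and the "Create Windows Reference Image" task sequence can drop
        # the captured WIM into the Captures folder; Read is enough for deploy-only.
        [ValidateSet('Read', 'Change')] [string]$AccessRight = 'Change'
    )

    $share = Get-SmbShare -Name $ShareName -ErrorAction Stop
    Write-Verbose "Current share ACL for $ShareName ($($share.Path)):"
    Get-SmbShareAccess -Name $ShareName | ForEach-Object {
        Write-Verbose ("  {0,-30} {1,-6} {2}" -f $_.AccountName, $_.AccessControlType, $_.AccessRight)
    }

    if ($PSCmdlet.ShouldProcess($ShareName, "grant $AccessRight to $DeployAccount and revoke Everyone")) {
        # Grant first, so the share is never left without a usable entry.
        Grant-SmbShareAccess -Name $ShareName -AccountName $DeployAccount `
            -AccessRight $AccessRight -Force | Out-Null
        Grant-SmbShareAccess -Name $ShareName -AccountName 'BUILTIN\Administrators' `
            -AccessRight Full -Force | Out-Null
        Revoke-SmbShareAccess -Name $ShareName -AccountName 'Everyone' -Force | Out-Null
    }

    # Share permissions are only one gate: the NTFS ACL on the local folder
    # ($share.Path) still applies, so keep it at least as tight (Modify for the
    # deployment account, no write access for other users).
    Get-SmbShareAccess -Name $ShareName
}

# Example usage on the SDA server (dry run first, then apply):
# Set-SdaShareAccess -ShareName 'SDAWin10' -DeployAccount 'CONTOSO\MDT_BA' -Verbose -WhatIf
# Set-SdaShareAccess -ShareName 'SDAWin10' -DeployAccount 'CONTOSO\MDT_BA'
```

Run it once per deployment share the wizard created (the Windows 8.1 share needs the same treatment). The function returns the resulting share ACL so the change can be verified and recorded.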
### <a href="" id="optional"></a>Optional: Prepare offline USB media
You can use USB media to perform an SDA deployment if your Surface device is unable to boot from the network.
For example, if you do not have a Microsoft Surface Ethernet Adapter or Microsoft Surface dock to facilitate
network boot (PXE boot). The USB drive produced by following these steps includes a complete copy of the SDA
deployment share and can be run on a Surface device without a network connection.
>[!NOTE]
>The offline media files for the complete SDA deployment share are approximately 9 GB in size. Your USB drive
must be at least 9 GB in size. A 16 GB USB drive is recommended.
Before you can create bootable media files within the MDT Deployment Workbench or copy those files to a USB
drive, you must first configure that USB drive to be bootable. Using [DiskPart](https://go.microsoft.com/fwlink/p/?LinkId=761073),
create a partition, format the partition as FAT32, and set the partition to be active. To run DiskPart, open an
administrative PowerShell or Command Prompt window, and then run the following sequence of commands, as shown
in Figure 7:
1. **diskpart** – Starts DiskPart.
2. **list disk** – Displays a list of the disks available in your system; use this list to identify the disk
number that corresponds with your USB drive.
3. **sel disk 2** – Selects your USB drive; use the number that corresponds with the disk in your system.
4. **clean** – Removes all partition information and data from the selected drive.
>[!WARNING]
>This step will remove all information from your drive. Verify that your USB drive does not contain any
>needed data before you perform the **clean** command.
5. **create partition primary** – Creates a new primary partition on the drive.
6. **format fs=fat32 quick** – Formats the partition with the FAT32 file system, performing a quick format.
FAT32 is required to boot the device from UEFI systems like Surface devices.
7. **assign** – Assigns the next available drive letter to the newly created FAT32 volume.
8. **active** – Sets the partition to be active, which is required to boot the volume.
9. **exit** – Exits DiskPart, after which you can close the PowerShell or Command Prompt window.
>[!NOTE]
>You can format your USB drive with FAT32 from Disk Management, but you must still use DiskPart to set the
>partition as active for the drive to boot properly.
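The DiskPart sequence above is interactive, and a mistyped disk number cleans the wrong disk. The function below is an added example (not from the article or from MDT) that performs the same steps (clean, create a primary partition, format FAT32 quick, assign, active) with the Storage module cmdlets, and refuses to touch a disk that is the boot or system disk, that is not on the USB bus, or that is too small for the roughly 9 GB of offline media. It assumes the USB drive reports BusType USB in Get-Disk.

```powershell
# Added example (not from the page): prepare a USB drive for MDT offline media
# with guards that DiskPart does not give you. Assumes the drive shows BusType 'USB'.
#Requires -RunAsAdministrator
#Requires -Modules Storage

function Initialize-SdaBootUsb {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [uint32]$DiskNumber,
        [string]$Label = 'SDAMEDIA',
        # The article's offline media is about 9 GB; refuse anything smaller.
        [uint64]$MinimumSizeBytes = 9GB
    )

    $disk = Get-Disk -Number $DiskNumber -ErrorAction Stop

    # Never clean the OS disk or a non-USB disk, whatever number was typed.
    if ($disk.IsBoot -or $disk.IsSystem) {
        throw "Disk $DiskNumber is the boot/system disk; refusing to clean it."
    }
    if ($disk.BusType -ne 'USB') {
        throw "Disk $DiskNumber is on bus '$($disk.BusType)', not USB; refusing to clean it."
    }
    if ($disk.Size -lt $MinimumSizeBytes) {
        throw ("Disk $DiskNumber is {0:N1} GB; at least {1:N0} GB is needed for the SDA media." -f
            ($disk.Size / 1GB), ($MinimumSizeBytes / 1GB))
    }
    # Windows will not create a FAT32 volume larger than 32 GB.
    if ($disk.Size -gt 32GB) {
        throw "Disk $DiskNumber is larger than 32 GB; Windows cannot format it as FAT32."
    }

    $target = "disk $DiskNumber ($($disk.FriendlyName), $([math]::Round($disk.Size / 1GB, 1)) GB)"
    if (-not $PSCmdlet.ShouldProcess($target, 'Erase all data and create a FAT32 active partition')) {
        return
    }

    # DiskPart "clean": removes every partition and all data, leaving the disk uninitialised.
    Clear-Disk -Number $DiskNumber -RemoveData -RemoveOEM -Confirm:$false
    # An active partition is an MBR concept, matching the article's "active" step.
    Initialize-Disk -Number $DiskNumber -PartitionStyle MBR
    # DiskPart "create partition primary", "assign" and "active" in one call.
    $partition = New-Partition -DiskNumber $DiskNumber -UseMaximumSize -IsActive -AssignDriveLetter
    # DiskPart "format fs=fat32 quick" (Format-Volume is a quick format unless -Full is given).
    $volume = Format-Volume -Partition $partition -FileSystem FAT32 -NewFileSystemLabel $Label -Confirm:$false

    # Return what was done so it can be checked before copying the media files.
    [pscustomobject]@{
        DiskNumber  = $DiskNumber
        DriveLetter = $partition.DriveLetter
        FileSystem  = $volume.FileSystem
        IsActive    = (Get-Partition -DiskNumber $DiskNumber -PartitionNumber $partition.PartitionNumber).IsActive
    }
}

# Example usage: list candidate USB disks, then prepare the chosen one.
# Get-Disk | Where-Object BusType -eq 'USB' | Format-Table Number, FriendlyName, Size, BusType
# Initialize-SdaBootUsb -DiskNumber 2 -WhatIf   # dry run, nothing is erased
# Initialize-SdaBootUsb -DiskNumber 2           # prompts before erasing
```

The function returns the drive letter, file system and active flag so the result can be verified before the media content is copied to it.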
After you have prepared the USB drive for boot, the next step is to generate offline media from the SDA
deployment share. To create this media, follow these steps:
1. Open the **Deployment Workbench** from the **Microsoft Deployment Toolkit** group on your Start screen.
2. Expand the **Deployment Shares** node and the **Microsoft Surface Deployment Accelerator** deployment
share.
3. Expand the folder **Advanced Configuration** and select the **Media** folder.
4. Right-click the **Media** folder and click **New Media** as shown in Figure 8 to start the New Media
Wizard.
5. On the **General Settings** page in the **Media path** field, enter or browse to a folder where you will
create the files for the new offline media. See the example **E:\\SDAMedia** in Figure 9. Leave the default
profile **Everything** selected in the **Selection profile** drop-down menu, and then click **Next**.
*Figure 9. Specify a location and selection profile for your offline media*
6. On the **Summary** page verify your selections, and then click **Next** to begin creation of the media.
9. Right-click the **Microsoft Surface Deployment Accelerator** deployment share folder, click
**Properties**, and then click the **Rules** tab as shown in Figure 10.

10. Use your mouse to highlight all of the text displayed in the text box of the **Rules** tab, and then press
**Ctrl+C** to copy the text.
11. Click **OK** to close the **Microsoft Surface Deployment Accelerator** deployment share properties.
12. Right-click the newly created **MEDIA001** item in the **Media** folder, click **Properties**, and then
click the **Rules** tab.
13. Use your mouse to highlight all of the text displayed in the text box of the **Rules** tab, and then press
**Ctrl+V** to paste the text you copied from the **Microsoft Surface Deployment Accelerator** deployment share
rules.
14. Right-click the **Microsoft Surface Deployment Accelerator** deployment share folder, click
**Properties**, and then click the **Rules** tab again. Click the **Bootstrap.ini** button to open
Bootstrap.ini in Notepad.
15. Press **Ctrl+A** to select all of the text in the window, and then press **Ctrl+C** to copy the text.
16. Close Bootstrap.ini and click **OK** in **Microsoft Surface Deployment Accelerator** deployment share
properties to close the window.
17. Right-click the newly created **MEDIA001** item in the **Media** folder, click **Properties**, and then
click the **Rules** tab again. Click the **Bootstrap.ini** button to open Bootstrap.ini in Notepad.
18. Press **Ctrl+A** to select all of the text in the window, then press **Ctrl+V** to paste the text from the
SDA deployment share Bootstrap.ini file.
19. Delete the following lines from the Bootstrap.ini as shown in Figure 11, and then save the file:
```
UserID=
UserDomain=
UserPassword=
DeployRoot=\\SDASERVER\SDAWin10
UserID=
UserDomain=
UserPassword=
```
21. In the **Deployment Workbench** under the **Media** folder, right-click the newly created **MEDIA001** and
click **Update Media Content**, as shown in Figure 12. This will update the media files with the content of
the **Microsoft Surface Deployment Accelerator** deployment share.

22. The **Update Media Content** window is displayed and shows the progress as the media files are created.
When the process completes, click **Finish.**
The final step is to copy the offline media files to your USB drive.
1. In File Explorer, open the path you specified in Step 5, for example **E:\\SDAMedia**.
2. Copy all of the files from the Content folder to the root of the USB drive.
Your USB drive is now configured as bootable offline media that contains all of the resources required to
perform a deployment to a Surface device.
The SDA deployment share is configured with all of the resources required to perform a Windows deployment to a
Surface device. These resources include Windows source files, image, Surface drivers, and Surface apps. The
deployment share also contains two pre-configured task sequences, as shown in Figure 13. These task sequences
contain the steps required to perform a deployment to a Surface device using the default Windows image from
the installation media or to create a reference image complete with Windows updates and applications. To learn
more about task sequences, see [MDT 2013 Update 2 Lite Touch components](https://technet.microsoft.com/itpro/windows/deploy/mdt-2013-lite-touch-components).
The **1 – Deploy Microsoft Surface** task sequence is used to perform a complete deployment of Windows to a
Surface device. This task sequence is pre-configured by the SDA wizard and is ready to perform a deployment as
soon as the wizard completes. Running this task sequence on a Surface device deploys the unaltered Windows
image copied directly from the Windows installation media you specified in the SDA wizard, along with the
Surface drivers for your device. The drivers for your Surface device will be automatically selected through
the pre-configured deployment share rules.
When you run the task sequence, you will be prompted to provide the following information:
- A computer name
- Your domain information and the credentials required to join the domain
>[!NOTE]
>If you are deploying the same version of Windows as the version that came on your device, no product key
>is required.
- A time zone
- An Administrator password
The Surface apps you specified on the **Configure** page of the SDA wizard are automatically installed when
you run this task sequence on a Surface device.
Like the **1 – Deploy Microsoft Surface** task sequence, the **2 – Create Windows Reference Image** task
sequence performs a deployment of the unaltered Windows image directly from the installation media. Creation
of a reference image should always be performed on a virtual machine. Using a virtual machine as your
reference system helps to ensure that the resulting image is compatible with different hardware
configurations.
>[!NOTE]
>Using a virtual machine when you create a reference image for Windows deployment is a recommended practice
>for performing Windows deployments with Microsoft deployment tools including the Microsoft Deployment Toolkit
>and System Center Configuration Manager. These Microsoft deployment technologies use the hardware agnostic
>images produced from a virtual machine and a collection of managed drivers to deploy to different
>configurations of hardware. For more information, see [Deploy a Windows 10 image using MDT 2013 Update 2](https://technet.microsoft.com/itpro/windows/deploy/deploy-a-windows-10-image-using-mdt).
In addition to the information required by the **1 – Deploy Microsoft Surface** task sequence, you will also
be prompted to capture an image when you run this task sequence on your reference virtual machine. The
**Location** and **File name** fields are automatically populated with the proper information for your
deployment share. All that you need to do is select the **Capture an image of this reference computer** option
when you are prompted on the **Capture Image** page of the Windows Deployment Wizard.
To perform a deployment from the SDA deployment share, follow this process on the Surface device:
1. Boot the Surface device to MDT boot media for the SDA deployment share. You can do this over the network
by using PXE boot, or from a USB drive as described in the [Optional: Prepare offline USB media](#optional)
section of this article.
2. Select the deployment share for the version of Windows you intend to deploy and enter your credentials
when you are prompted.
3. Select the task sequence you want to run, usually the **1 – Deploy Microsoft Surface** task sequence.
4. Address the task sequence prompts to pick applications, supply a password, and so on.
5. The task sequence performs the automated deployment using the options specified.
To boot the Surface device from the network, the Microsoft Surface Deployment Accelerator wizard must have
been run on a Windows Server 2012 R2 or later environment that was configured with the Windows Deployment
Services (WDS). WDS must have been configured to respond to network boot (PXE boot) requests and the boot
files must have been imported into WDS. The SDA wizard will import these files automatically if the **Import
boot media into the local Windows Deployment Service** check box was selected on the page for the version of
Windows you intend to deploy.
To boot the Surface device from the network, you must also use a Microsoft Surface Ethernet Adapter or the
Ethernet port on a Microsoft Surface Dock. Third-party Ethernet adapters are not supported for network boot
(PXE boot). A keyboard is also required. Both the Microsoft Surface Type Cover and keyboards connected via USB
to the device or dock are supported.
To instruct your Surface device to boot from the network, start with the device powered off and follow these
steps:
1. Press and hold the **Volume Down** button, press and release the **Power** button. Continue holding the
**Volume Down** button until the device has begun to boot from the network.
2. Press **Enter** when prompted by the dialog on the screen. This prompt indicates that your device has
found the WDS PXE server over the network.
3. If you have configured more than one deployment share on this device, you will be prompted to select
between the boot images for each deployment share. For example, if you created both a Windows 10 and a Windows
8.1 deployment share, you will be prompted to choose between these two options.
4. Enter the domain credentials that you use to log on to the server where SDA is installed when you are
prompted, as shown in Figure 14.
5. The Windows Deployment Wizard will start from the deployment share to walk you through the deployment
process.
To boot the Surface device from the USB drive you prepared, start with the device powered off and follow
these steps:
1. Press and hold the **Volume Down** button, press and release the **Power** button. Continue holding the
**Volume Down** button until the device has begun to boot from the USB drive.
2. The Windows Deployment Wizard will start from the deployment share to walk you through the deployment
process.
When the Windows Deployment Wizard starts, complete its pages as follows:
1. On the **Task Sequence** page, select the **1 – Deploy Microsoft Surface** task sequence as shown in
Figure 15, and then click **Next.**
2. On the **Computer Details** page, type a name for the Surface device in the **Computer Name** box. In the
**Join a domain** section, type your domain name and credentials as shown in Figure 16, and then click
**Next**.
3. On the **Product Key** page, keep the **No product key is required** check box selected if you are
deploying the same version and edition of Windows to your Surface devices as they came with from the factory.
If you are deploying a different version or edition of Windows to the device, such as Windows Enterprise,
select the licensing option that is applicable to your scenario.
4. On the **Locale and Time** page, select your desired **Language Settings** and **Time Zone**, and then
click **Next.**
5. On the **Administrator Password** page, type a password for the local Administrator account on the Surface
device, and then click **Next.**
6. On the **BitLocker** page, select the **Enable BitLocker** option along with your desired configuration of
BitLocker protectors if you want to encrypt the device. Otherwise, keep the **Do not enable BitLocker for this
computer** check box selected, and then click **Next.**
7. On the **Ready** page, verify your selections and then click **Begin** to start the automated deployment
to this device. The deployment will not require user interaction again. The Windows Deployment Wizard will
close and an **Installation Progress** window is displayed to show progress of the task sequence as the image
is applied and applications are installed (Figure 17).
8. When the deployment task sequence completes, a **Success** window is displayed. Click **Finish** to
complete the deployment and begin using your Surface device.
Using the Microsoft Surface Deployment Accelerator deployment share
5/10/2018 • 11 minutes to read
With Microsoft Surface Deployment Accelerator (SDA), you can quickly and easily set up a deployment solution
that is ready to deploy Windows to Surface devices. The prepared environment is built on powerful deployment
technologies available from Microsoft, such as the Microsoft Deployment Toolkit (MDT), and is capable of
immediately performing a deployment after configuration. See Step-by-Step: Surface Deployment Accelerator for
a comprehensive walkthrough of using the SDA wizard to set up a deployment share and perform a deployment.
For more information about SDA and information on how to download SDA, see Microsoft Surface Deployment
Accelerator (SDA).
Using SDA provides these primary benefits:
With SDA, you can create a ready-to-deploy environment that can deploy to target devices as fast as your
download speeds allow. The wizard experience enables you to check a few boxes and then the automated
process builds your deployment environment for you.
With SDA, you prepare a deployment environment built on the industry leading deployment solution of
MDT. With MDT you can scale from a relatively basic deployment of a few Surface devices to a solution
capable of deploying to thousands of devices including all of the different makes and models in your
organization and all of the applications required by each device and user.
This article explores four scenarios where you can use SDA to meet the needs of your organization. See Deploy
Windows 10 to explore the capabilities of MDT and the Windows deployment technologies available from
Microsoft in greater detail.
NOTE
A pilot deployment should not replace the testing process that should be performed regularly in the lab as the deployment
environment is built and developed. A deployment solution should be tested in virtual and physical environments as new
applications and drivers are added and when task sequences are modified and before a pilot deployment is performed.
For example, you are tasked with deploying Surface devices to mobile workers and you want to test the
organization’s MDT deployment process by providing a small number of devices to executives. You can use SDA to
create an isolated Surface deployment environment and then copy the task sequence, applications, and drivers
needed from the production deployment share. This not only enables you to quickly create a Surface deployment,
but it also minimizes the risk to the production deployment process used for other types of devices.
For small organizations, the pilot deployment environment of SDA may suffice as a complete deployment solution.
Even if you do not have an existing deployment environment, you can import drivers and applications (covered
later in this article) to provide a complete deployment solution based on MDT. Even without previous knowledge
of MDT or Windows deployment, you can follow the Step-by-Step: Surface Deployment Accelerator article to get
started with a deployment to Surface devices.
NOTE
You can even import drivers for other computer makes and models to support other devices. See Step 5: Prepare the
drivers repository in Deploy a Windows 10 image using MDT 2013 Update 2 for more information about how to import
drivers for other makes and models.
Battery Limit option is a UEFI setting that changes how the Surface device battery is charged and may prolong its
longevity. This setting is recommended in cases in which the device is continuously connected to power, for
example when devices are integrated into kiosk solutions.
Default Value: 0
Proposed Value: 0
NOTE
To configure this setting, you must use SP3_Firmware_Powershell_Scripts.zip.
Surface firmware and driver updates
11/14/2018 • 2 minutes to read
Find out how to download and manage the latest firmware and driver updates for your Surface device.
In this section
TOPIC DESCRIPTION
Wake On LAN for Surface devices See how you can use Wake On LAN to remotely wake up
devices to perform management or maintenance tasks, or to
enable management solutions automatically.
Download the latest firmware and drivers for Surface devices Get a list of the available downloads for Surface devices and
links to download the drivers and firmware for your device.
Manage Surface driver and firmware updates Explore the available options to manage firmware and driver
updates for Surface devices.
Related topics
Surface TechCenter
Surface for IT pros blog
Download the latest firmware and drivers for Surface devices
11/15/2018 • 7 minutes to read
This article provides a list of the available downloads for Surface devices and links to download the drivers and
firmware for your device.
As easy as it is to keep Surface device drivers and firmware up to date automatically with Windows Update, it is
sometimes necessary to download and install updates manually, such as during a Windows deployment. For any
situation where you need to install drivers and firmware separately from Windows Update, you can find the files
available for download at the Microsoft Download Center.
On the Microsoft Download Center page for your device, you will find several files available. These files allow you
to deploy drivers and firmware in various ways. You can read more about the different deployment methods for
Surface drivers and firmware in Manage Surface driver and firmware updates.
Driver and firmware updates for Surface devices are cumulative updates which provide comprehensive
roundups of all of the latest files for the Surface device running that version of Windows.
Installation files for administrative tools, drivers for accessories, and updates for Windows are also available for
some devices and are detailed here in this article.
NOTE
To simplify the process of locating drivers for your device, downloads for Surface devices have been reorganized to separate
pages for each model. Bookmark the Microsoft Download Center page for your device from the links provided on this page.
Many of the filenames contain a placeholder denoted with xxxxxx, which identifies the current version number or date of the
file.
Recent additions to the downloads for Surface devices provide you with options to install Windows 10 on your
Surface devices and update LTE devices with the latest Windows 10 drivers and firmware.
NOTE
A battery charge of 40% or greater is required before you install firmware to a Surface device. See Microsoft Support article
KB2909710 for more information.
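When firmware and drivers are installed outside Windows Update, two checks from this article are worth automating before msiexec runs: the package must be a genuine Microsoft-signed download, and the battery must be at 40% or more. The function below is an added example, not Microsoft's tooling, that performs both checks and returns a ready/not-ready decision. The file path C:\SurfaceUpdates\SurfacePro4_Win10_xxxxx_xxxxxx.msi is a placeholder in the same form as the Download Center filenames.

```powershell
# Added example (not from the page): pre-flight checks before a manual Surface
# firmware/driver .msi install. Assumption: packages are staged under C:\SurfaceUpdates.

function Test-SurfaceUpdatePackage {
    param(
        [Parameter(Mandatory)] [string]$Path,
        # The article requires a 40% charge before firmware is applied.
        [int]$MinimumBatteryPercent = 40
    )
    $problems = @()

    # 1. Authenticode: a valid signature, and one issued to Microsoft rather than
    #    merely "some" valid signature.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        $problems += "signature status is $($sig.Status)"
    } elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        $problems += "signed by '$($sig.SignerCertificate.Subject)', not Microsoft"
    }

    # 2. Battery level. Win32_Battery is absent on a desktop such as Surface Studio,
    #    in which case the check is skipped.
    $battery = Get-CimInstance -ClassName Win32_Battery -ErrorAction SilentlyContinue
    if ($battery) {
        $charge = ($battery | Measure-Object -Property EstimatedChargeRemaining -Minimum).Minimum
        if ($charge -lt $MinimumBatteryPercent) {
            $problems += "battery at $charge%, below the $MinimumBatteryPercent% required for firmware"
        }
    }

    [pscustomobject]@{
        Path     = $Path
        Signer   = $sig.SignerCertificate.Subject
        Ready    = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Example usage: install silently only when every check passes, with a verbose
# log for troubleshooting. Paths are placeholders.
# $pkg   = 'C:\SurfaceUpdates\SurfacePro4_Win10_xxxxx_xxxxxx.msi'
# $check = Test-SurfaceUpdatePackage -Path $pkg
# if ($check.Ready) {
#     Start-Process -FilePath msiexec.exe -Wait -ArgumentList @(
#         '/i', "`"$pkg`"", '/qn', '/norestart', '/l*v', 'C:\SurfaceUpdates\install.log')
# } else {
#     Write-Warning ("Not installing {0}: {1}" -f $pkg, ($check.Problems -join '; '))
# }
```

The signer check matches the certificate subject rather than trusting any valid signature, because a package re-signed by an unrelated publisher would otherwise pass; the battery threshold is a parameter so it can be raised for devices that will restart several times during the update.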
Surface GO
Download the following updates for Surface GO from the Microsoft Download Center.
SurfaceGO_Win10_17134_1802010_6.msi - Cumulative firmware and driver update package for Windows 10
Surface Book 2
Download the following updates for Surface Book 2 from the Microsoft Download Center.
SurfaceBook2_Win10_xxxxx_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10
Surface Laptop
Download the following updates for Surface Laptop from the Microsoft Download Center.
SurfaceLaptop_Win10_xxxxx_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10
Surface Pro
Download the following updates for Surface Pro (Model 1796) from the Microsoft Download Center.
SurfacePro_Win10_xxxxx_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10
Surface Pro 6
Download the following updates for Surface Pro 6 from the Microsoft Download Center.
SurfacePro6_Win10_17134_xxxxx_xxxxxx.msi
Surface Studio
Download the following updates for Surface Studio from the Microsoft Download Center.
SurfaceStudio_Win10_xxxxx_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10
Surface Book
Download the following updates for Surface Book from the Microsoft Download Center.
SurfaceBook_Win10_xxxxx_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10
SurfaceBook_Win10_xxxxx_xxxxxx.zip – Cumulative firmware and driver update package for Windows 10
Wintab-xxxxx-64-bit.zip – Tablet driver update for all supported x64-based versions of Windows 8.1
Surface Pro 4
Download the following updates for Surface Pro 4 from the Microsoft Download Center.
SurfacePro4_Win10_xxxxx_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10
SurfacePro4_Win10_xxxxx_xxxxxx.zip – Cumulative firmware and driver update package for Windows 10
Wintab-xxxxx-64-bit.zip – Tablet driver update for all supported x64-based versions of Windows 8.1
Surface Pro 3
Download the following updates for Surface Pro 3 from the Microsoft Download Center.
SurfacePro3_Win10_xxxxx_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10
SurfacePro3_Win10_xxxxx_xxxxxx.zip – Cumulative firmware and driver update package for Windows 10
SurfacePro3_Win8x_xxxxx_xxxxxx.msi – Cumulative firmware and driver update package for Windows 8.1 Pro
SurfacePro3_Win8x_xxxxx_xxxxxx.zip – Cumulative firmware and driver update package for Windows 8.1 Pro
Surface Firmware Tool.msi – Firmware tools for UEFI management
Surface Pro 3 AssetTag.zip – UEFI Asset Tag management tool
Surface Pro 3 KB2978002.zip – Update for Quick Note-Taking Experience feature in Windows 8.1
Windows8.1-KB2969817-x64.msu – Fixes an issue that causes Surface devices to reboot twice after
firmware updates are installed on all supported x64-based versions of Windows 8.1
Wintab-xxxxx-64-bit.zip – Tablet driver update for all supported x64-based versions of Windows 8.1
Surface 3
Download the following updates for Surface 3 from the Microsoft Download Center.
Surface3_WiFi_Win10_xxxxx_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10
Surface3_WiFi_Win10_xxxxx_xxxxxx.zip – Cumulative firmware and driver update package for Windows 10
Surface3_WiFi_Win8x_xxxxx_xxxxxx.msi – Cumulative firmware and driver update package for Windows 8.1 Pro
Surface3_WiFi_Win8x_xxxxx_xxxxxx.zip – Cumulative firmware and driver update package for Windows 8.1 Pro
Surface 3 AssetTag.zip – UEFI Asset Tag management tool
Wintab-xxxxx-64-bit.zip – Tablet driver update for all supported x64-based versions of Windows 8.1
Surface 3 LTE
Download the following updates for AT&T 4G LTE versions of Surface 3 from the Microsoft Download Center.
Surface3_4GLTE-ATT_Win10_xxxxx_xxxxxx.msi – Surface 3 LTE AT&T - Cumulative firmware and driver update for locked carrier dependent AT&T devices in the US, running Windows 10
Surface3_4GLTE-ATT_Win10_xxxxx_xxxxxx.zip – Surface 3 LTE AT&T - Cumulative firmware and driver update for locked carrier dependent AT&T devices in the US, running Windows 10
Surface3_4GLTE-ATT_Win8x_xxxxx_xxxxxx.msi – Surface 3 LTE AT&T - Cumulative firmware and driver update for locked carrier dependent AT&T devices in the US, running Windows 8.1 Pro
Surface3_4GLTE-ATT_Win8x_xxxxx_xxxxxx.zip – Surface 3 LTE AT&T - Cumulative firmware and driver update for locked carrier dependent AT&T devices in the US, running Windows 8.1 Pro
Surface 3 AssetTag.zip – UEFI Asset Tag management tool
Wintab-xxxxx-64-bit.zip – Tablet driver update for all supported x64-based versions of Windows 8.1
Download the following updates for non-AT&T 4G LTE versions of Surface 3 from the Microsoft Download
Center.
Surface3_4GLTE-NorthAmericaUnlocked_Win10_xxxxx_xxxxxx.msi – Surface 3 LTE North America - Cumulative firmware and driver update for unlocked carrier independent devices in the US, running Windows 10
Surface3_4GLTE-NorthAmericaUnlocked_Win10_xxxxx_xxxxxx.zip – Surface 3 LTE North America - Cumulative firmware and driver update for unlocked carrier independent devices in the US, running Windows 10
Surface3_4GLTE-NorthAmericaUnlocked_Win8x_xxxxx_xxxxxx.msi – Surface 3 LTE North America - Cumulative firmware and driver update for unlocked carrier independent devices in the US, running Windows 8.1 Pro
Surface3_4GLTE-NorthAmericaUnlocked_Win8x_xxxxx_xxxxxx.zip – Surface 3 LTE North America - Cumulative firmware and driver update for unlocked carrier independent devices in the US, running Windows 8.1 Pro
Surface 3 AssetTag.zip – UEFI Asset Tag management tool
Wintab-xxxxx-64-bit.zip – Tablet driver update for all supported x64-based versions of Windows 8.1
Download the following updates for 4G LTE Surface 3 versions for regions outside North America from the
Microsoft Download Center.
Surface3_4GLTE-RestOfTheWorld_Win10_xxxxx_xxxxxx.msi – Surface 3 LTE rest of the world cumulative - Cumulative firmware and driver update for carrier independent devices outside of the US, as well as for Japan, running Windows 10
Surface3_4GLTE-RestOfTheWorld_Win10_xxxxx_xxxxxx.zip – Surface 3 LTE rest of the world cumulative - Cumulative firmware and driver update for carrier independent devices outside of the US, as well as for Japan, running Windows 10
Surface3_4GLTE-RestOfTheWorld_Win8x_xxxxx_xxxxxx.msi – Surface 3 LTE rest of the world cumulative - Cumulative firmware and driver update for carrier independent devices outside of the US, as well as for Japan, running Windows 8.1 Pro
Surface3_4GLTE-RestOfTheWorld_Win8x_xxxxx_xxxxxx.zip – Surface 3 LTE rest of the world cumulative - Cumulative firmware and driver update for carrier independent devices outside of the US, as well as for Japan, running Windows 8.1 Pro
Surface 3 AssetTag.zip – UEFI Asset Tag management tool
Wintab-xxxxx-64-bit.zip – Tablet driver update for all supported x64-based versions of Windows 8.1
Surface Pro 2
Download the following updates for Surface Pro 2 from the Microsoft Download Center.
SurfacePro2_Win10_xxxxxx.zip – Cumulative firmware and driver update package for Windows 10
SurfacePro2_Win8x_xxxxxx.zip – Cumulative firmware and driver update package for Windows 8.1 Pro
Surface Ethernet Adapter.zip – x64 Ethernet adapter drivers
Surface Gigabit Ethernet Adapter.zip – x64 Ethernet adapter drivers
Windows8.1-KB2969817-x64.msu – Fixes an issue that causes Surface devices to reboot twice after
firmware updates are installed on all supported x64-based versions of Windows 8.1
Surface Pro
Download the following updates for Surface Pro (Model 1514) from the Microsoft Download Center.
SurfacePro_Win10_xxxxxx.zip – Cumulative firmware and driver update package for Windows 10
Surface Pro 1 - xxxxxx.zip – Cumulative firmware and driver update package for Windows 8.1 Pro
Surface Ethernet Adapter.zip – x64 Ethernet adapter drivers
Surface Gigabit Ethernet Adapter.zip – x64 Ethernet adapter drivers
Windows8.1-KB2969817-x64.msu – Fixes an issue that causes Surface devices to reboot twice after
firmware updates are installed on all supported x64-based versions of Windows 8.1
This article describes the available options to manage firmware and driver updates for Surface devices.
For a list of the available downloads for Surface devices and links to download the drivers and firmware for your
device, see Download the latest firmware and drivers for Surface devices.
On Surface devices, the firmware is exposed to the operating system as a driver and is visible in Device Manager.
This allows a Surface device firmware to be automatically updated along with all drivers through Windows
Update. This mechanism provides a seamless, automatic experience to receive the latest firmware and driver
updates. Although automatic updating is easy for end users, updating firmware and drivers automatically may not
always apply to organizations and businesses. Automatic updates with Windows Update may not be applicable
where updates are carefully managed, or when you deploy a new operating system to a Surface device.
NOTE
Updating Surface Dock firmware requires connectivity to the Surface Dock via the Surface Connect™ port. Installation of the
Microsoft Surface Dock Updater is only supported on devices that feature the Surface Connect™ port.
NOTE
The Surface Dock Updater tool is unable to run on Windows 10 S. Surface Dock devices used with Surface Laptop with
Windows 10 S will receive updates natively through Windows Update. To manually update a Surface Dock for use with
Surface Laptop and Windows 10 S, connect the Surface Dock to another Surface device with a Windows 10 Pro or Windows
10 Enterprise environment.
NOTE
The LED in the Ethernet port of the dock will blink while the update is in progress. Please wait until the LED stops
blinking before you unplug your Surface Dock from power.
12105 Error
Figure 8. Surface Dock Updater events in Event Viewer
NOTE
Each update to Surface Dock firmware is included in a new version of Surface Dock Updater. To update a Surface Dock to the
latest firmware, you must use the latest version of Surface Dock Updater.
Version 2.23.139.0
Release Date: 10 October 2018
This version of Surface Dock Updater adds support for the following:
Add support for Surface Pro 6
Add support for Surface Laptop 2
Version 2.22.139.0
Release Date: 26 July 2018
This version of Surface Dock Updater adds support for the following:
Increase update reliability
Add support for Surface Go
Version 2.12.136.0
Release Date: 29 January 2018
This version of Surface Dock Updater adds support for the following:
Update for Surface Dock Main Chipset Firmware
Update for Surface Dock DisplayPort Firmware
Improved display stability for external displays when used with Surface Book or Surface Book 2
Additionally, installation of this version of Surface Dock Updater on Surface Book devices includes the following:
Update for Surface Book Base Firmware
Added support for Surface Dock firmware updates with improvements targeted to Surface Book devices
NOTE
Before the Surface Dock firmware update applied by Surface Dock Updater v2.12.136.0 will take effect on a Surface Book
device, a firmware update for the Surface Book Base is required. If you install Surface Dock Updater v2.12.136.0 on a Surface
Book and update an attached Surface Dock from that same device, the firmware of the Surface Book Base will automatically
be updated when installing the Surface Dock Updater. However, if you update a Surface Dock using Surface Dock Updater
v2.12.136.0 on a different device, and then connect that Surface Dock to a Surface Book where Surface Dock Updater
v2.12.136.0 has not been installed, the benefits of the updated Surface Dock will not be enabled. To enable the benefits of
the updated Surface Dock on a Surface Book device, Surface Book Base firmware must also be updated by installing Surface
Dock Updater v2.12.136.0 on the Surface Book device. The Surface Book Base firmware update is not required on a Surface
Book 2 device.
Version 2.9.136.0
Release date: November 3, 2017
This version of Surface Dock Updater adds support for the following:
Update for Surface Dock DisplayPort Firmware
Resolves an issue with audio over passive display port adapters
Version 2.1.15.0
Release date: June 19, 2017
This version of Surface Dock Updater adds support for the following:
Surface Laptop
Surface Pro
Version 2.1.6.0
Release date: April 7, 2017
This version of Surface Dock Updater adds support for the following:
Update for Surface Dock DisplayPort firmware
Requires Windows 10
Version 2.0.22.0
Release date: October 21, 2016
This version of Surface Dock Updater adds support for the following:
Update for Surface Dock USB firmware
Improved reliability of Ethernet, audio, and USB ports
Version 1.0.8.0
Release date: April 26, 2016
This version of Surface Dock Updater adds support for the following:
Update for Surface Dock Main Chipset firmware
Update for Surface Dock DisplayPort firmware
Wake On LAN for Surface devices
5/10/2018 • 3 minutes to read • Edit Online
Surface devices that run Windows 10, version 1607 (also known as Windows 10 Anniversary Update) or later and
use a Surface Ethernet adapter to connect to a wired network are capable of Wake On LAN (WOL) from
Connected Standby. With WOL, you can remotely wake up devices to perform management or maintenance tasks
or enable management solutions (such as System Center Configuration Manager) automatically. For example, you
can deploy applications to Surface devices left docked with a Surface Dock or Surface Pro 3 Docking Station by
using System Center Configuration Manager during a window in the middle of the night, when the office is empty.
NOTE
Surface devices must be connected to AC power and in Connected Standby (Sleep) to support WOL. WOL is not possible
from devices that are in hibernation or powered off.
Supported devices
The following devices are supported for WOL:
Surface Book 2
Surface Pro with LTE Advanced (Model 1807)
Surface Pro (Model 1796)
Surface Laptop
Surface Book
Surface Pro 4
Surface 3
Surface Pro 3
Surface Ethernet adapter
Surface Dock
Surface Docking Station for Surface Pro 3
WOL driver
To enable WOL support on Surface devices, a specific driver for the Surface Ethernet adapter is required. This
driver is not included in the standard driver and firmware pack for Surface devices – you must download and
install it separately. You can download the Surface WOL driver (SurfaceWOL.msi) from the Surface Tools for IT
page in the Microsoft Download Center.
You can run this Microsoft Windows Installer (.msi) file on a Surface device to install the Surface WOL driver, or
you can distribute it to Surface devices with an application deployment solution, such as System Center
Configuration Manager. To include the Surface WOL driver during deployment, you can install the .msi file as an
application during the deployment process. You can also extract the Surface WOL driver files to include them in
the deployment process. For example, you can include them in your Microsoft Deployment Toolkit (MDT)
deployment share. You can read more about Surface deployment with MDT in Deploy Windows 10 to Surface
devices with Microsoft Deployment Toolkit.
NOTE
During the installation of SurfaceWOL.msi, the following registry key is set to a value of 1, which allows easy identification of
systems where the WOL driver has been installed. If you chose to extract and install these drivers separately during
deployment, this registry key will not be configured and must be configured manually or with a script.
HKLM\SYSTEM\CurrentControlSet\Control\Power AllowSystemRequiredPowerRequests
To extract the contents of SurfaceWOL.msi, use the MSIExec administrative installation option (/a), as shown in
the following example, to extract the contents to the C:\WOL\ folder:
msiexec /a surfacewol.msi targetdir=C:\WOL /qn
NOTE
To send a magic packet and wake up a device by using WOL, you must know the MAC address of the target device and
Ethernet adapter. Because the magic packet does not use the IP network protocol, it is not possible to use the IP address or
DNS name of the device.
Many management solutions, such as System Center Configuration Manager, provide built-in support for WOL.
There are also many solutions, including Microsoft Store apps, PowerShell modules, third-party applications, and
third-party management solutions that allow you to send a magic packet to wake up a device. For example, you
can use the Wake On LAN PowerShell module from the TechNet Script Center.
NOTE
After a device has been woken up with a magic packet, the device will return to sleep if an application is not actively
preventing sleep on the system or if the AllowSystemRequiredPowerRequests registry key is not configured to 1, which
allows applications to prevent sleep. See the WOL driver section of this article for more information about this registry key.
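The two prerequisites this article calls out, the AllowSystemRequiredPowerRequests registry value and a Surface Ethernet adapter whose MAC address you know and whose driver accepts magic packets, can be verified from the device itself. The following script is an added example and is not part of the Surface documentation or of SurfaceWOL.msi. It uses the standard Get-NetAdapter and Get-NetAdapterPowerManagement cmdlets; the adapter-description filter is an assumption about how the Surface Ethernet adapter is named on your devices, and the remediation step only runs when you set $Remediate to $true.

```powershell
# Added example (not from the Surface documentation): verify, and optionally
# configure, the prerequisites for Wake On LAN on a Surface device.
# Run in an elevated PowerShell session on the Surface device itself.

$PowerKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'
$ValueName = 'AllowSystemRequiredPowerRequests'   # set to 1 by SurfaceWOL.msi
$Remediate = $false                               # set to $true to write the value when it is missing

function Get-SurfaceWolStatus {
    param(
        # Assumption: the Surface Ethernet adapter's InterfaceDescription contains these words.
        [string]$AdapterFilter = '*Surface*Ethernet*'
    )
    # 1. Registry value that lets applications keep the device awake after it is woken.
    $reg = Get-ItemProperty -Path $PowerKey -Name $ValueName -ErrorAction SilentlyContinue
    $regValue = if ($null -eq $reg) { $null } else { $reg.$ValueName }

    # 2. Surface Ethernet adapter(s): the MAC address a magic packet must carry,
    #    and whether the installed driver is configured to wake on magic packet.
    $adapters = Get-NetAdapter | Where-Object { $_.InterfaceDescription -like $AdapterFilter }
    $adapterInfo = foreach ($a in $adapters) {
        $pm = Get-NetAdapterPowerManagement -Name $a.Name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Name              = $a.Name
            Description       = $a.InterfaceDescription
            MacAddress        = $a.MacAddress
            Status            = $a.Status
            WakeOnMagicPacket = if ($pm) { $pm.WakeOnMagicPacket } else { 'Unknown' }
        }
    }

    $wolCapable = @($adapterInfo | Where-Object { $_.WakeOnMagicPacket -eq 'Enabled' }).Count -gt 0
    [pscustomobject]@{
        AllowSystemRequiredPowerRequests = $regValue
        RegistryOk                       = ($regValue -eq 1)
        Adapters                         = @($adapterInfo)
        Ready                            = ($regValue -eq 1) -and $wolCapable
    }
}

function Set-SurfaceWolRegistryValue {
    # For deployments that extracted the driver files from SurfaceWOL.msi instead of
    # running the installer, which is the case the article says must be handled by script.
    New-ItemProperty -Path $PowerKey -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
}

$status = Get-SurfaceWolStatus
$status | Select-Object AllowSystemRequiredPowerRequests, RegistryOk, Ready | Format-List
$status.Adapters | Format-Table Name, MacAddress, Status, WakeOnMagicPacket -AutoSize

if (-not $status.RegistryOk -and $Remediate) {
    Set-SurfaceWolRegistryValue
    Write-Host "$ValueName set to 1; applications may now hold the device awake after a wake-up."
}
```

The MacAddress column is what a management solution needs to build the magic packet, since, as the note above says, the packet cannot be addressed by IP address or DNS name. Record it from the inventory rather than from the device at wake time.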
Considerations for Surface and System Center Configuration Manager
5/10/2018 • 8 minutes to read • Edit Online
Fundamentally, management and deployment of Surface devices with System Center Configuration Manager is
the same as the management and deployment of any other PC. Like any other PC, a deployment to Surface
devices includes importing drivers, importing a Windows image, preparing a deployment task sequence, and then
deploying the task sequence to a collection. After deployment, Surface devices are like any other Windows client –
to publish apps, settings, and policies, you use the same process that you would use for any other device.
You can find more information about how to use Configuration Manager to deploy and manage devices in the
Documentation for System Center Configuration Manager.
Although the deployment and management of Surface devices is fundamentally the same as any other PC, there
are some scenarios that may require additional considerations or steps. This article provides descriptions and
guidance for these scenarios; the solutions documented in this article may apply to other devices and
manufacturers as well.
NOTE
For management of Surface devices it is recommended that you use the Current Branch of System Center Configuration
Manager.
NOTE
Surface device drivers and firmware are signed with SHA-256, which is not natively supported by Windows Server 2008 R2. A
workaround is available for Configuration Manager environments running on Windows Server 2008 R2 – for more
information see Can't import drivers into System Center Configuration Manager (KB3025419) .
Applies to
Surface Pro 4
Surface Book
Surface 3
NOTE
The Surface app ships in Surface Studio.
The Surface app is a lightweight Microsoft Store app that provides control of many Surface-specific settings and
options, including:
Enable or disable the Windows button on the Surface device
Adjust the sensitivity of a Surface Pen
Customize Surface Pen button actions
Enable or disable Surface audio enhancements
Quick access to support documentation and information for your device
If your organization is preparing images that will be deployed to your Surface devices, you may want to include the
Surface app (formerly called the Surface Hub) in your imaging and deployment process instead of requiring users
of each individual device to download and install the app from the Microsoft Store or your Microsoft Store for
Business.
Figure 2. Select the Offline licensing mode and add the app to your inventory
Click Offline to select the Offline licensing mode.
Click Get the app to add the app to your Microsoft Store for Business inventory. As shown in Figure 3,
you’ll see a dialog box that prompts you to acknowledge that offline apps can be deployed using a
management tool or downloaded from the company’s inventory page in their private store.
Figure 3. Offline-licensed app acknowledgement
Click OK.
NOTE
The version numbers of the Surface app and required frameworks will change as the apps are updated. Check for the latest
version of Surface app and each framework in Microsoft Store for Business. Always use the Surface app and recommended
framework versions as provided by Microsoft Store for Business. Using outdated frameworks or the incorrect versions may
result in errors or application crashes.
To download the required frameworks for the Surface app, follow these steps:
1. Click the Download button under Microsoft.VCLibs.140.00_14.0.23816.0_x64__8wekyb3d8bbwe. This
downloads the Microsoft.VCLibs.140.00_14.0.23816.0_x64__8wekyb3d8bbwe.Appx file to your specified folder.
2. Click the Download button under
Microsoft.NET.Native.Runtime.1.1_1.1.23406.0_x64__8wekyb3d8bbwe. This downloads the
Microsoft.NET.Native.Runtime.1.1_1.1.23406.0_x64__8wekyb3d8bbwe.Appx file to your specified folder.
NOTE
Only the 64-bit (x64) version of each framework is required for Surface devices. Surface devices are native 64-bit UEFI devices
and are not compatible with 32-bit (x86) versions of Windows that would require 32-bit frameworks.
3. In the elevated PowerShell session, copy and paste the following command:
Where <DownloadPath> is the folder where you downloaded the AppxBundle and license file from the
Microsoft Store for Business account.
For example, if you downloaded the files to c:\Temp, the command you run is:
4. The Surface app will now be available on your current Windows computer.
Before the Surface app is functional on the computer where it has been provisioned, you must also provision the
frameworks described earlier in this article. To provision these frameworks, use the following procedure in the
elevated PowerShell session you used to provision the Surface app.
1. In the elevated PowerShell session, copy and paste the following command:
Add-AppxProvisionedPackage -Online -SkipLicense -PackagePath
<DownloadPath>\Microsoft.VCLibs.140.00_14.0.23816.0_x64__8wekyb3d8bbwe.Appx
2. In the elevated PowerShell session, copy and paste the following command:
Add-AppxProvisionedPackage -Online -SkipLicense -PackagePath
<DownloadPath>\Microsoft.NET.Native.Runtime.1.1_1.1.23406.0_x64__8wekyb3d8bbwe.Appx
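Because the app depends on both frameworks, provisioning them in one scripted run with the dependency order fixed, and checking the result, is less error-prone than pasting the commands one by one. The script below is an added example, not from the Surface documentation: the framework file names are the ones listed in this article, while the Surface app .AppxBundle and license file names are placeholders (Microsoft Store for Business assigns them at download time), as is the download folder.

```powershell
# Added example (not from the Surface documentation): provision the Surface app
# frameworks and then the app itself, in dependency order, then verify.
# Run in an elevated PowerShell session.

$DownloadPath = 'C:\Temp'                                 # folder used in the article's example
$Frameworks   = @(
    'Microsoft.VCLibs.140.00_14.0.23816.0_x64__8wekyb3d8bbwe.Appx',
    'Microsoft.NET.Native.Runtime.1.1_1.1.23406.0_x64__8wekyb3d8bbwe.Appx'
)
$AppBundle    = '<SurfaceAppBundleFileName>.AppxBundle'   # placeholder: offline app bundle
$AppLicense   = '<SurfaceAppLicenseFileName>.xml'         # placeholder: offline license file

function Install-SurfaceAppOffline {
    param(
        [string]$Path, [string[]]$Frameworks, [string]$Bundle, [string]$License
    )
    # Fail early if a file is missing or a framework is not the x64 build the article requires.
    foreach ($file in ($Frameworks + $Bundle + $License)) {
        $full = Join-Path $Path $file
        if (-not (Test-Path $full)) { throw "Missing file: $full" }
        if ($file -like '*.Appx' -and $file -notmatch '_x64_') {
            throw "Only x64 frameworks are valid on Surface devices: $file"
        }
    }
    # Frameworks first; the app's provisioning would fail without its dependencies.
    foreach ($fw in $Frameworks) {
        Add-AppxProvisionedPackage -Online -SkipLicense -PackagePath (Join-Path $Path $fw) | Out-Null
    }
    # The app carries an offline license that must be provisioned with it.
    Add-AppxProvisionedPackage -Online -PackagePath (Join-Path $Path $Bundle) `
        -LicensePath (Join-Path $Path $License) | Out-Null

    # Verification: the three packages should now be in the provisioned list.
    Get-AppxProvisionedPackage -Online |
        Where-Object { $_.DisplayName -match 'VCLibs|NET\.Native|Surface' } |
        Select-Object DisplayName, Version, PackageName
}

Install-SurfaceAppOffline -Path $DownloadPath -Frameworks $Frameworks -Bundle $AppBundle -License $AppLicense
```

Provisioned packages are installed for each user at first sign-in, so the verification lists what the image carries, not what the current user already has.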
Find out how to enable support for PEAP, EAP-FAST, or Cisco LEAP protocols on your Surface device.
If you use PEAP, EAP-FAST, or Cisco LEAP in your enterprise network, you probably already know that these
three wireless authentication protocols are not supported by Surface devices out of the box. Some users may
discover this when they attempt to connect to your wireless network; others may discover it when they are unable
to gain access to resources inside the network, like file shares and internal sites. For more information, see
Extensible Authentication Protocol.
You can add support for each protocol by executing a small MSI package from a USB stick or from a file share. For
organizations that want to enable EAP support on their Surface devices, the MSI package format supports
deployment with many management and deployment tools, like the Microsoft Deployment Toolkit (MDT) and
System Center Configuration Manager.
Current and future generations of Surface devices, including Surface Pro 4, Surface Book, and Surface Studio, use
a unique UEFI firmware engineered by Microsoft specifically for these devices. This firmware allows for
significantly greater control of the device’s operation over firmware versions in earlier generation Surface devices,
including the support for touch, mouse, and keyboard operation. By using the Surface UEFI settings you can easily
enable or disable internal devices or components, configure security to protect UEFI settings from being changed,
and adjust the Surface device boot settings.
NOTE
Surface Pro 3, Surface 3, Surface Pro 2, Surface 2, Surface Pro, and Surface do not use the Surface UEFI and instead use
firmware provided by third-party manufacturers, such as AMI.
You can enter the Surface UEFI settings on your Surface device by pressing the Volume Up button and the
Power button simultaneously. Hold the Volume Up button until the Surface logo is displayed, which indicates
that the device has begun to boot.
PC information
On the PC information page, detailed information about your Surface device is provided:
Model – Your Surface device’s model will be displayed here, such as Surface Book or Surface Pro 4. The exact
configuration of your device (such as processor, disk size, or memory size) is not shown.
UUID – This Universally Unique Identification number is specific to your device and is used to identify the
device during deployment or management.
Serial Number – This number is used to identify this specific Surface device for asset tagging and support
scenarios.
Asset Tag – The asset tag is assigned to the Surface device with the Asset Tag Tool.
You will also find detailed information about the firmware of your Surface device. Surface devices have several
internal components that each run different versions of firmware. The firmware version of each of the following
devices is displayed on the PC information page (as shown in Figure 1):
System UEFI
SAM Controller
Intel Management Engine
System Embedded Controller
Touch Firmware
Figure 1. System information and firmware version information
You can find up-to-date information about the latest firmware version for your Surface device in the Surface
Update History for your device.
Security
On the Security page of Surface UEFI settings, you can set a password to protect UEFI settings. This password
must be entered when you boot the Surface device to UEFI. The password can contain the following characters (as
shown in Figure 2):
Uppercase letters: A-Z
Lowercase letters: a-z
Numbers: 1-0
Special characters: !@#$%^&*()?<>{}[]-_=+|.,;:’`”
The password must be at least 6 characters and is case sensitive.
Figure 2. Add a password to protect Surface UEFI settings
On the Security page you can also change the configuration of Secure Boot on your Surface device. Secure Boot
technology prevents unauthorized boot code from booting on your Surface device, which protects against bootkit
and rootkit-type malware infections. You can disable Secure Boot to allow your Surface device to boot third-party
operating systems or bootable media. You can also configure Secure Boot to work with third-party certificates, as
shown in Figure 3. Read more about Secure Boot in the TechNet Library.
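Whether Secure Boot is on, and which certificates the firmware trusts, can both be read from Windows without entering UEFI settings. The script below is an added example, not part of the Surface documentation: it uses the Confirm-SecureBootUEFI and Get-SecureBootUEFI cmdlets and parses the EFI_SIGNATURE_LIST layout of the db variable (the UEFI specification's format, with the X.509 and SHA-256 list-type GUIDs it defines). Flagging any non-Microsoft subject for review is this example's own heuristic, useful when third-party certificates have been added as described above.

```powershell
# Added example (not from the Surface documentation): report Secure Boot state and
# list what is enrolled in the UEFI "db" (authorised signers) variable.
# Requires an elevated PowerShell session on a UEFI-based Windows 10 device.

# EFI_SIGNATURE_LIST type GUIDs defined by the UEFI specification.
$EfiCertX509Guid   = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'
$EfiCertSha256Guid = [Guid]'c1c41626-504c-4092-aca9-41f936934328'

function Get-EfiSignatureEntries {
    # Parses the concatenated EFI_SIGNATURE_LIST structures held in a Secure Boot variable:
    #   EFI_GUID SignatureType; UINT32 SignatureListSize; UINT32 SignatureHeaderSize;
    #   UINT32 SignatureSize; [header]; EFI_SIGNATURE_DATA[] (owner GUID + data)
    param([byte[]]$Bytes)
    $entries = New-Object System.Collections.Generic.List[object]
    $pos = 0
    while ($pos + 28 -le $Bytes.Length) {
        $listType   = [Guid]::new([byte[]]$Bytes[$pos..($pos + 15)])
        $listSize   = [int][BitConverter]::ToUInt32($Bytes, $pos + 16)
        $headerSize = [int][BitConverter]::ToUInt32($Bytes, $pos + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($Bytes, $pos + 24)
        if ($listSize -lt 28 -or $sigSize -le 16) { break }      # malformed list: stop, do not loop
        $listEnd = [Math]::Min($pos + $listSize, $Bytes.Length)
        $sigPos  = $pos + 28 + $headerSize
        while ($sigPos + $sigSize -le $listEnd) {
            $owner = [Guid]::new([byte[]]$Bytes[$sigPos..($sigPos + 15)])
            $data  = [byte[]]$Bytes[($sigPos + 16)..($sigPos + $sigSize - 1)]
            $entry = [pscustomobject]@{ Type = 'Other'; Owner = $owner; Subject = $null; Thumbprint = $null }
            if ($listType -eq $EfiCertX509Guid) {
                $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$data)
                $entry.Type = 'X509'; $entry.Subject = $cert.Subject; $entry.Thumbprint = $cert.Thumbprint
            } elseif ($listType -eq $EfiCertSha256Guid) {
                # Hash entries allow a single binary rather than a signer.
                $entry.Type = 'SHA256'; $entry.Thumbprint = ($data | ForEach-Object { $_.ToString('x2') }) -join ''
            }
            $entries.Add($entry)
            $sigPos += $sigSize
        }
        $pos = $listEnd
    }
    return $entries
}

function Get-SecureBootAudit {
    # Confirm-SecureBootUEFI throws on systems without Secure Boot support; treat that as "off".
    try { $enabled = Confirm-SecureBootUEFI } catch { $enabled = $false }
    try { $db = Get-SecureBootUEFI -Name db } catch { $db = $null }
    $entries = if ($db) { Get-EfiSignatureEntries -Bytes $db.Bytes } else { @() }
    [pscustomobject]@{
        SecureBootEnabled   = $enabled
        DbEntries           = @($entries)
        # Heuristic of this example: any signer not issued by Microsoft is worth a review.
        NonMicrosoftSigners = @($entries | Where-Object { $_.Type -eq 'X509' -and $_.Subject -notmatch 'Microsoft' })
    }
}

$audit = Get-SecureBootAudit
"Secure Boot enabled: $($audit.SecureBootEnabled)"
$audit.DbEntries | Format-Table Type, Subject, Thumbprint -AutoSize
if ($audit.NonMicrosoftSigners.Count -gt 0) {
    Write-Warning "db contains $($audit.NonMicrosoftSigners.Count) non-Microsoft signer(s); confirm they are expected."
}
```

Run the audit after imaging and keep the db thumbprints with the device record: a later run that shows a new signer, or Secure Boot reporting off, is a finding even if the device still boots normally.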
Devices
On the Devices page you can enable or disable specific devices and components of your Surface device. Devices
that you can enable or disable on this page include:
Docking and USB Ports
MicroSD or SD Card Slot
Rear Camera
Front Camera
Infrared (IR) Camera
Wi-Fi and Bluetooth
Onboard Audio (Speakers and Microphone)
Each device is listed with a slider button that you can move to On (enabled) or Off (disabled) position, as shown in
Figure 5.
Figure 5. Enable and disable specific devices
Boot configuration
On the Boot Configuration page, you can change the order of your boot devices and/or enable or disable boot of
the following devices:
Windows Boot Manager
USB Storage
PXE Network
Internal Storage
You can boot from a specific device immediately, or you can swipe left on that device’s entry in the list using the
touchscreen. You can also boot immediately to a USB device or USB Ethernet adapter when the Surface device is
powered off by pressing the Volume Down button and the Power button simultaneously.
For the specified boot order to take effect, you must set the Enable Alternate Boot Sequence option to On, as
shown in Figure 6.
Figure 6. Configure the boot order for your Surface device
You can also turn on and off IPv6 support for PXE with the Enable IPv6 for PXE Network Boot option, for
example when performing a Windows deployment using PXE where the PXE server is configured for IPv4 only.
About
The About page displays regulatory information, such as compliance with FCC rules, as shown in Figure 7.
Exit
Use the Restart Now button on the Exit page to exit UEFI settings, as shown in Figure 8.
Figure 8. Click Restart Now to exit Surface UEFI and restart the device
Figure 9. The Surface UEFI firmware update displays a blue progress bar
Figure 10. The System Embedded Controller firmware update displays a green progress bar
Figure 11. The SAM Controller firmware update displays an orange progress bar
Figure 12. The Intel Management Engine firmware update displays a red progress bar
Figure 13. The Surface touch firmware update displays a gray progress bar
NOTE
An additional warning message that indicates Secure Boot is disabled is displayed, as shown in Figure 14.
Figure 14. Surface boot screen that indicates Secure Boot has been disabled in Surface UEFI settings
Related topics
Advanced UEFI security features for Surface Pro 3
Advanced UEFI security features for Surface Pro 3
10/29/2018 • 4 minutes to read • Edit Online
This article describes how to install and configure the v3.11.760.0 UEFI update to enable additional security
options for Surface Pro 3 devices.
To address more granular control over the security of Surface devices, the v3.11.760.0 UEFI update provides
additional security options that allow you to disable specific hardware devices or to prevent starting from those
devices. After the UEFI update is installed on a device, you can configure it manually or automatically by running a
script.
After the v3.11.760.0 UEFI update is installed on a Surface device, an additional UEFI menu named Advanced
Device Security becomes available. If you click this menu, the following options are displayed:
OPTION | DESCRIPTION | AVAILABLE SETTINGS (DEFAULT LISTED IN BOLD)
Network Boot | Enables or disables the ability of your Surface device to boot from the network (also known as PXE boot). | Enabled, Not Bootable
Side USB | Enables or disables the USB port on the side of the Surface device. Additionally, the USB port can be enabled, but not allow booting. | Enabled, Not Bootable, Disabled
Docking Port | Enables or disables the ports on the Surface docking station. Additionally, the docking port can be enabled, but block booting from any USB or Ethernet port in the docking station. | Enabled, Not Bootable, Disabled
Note: The UEFI password used in the sample scripts below is presented in clear text. We strongly recommend
saving the scripts in a protected location and running them in a controlled environment.
Write-Host
}
$Password = [Microsoft.Surface.FirmwareOption]::Find("Password")
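Once the options exist, the useful scripted task is not only setting them but checking that fleet devices still match the intended configuration. The following is an added example, not the sample script from the Surface documentation. It builds on the [Microsoft.Surface.FirmwareOption]::Find(...) call shown above; the option names NetworkBoot, SideUsb and DockingPort, the members CurrentValue, ProposedValue and AllowedValues, the "NotBootable" value spelling, and the assembly path are all assumptions (the script reads AllowedValues and warns if a baseline value is not one of them, so a wrong spelling is reported rather than silently staged). Values are only changed when -Enforce is given.

```powershell
# Added example (not from the Surface documentation): compare the Advanced Device
# Security options on a Surface Pro 3 with UEFI v3.11.760.0 or later against a
# baseline and report drift. Run in an elevated PowerShell session.

# Assumption: the Surface UEFI management assembly is loaded from the Surface tools
# install; the path is a placeholder.
Add-Type -Path 'C:\<PathToSurfaceTools>\SurfaceUefiManager.dll'

# Baseline for this example: PXE and the side USB port stay usable but not bootable,
# the dock keeps its ports enabled but cannot be booted from.
# Option names and the value spelling are assumptions; see AllowedValues at run time.
$Baseline = @{
    'NetworkBoot' = 'NotBootable'
    'SideUsb'     = 'NotBootable'
    'DockingPort' = 'NotBootable'
}

function Test-SurfaceUefiBaseline {
    param([hashtable]$Expected, [switch]$Enforce)
    $report = foreach ($name in $Expected.Keys) {
        try { $opt = [Microsoft.Surface.FirmwareOption]::Find($name) } catch { $opt = $null }
        if ($null -eq $opt) {
            # Option missing: the UEFI update may not be installed, or the name differs.
            [pscustomobject]@{ Option = $name; Current = '<not found>'; Expected = $Expected[$name]; Compliant = $false }
            continue
        }
        $allowed = @($opt.AllowedValues)
        if ($allowed.Count -gt 0 -and ($Expected[$name] -notin $allowed)) {
            Write-Warning "${name}: baseline value '$($Expected[$name])' is not among allowed values: $($allowed -join ', ')"
        }
        $ok = ($opt.CurrentValue -eq $Expected[$name])
        if (-not $ok -and $Enforce) {
            # Proposed values are staged here and applied by the firmware at the next restart.
            $opt.ProposedValue = $Expected[$name]
        }
        [pscustomobject]@{ Option = $name; Current = $opt.CurrentValue; Expected = $Expected[$name]; Compliant = $ok }
    }
    return $report
}

$result = Test-SurfaceUefiBaseline -Expected $Baseline
$result | Format-Table -AutoSize
if (@($result | Where-Object { -not $_.Compliant }).Count -gt 0) {
    Write-Host 'Drift detected. Rerun with -Enforce to stage the baseline values for the next restart.'
}
```

Keep the UEFI password out of this script entirely: the baseline check is read-only and needs none, and the enforcement path should take the password from a protected source rather than the clear-text form the note above warns about.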
Microsoft Surface Enterprise Management Mode (SEMM) is a feature of Surface devices with Surface UEFI that
allows you to secure and manage firmware settings within your organization. With SEMM, IT professionals can
prepare configurations of UEFI settings and install them on a Surface device. In addition to the ability to configure
UEFI settings, SEMM also uses a certificate to protect the configuration from unauthorized tampering or removal.
NOTE
SEMM is only available on devices with Surface UEFI firmware, such as Surface Pro 4, Surface Book, and Surface Studio. For
more information about Surface UEFI, see Manage Surface UEFI Settings.
When Surface devices are configured by SEMM and secured with the SEMM certificate, they are considered
enrolled in SEMM. When the SEMM certificate is removed and control of UEFI settings is returned to the user of
the device, the Surface device is considered unenrolled in SEMM.
There are two administrative options you can use to manage SEMM and enrolled Surface devices – a standalone
tool or integration with System Center Configuration Manager. The SEMM standalone tool, called the Microsoft
Surface UEFI Configurator, is described in this article. For more information about how to manage SEMM with
System Center Configuration Manager, see Use System Center Configuration Manager to manage devices with
SEMM.
NOTE
Windows 10 is required to run Microsoft Surface UEFI Configurator
You can use the Microsoft Surface UEFI Configurator tool in three modes:
Surface UEFI Configuration Package. Use this mode to create a Surface UEFI configuration package to enroll a
Surface device in SEMM and to configure UEFI settings on enrolled devices.
Surface UEFI Reset Package. Use this mode to unenroll a Surface device from SEMM.
Surface UEFI Recovery Request. Use this mode to respond to a recovery request to unenroll a Surface device
from SEMM where a Reset Package operation is not successful.
Download Microsoft Surface UEFI Configurator
You can download Microsoft Surface UEFI Configurator from the Surface Tools for IT page in the Microsoft
Download Center.
Configuration package
Surface UEFI configuration packages are the primary mechanism to implement and manage SEMM on Surface
devices. These packages contain a configuration file of UEFI settings specified during creation of the package in
Microsoft Surface UEFI Configurator and a certificate file, as shown in Figure 2. When a configuration package is
run for the first time on a Surface device that is not already enrolled in SEMM, it provisions the certificate file in
the device’s firmware and enrolls the device in SEMM. When enrolling a device in SEMM, you will be prompted to
confirm the operation by providing the last two digits of the SEMM certificate thumbprint before the certificate file
is stored and the enrollment can complete. This confirmation requires that a user be present at the device at the
time of enrollment to perform the confirmation.
NOTE
You can also specify a UEFI password with SEMM that is required to view the Security, Devices, Boot Configuration, or
Enterprise Management pages of Surface UEFI.
After a device is enrolled in SEMM, the configuration file is read and the settings specified in the file are applied to
UEFI. When you run a configuration package on a device that is already enrolled in SEMM, the signature of the
configuration file is checked against the certificate that is stored in the device firmware. If the signature does not
match, no changes are applied to the device.
You can use Surface UEFI settings to enable or disable the operation of individual components, such as cameras,
wireless communication, or docking USB port (as shown in Figure 3), and configure advanced settings (as shown
in Figure 4).
Figure 3. Enable or disable devices in Surface UEFI with SEMM
Figure 4. Configure advanced settings with SEMM
You can enable or disable the following devices with SEMM:
Docking USB Port
On-board Audio
Type Cover
Micro SD or SD Card Slots
Front Camera
Rear Camera
Infrared Camera, for Windows Hello
Bluetooth Only
Wi-Fi and Bluetooth
Trusted Platform Module (TPM)
You can configure the following advanced settings with SEMM:
IPv6 support for PXE boot
Alternate boot order, where the Volume Down button and Power button can be pressed together during boot,
to boot directly to a USB or Ethernet device
Lock the boot order to prevent changes
Support for booting to USB devices
Display of the Surface UEFI Security page
Display of the Surface UEFI Devices page
Display of the Surface UEFI Boot page
NOTE
When you create a SEMM configuration package, two characters are shown on the Successful page, as shown in Figure 5.
Figure 5. Display of the last two characters of the certificate thumbprint on the Successful page
These characters are the last two characters of the certificate thumbprint and should be written down or recorded.
The characters are required to confirm enrollment in SEMM on a Surface device, as shown in Figure 6.
Figure 6. Enrollment confirmation in SEMM with the SEMM certificate thumbprint
NOTE
Administrators with access to the certificate file (.pfx) can read the thumbprint at any time by opening the .pfx file in CertMgr.
To view the thumbprint with CertMgr, follow this process:
1. Right-click the .pfx file, and then click Open.
2. Expand the folder in the navigation pane.
3. Click Certificates.
4. Right-click your certificate in the main pane, and then click Open.
5. Click the Details tab.
6. In the Show drop-down menu, select All or Properties Only.
7. Select the field Thumbprint.
To enroll a Surface device in SEMM or to apply the UEFI configuration from a configuration package, all you need
to do is run the .msi file on the intended Surface device. You can use application deployment or operating system
deployment technologies such as System Center Configuration Manager or the Microsoft Deployment Toolkit.
When you enroll a device in SEMM you must be present to confirm the enrollment on the device. User interaction
is not required when you apply a configuration to devices that are already enrolled in SEMM.
For a step-by-step walkthrough of how to enroll a Surface device in SEMM or apply a Surface UEFI configuration
with SEMM, see Enroll and configure Surface devices with SEMM.
Reset package
A Surface UEFI reset package is used to perform only one task — to unenroll a Surface device from SEMM. The
reset package contains signed instructions to remove the SEMM certificate from the device’s firmware and to reset
UEFI settings to factory default. Like a Surface UEFI configuration package, a reset package must be signed with
the same SEMM certificate that is provisioned on the Surface device. When you create a SEMM reset package,
you are required to supply the serial number of the Surface device you intend to reset. SEMM reset packages are
not universal and are specific to one device.
Recovery request
In some scenarios, it may be impossible to use a Surface UEFI reset package. (For example, if Windows becomes
unusable on the Surface device.) In these scenarios you can unenroll the Surface device from SEMM through the
Enterprise Management page of Surface UEFI (shown in Figure 7) with a Recovery Request operation.
NOTE
A Recovery Request (Reset Request) expires two hours after it is created.
For a step-by-step walkthrough of how to unenroll Surface devices from SEMM, see Unenroll Surface devices
from SEMM.
Packages created with the Microsoft Surface UEFI Configurator tool are signed with a certificate. This certificate
ensures that after a device is enrolled in SEMM, only packages created with the approved certificate can be used to
modify the settings of UEFI. The following settings are recommended for the SEMM certificate:
Key Algorithm – RSA
Key Length – 2048
Hash Algorithm – SHA-256
Type – SSL Server Authentication
Key Usage – Key Encipherment
Provider – Microsoft Enhanced RSA and AES Cryptographic Provider
Expiration Date – 15 Months from certificate creation
Key Export Policy – Exportable
It is also recommended that the SEMM certificate be authenticated in a two-tier public key infrastructure (PKI)
architecture where the intermediate certification authority (CA) is dedicated to SEMM, enabling certificate
revocation. For more information about a two-tier PKI configuration, see Test Lab Guide: Deploying an AD CS
Two-Tier PKI Hierarchy.
NOTE
You can use the following PowerShell script to create a self-signed certificate for use in proof-of-concept scenarios. To use
this script, copy the following text into Notepad and save the file as a PowerShell script (.ps1). This script creates a certificate
file protected with the password 12345678.
The certificate generated by this script is not recommended for production environments.
if (-not (Test-Path "Demo Certificate")) { New-Item -ItemType Directory -Force -Path "Demo Certificate" }
if (Test-Path "Demo Certificate\TempOwner.pfx") { Remove-Item "Demo Certificate\TempOwner.pfx" }
# Create the self-signed certificate in the current user's personal store. Key algorithm,
# key length, hash, type, key usage and provider follow the recommended settings above;
# the validity period here is 25 years rather than the recommended 15 months.
$TestUefiV2 = New-SelfSignedCertificate `
    -Subject "CN=Surface Demo Kit, O=Contoso Corporation, C=US" `
    -Type SSLServerAuthentication `
    -HashAlgorithm sha256 `
    -KeyAlgorithm RSA `
    -KeyLength 2048 `
    -KeyUsage KeyEncipherment `
    -KeyUsageProperty All `
    -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" `
    -NotAfter (Get-Date).AddYears(25) `
    -TextExtension @("2.5.29.37={text}1.2.840.113549.1.1.1") `
    -KeyExportPolicy Exportable
# Export the certificate together with its private key to the .pfx file, protected by the
# demo password 12345678, in the form that Microsoft Surface UEFI Configurator expects.
$TestUefiV2PrivateKeyPassword = ConvertTo-SecureString -String "12345678" -Force -AsPlainText
Export-PfxCertificate -Cert $TestUefiV2 -FilePath "Demo Certificate\TempOwner.pfx" -Password $TestUefiV2PrivateKeyPassword
For use with SEMM and Microsoft Surface UEFI Configurator, the certificate must be exported with the private
key and with password protection. Microsoft Surface UEFI Configurator will prompt you to select the SEMM
certificate file (.pfx) and certificate password when it is required.
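The following script is an added example and is not part of the Surface documentation or of the demo script above. It loads an exported SEMM certificate file without installing it, compares it with the recommended certificate settings listed earlier (RSA, 2048-bit key, SHA-256, server authentication type, Key Encipherment, private key present, validity of at most 15 months), and reports the thumbprint together with the two characters that Surface UEFI asks for at enrollment. It assumes Windows PowerShell 5.1 or later on Windows; the path and password at the end are assumptions taken from the demo script and should be replaced with your own. Run against the demo certificate, the expiration check fails, because that script issues a 25-year certificate.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Added example, not from the Surface documentation. Checks a SEMM certificate file
# against the recommended settings and shows the enrollment confirmation characters.
function Test-SemmCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]       $PfxPath,
        [Parameter(Mandatory)] [securestring] $Password,
        [int] $MaxMonthsValid = 15   # recommended validity period from the guidance above
    )

    # Load the .pfx in memory only; nothing is written to a certificate store.
    $fullPath = (Resolve-Path -LiteralPath $PfxPath -ErrorAction Stop).Path
    $cert = [X509Certificate2]::new($fullPath, $Password, [X509KeyStorageFlags]::DefaultKeySet)

    $keyUsage = $cert.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] }
    $eku      = $cert.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
    $rsa      = [RSACertificateExtensions]::GetRSAPublicKey($cert)   # $null unless the key is RSA
    $now      = Get-Date

    # One entry per recommended setting: what the file contains and whether it matches.
    $checks = @(
        [ordered]@{ Name   = 'Key Algorithm: RSA'
                    Actual = $cert.PublicKey.Oid.FriendlyName
                    Pass   = ($null -ne $rsa) }
        [ordered]@{ Name   = 'Key Length: 2048'
                    Actual = $(if ($rsa) { $rsa.KeySize } else { 'n/a' })
                    Pass   = ($null -ne $rsa -and $rsa.KeySize -ge 2048) }
        [ordered]@{ Name   = 'Hash Algorithm: SHA-256'
                    Actual = $cert.SignatureAlgorithm.FriendlyName
                    Pass   = ($cert.SignatureAlgorithm.Value -eq '1.2.840.113549.1.1.11') }  # sha256RSA
        [ordered]@{ Name   = 'Key Usage: Key Encipherment'
                    Actual = $(if ($keyUsage) { $keyUsage.KeyUsages } else { 'none' })
                    Pass   = ($null -ne $keyUsage -and
                              (($keyUsage.KeyUsages -band [X509KeyUsageFlags]::KeyEncipherment) -ne 0)) }
        [ordered]@{ Name   = 'Type: SSL Server Authentication (EKU 1.3.6.1.5.5.7.3.1)'
                    Actual = $(if ($eku) { ($eku.EnhancedKeyUsages | ForEach-Object Value) -join ', ' } else { 'none' })
                    Pass   = ($null -ne $eku -and
                              $null -ne ($eku.EnhancedKeyUsages | Where-Object Value -eq '1.3.6.1.5.5.7.3.1')) }
        [ordered]@{ Name   = 'Private key exported with the certificate'
                    Actual = $cert.HasPrivateKey
                    Pass   = $cert.HasPrivateKey }
        [ordered]@{ Name   = "Expiration: not expired and within $MaxMonthsValid months"
                    Actual = $cert.NotAfter.ToString('yyyy-MM-dd')
                    Pass   = ($cert.NotAfter -gt $now -and $cert.NotAfter -le $now.AddMonths($MaxMonthsValid)) }
    )

    $thumb = $cert.Thumbprint
    [pscustomobject]@{
        Subject         = $cert.Subject
        Thumbprint      = $thumb
        EnrollmentCode  = $thumb.Substring($thumb.Length - 2)   # what Surface UEFI asks for at enrollment
        Checks          = @($checks | ForEach-Object { [pscustomobject]$_ })
        AllChecksPassed = (@($checks | Where-Object { -not $_.Pass }).Count -eq 0)
    }
}

# Usage against the demo certificate from the script above (assumed path and password).
$demoPassword = ConvertTo-SecureString -String '12345678' -AsPlainText -Force
$result = Test-SemmCertificate -PfxPath 'Demo Certificate\TempOwner.pfx' -Password $demoPassword
$result.Checks | Format-Table Name, Actual, Pass -AutoSize
"Record these two characters for enrollment: $($result.EnrollmentCode)"
"All recommended settings met: $($result.AllChecksPassed)"
```

Run this before handing a certificate to Microsoft Surface UEFI Configurator: a certificate that loads but has no private key, or that will expire before the devices are due to be unenrolled, is exactly the kind of problem that is cheap to catch here and expensive to discover on an enrolled fleet.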
NOTE
For organizations that use an offline root in their PKI infrastructure, Microsoft Surface UEFI Configurator must be run in an
environment connected to the root CA to authenticate the SEMM certificate. The packages generated by Microsoft Surface
UEFI Configurator can be transferred as files and therefore can be transferred outside the offline network environment with
removable storage, such as a USB stick.
Version History
Version 2.21.136.9
Adds support for Surface Pro 6
Adds support for Surface Laptop 2
Version 2.14.136.0
Adds support for Surface Go
Version 2.9.136.0
Adds support for Surface Book 2
Adds support for Surface Pro LTE
Accessibility improvements
Version 1.0.74.0
Adds support for Surface Laptop
Adds support for Surface Pro
Bug fixes and general improvements
Related topics
Enroll and configure Surface devices with SEMM
Unenroll Surface devices from SEMM
Enroll and configure Surface devices with SEMM
5/10/2018 • 7 minutes to read
With Microsoft Surface Enterprise Management Mode (SEMM), you can securely configure the settings of Surface
UEFI on a Surface device and manage those settings on Surface devices in your organization. When a Surface
device is managed by SEMM, that device is considered to be enrolled (sometimes referred to as activated). This
article shows you how to create a Surface UEFI configuration package that will not only control the settings of
Surface UEFI, but will also enroll a Surface device in SEMM.
For a more high-level overview of SEMM, see Microsoft Surface Enterprise Management Mode.
Download and install Microsoft Surface UEFI Configurator
The tool used to create SEMM packages is Microsoft Surface UEFI Configurator. You can download Microsoft
Surface UEFI Configurator from the Surface Tools for IT page in the Microsoft Download Center. Run the
Microsoft Surface UEFI Configurator Windows Installer (.msi) file to start the installation of the tool. When the
installer completes, find Microsoft Surface UEFI Configurator in the All Apps section of your Start menu.
NOTE
Microsoft Surface UEFI Configurator is supported only on Windows 10.
NOTE
Record the certificate thumbprint characters that are displayed on this page, as shown in Figure 6. You will need these
characters to confirm enrollment of new Surface devices in SEMM. Click End to complete package creation and close
Microsoft Surface UEFI Configurator.
Figure 6. The last two characters of the certificate thumbprint are displayed on the Successful page
Now that you have created your Surface UEFI configuration package, you can enroll or configure Surface devices.
NOTE
When a Surface UEFI configuration package is created, a log file is created on the desktop with details of the configuration
package settings and options.
Figure 9. Verify the enrollment of a Surface device in SEMM in Programs and Features
Figure 10. Verify the enrollment of a Surface device in SEMM in Event Viewer
You can also verify that the device is enrolled in SEMM in Surface UEFI – while the device is enrolled, Surface UEFI
will contain the Enterprise management page (as shown in Figure 11).
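The following script is an added example and is not part of the Surface documentation. It gathers, from Windows, the two pieces of enrollment evidence described on this page: the Microsoft Surface Configuration Package entry in Programs and Features, and the registry marker that the Configuration Manager script method described later on this page writes to HKLM\SOFTWARE\Microsoft\Surface\SEMM. It assumes an elevated PowerShell prompt on the Surface device and that the package registers under that display name; it reads Programs and Features through the standard Uninstall registry keys, which is a fact about Windows rather than about SEMM.

```powershell
# Added example, not from the Surface documentation. Collects the Windows-side
# evidence of SEMM enrollment: the configuration package entry in Programs and
# Features and the registry marker written by the ConfigureSEMM.ps1 script.
function Get-SemmEnrollmentEvidence {
    [CmdletBinding()]
    param(
        # Display name assumed from the Programs and Features figure on this page
        [string] $PackageDisplayName = 'Microsoft Surface Configuration Package*'
    )

    # Programs and Features is backed by the Uninstall keys (64-bit and 32-bit views).
    $uninstallRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    $package = foreach ($root in $uninstallRoots) {
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
            ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
            Where-Object { $_.DisplayName -like $PackageDisplayName } |
            Select-Object DisplayName, DisplayVersion, InstallDate, Publisher
    }

    # Marker written by ConfigureSEMM.ps1 when SEMM is deployed through Configuration Manager.
    $marker = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Surface\SEMM' `
                               -Name Enabled_Version1000 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        ConfigurationPackage = $package     # $null when no package is registered
        ScriptMarkerPresent  = ($null -ne $marker -and "$($marker.Enabled_Version1000)" -eq '1')
        # Either artifact shows that enrollment was started from Windows; only the
        # Enterprise management page in Surface UEFI proves that it completed.
        EnrollmentStarted    = ([bool]$package -or $null -ne $marker)
    }
}

Get-SemmEnrollmentEvidence | Format-List
```

Treat both artifacts as evidence that the package or script ran, not as proof of enrollment: the certificate is only stored in firmware after the thumbprint characters are confirmed in Surface UEFI at the next reboot, which is why the page also points you to the Enterprise management page for the final check.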
When a Surface device is enrolled in Surface Enterprise Management Mode (SEMM), a certificate is stored in the
firmware of that device. The presence of that certificate and the enrollment in SEMM prevent any unauthorized
changes to Surface UEFI settings or options while the device is enrolled in SEMM. To restore control of Surface
UEFI settings to the user, the Surface device must be unenrolled from SEMM, a process sometimes described as
reset or recovery. There are two methods you can use to unenroll a device from SEMM —a Surface UEFI reset
package and a Recovery Request.
WARNING
To unenroll a device from SEMM and restore user control of Surface UEFI settings, you must have the SEMM certificate that
was used to enroll the device in SEMM. If this certificate becomes lost or corrupted, it is not possible to unenroll from SEMM.
Back up and protect your SEMM certificate accordingly.
For more information about SEMM, see Microsoft Surface Enterprise Management Mode.
NOTE
To boot to Surface UEFI, press Volume Up and Power simultaneously while the device is off. Hold Volume Up until the
Surface logo is displayed and the device begins to boot.
Figure 5. The presence of the Microsoft Surface Configuration Package item in Programs and Features indicates
that the device is enrolled in SEMM
Figure 7. Choose SEMM Certificate for your Recovery Request (Reset Request)
7. On the Enter SEMM reset verification code page you can click the QR Code or Text buttons to display
your Recovery Request (Reset Request) as shown in Figure 8, or the USB button to save your Recovery
Request (Reset Request) as a file to a USB drive, as shown in Figure 9.
Figure 8. A Recovery Request (Reset Request) displayed as a QR Code
9. Click Start.
10. Click Recovery Request, as shown in Figure 10.
Figure 10. Click Recovery Request to begin the process to approve a Recovery Request
11. Click Certificate Protection to authenticate the Recovery Request with the SEMM certificate.
12. Browse to and select your SEMM certificate file, and then click OK.
13. When you are prompted to enter the certificate password as shown in Figure 11, type and confirm the
password for the certificate file, and then click OK.
Figure 11. Type the password for the SEMM certificate
14. Click Next.
15. Enter the Recovery Request (Reset Request), and then click Generate to create a reset verification code (as
shown in Figure 12).
Figure 12. Enter the Recovery Request (Reset Request)
If you displayed the Recovery Request (Reset Request) as text on the Surface device being reset, use the
keyboard to type the Recovery Request (Reset Request) in the provided field.
If you displayed the Recovery Request (Reset Request) as a QR Code and then used a messaging or
email application to send the code to the computer with Microsoft Surface UEFI Configurator, copy and
paste the code into the provided field.
If you saved the Recovery Request (Reset Request) as a file to a USB drive, click the Import button,
browse to and select the Recovery Request (Reset Request) file, and then click OK.
16. The reset verification code is displayed in Microsoft Surface UEFI Configurator, as shown in Figure 13.
Figure 13. The reset verification code displayed in Microsoft Surface UEFI Configurator
Click the Share button to send the reset verification code by email.
17. Enter the reset verification code in the provided field on the Surface device (shown in Figure 8), and then
click or press Verify to reset the device and unenroll the device from SEMM.
18. Click or press Restart now on the SEMM reset successful page to complete the unenrollment from
SEMM, as shown in Figure 14.
Figure 14. Successful unenrollment from SEMM
19. Click End in Microsoft Surface UEFI Configurator to complete the Recovery Request (Reset Request)
process and close Microsoft Surface UEFI Configurator.
Use System Center Configuration Manager to
manage devices with SEMM
10/26/2018 • 23 minutes to read
The Surface Enterprise Management Mode (SEMM) feature of Surface UEFI devices allows administrators to both
manage and secure the configuration of Surface UEFI settings. For most organizations, this process is
accomplished by creating Windows Installer (.msi) packages with the Microsoft Surface UEFI Configurator tool.
These packages are then run or deployed to the client Surface devices to enroll the devices in SEMM and to update
the Surface UEFI settings configuration.
For organizations with System Center Configuration Manager, there is an alternative to using the Microsoft
Surface UEFI Configurator .msi process to deploy and administer SEMM. Microsoft Surface UEFI Manager is a
lightweight installer that makes required assemblies for SEMM management available on a device. By installing
these assemblies with Microsoft Surface UEFI Manager on a managed client, SEMM can be administered by
Configuration Manager with PowerShell scripts, deployed as applications. With this process, SEMM management
is performed within Configuration Manager, which eliminates the need for the external Microsoft Surface UEFI
Configurator tool.
NOTE
Although the process described in this article may work with earlier versions of System Center Configuration Manager or
with other third-party management solutions, management of SEMM with Microsoft Surface UEFI Manager and PowerShell
is supported only with the Current Branch of System Center Configuration Manager.
Prerequisites
Before you begin the process outlined in this article, it is expected that you are familiar with the following
technologies and tools:
Surface UEFI
Surface Enterprise Management Mode (SEMM)
PowerShell scripting
System Center Configuration Manager application deployment
Certificate management
NOTE
You will also need access to the certificate that you intend to use to secure SEMM. For details about the requirements for this
certificate, see Surface Enterprise Management Mode certificate requirements.
It is very important that this certificate be kept in a safe location and properly backed up. If this certificate becomes lost or
unusable, it is not possible to reset Surface UEFI, change managed Surface UEFI settings, or remove SEMM from an enrolled
Surface device.
To create a new application and deploy it to a collection that contains your Surface devices, perform the following
steps:
1. Open Configuration Manager Console from the Start screen or Start menu.
2. Click Software Library in the bottom left corner of the window.
3. Expand the Application Management node of the Software Library, and then click Applications.
4. Click the Create Application button under the Home tab at the top of the window. This starts the Create
Application Wizard.
5. The Create Application Wizard presents a series of steps:
General – The Automatically detect information about this application from installation
files option is selected by default. In the Type field, Windows Installer (*.msi file) is also selected
by default. Click Browse to navigate to and select SurfaceUEFIManagerSetup.msi, and then click
Next.
NOTE
The location of SurfaceUEFIManagerSetup.msi must be on a network share and located in a folder that
contains no other files. A local file location cannot be used.
Import Information – The Create Application Wizard will parse the .msi file and read the
Application Name and Product Code. SurfaceUEFIManagerSetup.msi should be listed as the only
file under the line Content Files, as shown in Figure 1. Click Next to proceed.
Figure 1. Information from Microsoft Surface UEFI Manager setup is automatically parsed
General Information – You can modify the name of the application and information about the publisher and
version, or add comments on this page. The installation command for Microsoft Surface UEFI Manager is
displayed in the Installation Program field. The default installation behavior of Install for system will allow
Microsoft Surface UEFI Manager to install the required assemblies for SEMM even if a user is not logged on to
the Surface device. Click Next to proceed.
Summary – The information that was parsed in the Import Information step and your selections from the
General Information step is displayed on this page. Click Next to confirm your selections and create the
application.
Progress – Displays a progress bar and status as the application is imported and added to the Software Library.
Completion – Confirmation of the successful application creation is displayed when the application creation
process is complete. Click Close to finish the Create Application Wizard.
After the application is created in Configuration Manager, you can distribute it to your distribution points and
deploy it to the collections including your Surface devices. This application will not install or enable SEMM on the
Surface device – it only provides the assemblies required for SEMM to be enabled via PowerShell script.
If you do not want to install the Microsoft Surface UEFI Manager assemblies on devices that will not be managed
with SEMM, you can configure Microsoft Surface UEFI Manager as a dependency of the SEMM Configuration
Manager scripts. This scenario is covered in the Deploy SEMM Configuration Manager Scripts section later in this
article.
NOTE
The SEMM Configuration Manager scripts and the exported SEMM certificate file (.pfx) should be placed in the same folder
with no other files before they are added to Configuration Manager.
Replace the FabrikamOwnerSigner.pfx value for the $privateOwnerKey variable with the name of your SEMM
Certificate file on both lines 60 and 62. The script will create a working directory (named Config) in the folder
where your scripts are located, and will then copy the certificate file to this working directory.
Replace the FabrikamSignerProvisioningPackage.pkg and FabrikamUniversalResetPackage.pkg values on
lines 63 and 64 to define the $ownerPackageName and $resetPackageName variables with your desired
names for the SEMM configuration and reset packages. These packages will also be created in the Config directory
and hold the configuration for Surface UEFI settings and permissions generated by the script.
On line 67, replace the value of the $password variable, 1234, with the password for your certificate file. If the
certificate file does not require a password, delete the 1234 text.
NOTE
The last two characters of the certificate thumbprint are required to enroll a device in SEMM. This script displays these
characters to the user, so that the user or technician can record them before the system reboots to enroll the device in
SEMM. The script uses the following code, found on lines 144-149, to accomplish this:
144 # Device owners will need the last two characters of the thumbprint to accept SEMM ownership.
145 # For convenience we get the thumbprint here and present to the user.
146 $pw = ConvertTo-SecureString $password -AsPlainText -Force
147 $certPrint = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
148 $certPrint.Import($privateOwnerKey, $pw, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
149 Write-Host "Thumbprint =" $certPrint.Thumbprint
Administrators with access to the certificate file (.pfx) can read the thumbprint at any time by opening the .pfx file in
CertMgr. To view the thumbprint with CertMgr, follow this process:
1. Right-click the .pfx file, and then click Open.
2. Expand the folder in the navigation pane.
3. Click Certificates.
4. Right-click your certificate in the main pane, and then click Open.
5. Click the Details tab.
6. In the Show drop-down menu, select All or Properties Only.
7. Select the field Thumbprint.
NOTE
The SEMM certificate name and password must also be entered in this section of the ResetSEMM.ps1 script to enable
Configuration Manager to remove SEMM from the device with the uninstall action.
Configure permissions
The first region of the script where you will specify the configuration for Surface UEFI is the Configure
Permissions region. This region begins at line 202 in the sample script with the comment # Configure
Permissions and continues to line 238. The following code fragment first sets permissions to all Surface UEFI
settings so that they may be modified by SEMM only, then adds explicit permissions to allow the local user to
modify the Surface UEFI password, TPM, and front and rear cameras:
202 # Configure Permissions
203 foreach ($uefiV2 IN $surfaceDevices.Values) {
204 # Here we define which "identities" will be allowed to modify which settings
205 # PermissionSignerOwner = The primary SEMM enterprise owner identity
206 # PermissionLocal = The user when booting to the UEFI pre-boot GUI
207 # PermissionSignerUser, PermissionSignerUser1, PermissionSignerUser2 =
208 # Additional user identities created so that the signer owner
209 # can delegate permission control for some settings.
210 $ownerOnly = [Microsoft.Surface.IUefiSetting]::PermissionSignerOwner
211 $ownerAndLocalUser = ([Microsoft.Surface.IUefiSetting]::PermissionSignerOwner -bor [Microsoft.Surface.IUefiSetting]::PermissionLocal)
212
213 # Make all permissions owner only by default
214 foreach ($setting IN $uefiV2.Settings.Values) {
215 $setting.ConfiguredPermissionFlags = $ownerOnly
216 }
217 # Allow the local user to change their own password
218 $uefiV2.SettingsById[501].ConfiguredPermissionFlags = $ownerAndLocalUser
219
220 # Allow the local user to change the state of the TPM
221 $uefiV2.Settings["Trusted Platform Module (TPM)"].ConfiguredPermissionFlags = $ownerAndLocalUser
222
223 # Allow the local user to change the state of the Front and Rear cameras
224 $uefiV2.SettingsById[302].ConfiguredPermissionFlags = $ownerAndLocalUser
225 $uefiV2.SettingsById[304].ConfiguredPermissionFlags = $ownerAndLocalUser
226
227
228 # Create a unique package name based on family and LSV.
229 # We will choose a name that can be parsed by later scripts.
230 $packageName = $uefiV2.SurfaceUefiFamily + "^Permissions^" + $lsv + ".pkg"
231 $fullPackageName = Join-Path -Path $packageRoot -ChildPath $packageName
232
233 # Build and sign the Permission package then save it to a file.
234 $permissionPackageStream = $uefiV2.BuildAndSignPermissionPackage($privateOwnerKey, $password, "", $null, $lsv)
235 $permissionPackage = New-Object System.IO.Filestream($fullPackageName, [System.IO.FileMode]::CreateNew, [System.IO.FileAccess]::Write)
236 $permissionPackageStream.CopyTo($permissionPackage)
237 $permissionPackage.Close()
238 }
Each of these lines identifies a Surface UEFI setting by name (through $uefiV2.Settings) or by ID (through
$uefiV2.SettingsById) and sets its ConfiguredPermissionFlags to one of the following values:
$ownerOnly – Permission to modify this setting is granted only to SEMM.
$ownerAndLocalUser – Permission to modify this setting is granted to a local user booting to Surface UEFI,
as well as to SEMM.
You can find information about the available settings names and IDs for Surface UEFI in the Settings Names and
IDs section of this article.
Configure settings
The second region of the script where you will specify the configuration for Surface UEFI is the Configure
Settings region of the ConfigureSEMM.ps1 script, which configures whether each setting is enabled or disabled.
The sample script includes instructions to set all settings to their default values. The script then provides explicit
instructions to disable IPv6 for PXE Boot and to leave the Surface UEFI Administrator password unchanged. You
can find this region beginning with the # Configure Settings comment at line 282 through line 312 in the sample
script. The region appears as follows:
282 # Configure Settings
283 foreach ($uefiV2 IN $surfaceDevices.Values) {
284 # In this demo, we will start by setting every setting to the default factory setting.
285 # You may want to start by doing this in your scripts
286 # so that every setting gets set to a known state.
287 foreach ($setting IN $uefiV2.Settings.Values) {
288 $setting.ConfiguredValue = $setting.DefaultValue
289 }
290
291 # If you want to set something to a different value from the default,
292 # here are examples of how to accomplish this.
293 $uefiV2.Settings["IPv6 for PXE Boot"].ConfiguredValue = "Disabled"
294
295 # If you want to leave the setting unmodified, set it to $null
296 # PowerShell has issues setting things to $null so ClearConfiguredValue()
297 # is supplied to do this explicitly.
298 # Here is an example of leaving the UEFI administrator password as-is,
299 # even after we initially set it to factory default above.
300 $uefiV2.SettingsById[501].ClearConfiguredValue()
301
302 # Create a unique package name based on family and LSV.
303 # We will choose a name that can be parsed by later scripts.
304 $packageName = $uefiV2.SurfaceUefiFamily + "^Settings^" + $lsv + ".pkg"
305 $fullPackageName = Join-Path -Path $packageRoot -ChildPath $packageName
306
307 # Build and sign the Settings package then save it to a file.
308 $settingsPackageStream = $uefiV2.BuildAndSignSecuredSettingsPackage($privateOwnerKey, $password, "", $null, $lsv)
309 $settingsPackage = New-Object System.IO.Filestream($fullPackageName, [System.IO.FileMode]::CreateNew, [System.IO.FileAccess]::Write)
310 $settingsPackageStream.CopyTo($settingsPackage)
311 $settingsPackage.Close()
312 }
As with the permissions in the Configure Permissions section of the script, each Surface UEFI setting is configured
through the $uefiV2 object: the setting is identified by name ($uefiV2.Settings[...]) or by ID
($uefiV2.SettingsById[...]) and its ConfiguredValue is set to Enabled or Disabled.
If you do not want to alter the configuration of a Surface UEFI setting, for example to ensure that the Surface UEFI
administrator password is not cleared by the action of resetting all Surface UEFI settings to their default, you can
use ClearConfiguredValue() to enforce that this setting will not be altered. In the sample script, this is used on
line 300 to prevent the clearing of the Surface UEFI Administrator password, identified in the sample script by its
setting ID, 501.
You can find information about the available settings names and IDs for Surface UEFI in the Settings Names and
IDs section later in this article.
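The following function is an added example and is not part of the Surface documentation or of the ConfigureSEMM.ps1 sample script. It folds the Configure Permissions and Configure Settings regions shown above into one declarative call per Surface UEFI family, and it adds the check a practitioner wants there: a setting name or ID that does not exist on the family is reported as an error instead of being indexed as $null and silently left out of the signed package. It assumes that the Microsoft Surface UEFI Manager assemblies are loaded and that $uefiV2 is a family object taken from the sample script's $surfaceDevices collection; it uses only the members that the sample script itself uses (Settings, SettingsById, SurfaceUefiFamily, DefaultValue, ConfiguredValue, ConfiguredPermissionFlags, ClearConfiguredValue, PermissionSignerOwner and PermissionLocal). The package-building calls are left to the sample script.

```powershell
# Added example, not from the Surface documentation or the sample script. Applies a
# declarative permission and settings policy to one Surface UEFI family object.
function Set-SemmFamilyPolicy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] $UefiFamily,           # one $uefiV2 object from $surfaceDevices.Values
        [string[]] $LocalUserMayChange = @(),          # setting names or numeric IDs the local user may also change
        [hashtable] $Values = @{},                     # desired values, e.g. @{ 'IPv6 for PXE Boot' = 'Disabled' }
        [string[]] $LeaveUnmodified = @()              # settings to leave exactly as they are on the device
    )

    $ownerOnly         = [Microsoft.Surface.IUefiSetting]::PermissionSignerOwner
    $ownerAndLocalUser = $ownerOnly -bor [Microsoft.Surface.IUefiSetting]::PermissionLocal

    # Resolve a name or numeric ID to the setting object. A typo in a policy must stop
    # the run here; indexing a missing key yields $null and the setting would simply be
    # omitted from the signed package without any error.
    function Resolve-Setting {
        param([string] $Key)
        $setting = if ($Key -match '^\d+$') { $UefiFamily.SettingsById[[int]$Key] }
                   else                     { $UefiFamily.Settings[$Key] }
        if ($null -eq $setting) {
            throw "Setting '$Key' does not exist on family '$($UefiFamily.SurfaceUefiFamily)'"
        }
        return $setting
    }

    # 1. Permissions: owner-only for everything, then the explicit local-user exceptions.
    foreach ($setting in $UefiFamily.Settings.Values) {
        $setting.ConfiguredPermissionFlags = $ownerOnly
    }
    foreach ($key in $LocalUserMayChange) {
        (Resolve-Setting -Key $key).ConfiguredPermissionFlags = $ownerAndLocalUser
    }

    # 2. Values: factory defaults for a known state, the desired values on top, and
    #    finally clear the ones that must stay as they are (e.g. the administrator password).
    foreach ($setting in $UefiFamily.Settings.Values) {
        $setting.ConfiguredValue = $setting.DefaultValue
    }
    foreach ($key in $Values.Keys) {
        (Resolve-Setting -Key $key).ConfiguredValue = [string]$Values[$key]
    }
    foreach ($key in $LeaveUnmodified) {
        (Resolve-Setting -Key $key).ClearConfiguredValue()
    }
}

# Usage, reproducing the sample script's choices for every family: password (ID 501),
# TPM and the front and rear cameras (IDs 302 and 304) also changeable by the local
# user, IPv6 PXE boot disabled, and the administrator password left untouched.
foreach ($uefiV2 in $surfaceDevices.Values) {
    Set-SemmFamilyPolicy -UefiFamily $uefiV2 `
        -LocalUserMayChange '501', 'Trusted Platform Module (TPM)', '302', '304' `
        -Values @{ 'IPv6 for PXE Boot' = 'Disabled' } `
        -LeaveUnmodified '501'
    # Next, build and sign the permission and settings packages exactly as the
    # sample script does with BuildAndSignPermissionPackage and BuildAndSignSecuredSettingsPackage.
}
```

Keeping the policy in one place also makes review easier: the list of settings a local user may change is the security-relevant part of a SEMM deployment, and it is far easier to audit as three parameters than as edits scattered through a 300-line script.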
Settings registry key
To identify enrolled systems for Configuration Manager, the ConfigureSEMM.ps1 script writes a registry value that marks
the system as having been configured by the SEMM configuration script. The value can be found at the following
location:
HKLM\SOFTWARE\Microsoft\Surface\SEMM\Enabled_Version1000
The following code fragment, found on lines 352-363, is used to write this registry key:
352 $SurfaceRegKey = "HKLM:\SOFTWARE\Microsoft\Surface\SEMM"
353 New-RegKey $SurfaceRegKey
354 $SurfaceRegValue = Get-ItemProperty $SurfaceRegKey Enabled_Version1000 -ErrorAction SilentlyContinue
355
356 If ($SurfaceRegValue -eq $null)
357 {
358 New-ItemProperty -Path $SurfaceRegKey -Name Enabled_Version1000 -PropertyType String -Value 1 | Out-Null
359 }
360 Else
361 {
362 Set-ItemProperty -Path $SurfaceRegKey -Name Enabled_Version1000 -Value 1
363 }
SETTING ID   SETTING NAME             DESCRIPTION                                   DEFAULT
400          IPv6 for PXE Boot        Enable IPv6 PXE boot before IPv4 PXE boot     Disabled
500          TPM clear EFI protocol   Enable EFI protocol for invoking TPM clear    Disabled
To add the SEMM Configuration Manager scripts to Configuration Manager as an application, use the following
process:
1. Start the Create Application Wizard using Step 1 through Step 5 from the Deploy Microsoft Surface UEFI
Manager section earlier in this article.
2. Proceed through The Create Application Wizard as follows:
General – Select Manually specify the application information, and then click Next.
General Information – Enter a name for the application (for example, SEMM) and any other
information you want such as publisher, version, or comments on this page. Click Next to proceed.
Application Catalog – The fields on this page can be left with their default values. Click Next.
Deployment Types – Click Add to start the Create Deployment Type Wizard.
Proceed through the steps of the Create Deployment Type Wizard, as follows:
General – Click Script Installer from the Type drop-down menu. The Manually specify the
deployment type information option will automatically be selected. Click Next to proceed.
General Information – Enter a name for the deployment type (for example SEMM
Configuration Scripts), and then click Next to continue.
Content – Click Browse next to the Content Location field, and then click the folder where your
SEMM Configuration Manager scripts are located. In the Installation Program field, type the
installation command found earlier in this article. In the Uninstall Program field, enter the
uninstallation command found earlier in this article (shown in Figure 2). Click Next to move to
the next page.
Figure 2. Set the SEMM Configuration Manager scripts as the install and uninstall commands
Detection Method – Click Add Clause to add the SEMM Configuration Manager script
registry key detection rule. The Detection Rule window is displayed, as shown in Figure 3.
Use the following settings:
Click Registry from the Setting Type drop-down menu.
Click HKEY_LOCAL_MACHINE from the Hive drop-down menu.
Enter SOFTWARE\Microsoft\Surface\SEMM in the Key field.
Enter Enabled_Version1000 in the Value field.
Click String from the Data Type drop-down menu.
Click the This registry setting must satisfy the following rule to indicate the
presence of this application button.
Enter 1 in the Value field.
Click OK to close the Detection Rule window.
Figure 3. Use a registry key to identify devices enrolled in SEMM
Click Next to proceed to the next page.
User Experience – Click Install for system from the Installation Behavior drop-down
menu. If you want your users to record and enter the certificate thumbprint themselves, leave
the logon requirement set to Only when a user is logged on. If you want your
administrators to enter the thumbprint for users and the users do not need to see the
thumbprint, click Whether or not a user is logged on from the Logon Requirement drop-
down menu.
Requirements – The ConfigureSEMM.ps1 script automatically verifies that the device is a
Surface device before attempting to enable SEMM. However, if you intend to deploy this script
application to a collection with devices other than those to be managed with SEMM, you could
add requirements here to ensure this application would run only on Surface devices or devices
you intend to manage with SEMM. Click Next to continue.
Dependencies – Click Add to open the Add Dependency window.
Click Add to open the Specify Required Application window.
Enter a name for the SEMM dependencies in the Dependency Group Name
field (for example, SEMM Assemblies).
Click Microsoft Surface UEFI Manager from the list of Available
Applications and the MSI deployment type, and then click OK to close the
Specify Required Application window.
Keep the Auto Install check box selected if you want Microsoft Surface UEFI
Manager installed automatically on devices when you attempt to enable SEMM with
the Configuration Manager scripts. Click OK to close the Add Dependency
window.
Click Next to proceed.
Summary – The information you have entered throughout the Create Deployment Type
wizard is displayed on this page. Click Next to confirm your selections.
Progress – A progress bar and status are displayed on this page while the deployment type is added for the
SEMM script application.
Completion – Confirmation of the deployment type creation is displayed when the process is
complete. Click Close to finish the Create Deployment Type Wizard.
Summary – The information that you entered throughout the Create Application Wizard is
displayed. Click Next to create the application.
Progress – A progress bar and status are displayed on this page while the application is added to the Software
Library.
Completion – Confirmation of the successful application creation is displayed when the application
creation process is complete. Click Close to finish the Create Application Wizard.
After the script application is available in the Software Library of Configuration Manager, you can distribute and
deploy SEMM using the scripts you prepared to devices or collections. If you have configured the Microsoft
Surface UEFI Manager assemblies as a dependency that will be automatically installed, you can deploy SEMM in a
single step. If you have not configured the assemblies as a dependency, they must be installed on the devices you
intend to manage before you enable SEMM.
When you deploy SEMM using this script application and with a configuration that is visible to the end user, the
PowerShell script will start and the thumbprint for the certificate will be displayed by the PowerShell window. You
can have your users record this thumbprint and enter it when prompted by Surface UEFI after the device reboots.
Alternatively, you can configure the application installation to reboot automatically and to install invisibly to the
user – in this scenario, a technician will be required to enter the thumbprint on each device as it reboots. Any
technician with access to the certificate file can read the thumbprint by viewing the certificate with CertMgr.
Instructions for viewing the thumbprint with CertMgr are in the Create or modify the SEMM Configuration
Manager scripts section of this article.
Removal of SEMM from a device deployed with Configuration Manager using these scripts is as easy as
uninstalling the application with Configuration Manager. This action starts the ResetSEMM.ps1 script and properly
unenrolls the device with the same certificate file that was used during the deployment of SEMM.
NOTE
Microsoft Surface recommends that you create reset packages only when you need to unenroll a device. These reset
packages are typically valid for only one device, identified by its serial number. You can, however, create a universal reset
package that would work for any device enrolled in SEMM with this certificate.
We strongly recommend that you protect your universal reset package as carefully as the certificate you used to enroll
devices in SEMM. Please remember that – just like the certificate itself – this universal reset package can be used to unenroll
any of your organization’s Surface devices from SEMM.
When you install a reset package, the Lowest Supported Value (LSV) is reset to a value of 1. You can reenroll a device by
using an existing configuration package – the device will prompt for the certificate thumbprint before ownership is taken.
For this reason, the reenrollment of a device in SEMM would require a new package to be created and installed on that
device. Because this action is a new enrollment and not a change in configuration on a device already enrolled in SEMM, the
device will prompt for the certificate thumbprint before ownership is taken.
Surface Diagnostic Toolkit for Business
11/19/2018 • 4 minutes to read
The Microsoft Surface Diagnostic Toolkit for Business (SDT) enables IT administrators to quickly investigate,
troubleshoot, and resolve hardware, software, and firmware issues with Surface devices. You can run a range of
diagnostic tests and software repairs in addition to obtaining device health insights and guidance for resolving
issues.
Specifically, SDT for Business enables you to:
Customize the package.
Run the app using commands.
Run multiple hardware tests to troubleshoot issues.
Generate logs for analyzing issues.
Obtain a detailed report comparing the device against an optimal configuration.
NOTE
In contrast to the way you typically install MSI packages, the SDT distributable MSI package can only be created by running
Windows Installer (MSI.exe) at a command prompt and setting the custom flag ADMINMODE=1. For details, see Run Surface
Diagnostic Toolkit using commands.
MODE PRIMARY SCENARIOS DOWNLOAD LEARN MORE
Desktop mode – Primary scenarios: Assist users in running SDT on their Surface devices to troubleshoot issues.
Create a custom package to deploy on one or more Surface devices allowing users to select specific logs to collect
and analyze. Download: SDT distributable MSI package (Microsoft Surface Diagnostic Toolkit for Business
Installer.MSI, from Surface Tools for IT). Learn more: Use Surface Diagnostic Toolkit in desktop mode.
Command line – Primary scenarios: Directly troubleshoot Surface devices remotely without user interaction, using
standard tools such as Configuration Manager. It includes the following commands: -DataCollector collects all log
files; -bpa runs health diagnostics using Best Practice Analyzer; -windowsupdate checks Windows update for
missing firmware or driver updates. Download: SDT console app (Microsoft Surface Diagnostics App Console.exe,
from Surface Tools for IT). Learn more: Run Surface Diagnostic Toolkit using commands.
Supported devices
SDT for Business is supported on Surface 3 and later devices, including:
Surface Pro 6
Surface Laptop 2
Surface Go
Surface Go with LTE
Surface Book 2
Surface Pro with LTE Advanced (Model 1807)
Surface Pro (Model 1796)
Surface Laptop
Surface Studio
Surface Studio 2
Surface Book
Surface Pro 4
Surface 3 LTE
Surface 3
Surface Pro 3
Example:
C:\Users\Administrator> msiexec.exe /I "C:\Users\Administrator\Desktop\Microsoft_Surface_Diagnostic_Toolkit_for_Business_Installer.msi" ADMINMODE=1
NOTE
If the setup wizard does not appear, ensure that you are signed into the Administrator account on your computer.
NOTE
This setting is limited to only sharing data generated while running packages.
Figure 4. Select language and telemetry settings
Windows Update page
Select the option appropriate for your organization. Most organizations with multiple users will typically select to
receive updates via Windows Server Update Services (WSUS), as shown in figure 5. If using local Windows update
packages or WSUS, enter the path as appropriate.
Next steps
Use Surface Diagnostic Toolkit for Business in desktop mode
Use Surface Diagnostic Toolkit for Business using commands
Use Surface Diagnostic Toolkit for Business in desktop
mode
11/19/2018 • 2 minutes to read
This topic explains how to use the Surface Diagnostic Toolkit (SDT) to help users in your organization run the tool
to identify and diagnose issues with the Surface device. Successfully running SDT can quickly determine if a
reported issue is caused by failed hardware or user error.
1. Direct the user to install the SDT package from a software distribution point or network share. After it is
installed, you’re ready to guide the user through a series of tests.
2. Begin at the home page, which allows users to enter a description of the issue, and click Continue, as
shown in figure 1.
HARDWARE TEST DESCRIPTION
Display and Sound – Checks brightness, stuck or dead pixels, speaker and microphone functioning
Ports and Accessories – Checks accessories, screen attach and USB functioning
Keyboard and touch – Checks integrated keyboard connection and type cover
Related topics
Run Surface Diagnostic Toolkit for Business using commands
Run Surface Diagnostic Toolkit for Business using
commands
11/19/2018 • 3 minutes to read
Running the Surface Diagnostic Toolkit (SDT) at a command prompt requires downloading the SDT app console.
After it's installed, you can run SDT at a command prompt via the Windows command console (cmd.exe) or using
Windows PowerShell, including PowerShell Integrated Scripting Environment (ISE), which provides support for
autocompletion of commands, copy/paste, and other features.
NOTE
To run SDT using commands, you must be signed in to the Administrator account or signed in to an account that is a
member of the Administrator group on your Surface device.
COMMAND NOTES
-DataCollector "output file" – Collects system details into a zip file. "output file" is the file path to create the
system details zip file.
Example: Microsoft.Surface.Diagnostics.App.Console.exe -DataCollector SDT_DataCollection.zip
-bpa "output file" – Checks several settings and health indicators in the device. "output file" is the file path to
create the HTML report.
Example: Microsoft.Surface.Diagnostics.App.Console.exe -bpa BPA.html
-windowsupdate – Checks Windows update for missing firmware or driver updates.
Example: Microsoft.Surface.Diagnostics.App.Console.exe -windowsupdate
NOTE
To run the SDT app console remotely on target devices, you can use a configuration management tool such as System
Center Configuration Manager. Alternatively, you can create a .zip file containing the console app and appropriate console
commands and deploy per your organization’s software distribution processes.
Value: Protection On
Condition: Optimal
SECURE BOOT
Value: True
Condition: Optimal
Value: True
Condition: Optimal
CONNECTED STANDBY
Description: Checks if Connected Standby is enabled.
Value: True
Condition: Optimal
BLUETOOTH
Value: Enabled
Condition: Optimal
Guidance:
DEBUG MODE
Value: Normal
Condition: Optimal
TEST SIGNING
Value: Normal
Condition: Optimal
Value: Balanced
Condition: Optimal
Guidance: It is highly recommended to use the "Balanced" power plan to
maximize productivity and battery life.
WINDOWS UPDATE
Guidance: Updating to the latest windows makes sure you are on the
latest firmware and drivers. It is recommended to always keep
your device up to date
Value: 66%
Condition: Optimal
Guidance: For best performance, your hard drive should have at least
10% of its capacity as free space.
NON-FUNCTIONING DEVICES
Value:
Condition: Optimal
EXTERNAL MONITOR
Value:
Condition: Optimal
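As an added example (not code from the Surface documentation or from the SDT tool), the following Python reads a -bpa report that has been reduced to the Heading/Value:/Condition:/Guidance: line layout shown above (the tool writes HTML, so extracting its text first is assumed) and lists every check whose Condition is not Optimal, which lets a fleet review pick out devices where Secure Boot, Debug Mode or Test Signing is out of policy. The sample report text is constructed for the example.

```python
"""Parse a Surface Diagnostic Toolkit Best Practice Analyzer (-bpa) report
and flag checks that are not 'Optimal'. Added example, not part of the
Surface documentation or the SDT tool; assumes the report was reduced to
the Heading/Value:/Condition:/Guidance: layout shown above."""
import re
from dataclasses import dataclass, field

# Constructed sample. The 'Not optimal' condition and the False Secure
# Boot value are invented to exercise the flagging logic; the real
# report's wording for a failing check may differ.
SAMPLE_REPORT = """\
SECURE BOOT
Value: False
Condition: Not optimal
Guidance: Enable Secure Boot in Surface UEFI.
CONNECTED STANDBY
Description: Checks if Connected Standby is enabled.
Value: True
Condition: Optimal
TEST SIGNING
Value: Normal
Condition: Optimal
NON-FUNCTIONING DEVICES
Value:
Condition: Optimal
"""

HEADING = re.compile(r"^[A-Z][A-Z0-9 \-]*$")  # e.g. "SECURE BOOT"
FIELD = re.compile(r"^(Description|Value|Condition|Guidance):\s*(.*)$")

@dataclass
class Check:
    name: str
    fields: dict = field(default_factory=dict)

def parse_bpa_report(text: str) -> list:
    """Group report lines into one Check per upper-case heading."""
    checks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FIELD.match(line)
        if m and current is not None:
            current.fields[m.group(1).lower()] = m.group(2).strip()
        elif HEADING.match(line):
            current = Check(line)
            checks.append(current)
        elif current is not None and "guidance" in current.fields:
            # Guidance text wraps onto following lines; re-join it.
            current.fields["guidance"] += " " + line
    return checks

def non_optimal(checks) -> list:
    """Names of checks whose Condition is anything other than Optimal;
    Secure Boot, Debug Mode and Test Signing are the ones to act on first."""
    return [c.name for c in checks
            if c.fields.get("condition", "").lower() != "optimal"]
```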
Surface Data Eraser
Find out how the Microsoft Surface Data Eraser tool can help you securely wipe data from your Surface devices.
Microsoft Surface Data Eraser is a tool that boots from a USB stick and allows you to perform a secure wipe of all
data from a compatible Surface device. A Microsoft Surface Data Eraser USB stick requires only the ability to boot
from USB. The USB stick is easy to create by using the provided wizard, the Microsoft Surface Data Eraser
wrapper, and is easy to use with a simple graphic interface, no command line needed. To learn more about the data
wiping capabilities and practices Microsoft uses during the service process for Surface, see Protecting your data if
you send your Surface in for service.
IMPORTANT
Microsoft Surface Data Eraser uses the NVM Express (NVMe) format command to erase data as authorized in NIST Special
Publication 800-88 Revision 1.
NOTE
Third-party devices, Surface devices running Windows RT (including Surface and Surface 2), and Surface Pro are not
compatible with Microsoft Surface Data Eraser.
NOTE
Because the ability to boot to USB is required to run Microsoft Surface Data Eraser, if the device is not configured to boot
from USB or if the device is unable to boot or POST successfully, the Microsoft Surface Data Eraser tool will not function.
NOTE
If your device does not boot to USB using these steps, you may need to turn on the Enable Alternate Boot
Sequence option in Surface UEFI. You can read more about Surface UEFI boot configuration in Manage Surface UEFI
Settings.
3. When the Surface device boots, a SoftwareLicenseTerms text file is displayed, as shown in Figure 4.
Figure 4. Booting the Microsoft Surface Data Eraser USB stick
4. Read the software license terms, and then close the Notepad file.
5. Accept or decline the software license terms by typing Accept or Decline. You must accept the license
terms to continue.
6. The Microsoft Surface Data Eraser script detects the storage devices that are present in your Surface device
and displays the details of the native storage device. To continue, press Y (this action runs Microsoft Surface
Data Eraser and removes all data from the storage device) or press N (this action shuts down the device
without removing data).
NOTE
The Microsoft Surface Data Eraser tool will delete all data, including Windows operating system files required to boot
the device, in a secure and unrecoverable way. To boot a Surface device that has been wiped with Microsoft Surface
Data Eraser, you will first need to reinstall the Windows operating system. To remove data from a Surface device
without removing the Windows operating system, you can use the Reset your PC function. However, this does not
prevent your data from being recovered with forensic or data recovery capabilities. See Recovery options in Windows
10 for more information.
Figure 5. Partition to be erased is displayed in Microsoft Surface Data Eraser
7. If you pressed Y in step 6, an additional dialog box is displayed to confirm your choice, because the data
erasure process is destructive.
8. Click the Yes button to continue erasing data on the Surface device.
NOTE
When you run Surface Data Eraser on the Surface Data Eraser USB drive, a log file is generated in the
SurfaceDataEraserLogs folder.
NOTE
Surface Data Eraser v3.2.45.0 and above can be used to restore Surface Pro or Surface Laptop devices with the 1TB storage
option in the scenario that the device shows two separate 512GB volumes or encounters errors when attempting to deploy
or install Windows 10. See Surface Pro Model 1796 and Surface Laptop 1TB display two drives for more information.
Version 3.2.36.0
This version of Microsoft Surface Data Eraser adds support for the following:
Surface Pro
Surface Laptop
NOTE
The Microsoft Surface Data Eraser USB drive creation tool is unable to run on Windows 10 S. To wipe a Surface Laptop
running Windows 10 S, you must first create the Microsoft Surface Data Eraser USB drive on another computer with
Windows 10 Pro or Windows 10 Enterprise.
Top support solutions for Surface devices
5/10/2018 • 2 minutes to read
Microsoft regularly releases both updates and solutions for Surface devices. To ensure your devices can receive
future updates, including security updates, it's important to keep your Surface devices updated. For a complete
listing of the update history, see Surface update history and Install Surface and Windows updates.
These are the top Microsoft Support solutions for common issues experienced when using Surface devices in an
enterprise.
Change history for Surface documentation
This topic lists new and updated topics in the Surface documentation library.
November 2018
NEW OR CHANGED TOPIC DESCRIPTION
Download the latest firmware and drivers for Surface devices Added Surface Pro 6
October 2018
NEW OR CHANGED TOPIC DESCRIPTION
Download the latest firmware and drivers for Surface devices Added Surface GO
May 2018
NEW OR CHANGED TOPIC DESCRIPTION
Surface device compatibility with Windows 10 Long-Term Servicing Channel (LTSC) – Removed note box around content
February 2018
NEW OR CHANGED TOPIC DESCRIPTION
January 2018
NEW OR CHANGED TOPIC DESCRIPTION
Surface device compatibility with Windows 10 Long-Term Servicing Channel (LTSC) – Updated Current Branch (CB) or
Current Branch for Business (CBB) servicing options with Semi-Annual Channel (SAC) information
Wake On LAN for Surface devices – Added Surface Book 2, Surface Laptop, Surface Pro, Surface Pro with LTE
Advanced, and Surface Pro information
December 2017
NEW OR CHANGED TOPIC DESCRIPTION
Download the latest firmware and drivers for Surface devices – Added Surface Book 2, Surface Laptop, Surface Pro,
and Surface Pro with LTE Advanced information
November 2017
NEW OR CHANGED TOPIC DESCRIPTION
October 2017
NEW OR CHANGED TOPICS DESCRIPTION
Microsoft Surface Diagnostic Toolkit – Topic removed. The Microsoft Surface Diagnostic Toolkit is no longer available
for download.
September 2017
NEW OR CHANGED TOPIC DESCRIPTION
June 2017
NEW OR CHANGED TOPIC DESCRIPTION
Surface Data Eraser Update compatible devices, added version 3.2.36 information
Surface device compatibility with Windows 10 Long-Term Servicing Branch – New (supersedes Long-Term Servicing
Branch for Surface devices)
January 2017
NEW OR CHANGED TOPIC DESCRIPTION
December 2016
NEW OR CHANGED TOPIC DESCRIPTION
Download the latest firmware and drivers for Surface devices – Added driver info for Surface Studio; updated info for
Surface Book and Surface Pro 4 (Windows 10 .zip cumulative update), Surface Pro 3 (Windows8.1-KB2969817-x64.msu),
and Surface 3 (UEFI Asset Tag management tool)
November 2016
NEW OR CHANGED TOPIC DESCRIPTION
Surface Enterprise Management Mode Added procedure for viewing certificate thumbprint.
October 2016
NEW OR CHANGED TOPIC DESCRIPTION