Manage Surface Hub with an MDM provider

• 03/25/2021
• 7 minutes to read
• • D
  • D
  • C
  • S

Surface Hub allows IT administrators to manage settings and policies using a mobile device management (MDM) provider such as Microsoft Intune. Surface Hub has a built-in management component to communicate with the management server. There is no need to install additional clients on the device.

Enrolling Surface Hub into MDM management

You can enroll Surface into Microsoft Intune or other MDM provider via manual or auto enrollment.

Manual enrollment

1. Open the Settings app and sign in as a local administrator. Select Surface Hub > Device management and then select +Device management.
2. You will be prompted to sign in with the account to use for your MDM provider. After authenticating, the device automatically enrolls with your MDM provider.

Auto Enrollment — Azure AD affiliated

During the initial setup process, when affiliating Surface Hub with an Azure Active Directory (AD) tenant that has Intune auto enrollment enabled, the device will automatically enroll with Intune. To learn more, refer to Intune enrollment methods for Windows devices. Azure AD affiliation and Intune auto enrollment is required for the Surface Hub to be a "compliant device" in Intune.

Manage Surface Hub Windows 10 Team settings with Intune

The foundational building block of policy settings management in Intune and other MDM providers is the XML-based Open Mobile Alliance-Device Management (OMA-DM) protocol. Windows 10 implements OMA-DM XML via one of many available Configuration service providers (CSPs) with names like AccountManagement CSP, DeviceStatus CSP, Wirednetwork-CSP, and so on. For a complete list, refer to CSPs supported in Microsoft Surface Hub.

Microsoft Intune and other MDM providers use CSPs to deliver a UI that enables you to configure policy settings within Configuration profiles. Intune uses the Surface Hub CSP for its built in profile — Device restrictions (Windows 10 Team) — letting you configure basic settings such as preventing Surface Hub from "waking up" whenever anyone moves nearby within its proximity range. To manage Hub settings and features outside of Intune's built-in profile, you'll need to use a custom profile, as shown below.

To summarize, options to configure and manage policy settings within Intune include the following:

• Create a Device restriction profile. Use Intune's built in profile and configure settings directly in the Intune UI. See Create device restriction profile.
• Create a Device configuration profile. Select a template focused on a specific feature or technology such as Microsoft Defender or security certificates. See Create Device configuration profile.
• Create a Custom configuration profile. Extend your scope of management using an OMA Uniform Resource Identifier (OMA URI) from any of the CSPs supported in Microsoft Surface Hub. See Create custom configuration profile.

Create Device restriction profile

1. Sign in to Microsoft Endpoint Manager admin center, select Devices > Configuration profiles > + Create profile.

2. Under Platform, select Windows 10 and later >

3. Under Profile type, select Templates and then select Device restrictions (Windows 10 Team)

4. Select Create, add a name and then select Next.

5. You can now browse and choose from preset device restriction settings for Surface Hub across the following categories: Apps and experience, Azure operational insights, Maintenance, Session, and Wireless projection. The example shown in the following figure specifies a 4-hour maintenance window and a 15 minute timeout for screen, sleep and session resume.

   

For more information about creating and managing profiles, see Restrict devices features using policy in Microsoft Intune.

For more information about how to manage Surface Hub features and settings, see Surface Hub Windows 10 Team device restrictions in Microsoft Intune

Create Device configuration profile

1. Sign in to Microsoft Endpoint Manager admin center, select Devices > Configuration profiles > + Create profile.

2. Under Platform, select Windows 10 and later >

3. Under Profile type, select Templates and choose from the following templates supported on Surface Hub:

   • Device restrictions (Windows 10 Team), as described in the previous section.
   • Microsoft Defender for Endpoint (Windows 10 Desktop)
   • PKCS certificate
   • PKCS imported certificate
   • SCEP certificate
   • Trusted certificate

Create Custom configuration profile

You can extend the scope of management by creating a custom profile using an OMA URI from any of the CSPs supported in Microsoft Surface Hub. Each setting in a CSP has a corresponding OMA-URI that you can set by using custom configuration profiles in Intune. For details on the CSPs supported by Surface Hub, you can reference the following resources:

• Configuration service provider reference
• Policy CSPs supported by Microsoft Surface Hub
• SurfaceHub CSP

To implement CSP-based policy settings, begin by generating an OMA URI and then add it to a custom configuration profile in Intune.

Generate OMA URI for target setting

To generate the OMA URI for any setting:

1. In the CSP documentation, identify the root node of the CSP. Generally, this looks like ./Vendor/MSFT/.
   • Example: The root node of the SurfaceHub CSP is ./Vendor/MSFT/SurfaceHub.
2. Identify the node path for the setting you want to use.
   • Example: The node path for the setting to enable wireless projection is InBoxApps/WirelessProjection/Enabled.
3. Append the node path to the root node to generate the OMA URI.
   • Example: The OMA URI for the setting to enable wireless projection is ./Vendor/MSFT/SurfaceHub/InBoxApps/WirelessProjection/Enabled.
4. The data type is also stated in the CSP documentation. The most common data types are:
   • char (String)
   • int (Integer)
   • bool (Boolean)

Add OMA URI to Custom configuration profile

1. In Endpoint Manager, select Devices > Configuration profiles > Create profile.
2. Under Platform select Windows 10 and later. Under Profile, select Custom, and then select Create.
3. Add a name and optional description and then select Next.
4. Under Configuration settings > OMA-URI Settings, select Add.

Manage specific Surface Hub features

This section highlights information about features that you can manage via Intune or other MDM provider. This includes:

• Quality of Service (QoS)
• Microsoft Teams and Skype for Business

Quality of Service settings

To ensure optimal video and audio quality on Surface Hub, add the following QoS settings to the device.

Skype for Business QoS settings

Microsoft Teams and Skype for Business settings

You can create a Custom configuration profile to manage Teams Coordinated Meetings, Proximity Join, and other features. To learn more, see Manage Microsoft Teams configuration on Surface Hub.

Changing default business communications platform

The default business communications platform on Surface Hub varies depending on how you install Windows 10 Team 2020 Update (aka Windows 10 20H2). If you re-image Surface Hub to Windows 10 20H2, Microsoft Teams will be set as the default, with Skype for Business functionality available (Mode 1). If you upgrade your Hub from an earlier OS version, Skype for Business will remain as the default, with Teams functionality available (Mode 0) unless you had already configured Teams as your default.

To change the default installation, use a custom profile by setting the Teams App Mode as follows:

• Mode 0 — Skype for Business with Microsoft Teams functionality for scheduled meetings.
• Mode 1 — Microsoft Teams with Skype for Business functionality for scheduled meetings.
• Mode 2 — Microsoft Teams only.