| title | description | ms.assetid | manager | ms.service | author | ms.author | ms.topic | ms.date | ms.localizationpriority | appliesto | ||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
Manage Surface Hub with an MDM provider | Microsoft Surface Hub provides an enterprise management solution to help IT administrators manage policies and business applications on these devices using a mobile device management (MDM) solution. | 18EB8464-6E22-479D-B0C3-21C4ADD168FE | frankbu | surface-hub | coveminer | chauncel | how-to | 02/08/2023 | medium |
|
Surface Hub allows IT administrators to manage settings and policies using a mobile device management (MDM) provider such as Microsoft Intune. Surface Hub has a built-in management component to communicate with the management server. There is no need to install additional clients on the device.
To enroll, see Enroll Surface Hub into MDM management.
The foundational building block of policy settings management in Intune and other MDM providers is the XML-based Open Mobile Alliance-Device Management (OMA-DM) protocol. Windows implements OMA-DM XML via one of many available Configuration service providers (CSPs) with names like AccountManagement CSP, DeviceStatus CSP, WiFi-CSP, and so on. For a complete list, refer to CSPs supported in Microsoft Surface Hub.
Microsoft Intune and other MDM providers use CSPs to deliver a UI that enables you to configure policy settings within Configuration profiles. Intune uses the Surface Hub CSP for its built-in template — Device restrictions (Windows 10 Team) — letting you configure basic settings such as preventing Surface Hub from "waking up" whenever anyone moves nearby within its proximity range. To manage Hub settings and features outside of Intune's built-in profile, you'll need to use a custom profile, as shown below.
To summarize, options to configure and manage policy settings within Intune include the following:
- Create a Device restriction profile. Use Intune's built-in Surface Hub template and configure settings directly in the Intune UI. See Create device restriction profile.
- Create a Device configuration profile. Select a template focused on a specific feature or technology such as Microsoft Defender or security certificates. See Create Device configuration profile.
- Create a Custom configuration profile. Extend your scope of management using an OMA Uniform Resource Identifier (OMA URI) from any of the CSPs supported in Microsoft Surface Hub. See Create custom configuration profile.
Note
Profiles should be assigned to device groups containing the enrolled Surface Hub devices.
Sign in to Microsoft Intune admin center, select Devices > Configuration profiles > +Create profile.
Under Platform, select Windows 10 and later >
Under Profile type, select Templates and then select Device restrictions (Windows 10 Team)
Select Create, add a name and then select Next.
You can now browse and choose from preset device restriction settings for Surface Hub across the following categories: Apps and experience, Azure operational insights, Maintenance, Session, and Wireless projection. The example shown in the following figure specifies a 4-hour maintenance window and a 15 minute timeout for screen, sleep and session resume.
For more information about creating and managing profiles, see Restrict devices features using policy in Microsoft Intune.
For more information about how to manage Surface Hub features and settings, see Windows 10 Team settings to allow or restrict features on Surface Hub using Intune
Sign in to Microsoft Intune admin center, select Devices > Configuration profiles > + Create profile.
Under Platform, select Windows 10 and later >
Under Profile type, select Templates and choose from the following templates supported on Surface Hub:
- Device restrictions (Windows 10 Team), as described in the previous section.
- Microsoft Defender for Endpoint (Windows 10 Desktop)
- PKCS certificate
- PKCS imported certificate
- SCEP certificate
- Trusted certificate
You can extend the scope of management by creating a custom profile using an OMA URI from any of the CSPs supported in Microsoft Surface Hub. Each setting in a CSP has a corresponding OMA-URI that you can set by using custom configuration profiles in Intune. For details on the CSPs supported by Surface Hub, you can reference the following resources:
Note
Managing the device account using settings from SurfaceHub CSP is not currently possible with Intune and requires using a third-party MDM provider.
To implement CSP-based policy settings, begin by generating an OMA URI and then add it to a custom configuration profile in Intune.
To generate the OMA URI for any setting:
- In the CSP documentation, identify the root node of the CSP. Generally, this looks like ./Vendor/MSFT/NameOfCSP.
- Example: The root node of the SurfaceHub CSP is ./Vendor/MSFT/SurfaceHub.
- Identify the node path for the setting you want to use.
- Example: The node path for the setting to enable wireless projection is InBoxApps/WirelessProjection/Enabled.
- Append the node path to the root node to generate the OMA URI.
- Example: The OMA URI for the setting to enable wireless projection is ./Vendor/MSFT/SurfaceHub/InBoxApps/WirelessProjection/Enabled.
- The data type is also stated in the CSP documentation. The most common data types are:
- char (String)
- int (Integer)
- bool (Boolean)
- In Microsoft Intune, select Devices > Configuration profiles > Create profile.
- Under Platform select Windows 10 and later. Under Profile, select Custom, and then select Create.
- Add a name and optional description and then select Next.
- Under Configuration settings > OMA-URI Settings, select Add.
This section highlights Teams and Skype for Business settings that you can manage via Intune or other MDM provider. This includes:
To ensure optimal video and audio quality on Surface Hub, add the following QoS settings to the device.
| Name | Description | OMA-URI | Type | Value |
|---|---|---|---|---|
| Audio Ports | Audio Port range | ./Device/Vendor/MSFT/NetworkQoSPolicy/Audio/SourcePortMatchCondition | String | 50000-50019 |
| Audio DSCP | Audio ports marking | ./Device/Vendor/MSFT/NetworkQoSPolicy/Audio/DSCPAction | Integer | 46 |
| Video Ports | Video Port range | ./Device/Vendor/MSFT/NetworkQoSPolicy/Video/SourcePortMatchCondition | String | 50020-50039 |
| Video DSCP | Video ports marking | ./Device/Vendor/MSFT/NetworkQoSPolicy/Video/DSCPAction | Integer | 34 |
| Sharing Ports | Sharing Port range | ./Device/Vendor/MSFT/NetworkQoSPolicy/Sharing/SourcePortMatchCondition | String | 50040-50059 |
| Sharing DSCP | Sharing ports marking | ./Device/Vendor/MSFT/NetworkQoSPolicy/Sharing/DSCPAction | Integer | 18 |
Note
The table shows default port ranges. Administrators may change the port ranges in the Skype for Business and Teams control panel.
You can create a Custom configuration profile to manage Teams Coordinated Meetings, Proximity Join, and other features. To learn more, see Manage Microsoft Teams configuration on Surface Hub.
The default app for meetings & calls on the Surface Hub varies depending on how you install Windows 10 Team 2020 Update (aka Windows 10 20H2 Team edition). If you re-image a Surface Hub to Windows 10 20H2, Microsoft Teams will be set as the default, with Skype for Business not available (Mode 1). If you upgrade your Hub from an earlier OS version, Skype for Business will remain as the default, with Teams functionality available (Mode 0) unless you had already configured Teams as your default.
To change the default installation, use a custom profile to set the Teams Meeting Mode as follows:
- Mode 0 — Skype for Business with Microsoft Teams functionality for scheduled meetings.
- Mode 1 — Microsoft Teams only.
| Name | Description | OMA-URI | Type | Value |
|---|---|---|---|---|
| Teams App ID | App name | ./Vendor/MSFT/SurfaceHub/Properties/VtcAppPackageId | String | Microsoft.MicrosoftTeamsforSurfaceHub_8wekyb3d8bbwe!Teams |
| Teams App Mode | Teams mode | ./Vendor/MSFT/SurfaceHub/Properties/SurfaceHubMeetingMode | Integer | 0 or 1 |
Quality of Service (QoS) is a combination of network technologies that allows the administrators to optimize the experience of real time audio/video and application sharing communications.
Configuring QoS for Teams or Skype for Business on the Surface Hub can be done using your MDM provider or through a provisioning package.
This procedure explains how to configure QoS for Surface Hub using Microsoft Intune.
In Intune, create a custom policy.
[!div class="mx-imgBorder"]
In Custom OMA-URI Settings, select Add. For each setting that you add, you will enter a name, description (optional), data type, OMA-URI, and value.
[!div class="mx-imgBorder"]
Add the following custom OMA-URI settings:
Name Data type OMA-URI
./Device/Vendor/MSFT/NetworkQoSPolicyValue Audio Source Port String /HubAudio/SourcePortMatchCondition Get the values from your Skype administrator Audio DSCP Integer /HubAudio/DSCPAction 46 Video Source Port String /HubVideo/SourcePortMatchCondition Get the values from your Skype administrator Video DSCP Integer /HubVideo/DSCPAction 34 Audio Process Name String /HubAudio/AppPathNameMatchCondition Microsoft.PPISkype.Windows.exe Video Process Name String /HubVideo/AppPathNameMatchCondition Microsoft.PPISkype.Windows.exe [!IMPORTANT] Each OMA-URI path begins with
./Device/Vendor/MSFT/NetworkQoSPolicy. The full path for the audio source port setting, for example, will be./Device/Vendor/MSFT/NetworkQoSPolicy/HubAudio/SourcePortMatchCondition.When the policy has been created, deploy it to Surface Hub.
Warning
Currently, you cannot configure the setting IPProtocolMatchCondition in the NetworkQoSPolicy CSP. If this setting is configured, the policy will fail to apply.
