Adventures with Surface Hubs 2S

Just recently, I’ve been working with one of our clients who have purchased several Surface Hub 2S devices (in both 85″ and 50″ sizes) as part of their Meetings Rooms project.

If you haven’t come across them before, they are a seriously hefty piece of kit (the 85″ weighs in at 130kg, and it took three of us to take it out of its packaging). They include Microsoft Teams for Hubs as part of the installation and allow your users to have a Teams meeting with everyone in the room.

So how do we go about deploying them?

Determine your naming convention.

Since you’re creating a Room Mailbox for each Hub, there are certain requirements for the name. The Alias becomes the device name in Intune, so it cannot be longer than 15 characters and may only contain uppercase letters, lowercase letters and hyphens.

Set up Surface Enterprise Management Mode.

Download the Microsoft Surface UEFI Configurator and install it on a spare laptop. Now create a Surface UEFI configuration package, which sets which tasks are available on the Hub and installs the security certificate. You will need a spare USB drive, which will be formatted in the process.

Enroll and configure Surface devices with SEMM (Surface) – Surface | Microsoft Docs

Create a Provisioning Package.

Download the Windows Configuration Designer and install it onto that laptop. You’ll now create a Provisioning Package (PPKG file) containing the security certificates, enrolment with Azure AD, enrolment with Intune and a configuration file.

Install Windows Configuration Designer (Windows 10/11) – Configure Windows | Microsoft Docs

Create provisioning packages – Surface Hub | Microsoft Docs

Create a Configuration File.

The configuration file is simply a CSV file (named SurfaceConfiguration.csv) which has three columns: DeviceName, Password, Friendly Name. Copy that file into the root of your SEMM USB drive. Take care when creating this file, and use the UPN as the DeviceName.

A mistake can result in an OOBEPROVISIONINGENTRY error, and you will have no choice but to complete a full reset of the device (which can take up to 3 hours).
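Because a bad row costs a full reset, it is worth checking the file before it goes onto the USB drive. The function below is an added example, not part of the original post or any Microsoft tooling. It assumes the alias is the part of the UPN before the `@`, treats a header row as optional, and takes the 15-character limit and the letters-and-hyphens rule from the naming section above; the function name, sample rows and domain are constructed.

```powershell
# Added example: pre-flight check for SurfaceConfiguration.csv (not Microsoft tooling).
# Assumptions: the alias is the part of the UPN before '@'; a header row is optional.
function Test-HubConfigCsv {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Character set as stated in the naming section: letters and hyphens only.
        [string]$AliasPattern = '^[A-Za-z-]+$'
    )
    $seen = @{}
    $rowNumber = 0
    # A fourth header exposes stray commas that would shift the columns.
    foreach ($row in Import-Csv -LiteralPath $Path -Header DeviceName, Password, FriendlyName, Extra) {
        $rowNumber++
        if ($rowNumber -eq 1 -and $row.DeviceName -eq 'DeviceName') { continue }  # skip header row
        $problems = @()
        $raw = "$($row.DeviceName)"
        $upn = $raw.Trim()
        $parts = $upn -split '@'
        if ($upn -ne $raw) { $problems += 'leading or trailing whitespace in DeviceName' }
        if ($parts.Count -ne 2 -or -not $parts[0] -or -not $parts[1]) {
            $problems += 'DeviceName is not a UPN (alias@domain)'
        } else {
            $alias = $parts[0]
            if ($alias.Length -gt 15) { $problems += "alias is $($alias.Length) characters (limit 15)" }
            if ($alias -notmatch $AliasPattern) { $problems += "alias does not match $AliasPattern" }
            if ($seen.ContainsKey($alias.ToLower())) { $problems += 'alias duplicates an earlier row' }
            $seen[$alias.ToLower()] = $true
        }
        if ([string]::IsNullOrWhiteSpace($row.Password)) { $problems += 'Password is empty' }
        if ([string]::IsNullOrWhiteSpace($row.FriendlyName)) { $problems += 'Friendly Name is empty' }
        if ($null -ne $row.Extra) { $problems += 'more than three columns (unquoted comma?)' }
        # Report the row and UPN only; the password is never written to output.
        foreach ($p in $problems) {
            [pscustomobject]@{ Row = $rowNumber; DeviceName = $upn; Problem = $p }
        }
    }
}

# Constructed sample rows (not real accounts): one valid, one with an underscore,
# one with an 18-character alias and a missing password.
$sample = Join-Path ([IO.Path]::GetTempPath()) 'SurfaceConfiguration.csv'
@'
Hub-Boardroom@contoso.example,Example-Pass-1,Boardroom Hub
hub_reception@contoso.example,Example-Pass-2,Reception Hub
Hub-Level-Two-West@contoso.example,,Level Two West Hub
'@ | Set-Content -LiteralPath $sample
Test-HubConfigCsv -Path $sample | Format-Table -AutoSize
```

The file holds the device account passwords in clear text, so delete the temporary copy and wipe the USB drive once the Hubs are provisioned.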

Power up the Hub, holding down the Volume Down button.

It will take you into the UEFI menu where you can import the SEMM details from the USB. It will reset the Hub and ask for the last two characters of the certificate thumbprint. After checking the certificate is installed, restart the device.

The Hub will then go through the standard Out-of-Box Experience (OOBE). The provisioning package will install the certificates and enrol the device into Azure AD. If you get the OOBEPROVISIONINGENTRY error, double-check the SurfaceConfiguration.csv file.

On the other hand, the Hub may join Azure AD but show up in Intune with the wrong name (look for SH-xxxxxxxxxxxxxxxx, where xxxxxxxxxxxxxxxx is the serial number). That indicates the CSV has an invalid character, like an underscore.
