IT best practices for Surface devices

Microsoft Surface devices provide a unique and innovative experience, and the IT management of these devices should be tailored to your organization. We’ve gathered some best practices and tips from the field to help.

Device updates and deployments

1. Always test and deploy the latest version of the device’s firmware and drivers. Historically, many IT departments haven’t paid much attention to drivers and firmware updates released for first- and third-party devices, but it is critical for these devices to run smoothly. These updates often improve security, reliability, connectivity, compatibility, performance and battery life.

2. Transform a device with Windows AutoPilot instead of re-imaging it. If you are using legacy imaging technologies, or even System Center Configuration Manager, it is not a good idea to push a legacy FAT image to a Surface device. While it can be done, there are many dependencies and it may impact the modern engineering and device integration with the operating system. Instead, it is recommended to use Windows AutoPilot and Microsoft Intune to transform the operating system, rather than re-imaging the whole device.

3. With Windows Semi-Annual Channel, Surface devices make excellent candidates for piloting and targeted deployments. With the Semi-Annual Channel, each year Microsoft targets the release of two Windows Feature Updates, each with an 18-month servicing timeline. The modern form factor, chipsets, and Microsoft-tested and approved environment make Surface devices the logical choice for your first wave of deployments. You’ll also often find the latest features and capabilities of Windows on Surface first. Keeping your Microsoft 365 services up to date using the Semi-Annual Channel ensures the devices in your organization get the latest updates less frequently, in a controlled manner, expected only twice a year.

Imaging best practices

If you must re-image a Surface device, here are some important recommendations before doing so:

1. Ensure your Configuration Manager environment is up to date. This includes your Windows PE (WinPE) and Windows Assessment and Deployment Kit (ADK) add-ons. If they are being used, they should also be kept up to date, as Microsoft premier field engineers (PFEs) have seen issues with this in the past.

2. Windows PE boot images are often overlooked and can cause issues with deployments. They might work, but they can cause random issues and should be updated regularly when System Center Configuration Manager (SCCM) undergoes maintenance. You must use a WinPE or ADK version that is currently supported and is at least the minimum supported version of Windows for the device.

3. Drivers and firmware are delivered using MSI files, which are cumulative packages with drivers and firmware updates combined. There are 3 ways to update a Surface business device: via Windows Update for Business (preferred), or SCCM, or deployment of an MSI package.

4. Never pick and choose drivers or firmware from an update package; always apply the entire package. Microsoft only tests the package as a whole, so if you pick apart the package you will be running a configuration that has not been tested by Microsoft.

5. SCCM will be able to pick up on updated drivers missing from Surface devices if the Software Update Point (SUP) is running Windows Server 2016 or better. However, the suggested way is to move to Microsoft Intune for the patching workload. SCCM Co-Management can assist with this.

6. If required, add in the most recent Surface Ethernet adapter driver from the Microsoft Update Catalog, as this is not included by default. Ethernet adapters and Surface deployment information can be found here.

7. If you are re-imaging and injecting drivers, make sure to only apply the driver packages that are directly applicable. Do not just dump drivers into an SCCM or Windows Deployment Services (WDS) folder. Please read this blog post describing the WMI query to use, and learn how to manage Surface driver updates within SCCM here.

8. To extract drivers, the command is similar to this:

   msiexec /a SurfacePro_Win10_15063_1704007_0.msi targetdir=C:\SurfacePro\Version1703\1704007 /qn

   The build number in the MSI means it’s designed for the corresponding version of Windows or higher (e.g. 1703+). Always use the most recent MSI available for your Windows version.

9. Make sure to document key software bits from a version, such as Visual C++ Redistributable, the Surface app, etc. They should all be pre-installed.

10. Avoid using disk cloning tools for image installation.

11. Capture your Windows Imaging Format (WIM) files in a Virtual Machine (VM).
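The following PowerShell is an added example, not code from the Microsoft document: it reads the target build and model out of a Surface MSI file name, refuses the package on a device it was not built for (items 4 and 7), and otherwise unpacks it whole with the administrative install from item 8. It assumes file names follow the pattern shown above (SurfacePro_Win10_15063_1704007_0.msi, where 15063 is the minimum Windows 10 build) and that Win32_ComputerSystem.Model with spaces removed equals the model prefix of the file name.

```powershell
# Added example, not from the Microsoft document: pick a Surface driver/firmware
# MSI that fits the running Windows build and model, then unpack it whole with
# an administrative install (items 3, 4, 7 and 8 above). Assumed: file names
# follow the pattern SurfacePro_Win10_15063_1704007_0.msi (15063 = minimum
# Windows 10 build) and Win32_ComputerSystem.Model without spaces equals the
# model prefix of the file name. Run in an elevated PowerShell session.

# Windows 10 build -> version, for the builds this document refers to (1703+).
$BuildToVersion = @{ 15063 = '1703'; 16299 = '1709'; 17134 = '1803'; 17763 = '1809' }

function Get-SurfaceMsiInfo {
    param([Parameter(Mandatory)][string]$Path)
    $name = [System.IO.Path]::GetFileName($Path)
    $pattern = '^(?<model>[A-Za-z0-9]+)_Win10_(?<build>\d{5})_(?<ver>[\d\.]+)_\d+\.msi$'
    if (-not ($name -match $pattern)) { throw "Unrecognised Surface MSI name: $name" }
    [pscustomobject]@{ Model = $Matches.model; MinBuild = [int]$Matches.build
                       Version = $Matches.ver; Path = $Path }
}

function Test-SurfaceMsiApplies {
    # The package targets its build number "or higher" and one model only;
    # anything else would be an untested combination, so refuse it.
    param([Parameter(Mandatory)]$Info,
          [int]$HostBuild = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber,
          [string]$HostModel = (Get-CimInstance Win32_ComputerSystem).Model)
    $sameModel = (($HostModel -replace '\s', '') -eq $Info.Model)   # assumption, see above
    return ($HostBuild -ge $Info.MinBuild) -and $sameModel
}

function Expand-SurfaceMsi {
    param([Parameter(Mandatory)][string]$Path, [string]$Root = 'C:\SurfaceDrivers')
    $info = Get-SurfaceMsiInfo -Path $Path
    if (-not (Test-SurfaceMsiApplies -Info $info)) {
        throw "$($info.Path) does not apply here (needs build $($info.MinBuild)+, model $($info.Model))."
    }
    $ver = $BuildToVersion[$info.MinBuild]
    if (-not $ver) { $ver = "build$($info.MinBuild)" }
    $target = Join-Path $Root "$($info.Model)\$ver\$($info.Version)"
    New-Item -ItemType Directory -Force -Path $target | Out-Null
    # /a unpacks the entire package; individual drivers are never cherry-picked.
    $msiArgs = "/a `"$Path`" targetdir=`"$target`" /qn"
    $proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
    if ($proc.ExitCode -ne 0) { throw "msiexec exited with code $($proc.ExitCode)" }
    return $target
}

# Usage (the path is a placeholder):
# Expand-SurfaceMsi -Path 'C:\Downloads\SurfacePro_Win10_15063_1704007_0.msi'
```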

Office tips

1. Keep Office up to date. Office is frequently updated with new and innovative features, security updates, and performance improvements. There is fantastic inking and 3D functionality across the various apps. There are also many improvements such as DPI scaling fixes when connected to external displays.

2. Consider the 64-bit version of Office. The 32-bit version may have memory constraints that can cause issues on high DPI devices.

3. The 64-bit version of Office is pre-installed on select Surface devices. Previously, the 32-bit version was pre-installed by default; however, now the 64-bit version is the new default.

4. Enable and use OneDrive for Business. With features such as Known Folder Redirection, Ransomware Protection, Files On-Demand, and Files Restore, OneDrive for Business is a very compelling cloud storage solution for your organization. Protect users’ data from damage or theft of the device.

Hardware tips

Surface Dock

1. It’s recommended not to use DisplayPort (DP) 1.2 to Multi-Stream Transport (MST) splitters or hubs (aka daisy chaining). Instead, use the dual Mini DisplayPort (mDP) ports on the Surface Dock. Use mDP-to-DP cables whenever the monitor supports native DisplayPort input.

2. Always disable video source/port autodetection. It’s better to hard code the input (e.g. DP, HDMI, DVI, etc.).

3. Update the Surface Dock before giving it to your user. Make sure to update all Surface Docks deployed with the latest firmware and drivers. The numerous connections provided by the Surface Dock are enabled by a smart chipset within the dock. This chipset is controlled by firmware. It’s critical to keep it up to date and running smoothly.

4. For help with getting your Surface Dock to work with your Surface, read the Troubleshoot Surface Dock and docking stations support article.

5. 2K and 4K external displays circumvent most DPI scaling issues. Consider displays that are field serviceable (i.e. the firmware can be updated).

To access Surface Unified Extensible Firmware Interface (UEFI):

1. Turn off the Surface device.
2. Press and hold the volume-up button and, at the same time, press and release the power button.
3. When you see the Surface boot-up logo, release the volume-up button.

Standby:

1. Do not change any of the Modern Standby settings, unless you know what you are doing.

User considerations

1. Educate users – Users should learn to take advantage of the features and form factors of their modern Surface devices so that they can be more productive than on legacy devices.

2. Tips for making users’ experience easier, while staying secure:
   a. Disable the BitLocker PIN at boot time (as Surface devices are immune to DMA attacks).
   b. Disable the Ctrl+Alt+Delete requirement to log in. With Windows Hello enabled, it enables form-factor versatility and drives multi-modal use.
   c. Disable the login banner and revise the Acceptable Use Policy, if possible. Most businesses want their users to have access outside of work hours.
   d. Don’t block Miracast.
   e. Don’t chain down a user’s Surface work device with a cable lock. This defeats the purpose of the mobility and usability of the device.
   f. Allow users to add a Microsoft account as a secondary account for syncing their personal preferences.
   g. Enable the device for both business and personal use. The idea is to get people using their devices during both personal and work time and loving it.

3. Revise your acceptable use policies and get corporate buy-in. Set it for enabling work-life balance scenarios.

4. Have users run through the Tips app. In Windows, open the Tips app and search for Surface tips. There are over 70 relevant tips for them to explore.

5. Use Pen Settings in Windows to customize your Surface Pen experience. From configuring the eraser tip to opening OneNote in a click of the pen, there are many ways to customize your Surface Pen.
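Before changing any of the settings in items 2a to 2c, it helps to see how a device is configured today. The PowerShell below is an added example, not code from the Microsoft document; it reports the BitLocker protectors on the system drive (a TpmPin protector is the boot-time PIN), the Ctrl+Alt+Delete policy and whether a logon banner is set. It assumes an elevated session on Windows 10 with the BitLocker module available.

```powershell
# Added example, not from the Microsoft document: report how this Surface device
# is configured against items 2a to 2c above (BitLocker PIN at boot,
# Ctrl+Alt+Delete at logon, logon banner) so a change can be reviewed before it
# is pushed. Assumes an elevated session on Windows 10 with the BitLocker module.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-SurfaceLogonExperience {
    $vol    = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $types  = if ($vol) { @($vol.KeyProtector.KeyProtectorType) } else { @() }
    $policy = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue

    # DisableCAD: 1 = Ctrl+Alt+Delete not required, 0 = required, absent = not configured
    $cad = if ($null -eq $policy.DisableCAD) { 'NotConfigured' }
           elseif ($policy.DisableCAD -eq 1) { 'NotRequired' }
           else { 'Required' }

    [pscustomobject]@{
        BitLockerProtection = if ($vol) { $vol.ProtectionStatus } else { 'NoBitLockerVolume' }
        # A TpmPin protector means the user types a PIN before Windows boots (item 2a)
        PreBootPin          = $types -contains 'TpmPin'
        # Keep a recovery password escrowed before removing any other protector
        RecoveryPassword    = $types -contains 'RecoveryPassword'
        CtrlAltDelete       = $cad
        # Non-empty legalnoticetext shows an interactive logon banner (item 2c)
        LogonBanner         = -not [string]::IsNullOrWhiteSpace($policy.legalnoticetext)
    }
}

Get-SurfaceLogonExperience | Format-List
```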

Resources

Education on Surface

• Subscribe to the Surface Blog
• Subscribe to the Surface Update History page for your Surface device models
• Use the Surface page in Windows IT Pro Center
• Watch the playlist videos from Microsoft Mechanics
• Download the Surface Tools for IT
• Watch the Surface sessions from Microsoft Ignite 2018

Surface tools

• How to Enable PEAP, EAP-FAST, and Cisco LEAP on Surface devices
• Surface Enterprise Management Mode via
  o Surface UEFI Configurator or
  o Surface UEFI Manager
• Surface Data Eraser
• Surface Dock Updater
• Wake on LAN for Surface devices
• Asset Tag Tool for Surface Pro 3 (and newer models)
• Surface Diagnostic Toolkit

Recommended do’s for IT

• Start planning for governance and process changes in the organization
• Windows cumulative and feature upgrades
• Driver and firmware updates
• Office updates
• Find a sponsor and cross-team on tasks that take time and approval
• Enabling Windows Analytics
• Take advantage of in-box tools (e.g. BitLocker, Defender, etc.) instead of relying on 3rd-party tools
• Acceptable use policies (for enabling work and life scenarios)

© 2019 Microsoft Canada