Manage USB ports on Surface devices

With USB port functionality enabled by default on Surface devices, many devices with Surface UEFI allow admins to turn off connectivity to USB ports. For example, you may wish to prevent users from copying data from USB thumb drives or external hard disks.

Prerequisites

Before you begin the process outlined in this article, familiarize yourself with the following technologies and tools:

Get started

The process consists of the following parts:

  1. Enrollment: Enroll Surface devices and docks into SEMM using the Surface UEFI Configurator, as outlined in Secure Surface Dock ports with SEMM. Supported docks include Surface Dock 2 and Surface Thunderbolt 4 Dock. Key to this workflow is the ability to turn off USB-C data, Ethernet data, and USB-C audio whenever devices are disconnected from an authorized Surface Dock located, for example, in a workplace environment handling highly sensitive information.

  2. Client configuration: Install UEFI Manager, available from the Surface IT Toolkit Library, on all Surface devices targeted for management.

  3. PowerShell scripts: Go to the Surface IT Toolkit to download and modify the PowerShell scripts as appropriate for your environment. Use Microsoft Configuration Manager to deploy the scripts (as applications) to target devices, following the instructions in Use Microsoft Configuration Manager to manage devices with SEMM.

Refer to the embedded comments for usage guidance. See Appendix: SEMM PowerShell Scripts tech reference for definitions and prerequisites.

Manage USB-A ports

For USB-A ports supporting USB-2 and USB-3, you can turn off the USB data protocol from the USB controller to prevent all functionality.

Granular USB-C Disablement

Managing USB-C ports with their support for DisplayPort and USB Power Delivery provides more options beyond turning off all functionality. For example, you can prevent data connectivity to stop users from copying data from USB storage but retain the ability to extend displays and charge the device via a USB-C dock.

Beginning with Surface Pro 8, Surface Laptop Studio, and Surface Go 3, granular USB-C management options are available via the SEMM PowerShell scripts.

  1. Go to Surface Tools for IT and download SEMM_PowerShell.zip.

  2. If you don't already have your own certificates, you can obtain certificates via the appropriate sample script, as documented in the Appendix on this page.

Caution

Keep certificates in a safe location and ensure they're properly backed up. Without them it's impossible to reset Surface UEFI, change managed Surface UEFI settings, or remove SEMM from an enrolled Surface device.

Dynamic USB-C Disablement

Dynamic USB-C Disablement enables customers operating in highly secure environments to prevent unauthorized data transfer via USB, thereby offering organizations more control. When paired with the Surface Thunderbolt 4 Dock, IT admins can lock down USB-C ports whenever eligible Surface devices are undocked or connected to an unauthorized dock.

Tip

This feature is available on Surface Pro 10, Surface Laptop 6, and Surface Laptop Studio 2.

In this scenario, when users are connected to an authorized dock in the office, the USB-C ports will have full functionality over their devices. However, when they go off-site, they can still connect to a dock to use accessories or a monitor but can't use the USB ports to transfer data.

Dynamic USB-C Disablement provides IT admins with greater flexibility to manage devices with a new "Mode 3" in addition to existing operational modes:

  • Mode 0 (Default Mode): The default mode when SEMM isn't configured.

  • Mode 1 (Data Disabled): USB-C and Ethernet data are disabled. Audio via USB-C is also disabled. Display out and Power functionality is enabled.

  • Mode 2 (Fully Disabled): USB-C and Ethernet data are disabled. Audio via USB-C is also disabled. Display out and Power functionality is disabled.

  • Mode 3 (USB Port Authenticated) also known as Dynamic USB-C Disablement. USB-C data, Ethernet data, USB-C audio, display out and power functions only when the device is connected to an authorized Surface Thunderbolt 4 Dock. If connected to an unauthorized dock, only display out and Power functions will work.

Manage USB-C ports with Surface IT Toolkit

You can now manage USB-C ports across all modes via either of the following methods:

  • The new UEFI Configurator included in the Surface IT Toolkit provides UI-support to configure ports without use of PowerShell scripts.
  • PowerShell scripts, as described in this article.

Target behaviors

Host USB Port State Enabled Data Disabled Hardware Disabled Port Authenticated (Unauthorized or no dock) Port Authenticated (Authorized Dock)
USB 2.0, 3.x, 4.x Enabled Disabled Disabled Disabled Enabled
Thunderbolt 3 or 4 Enabled Disabled Disabled Disabled Enabled
Audio Accessories Enabled Disabled Disabled Disabled Enabled
Network Enabled Disabled Disabled Disabled Enabled
USB Type C Power Enabled Enabled Disabled Enabled Enabled
PD Power >0W Enabled Enabled Disabled Enabled Enabled
DisplayPort Alt Mode Enabled Enabled Disabled Enabled Enabled

Provisioning Surface docks

  1. Use the appropriate provisioning script, as documented in the Appendix on this page.

    • ConfigureSEMM - Dock2.ps1
    • ConfigureSEMM - Thunderbolt(TM)4Dock-Provisioning
  2. Open ConfigureSEMM.ps1 and modify as appropriate. For example, to disable USB-C ports, enable the following setting: UsbPortHwDisabled. See the following table for all available options.

Table 1. USB port management options for Surface devices

Device USB-A options
(if present on device)
USB-C options
(if present on device)
Settings SEMM IDs
Surface Laptop
Surface Laptop 2
Surface Pro
Surface Pro 4
Surface Pro 6
Surface Studio
Surface Studio 2
Enable or disable data N/A: No USB-C port on device USBPortEnabled (default)

USBPortHWDisabled
370-379
Surface Laptop SE
Surface Pro 7
Surface Pro 7+
Surface Go
Surface Go 2
Surface Laptop Go
Surface Laptop Go 2
Surface Laptop Go 3
Surface Laptop 3 (Intel only)
Surface Laptop 4 (Intel only)
Surface Laptop 5 (Intel only)
Surface Studio 2+
Enable or disable data Enabled data, display out, and power delivery

Disabled data, display out, and power delivery
USBPortEnabled (default)

USBPortHWDisabled
370-379
Surface Pro 8
Surface Pro 9
Surface Pro (11th Edition)
Surface Laptop (7th Edition)
Surface Laptop Studio
Surface Laptop Studio 2
Surface Go 3
Surface Go 4
Enable or disable data Enabled data, display-out, and power delivery

Disabled data but enabled display-out and power delivery

Disabled data, display-out, and power delivery
USBPortEnabled (default)
USBPortDataDisabled
USBPortHwDisabled
380-389
Surface Laptop Studio 2
Surface Pro 10
Surface Pro 10 with 5G
Surface Laptop 6
Enable or disable data Enabled data, display-out, and power delivery

Disabled data but enabled display-out and power delivery

Disabled data, display-out, and power delivery

Data dynamically enabled or disabled
USBPortEnabled (default)
USBPortDataDisabled
USBPortHwDisabled
USBPortAuthenticated
380-389
Surface Book 2 and later Base USB ports are always enabled Base USB ports are always enabled n/a
Surface Book with Performance Base
Surface Book
Base USB ports are always enabled N/A: No USB-C port on device n/a

Department vs. organizational provisioning

Dynamic USB-C Disablement allows for a many-to-many relationship between the host and dock. This lets customers have hosts and docks configured to work with all hosts/docks or make it department-specific to help with asset management.

Table 2. Example relationships: Host device with Surface Thunderbolt 4 Dock

Host Device (Surface Laptop Studio 2) Unprovisioned Dock Global Dock Department-X Dock Department-Y Dock
Not Provisioned - Host USB-C: Enabled
- Dock USB: Enabled
- Host USB-C: Enabled
- Dock USB: Limited, based on Unauthenticated dock policy
- Host USB-C: Enabled
- Dock USB: Limited, based on Unauthenticated dock policy
- Host USB-C: Enabled
- Dock USB: Limited, based on Unauthenticated dock policy
Global - Host USB-C: Data disabled
- Dock USB: Data disabled
- Host USB-C: Enabled
- Dock USB: Authenticated policy
- Host USB-C: Enabled
- Dock USB: Authenticated policy
- Host USB-C: Enabled
- Dock: Authenticated policy
Department-X - Host USB-C: Data disabled
- Dock USB: Data disabled
- Host USB-C: Enabled
- Dock USB: Authenticated policy
- Host USB-C: Enabled
- Dock USB: Authenticated policy
- Host USB-C: Data disabled
- Dock USB: Data disabled & limited, based on Unauthenticated dock policy
Department-Y - Host USB-C: Data disabled
- Dock USB: Data disabled
- Host USB-C: Enabled
- Dock USB: Authenticated policy
- Host USB-C: Data disabled
- Dock USB: Data disabled & limited, based on Unauthenticated dock policy
- Host USB-C: Enabled
- Dock: Authenticated policy
Host Device
(Surface Laptop Studio 2)
Unprovisioned Dock Global Dock Department-X Dock Department-Y Dock
Not Provisioned - Host USB-C: Enabled
- Dock USB: Enabled
- Host USB-C: Enabled
- Dock USB: Limited, based on Unauthenticated dock policy
- Host USB-C: Enabled
- Dock USB: Limited, based on Unauthenticated dock policy
- Host USB-C: Enabled
- Dock USB: Limited, based on Unauthenticated dock policy
Global - Host USB-C: Data disabled
- Dock USB: Data disabled
- Host USB-C: Enabled
- Dock USB: Authenticated policy
- Host USB-C: Enabled
- Dock USB: Authenticated policy
- Host USB-C: Enabled
- Dock: Authenticated policy
Department-X - Host USB-C: Data disabled
- Dock USB: Data disabled
- Host USB-C: Enabled
- Dock USB: Authenticated policy
- Host USB-C: Enabled
- Dock USB: Authenticated policy
- Host USB-C: Data disabled
- Dock USB: Data disabled & limited, based on Unauthenticated dock policy
Department-Y - Host USB-C: Data disabled
- Dock USB: Data disabled
- Host USB-C: Enabled
- Dock USB: Authenticated policy
- Host USB-C: Data disabled
- Dock USB: Data disabled & limited, based on Unauthenticated dock policy
- Host USB-C: Enabled
- Dock: Authenticated policy

Appendix: SEMM PowerShell Scripts tech reference

Script Purpose Prerequisites
ApplyProvisioningPackage.ps1 - Demonstrates how to apply the owner and permission packages. - Run with administrator privileges

- Surface Device has installed the SurfaceUEFI_Manager_(version).msi

- Package was generated via CreateSettingsPackage.ps1 or similar
ApplySettingsPackage.ps1 - Demonstrates how to apply the settings package. - Run with administrator privileges

- Surface Device has installed the SurfaceUEFI_Manager_(version).msi

- Package was generated via CreateSettingsPackage.ps1 or similar
ConfigureSEMM - Dock2.ps1 - Creates a Surface Dock Provisioning Package

- Applies the created provisioning package
- SurfaceUEFI_Manager_(version).msi has been installed

- Dock Certification Authority (DockCA) - a p7b cert, used to control ownership of a Surface Dock 2

- Dock Provisioning Certificate (ProvCert) - a pfx cert, used to sign the Dock Configuration Package with EKU 1.3.6.1.4.1.311.76.9.21.3

- This certificate and its full trust chain MUST be installed on the Surface Computer during Provisioning Package Creation to -CertStoreLocation Cert:\LocalMachine\Root

- Dock Host Authorization Certificate (HostCert) - a pfx cert, used to authorize a Surface Computer to use the authorized user dock security policies

- This certificate and its full trust chain MUST be installed on the Surface Computer during Dock Provisioning (and only this certificate) to -CertStoreLocation Cert:\LocalMachine\Root

- This certificate MUST NOT be installed on the Surface Computer during Provisioning Package Creation

- Surface Dock 2

-WMI Instance Provider for Surface Dock. To learn more, see Manage Surface Docks with WMI
ConfigureSEMM - Thunderbolt(TM)4Dock-Host-SAM.ps1 - Creates and applies a SEMM/DFCI package that sets the USB-C port and contains the Certificate Authority hashes

- Creates and applies a SAM Certificate Authority CFU payload
- SurfaceUEFI_Manager_(version).msi has been installed

- Dock Certification Authority (DockCA) - a p7b cert, used to control ownership of a Surface Thunderbolt 4 Dock

- One of the following Surface Computers (other models not yet supported): Surface Laptop Studio 2
ConfigureSEMM - Thunderbolt(TM)4Dock-Host.ps1 - Creates and applies a CFU package for SAM - SurfaceUEFI_Manager_(version).msi has been installed

- A list of certificate authority files (.p7b). SAM can support up to 10 different CAs

- One of the following Surface Computers (other models not yet supported): Surface Laptop Studio 2
ConfigureSEMM - Thunderbolt(TM)4Dock-Policy.ps1 - Creates a Surface Thunderbolt 4 Dock policy package

- Applies the created policy package
- SurfaceUEFI_Manager_(version).msi has been installed

- Dock Provisioning Certificate (ProvCert) - a pfx cert, used to sign the Dock Configuration Package with EKU 1.3.6.1.4.1.311.76.9.21.3

- This certificate and its full trust chain MUST be installed on the Surface Computer during Provisioning Package Creation to -CertStoreLocation Cert:\LocalMachine\Root

- Dock Host Authorization Certificate (HostCert) - a pfx cert, used to authorize a Surface Computer to use the authorized user dock security policies

- This certificate and its full trust chain MUST be installed on the Surface Computer during Dock Provisioning (and only this certificate) to -CertStoreLocation Cert:\LocalMachine\Root

- This certificate MUST NOT be installed on the Surface Computer during Provisioning Package Creation

- Dock Authentication Certificate (DockAuthCert)

- Surface Thunderbolt 4 Dock
ConfigureSEMM - Thunderbolt(TM)4Dock-Provisioning.ps1 - Creates a Surface Thunderbolt 4 Dock provisioning package

- Applies the created provisioning package
- SurfaceUEFI_Manager_(version).msi has been installed

- Dock Certification Authority file (DepartmentCA and/or OrganizationCA) - a p7b cert, used to control ownership of a Surface Thunderbolt 4 Dock

- Dock Provisioning Certificate (ProvCert) - a pfx cert, used to sign the Dock Configuration Package with EKU 1.3.6.1.4.1.311.76.9.21.3

- This certificate and its full trust chain MUST be installed on the Surface Computer during Provisioning Package Creation to -CertStoreLocation Cert:\LocalMachine\Root

- Dock Host Authorization Certificate (HostCert) - a pfx cert, used to authorize a Surface Computer to use the authorized user dock security policies

- This certificate and its full trust chain MUST be installed on the Surface Computer during Dock Provisioning (and only this certificate) to -CertStoreLocation Cert:\LocalMachine\Root

- This certificate MUST NOT be installed on the Surface Computer during Provisioning Package Creation

- Dock Authentication Certificate (DockAuthCert)

- Surface Thunderbolt 4 Dock
ConfigureSEMM - Thunderbolt(TM)4Dock-USBC.ps1 - Creates and applies a USB-C Mode 3 SEMM/DFCI package - SurfaceUEFI_Manager_(version).msi has been installed

- Ownership Certificate signing key has been generated and is accessible

- One of the following Surface Computers (other models not yet supported): Surface Laptop Studio 2
ConfigureSEMM.ps1 - Creates the signer provisioning (also known as "owner") package and a universal reset package

- Creates a permission package

- Applies the created owner and permission packages
- SurfaceUEFI_Manager_(version).msi has been installed

- Ownership Certificate signing key has been generated and is accessible

- Surface device with compatible SEMM-enabled UEFI
CreateOwnerPackage.ps1 - Creates the signer provisioning (also known as "owner") package and a universal reset package.

- Can run on an IT Administrator workstation (doesn't need to be a Surface device)
- IT admin workstation has installed the SurfaceUEFI_Manager_(version).msi

- Ownership Certificate signing key has been generated and is accessible
CreateOwnerUpgradePackage.ps1 - Creates the signer upgrade provisioning (also known as "owner") package and a universal reset package. - IT admin workstation has installed the SurfaceUEFI_Manager_(version).msi

- A new ownership certificate signing key has been generated and is accessible

- An existing ownership certificate signing key has been generated and is accessible
CreatePermissionPackages.ps1 - Demonstrates how to create a permission package. - IT admin workstation has installed the SurfaceUEFI_Manager_(version).msi

- Ownership Certificate signing key has been generated and is accessible
CreateSettingsPackage.ps1 - Demonstrates how to create a settings package. - IT admin workstation has installed the SurfaceUEFI_Manager_(version).msi

- Ownership Certificate signing key has been generated and is accessible
CreateSurfaceDock2Certificates.ps1 - Creates a set of certificates suitable for configuring a Surface Dock 2

- They may be used in conjunction with the configure and reset scripts, or configurator
- N/A
CreateSurfaceThunderbolt(TM)4DockCertificates.ps1 - Creates a set of certificates suitable for configuring a Surface Thunderbolt 4 Dock

- They may be used in conjunction with the configure and reset scripts, or configurator
- N/A
CreateTestCertificates.ps1 - Demonstrates how to create the digital certificates used in the system.

- Note: The certificates created here will work for testing purposes but are simplistic and not recommended for actual deployment.

- We strongly recommend that you learn more about PKI Best Practices by reading topics on PKI such as the following: Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure
- N/A
CurrentSettings.ps1 - Display the current SEMM settings on the device at boot. - Run with administrator privileges

- Surface Device has installed the SurfaceUEFI_Manager_(version).msi
ResetSEMM - Dock2.ps1 - Creates a Surface Dock Reset Package

- Applies the created reset package
- SurfaceUEFI_Manager_(version).msi has been installed

- Dock Certification Authority (DockCA) - the p7b certificate file, used to control ownership of a Surface Dock 2

- Dock Provisioning Certificate (ProvCert) - a pfx certificate file, used to sign the Dock Configuration Package with EKU 1.3.6.1.4.1.311.76.9.21.3

- This certificate and its full trust chain MUST be installed on the Surface Computer during Provisioning Package Creation to -CertStoreLocation Cert:\LocalMachine\Root

- Dock Host Authorization Certificate (HostCert) - a pfx certificate file, used to authorize a Surface Computer to use the authorized user dock security policies

- This certificate and its full trust chain MUST be installed on the Surface Computer during Dock Provisioning (and only this certificate) to -CertStoreLocation Cert:\LocalMachine\Root

- This certificate MUST NOT be installed on the Surface Computer during Provisioning Package Creation

- Surface Dock 2

- WMI Instance Provider for Surface Dock 2. To learn more, see Manage Surface Docks with WMI.
ResetSEMM - Thunderbolt(TM)4Dock.ps1 - Creates a Surface Thunderbolt 4 Dock Reset Package

- Applies the created reset package
- SurfaceUEFI_Manager_(version).msi has been installed

- Dock Provisioning Certificate (ProvCert) - a pfx certificate file, used to sign the Dock Configuration Package with EKU 1.3.6.1.4.1.311.76.9.21.3

- This certificate and its full trust chain MUST be installed on the Surface Computer during Provisioning Package Creation to -CertStoreLocation Cert:\LocalMachine\Root

- Dock Host Authorization Certificate (HostCert) - a pfx certificate file, used to authorize a Surface Computer to use the authorized user dock security policies

- This certificate and its full trust chain MUST be installed on the Surface Computer during Dock Provisioning (and only this certificate) to -CertStoreLocation Cert:\LocalMachine\Root

- This certificate MUST NOT be installed on the Surface Computer during Provisioning Package Creation

- Surface Thunderbolt 4 Dock
ResetSemm.ps1 - Creates and applies a SEMM reset package for a specific device. - Administrative privileges on the device.

- Surface Device has installed the SurfaceUEFI_Manager_(version).msi

- Certificate has been generated and is accessible (and password is 1234)

- This Surface device was formerly enrolled with the same certificate
ShowSettingsOptions.ps1 - Prints the UEFI settings that can be applied to Surface devices. - IT admin workstation has installed the SurfaceUEFI_Manager_(version).msi
VerifyDockSettings.ps1 - To capture and display the current configuration of the connected Surface Dock - Surface Dock 2 or Surface Thunderbolt 4 Dock

VerifySettings.ps1 - Demonstrates how to see the current settings and state of recent updates. - Run with administrator privileges

- Surface Device has installed the SurfaceUEFI_Manager_(version).msi

- Packages were applied and the session ID files saved.

Learn more