Enable 802.1x wired authentication
The November 14, 2017 update to Windows 10 (build 15063.726) enabled 802.1x wired authentication policy configuration on Surface Hub devices. The feature allows organizations to enforce standardized wired network authentication using the IEEE 802.1x authentication protocol. This was already available for wireless authentication using WLAN profiles via MDM or provisioning package. This topic explains how to configure a Surface Hub for use with wired authentication.
Enforcement and enablement of 802.1x wired authentication on Surface Hub can be done through MDM OMA-URI profiles or provisioning package.
The primary configuration to set is the LanProfile policy. Depending on the authentication method selected, other policies may be required, either the EapUserData policy or through MDM policies for adding user or machine certificates (such as ClientCertificateInstall for user/device certificates or RootCATrustedCertificates for device certificates).
LanProfile policy element
To configure Surface Hub to use one of the supported 802.1x authentication methods, utilize the following OMA-URI.
./Vendor/MSFT/SurfaceHub/Dot3/LanProfile
This OMA-URI node takes a text string of XML as a parameter. The XML provided as a parameter should conform to the Wired LAN Profile Schema including elements from the 802.1X schema.
In most instances, an administrator or user can export the LanProfile XML from an existing PC that is already configured on the network for 802.1X using this following NETSH command.
netsh lan export profile folder=.
Running this command gives the following output and place a file titled Ethernet.xml in the current directory.
Interface: Ethernet
Profile File Name: .\Ethernet.xml
1 profile(s) were exported successfully.
To disable 802.1x completely on the Surface Hub, a provisioning package can be used to set the SurfaceHub\Dot3\LanProfile node to the following xml:
<?xml version="1.0" encoding="UTF-8"?>
<LANProfile xmlns="https://www.microsoft.com/networking/LAN/profile/v1">
<MSM>
<security>
<OneXEnforced>false</OneXEnforced>
<OneXEnabled>false</OneXEnabled>
</security>
</MSM>
</LANProfile>
EapUserData policy element
If your selected authentication method requires a username and password as opposed to a certificate, you can use the EapUserData element to specify credentials for the device to use to authenticate to the network.
./Vendor/MSFT/SurfaceHub/Dot3/EapUserData
This OMA-URI node takes a text string of XML as a parameter. The XML provided as a parameter should conform to the PEAP MS-CHAPv2 User Properties example. In the example, you need to replace all instances of test and ias-domain with your information.
Adding certificates
If your selected authentication method is certificate-based, you need to create a provisioning package, utilize MDM, or import a certificate from settings (Settings > Update and Security > Certificates) to deploy those certificates to your Surface Hub device in the appropriate Certificate Store. When adding certificates, each PFX must contain only one certificate (a PFX can't have multiple certificates).