Considerations for Surface and Microsoft Configuration Manager

Article
06/11/2024
Applies to:

Windows 10, Windows 11

Fundamentally, management and deployment of Surface devices with Microsoft Configuration Manager follows the same principles as managing other PCs. Like any PC deployment, it includes importing drivers, preparing Windows images, setting deployment task sequences, and applying those sequences to device collections. After deployment, Surface devices behave like any other Windows client, receiving apps, settings, and policies through familiar processes.

To learn more, see Microsoft Configuration Manager documentation.

Although the deployment and management of Surface devices is fundamentally similar to other PCs, some scenarios might require extra IT tasks, as described in this article.

Proactive monitoring, security, and AI-powered insights

Configuration Manager supports enhanced security, proactive monitoring, and compliance enforcement. It enables IT administrators to take advantage of virtualization-based security (VBS) to isolate critical security operations, while TPM 2.0 plays a foundational role in enabling encryption with BitLocker, secure boot, and Windows Hello for Business. Configuration Manager ensures compliance with these security baselines by monitoring device health and policy adherence, ensuring devices are protected against unauthorized access.

Additionally, Microsoft Defender for Endpoint integrates with Configuration Manager, delivering AI-powered threat detection and response capabilities, helping organizations detect anomalies and protect against sophisticated threats.

Windows 11 24H2 Update integration

Ensure compatibility by using Configuration Manager for Windows 11 24H2 deployments on Surface devices. Ensure product activation is aligned when deploying or reimaging these devices using OEM Activation 3.0 (OA 3.0) tools or Microsoft’s KMS infrastructure.

Key resources: Check the Windows Setup Edition Configuration and Product ID Files for licensing requirements. When installing or reimaging with Windows Enterprise editions, use the proper task sequences to avoid conflicts between the embedded firmware key and the new OS.

Surface Ethernet adapters and Configuration Manager deployment

When deploying Surface devices using Ethernet adapters, Configuration Manager identifies devices by MAC address. However, shared Ethernet adapters can cause deployment issues by recognizing multiple devices as a single device. To avoid this, configure Configuration Manager to use alternative identifiers, such as the System UUID.

Best practice: Exclude Surface Ethernet adapters from MAC-based identification to prevent deployment conflicts.
Driver availability: Drivers for older Windows versions are available in the Microsoft Update Catalog. For newer versions, the drivers are included by default in Windows and require no extra configuration.

Use prestaged media with Surface clients

If using prestaged media for Surface deployments, take extra steps to accommodate UEFI environments requiring multiple partitions. To learn more, see Create prestaged media.

Licensing conflicts with OEM Activation 3.0

Surface devices ship with an embedded Windows license key via OEM Activation 3.0. Be aware of potential conflicts when deploying Windows editions that differ from the preinstalled OS.

Example: If a device ships with Windows 11 Home and you want to install Windows 11 Pro, use an Ei.cfg or Pid.txt file to bypass the embedded license key.
Enterprise deployment: For organizations using Windows Enterprise editions, the embedded key is bypassed by default, and KMS or Active Directory-based activation completes the process.

Apply an asset tag during deployment

Use the Surface Asset Tag Tool to apply asset tags directly from UEFI. This allows identification even if the OS fails, streamlining asset management for IT admins. To learn more, see Introduction to asset intelligence in Configuration Manager.

Configure push-button reset

By default, push-button reset restores Surface devices to a clean state, discarding apps and settings. For professional environments, configure push-button reset to restore devices with preinstalled configurations using Deploy push-button reset features.

Additional resources

Documentation

Manage Surface driver updates in Configuration Manager - Surface

Learn how to manage and deploy Surface driver and firmware updates using Configuration Manager, including setup, synchronization, and troubleshooting tips.
Manage & deploy Surface driver & firmware updates - Surface

Learn how to manage and deploy Surface driver and firmware updates, with links to downloadable .msi packages and guidance for enterprise environments.
Managing Surface driver updates - Configuration Manager

Configuration Manager synchronizes Surface driver updates for deployment to Surface devices.
How to enable the Surface Laptop keyboard during MDT deployment - Surface

Learn how to enable the Surface Laptop keyboard during MDT deployment by importing necessary drivers into the Windows PE environment.
Deploy, manage, and service Arm processor-based Surface devices - Surface

Learn how to deploy, manage, and service Arm-based Surface devices, including Surface Pro 11th Edition and Surface Laptop 7th Edition.
Prepare Surface deployment with Microsoft Deployment Toolkit - Surface

Learn how to deploy Windows 10 on Surface devices using the Microsoft Deployment Toolkit. Follow the recommended steps for a successful deployment.

Training

Module

MD-102 3-Deploy using Endpoint Configuration Manager - Training

This module explains the common day to day tasks that Administrators would use Configuration Manager to perform.

Certification

Microsoft 365 Certified: Endpoint Administrator Associate - Certifications

Plan and execute an endpoint deployment strategy, using essential elements of modern management, co-management approaches, and Microsoft Intune integration.

Share via