Setup worksheet (Surface Hub)

When you've finished pre-setup and are ready to start first-time setup for your Microsoft Surface Hub, make sure you have all the information listed in this section.

You should fill out one list for each Surface Hub you need to configure, although some information can be used on all Surface Hubs, like the proxy information or domain credentials. Some of this information may not be needed, depending on how you've decided to configure your device, or depending on how the environment is configured for your organization's infrastructure.

When finished, review Post deployment checklist below.

Property What this property is used for Example Learn more
Proxy information If you use a proxy for network or Internet access, you must provide a script or server/port information. Proxy script: http://contoso/proxy.pac

Or:

Server and port info: 10.10.10.100, port 80
Configure proxy using provisioning package.
Wireless network credentials (username and password) If connecting your device to Wi-Fi, and your wireless network requires user credentials. admin1@contoso.com, #MyPassw0rd Wireless network management
Device account UPN or Domain\username and device account password This is the User Principal Name (UPN) or the domain\username, and the password of the device account. Mail, calendar, Microsoft Teams, and Skype for Business depend on a compatible device account. UPN: ConfRoom15@contoso.com, #Passw0rd1

Or:

Domain and username: CONTOSO\ConfRoom15, #Passw0rd1
Create and test a device account
Mailbox properties The mailbox must be configured with the correct properties to enable the best meeting experience on Surface Hub. See Microsoft Exchange properties
EWS URL for device account's mailbox This is the device account's Exchange server. Mail, calendar, Microsoft Teams, and Skype for Business depend on a compatible device account. For mail and calendaring to work, the device account must have a valid Exchange server. The device tries to find this automatically. https://outlook.office365.com/EWS/exchange.asmx Create and test a device account

Microsoft Exchange properties
Device account Session Initiation Protocol (SIP) address This is the device account's SIP address. Mail, calendar, Microsoft Teams, and Skype for Business depend on a compatible device account. For Teams or Skype for Business to work, the device account must have a valid SIP address. The device tries to find this automatically. sip: ConfRoom15@contoso.com
Device account password To simplify management, you can either disable password expiration for the device account or allow Surface Hub to automatically rotate the device account password.

Note: If adding the account in domain\username format, affiliate the Hub with on-premises Active Directory during initial setup. If adding the account in username@domain.com format, affiliate the Hub with Microsoft Entra ID during initial setup. Otherwise, password rotation won't work.
Password management
Exchange Web Services (EWS) Enable EWS. Surface Hub uses EWS to sync its calendar. Modern authentication on Surface Hub
Multifactor authentication Disable multifactor authentication on the device account. As the Surface Hub logs into Exchange in the background without user interaction, it can't respond to any interactive prompts, such as multifactor authentication.
MDM enrollment details If you would like to manually enroll the device to MDM, you'll need to have user credentials that are valid for the MDM provider and the enrollment URL. The device tries to find the enrollment URL automatically. manage.microsoft.com Manage Surface Hub with an MDM provider
Friendly name The friendly name of the device is the broadcast name that people will see when they try to wirelessly connect to the Surface Hub. This name is displayed prominently on the Surface Hub's screen. We suggest that the friendly name you choose is recognizable and unique so that people can distinguish one Surface Hub from another when trying to connect. Conference Room 15 First time Setup for Surface Hub
Device name The device name is the name that will be used for domain join, and is the identity you'll see in your MDM provider if the device is enrolled into MDM. The device name you choose must not be the same name as any other device in your Active Directory domain (if you decide to domain join the device). The device can't join the domain without a unique name. confroom15 First time Setup for Surface Hub
Teams App Mode - Mode 0 — Skype for Business with Microsoft Teams functionality for scheduled meetings.
- Mode 1 — Microsoft Teams only
Changing default app for meetings & calls

Device affiliation

Use Device affiliation to manage user access to the Settings app on Surface Hub. With the Windows 10 Team operating system (that runs on Surface Hub), only authorized users can adjust settings using the Settings app. Since choosing the affiliation can impact feature availability, plan appropriately to ensure that users can access features as intended.

Note

You can only set Device affiliation during the initial out-of-box experience (OOBE) setup. If you need to reset Device affiliation, you’ll have to repeat OOBE setup.

If you’re joining Microsoft Entra ID

Property What this property is used for Example Learn more
Microsoft Entra tenant user credentials (username and password) If you decide to have people in your Microsoft Entra organization become admins on the device, then you'll need to join the Surface Hub to Microsoft Entra ID. To join it to Microsoft Entra ID, you'll need valid credentials for an account in the tenant. admin1@contoso.com, #MyPassw0rd Admin group management
Non Global Admin accounts For Surface Hub devices joined to Microsoft Entra ID, you can limit admin permissions to management of the Settings app on Surface Hub. This permission confinement enables you to scope admin permissions for Surface Hub only and prevent potentially unwanted admin access an entire Microsoft Entra domain. Configure non-Global Admin accounts on Surface Hub

Important

Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role. To learn more, see the recommended guidance in Configure non-Global Admin accounts on Surface Hub.

If you’re joining a domain

Property What this property is used for Example
Domain to join This is the domain you'll need to join so that a security group of your choice can be admins for the device. You may need the fully qualified domain name (FQDN). contoso (short name) OR contoso.corp.com (FQDN)
Domain account credentials (username and password) A domain can't be joined unless you provide sufficient account credentials to join the domain. Once you provide a domain to join and credentials to join the domain, then a security group of your choice can change settings on the device. admin1, #MyPassword
Admin security group alias This is a security group in your Active Directory (AD); any members of this security group can change settings on the device. SurfaceHubAdmins

If you're using a local admin

Property What this is used for Example
Local admin account credentials (username and password) If you decide not to join an AD domain or Microsoft Entra ID, you can create a local admin account on the device. admin1, #MyPassword

If you need to install certificates or apps

Property What this is used for
USB drive If you know before first run that you want to install certificates or universal apps, follow the steps in Create provisioning packages for Surface Hub. Your provisioning packages are created on a USB drive.

Post deployment checklist

Check Response
Device account syncing ☐ Yes

☐ No
Bitlocker key ☐ Saved to file (no affiliation)

☐ Saved in Active Directory (AD affiliation)

☐ Saved in Microsoft Entra ID (Microsoft Entra affiliation)
Device OS updates ☐ Completed
Windows Store updates ☐ Automatic

☐ Manual
Microsoft Teams scheduled meeting ☐ Confirmation email received

☐ Meeting appears on start screen

☐ One-touch join functions

☐ Able to join audio

☐ Able to join video

☐ Able to share screen
Skype for Business scheduled meeting ☐ Confirmation email received
☐ Meeting appears on start screen
☐ One-touch join functions correctly
☐ Able to join audio
☐ Able to join video
☐ Able to share screen
☐ Able to send/receive IM
Scheduled meeting when already invited ☐ Meeting declined
Microsoft Teams ad-hoc meeting ☐ Invite other users work

☐ Able to join audio

☐ Able to join video

☐ Able to share screen
Microsoft Whiteboard ☐ Launch from Welcome / Start screen

☐ Launch from Microsoft Teams
Incoming Teams/Skype call ☐ Able to join audio
☐ Able to join video
☐ Able to share screen
☐ Able to send/receive IM (Skype for Business only)
Incoming live video streams ☐ Maximum 2 (Skype for Business)
☐ Maximum 4 (Microsoft Teams)
Microsoft Teams Mode 0 behavior ☐ Skype for Business tile on Welcome/Start screen
☐ Can join scheduled Skype for Business meetings (Skype UI)
☐ Can join scheduled Teams meetings from Welcome screen calendar
Microsoft Teams Mode 1 behavior ☐ Teams tile on Welcome / Start screen
☐ Can join scheduled Teams meetings
☐ Cannot join Skype for Business meetings