Manage USB ports on Surface devices
USB ports are enabled by default on Surface devices, but on many devices Surface UEFI lets admins turn off USB port connectivity. For example, you may wish to prevent users from copying data to USB thumb drives or external hard disks.
Prerequisites
Before you begin the process outlined in this article, familiarize yourself with the following technologies and tools:
- Surface IT Toolkit is available to download from Surface Tools for IT.
- Surface UEFI
- Surface Enterprise Management Mode (SEMM)
- PowerShell scripting
- Deploy applications with Configuration Manager
Get started
The process consists of the following parts:
- Enrollment: Enroll Surface devices and docks into SEMM using the Surface UEFI Configurator, as outlined in Secure Surface Dock ports with SEMM. Supported docks include Surface Dock 2 and Surface Thunderbolt 4 Dock. Key to this workflow is the ability to turn off USB-C data, Ethernet data, and USB-C audio whenever a device is disconnected from an authorized Surface Dock (one located, for example, in a workplace environment that handles highly sensitive information).
- Client configuration: Install UEFI Manager, available from the Surface IT Toolkit Library, on all Surface devices targeted for management.
- PowerShell scripts: Go to the Surface IT Toolkit to download the PowerShell scripts and modify them as appropriate for your environment. Use Microsoft Configuration Manager to deploy the scripts (as applications) to target devices, following the instructions in Use Microsoft Configuration Manager to manage devices with SEMM.
Refer to the embedded comments for usage guidance. See Appendix: SEMM PowerShell Scripts tech reference for definitions and prerequisites.
Manage USB-A ports
For USB-A ports supporting USB 2 and USB 3, you can turn off the USB data protocol at the USB controller, which disables all functionality on the port.
Granular USB-C Disablement
Managing USB-C ports with their support for DisplayPort and USB Power Delivery provides more options beyond turning off all functionality. For example, you can prevent data connectivity to stop users from copying data from USB storage but retain the ability to extend displays and charge the device via a USB-C dock.
Beginning with Surface Pro 8, Surface Laptop Studio, and Surface Go 3, granular USB-C management options are available via the SEMM PowerShell scripts.
Go to Surface Tools for IT and download SEMM_PowerShell.zip.
If you don't already have your own certificates, you can obtain certificates via the appropriate sample script, as documented in the Appendix on this page.
Caution
Keep certificates in a safe location and ensure they're properly backed up. Without them it's impossible to reset Surface UEFI, change managed Surface UEFI settings, or remove SEMM from an enrolled Surface device.
Dynamic USB-C Disablement
Dynamic USB-C Disablement enables customers operating in highly secure environments to prevent unauthorized data transfer via USB, thereby offering organizations more control. When paired with the Surface Thunderbolt 4 Dock, IT admins can lock down USB-C ports whenever eligible Surface devices are undocked or connected to an unauthorized dock.
Tip
This feature is available on Surface Pro 10, Surface Laptop 6, and Surface Laptop Studio 2.
In this scenario, when users connect to an authorized dock in the office, the USB-C ports on their devices have full functionality. When they go off-site, they can still connect to a dock to use accessories or a monitor, but they can't use the USB ports to transfer data.
Dynamic USB-C Disablement provides IT admins with greater flexibility to manage devices through a new "Mode 3" in addition to the existing operational modes:
- Mode 0 (Default Mode): The default mode when SEMM isn't configured.
- Mode 1 (Data Disabled): USB-C and Ethernet data are disabled. Audio via USB-C is also disabled. Display out and power functionality is enabled.
- Mode 2 (Fully Disabled): USB-C and Ethernet data are disabled. Audio via USB-C is also disabled. Display out and power functionality is disabled.
- Mode 3 (USB Port Authenticated), also known as Dynamic USB-C Disablement: USB-C data, Ethernet data, USB-C audio, display out and power work only when the device is connected to an authorized Surface Thunderbolt 4 Dock. If the device is connected to an unauthorized dock, only display out and power will work.
Manage USB-C ports with Surface IT Toolkit
You can now manage USB-C ports across all modes via either of the following methods:
- The new UEFI Configurator included in the Surface IT Toolkit provides a UI to configure ports without using PowerShell scripts.
- PowerShell scripts, as described in this article.
Target behaviors
Host USB Port State | Enabled | Data Disabled | Hardware Disabled | Port Authenticated (Unauthorized or no dock) | Port Authenticated (Authorized Dock) |
---|---|---|---|---|---|
USB 2.0, 3.x, 4.x | Enabled | Disabled | Disabled | Disabled | Enabled |
Thunderbolt 3 or 4 | Enabled | Disabled | Disabled | Disabled | Enabled |
Audio Accessories | Enabled | Disabled | Disabled | Disabled | Enabled |
Network | Enabled | Disabled | Disabled | Disabled | Enabled |
USB Type C Power | Enabled | Enabled | Disabled | Enabled | Enabled |
PD Power >0W | Enabled | Enabled | Disabled | Enabled | Enabled |
DisplayPort Alt Mode | Enabled | Enabled | Disabled | Enabled | Enabled |
Provisioning Surface docks
Use the appropriate provisioning script, as documented in the Appendix on this page:
- ConfigureSEMM - Dock2.ps1
- ConfigureSEMM - Thunderbolt(TM)4Dock-Provisioning.ps1
Open ConfigureSEMM.ps1 and modify it as appropriate. For example, to disable USB-C ports, enable the USBPortHwDisabled setting. See the following table for all available options.
Table 1. USB port management options for Surface devices
Device | USB-A options (if present on device) | USB-C options (if present on device) | Settings | SEMM IDs |
---|---|---|---|---|
Surface Laptop, Surface Laptop 2, Surface Pro, Surface Pro 4, Surface Pro 6, Surface Studio, Surface Studio 2 | Enable or disable data | N/A: No USB-C port on device | USBPortEnabled (default); USBPortHWDisabled | 370-379 |
Surface Laptop SE, Surface Pro 7, Surface Pro 7+, Surface Go, Surface Go 2, Surface Laptop Go, Surface Laptop Go 2, Surface Laptop Go 3, Surface Laptop 3 (Intel only), Surface Laptop 4 (Intel only), Surface Laptop 5 (Intel only), Surface Studio 2+ | Enable or disable data | Enabled data, display out, and power delivery; Disabled data, display out, and power delivery | USBPortEnabled (default); USBPortHWDisabled | 370-379 |
Surface Pro 8, Surface Pro 9, Surface Pro (11th Edition), Surface Laptop (7th Edition), Surface Laptop Studio, Surface Laptop Studio 2, Surface Go 3, Surface Go 4 | Enable or disable data | Enabled data, display out, and power delivery; Disabled data but enabled display out and power delivery; Disabled data, display out, and power delivery | USBPortEnabled (default); USBPortDataDisabled; USBPortHwDisabled | 380-389 |
Surface Laptop Studio 2, Surface Pro 10, Surface Pro 10 with 5G, Surface Laptop 6 | Enable or disable data | Enabled data, display out, and power delivery; Disabled data but enabled display out and power delivery; Disabled data, display out, and power delivery; Data dynamically enabled or disabled | USBPortEnabled (default); USBPortDataDisabled; USBPortHwDisabled; USBPortAuthenticated | 380-389 |
Surface Book 2 and later | Base USB ports are always enabled | Base USB ports are always enabled | n/a | |
Surface Book with Performance Base, Surface Book | Base USB ports are always enabled | N/A: No USB-C port on device | n/a | |
Department vs. organizational provisioning
Dynamic USB-C Disablement allows a many-to-many relationship between hosts and docks. Hosts and docks can be configured to work with every host or dock in the organization, or restricted to a specific department, which also helps with asset management.
Table 2. Example relationships: Host device with Surface Thunderbolt 4 Dock
Host Device (Surface Laptop Studio 2) | Unprovisioned Dock | Global Dock | Department-X Dock | Department-Y Dock |
---|---|---|---|---|
Not Provisioned | Host USB-C: Enabled; Dock USB: Enabled | Host USB-C: Enabled; Dock USB: Limited, based on Unauthenticated dock policy | Host USB-C: Enabled; Dock USB: Limited, based on Unauthenticated dock policy | Host USB-C: Enabled; Dock USB: Limited, based on Unauthenticated dock policy |
Global | Host USB-C: Data disabled; Dock USB: Data disabled | Host USB-C: Enabled; Dock USB: Authenticated policy | Host USB-C: Enabled; Dock USB: Authenticated policy | Host USB-C: Enabled; Dock USB: Authenticated policy |
Department-X | Host USB-C: Data disabled; Dock USB: Data disabled | Host USB-C: Enabled; Dock USB: Authenticated policy | Host USB-C: Enabled; Dock USB: Authenticated policy | Host USB-C: Data disabled; Dock USB: Data disabled & limited, based on Unauthenticated dock policy |
Department-Y | Host USB-C: Data disabled; Dock USB: Data disabled | Host USB-C: Enabled; Dock USB: Authenticated policy | Host USB-C: Data disabled; Dock USB: Data disabled & limited, based on Unauthenticated dock policy | Host USB-C: Enabled; Dock USB: Authenticated policy |
Appendix: SEMM PowerShell Scripts tech reference
Script | Purpose | Prerequisites |
---|---|---|
ApplyProvisioningPackage.ps1 | Demonstrates how to apply the owner and permission packages. | Run with administrator privileges; Surface device has the SurfaceUEFI_Manager_(version).msi installed; package was generated via CreateSettingsPackage.ps1 or similar |
ApplySettingsPackage.ps1 | Demonstrates how to apply the settings package. | Run with administrator privileges; Surface device has the SurfaceUEFI_Manager_(version).msi installed; package was generated via CreateSettingsPackage.ps1 or similar |
ConfigureSEMM - Dock2.ps1 | Creates a Surface Dock provisioning package; applies the created provisioning package | SurfaceUEFI_Manager_(version).msi has been installed; Dock Certification Authority (DockCA): a p7b cert, used to control ownership of a Surface Dock 2; Dock Provisioning Certificate (ProvCert): a pfx cert, used to sign the Dock Configuration Package with EKU 1.3.6.1.4.1.311.76.9.21.3. This certificate and its full trust chain MUST be installed on the Surface Computer during Provisioning Package Creation to -CertStoreLocation Cert:\LocalMachine\Root; Dock Host Authorization Certificate (HostCert): a pfx cert, used to authorize a Surface Computer to use the authorized user dock security policies. This certificate and its full trust chain MUST be installed on the Surface Computer during Dock Provisioning (and only this certificate) to -CertStoreLocation Cert:\LocalMachine\Root, and MUST NOT be installed on the Surface Computer during Provisioning Package Creation; Surface Dock 2; WMI Instance Provider for Surface Dock (to learn more, see Manage Surface Docks with WMI) |
ConfigureSEMM - Thunderbolt(TM)4Dock-Host-SAM.ps1 | Creates and applies a SEMM/DFCI package that sets the USB-C port and contains the Certificate Authority hashes; creates and applies a SAM Certificate Authority CFU payload | SurfaceUEFI_Manager_(version).msi has been installed; Dock Certification Authority (DockCA): a p7b cert, used to control ownership of a Surface Thunderbolt 4 Dock; one of the following Surface Computers (other models not yet supported): Surface Laptop Studio 2 |
ConfigureSEMM - Thunderbolt(TM)4Dock-Host.ps1 | Creates and applies a CFU package for SAM | SurfaceUEFI_Manager_(version).msi has been installed; a list of certificate authority files (.p7b); SAM can support up to 10 different CAs; one of the following Surface Computers (other models not yet supported): Surface Laptop Studio 2 |
ConfigureSEMM - Thunderbolt(TM)4Dock-Policy.ps1 | Creates a Surface Thunderbolt 4 Dock policy package; applies the created policy package | SurfaceUEFI_Manager_(version).msi has been installed; Dock Provisioning Certificate (ProvCert): a pfx cert, used to sign the Dock Configuration Package with EKU 1.3.6.1.4.1.311.76.9.21.3. This certificate and its full trust chain MUST be installed on the Surface Computer during Provisioning Package Creation to -CertStoreLocation Cert:\LocalMachine\Root; Dock Host Authorization Certificate (HostCert): a pfx cert, used to authorize a Surface Computer to use the authorized user dock security policies. This certificate and its full trust chain MUST be installed on the Surface Computer during Dock Provisioning (and only this certificate) to -CertStoreLocation Cert:\LocalMachine\Root, and MUST NOT be installed on the Surface Computer during Provisioning Package Creation; Dock Authentication Certificate (DockAuthCert); Surface Thunderbolt 4 Dock |
ConfigureSEMM - Thunderbolt(TM)4Dock-Provisioning.ps1 | Creates a Surface Thunderbolt 4 Dock provisioning package; applies the created provisioning package | SurfaceUEFI_Manager_(version).msi has been installed; Dock Certification Authority file (DepartmentCA and/or OrganizationCA): a p7b cert, used to control ownership of a Surface Thunderbolt 4 Dock; Dock Provisioning Certificate (ProvCert): a pfx cert, used to sign the Dock Configuration Package with EKU 1.3.6.1.4.1.311.76.9.21.3. This certificate and its full trust chain MUST be installed on the Surface Computer during Provisioning Package Creation to -CertStoreLocation Cert:\LocalMachine\Root; Dock Host Authorization Certificate (HostCert): a pfx cert, used to authorize a Surface Computer to use the authorized user dock security policies. This certificate and its full trust chain MUST be installed on the Surface Computer during Dock Provisioning (and only this certificate) to -CertStoreLocation Cert:\LocalMachine\Root, and MUST NOT be installed on the Surface Computer during Provisioning Package Creation; Dock Authentication Certificate (DockAuthCert); Surface Thunderbolt 4 Dock |
ConfigureSEMM - Thunderbolt(TM)4Dock-USBC.ps1 | Creates and applies a USB-C Mode 3 SEMM/DFCI package | SurfaceUEFI_Manager_(version).msi has been installed; Ownership Certificate signing key has been generated and is accessible; one of the following Surface Computers (other models not yet supported): Surface Laptop Studio 2 |
ConfigureSEMM.ps1 | Creates the signer provisioning (also known as "owner") package and a universal reset package; creates a permission package; applies the created owner and permission packages | SurfaceUEFI_Manager_(version).msi has been installed; Ownership Certificate signing key has been generated and is accessible; Surface device with compatible SEMM-enabled UEFI |
CreateOwnerPackage.ps1 | Creates the signer provisioning (also known as "owner") package and a universal reset package; can run on an IT administrator workstation (doesn't need to be a Surface device) | IT admin workstation has the SurfaceUEFI_Manager_(version).msi installed; Ownership Certificate signing key has been generated and is accessible |
CreateOwnerUpgradePackage.ps1 | Creates the signer upgrade provisioning (also known as "owner") package and a universal reset package. | IT admin workstation has the SurfaceUEFI_Manager_(version).msi installed; a new ownership certificate signing key has been generated and is accessible; an existing ownership certificate signing key has been generated and is accessible |
CreatePermissionPackages.ps1 | Demonstrates how to create a permission package. | IT admin workstation has the SurfaceUEFI_Manager_(version).msi installed; Ownership Certificate signing key has been generated and is accessible |
CreateSettingsPackage.ps1 | Demonstrates how to create a settings package. | IT admin workstation has the SurfaceUEFI_Manager_(version).msi installed; Ownership Certificate signing key has been generated and is accessible |
CreateSurfaceDock2Certificates.ps1 | Creates a set of certificates suitable for configuring a Surface Dock 2; they may be used in conjunction with the configure and reset scripts, or the configurator | N/A |
CreateSurfaceThunderbolt(TM)4DockCertificates.ps1 | Creates a set of certificates suitable for configuring a Surface Thunderbolt 4 Dock; they may be used in conjunction with the configure and reset scripts, or the configurator | N/A |
CreateTestCertificates.ps1 | Demonstrates how to create the digital certificates used in the system. Note: the certificates created here work for testing purposes but are simplistic and not recommended for actual deployment. We strongly recommend that you learn more about PKI best practices by reading topics on PKI such as Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure | N/A |
CurrentSettings.ps1 | Displays the current SEMM settings on the device at boot. | Run with administrator privileges; Surface device has the SurfaceUEFI_Manager_(version).msi installed |
ResetSEMM - Dock2.ps1 | Creates a Surface Dock reset package; applies the created reset package | SurfaceUEFI_Manager_(version).msi has been installed; Dock Certification Authority (DockCA): the p7b certificate file, used to control ownership of a Surface Dock 2; Dock Provisioning Certificate (ProvCert): a pfx certificate file, used to sign the Dock Configuration Package with EKU 1.3.6.1.4.1.311.76.9.21.3. This certificate and its full trust chain MUST be installed on the Surface Computer during Provisioning Package Creation to -CertStoreLocation Cert:\LocalMachine\Root; Dock Host Authorization Certificate (HostCert): a pfx certificate file, used to authorize a Surface Computer to use the authorized user dock security policies. This certificate and its full trust chain MUST be installed on the Surface Computer during Dock Provisioning (and only this certificate) to -CertStoreLocation Cert:\LocalMachine\Root, and MUST NOT be installed on the Surface Computer during Provisioning Package Creation; Surface Dock 2; WMI Instance Provider for Surface Dock 2 (to learn more, see Manage Surface Docks with WMI) |
ResetSEMM - Thunderbolt(TM)4Dock.ps1 | Creates a Surface Thunderbolt 4 Dock reset package; applies the created reset package | SurfaceUEFI_Manager_(version).msi has been installed; Dock Provisioning Certificate (ProvCert): a pfx certificate file, used to sign the Dock Configuration Package with EKU 1.3.6.1.4.1.311.76.9.21.3. This certificate and its full trust chain MUST be installed on the Surface Computer during Provisioning Package Creation to -CertStoreLocation Cert:\LocalMachine\Root; Dock Host Authorization Certificate (HostCert): a pfx certificate file, used to authorize a Surface Computer to use the authorized user dock security policies. This certificate and its full trust chain MUST be installed on the Surface Computer during Dock Provisioning (and only this certificate) to -CertStoreLocation Cert:\LocalMachine\Root, and MUST NOT be installed on the Surface Computer during Provisioning Package Creation; Surface Thunderbolt 4 Dock |
ResetSemm.ps1 | Creates and applies a SEMM reset package for a specific device. | Administrative privileges on the device; Surface device has the SurfaceUEFI_Manager_(version).msi installed; certificate has been generated and is accessible (and password is 1234); this Surface device was formerly enrolled with the same certificate |
ShowSettingsOptions.ps1 | Prints the UEFI settings that can be applied to Surface devices. | IT admin workstation has the SurfaceUEFI_Manager_(version).msi installed |
VerifyDockSettings.ps1 | Captures and displays the current configuration of the connected Surface Dock. | Surface Dock 2 or Surface Thunderbolt 4 Dock |
VerifySettings.ps1 | Demonstrates how to see the current settings and state of recent updates. | Run with administrator privileges; Surface device has the SurfaceUEFI_Manager_(version).msi installed; packages were applied and the session ID files saved |
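The dock scripts in the table above share a set of certificate-store rules that are easy to get wrong: the ProvCert must carry EKU 1.3.6.1.4.1.311.76.9.21.3 and, with its full chain, be present in Cert:\LocalMachine\Root when the package is created; the HostCert must not be present at that stage and must be present, with its chain, when the dock is provisioned. The following PowerShell preflight is an added example (not one of the Surface IT Toolkit scripts) that checks those rules plus elevation before you run a ConfigureSEMM or ResetSEMM dock script. The function and parameter names and the file paths in the usage comment are assumptions; the EKU OID and the store location come from the table.

```powershell
# Added example, not one of the Surface IT Toolkit scripts: preflight for the
# certificate-store rules the appendix lists for the dock provisioning, policy and
# reset scripts. Function/parameter names are hypothetical.
Set-StrictMode -Version Latest

$ProvCertEkuOid = '1.3.6.1.4.1.311.76.9.21.3'   # EKU the ProvCert must carry (from the appendix)
$RootStore      = 'Cert:\LocalMachine\Root'     # store the scripts expect the chains in

function Test-IsElevated {
    # The Apply*/Configure*/Reset* scripts must run with administrator privileges.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-CertificateFromPfx {
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][securestring]$Password)
    if (-not (Test-Path -LiteralPath $Path)) { throw "PFX file not found: $Path" }
    # DefaultKeySet: the private key is not persisted into a machine key container.
    return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        $Path, $Password,
        [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
}

function Test-CertificateHasEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
          [string]$Oid)
    foreach ($ext in $Certificate.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($eku in $ext.EnhancedKeyUsages) {
                if ($eku.Value -eq $Oid) { return $true }
            }
        }
    }
    return $false
}

function Test-CertificateInRootStore {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $match = Get-ChildItem -Path $RootStore | Where-Object { $_.Thumbprint -eq $Certificate.Thumbprint }
    return [bool]$match
}

function Test-ChainAnchoredInRootStore {
    # True when the certificate builds a complete chain whose root sits in Cert:\LocalMachine\Root.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    try {
        # The appendix requires chain presence in the store, not revocation; keep this offline-safe.
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        if (-not $chain.Build($Certificate)) { return $false }
        $root = @($chain.ChainElements)[-1].Certificate
        return Test-CertificateInRootStore -Certificate $root
    } finally { $chain.Dispose() }
}

function Test-SemmDockCertPrereqs {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][ValidateSet('PackageCreation', 'DockProvisioning')][string]$Stage,
        [Parameter(Mandatory)][string]$ProvCertPath,
        [Parameter(Mandatory)][securestring]$ProvCertPassword,
        [Parameter(Mandatory)][string]$HostCertPath,
        [Parameter(Mandatory)][securestring]$HostCertPassword
    )
    $problems = [System.Collections.Generic.List[string]]::new()
    if (-not (Test-IsElevated)) { $problems.Add('Not running with administrator privileges.') }

    $provCert = Get-CertificateFromPfx -Path $ProvCertPath -Password $ProvCertPassword
    $hostCert = Get-CertificateFromPfx -Path $HostCertPath -Password $HostCertPassword

    # The ProvCert signs the Dock Configuration Package and must carry the required EKU.
    if (-not (Test-CertificateHasEku -Certificate $provCert -Oid $ProvCertEkuOid)) {
        $problems.Add("ProvCert lacks EKU $ProvCertEkuOid.")
    }
    switch ($Stage) {
        'PackageCreation' {
            # ProvCert chain MUST be in LocalMachine\Root; HostCert MUST NOT be installed yet.
            if (-not (Test-ChainAnchoredInRootStore -Certificate $provCert)) {
                $problems.Add("ProvCert chain is not anchored in $RootStore.")
            }
            if (Test-CertificateInRootStore -Certificate $hostCert) {
                $problems.Add("HostCert is present in $RootStore but MUST NOT be during package creation.")
            }
        }
        'DockProvisioning' {
            # HostCert and its full trust chain MUST be in LocalMachine\Root.
            if (-not (Test-ChainAnchoredInRootStore -Certificate $hostCert)) {
                $problems.Add("HostCert chain is not anchored in $RootStore.")
            }
        }
    }
    [pscustomobject]@{
        Stage    = $Stage
        Passed   = ($problems.Count -eq 0)
        Problems = $problems.ToArray()
    }
}

# Usage (hypothetical paths), run before ConfigureSEMM - Thunderbolt(TM)4Dock-Provisioning.ps1:
#   $provPw = Read-Host -AsSecureString -Prompt 'ProvCert PFX password'
#   $hostPw = Read-Host -AsSecureString -Prompt 'HostCert PFX password'
#   Test-SemmDockCertPrereqs -Stage PackageCreation -ProvCertPath 'C:\SEMM\ProvCert.pfx' `
#       -ProvCertPassword $provPw -HostCertPath 'C:\SEMM\HostCert.pfx' -HostCertPassword $hostPw
```

Run it once with -Stage PackageCreation on the machine that builds the package and again with -Stage DockProvisioning on the machine that provisions the dock; a Passed value of $false with the Problems list tells you which rule from the table is violated before the toolkit script fails part-way through. The chain check deliberately looks for the chain's root in Cert:\LocalMachine\Root rather than trusting any root Windows happens to accept, because that store is the location the scripts' -CertStoreLocation prerequisite names.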