Setup worksheet for Surface Hub
When you've finished pre-setup and are ready to start first-time setup for your Microsoft Surface Hub, make sure you have all the information listed in this section.
You should fill out one list for each Surface Hub you need to configure, although some information can be used on all Surface Hubs, like the proxy information or domain credentials. Some of this information may not be needed, depending on how you've decided to configure your device, or depending on how the environment is configured for your organization's infrastructure.
When finished, review Post deployment checklist below.
| Property | What this property is used for | Example | Learn more |
|---|---|---|---|
| Proxy information | If you use a proxy for network or Internet access, you must provide a script or server/port information. | Proxy script: http://contoso/proxy.pac Or: Server and port info: 10.10.10.100, port 80 |
Configure proxy using provisioning package. |
| Wireless network credentials (username and password) | If connecting your device to Wi-Fi, and your wireless network requires user credentials. | admin1@contoso.com, #MyPassw0rd | Wireless network management |
| Device account UPN or Domain\username and device account password | This is the User Principal Name (UPN) or the domain\username, and the password of the device account. Mail, calendar, Microsoft Teams, and Skype for Business depend on a compatible device account. | UPN: ConfRoom15@contoso.com, #Passw0rd1 Or: Domain and username: CONTOSO\ConfRoom15, #Passw0rd1 |
Create and test a device account |
| Mailbox properties | The mailbox must be configured with the correct properties to enable the best meeting experience on Surface Hub. | See Microsoft Exchange properties | |
| EWS URL for device account's mailbox | This is the device account's Exchange server. Mail, calendar, Microsoft Teams, and Skype for Business depend on a compatible device account. For mail and calendaring to work, the device account must have a valid Exchange server. The device tries to find this automatically. | https://outlook.office365.com/EWS/exchange.asmx | Create and test a device account Microsoft Exchange properties |
| Device account Session Initiation Protocol (SIP) address | This is the device account's SIP address. Mail, calendar, Microsoft Teams, and Skype for Business depend on a compatible device account. For Teams or Skype for Business to work, the device account must have a valid SIP address. The device tries to find this automatically. | sip: ConfRoom15@contoso.com | |
| Device account password | To simplify management, you can either disable password expiration for the device account or allow Surface Hub to automatically rotate the device account password. Note: If adding the account in domain\username format, affiliate the Hub with on-premises Active Directory during initial setup. If adding the account in username@domain.com format, affiliate the Hub with Microsoft Entra ID during initial setup. Otherwise, password rotation won't work. |
Password management | |
| Exchange Web Services (EWS) | Enable EWS. Surface Hub uses EWS to sync its calendar. | Modern authentication on Surface Hub | |
| Multifactor authentication | Disable multifactor authentication on the device account. As the Surface Hub logs into Exchange in the background without user interaction, it can't respond to any interactive prompts, such as multifactor authentication. | ||
| MDM enrollment details | If you would like to manually enroll the device to MDM, you'll need to have user credentials that are valid for the MDM provider and the enrollment URL. The device tries to find the enrollment URL automatically. | manage.microsoft.com | Manage Surface Hub with an MDM provider |
| Friendly name | The friendly name of the device is the broadcast name that people will see when they try to wirelessly connect to the Surface Hub. This name is displayed prominently on the Surface Hub's screen. We suggest that the friendly name you choose is recognizable and unique so that people can distinguish one Surface Hub from another when trying to connect. | Conference Room 15 | First time Setup for Surface Hub |
| Device name | The device name is the name that will be used for domain join, and is the identity you'll see in your MDM provider if the device is enrolled into MDM. The device name you choose must not be the same name as any other device in your Active Directory domain (if you decide to domain join the device). The device can't join the domain without a unique name. | confroom15 | First time Setup for Surface Hub |
| Teams App Mode | - Mode 0 — Skype for Business with Microsoft Teams functionality for scheduled meetings. - Mode 1 — Microsoft Teams only |
Changing default app for meetings & calls |
Device affiliation
Use Device affiliation to manage user access to the Settings app on Surface Hub. With the Windows 10 Team operating system (that runs on Surface Hub), only authorized users can adjust settings using the Settings app. Since choosing the affiliation can impact feature availability, plan appropriately to ensure that users can access features as intended.
Note
You can only set Device affiliation during the initial out-of-box experience (OOBE) setup. If you need to reset Device affiliation, you’ll have to repeat OOBE setup.
If you’re joining Microsoft Entra ID
| Property | What this property is used for | Example | Learn more |
|---|---|---|---|
| Microsoft Entra tenant user credentials (username and password) | If you decide to have people in your Microsoft Entra organization become admins on the device, then you'll need to join the Surface Hub to Microsoft Entra ID. To join it to Microsoft Entra ID, you'll need valid credentials for an account in the tenant. | admin1@contoso.com, #MyPassw0rd | Admin group management |
| Non Global Admin accounts | For Surface Hub devices joined to Microsoft Entra ID, you can limit admin permissions to management of the Settings app on Surface Hub. This permission confinement enables you to scope admin permissions for Surface Hub only and prevent potentially unwanted admin access an entire Microsoft Entra domain. | Configure non-Global Admin accounts on Surface Hub |
Important
Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role. To learn more, see the recommended guidance in Configure non-Global Admin accounts on Surface Hub.
If you’re joining a domain
| Property | What this property is used for | Example |
|---|---|---|
| Domain to join | This is the domain you'll need to join so that a security group of your choice can be admins for the device. You may need the fully qualified domain name (FQDN). | contoso (short name) OR contoso.corp.com (FQDN) |
| Domain account credentials (username and password) | A domain can't be joined unless you provide sufficient account credentials to join the domain. Once you provide a domain to join and credentials to join the domain, then a security group of your choice can change settings on the device. | admin1, #MyPassword |
| Admin security group alias | This is a security group in your Active Directory (AD); any members of this security group can change settings on the device. | SurfaceHubAdmins |
If you're using a local admin
| Property | What this is used for | Example |
|---|---|---|
| Local admin account credentials (username and password) | If you decide not to join an AD domain or Microsoft Entra ID, you can create a local admin account on the device. | admin1, #MyPassword |
If you need to install certificates or apps
| Property | What this is used for |
|---|---|
| USB drive | If you know before first run that you want to install certificates or universal apps, follow the steps in Create provisioning packages for Surface Hub. Your provisioning packages are created on a USB drive. |
Post deployment checklist
| Check | Response |
|---|---|
| Device account syncing | ☐ Yes ☐ No |
| Bitlocker key | ☐ Saved to file (no affiliation) ☐ Saved in Active Directory (AD affiliation) ☐ Saved in Microsoft Entra ID (Microsoft Entra affiliation) |
| Device OS updates | ☐ Completed |
| Windows Store updates | ☐ Automatic ☐ Manual |
| Microsoft Teams scheduled meeting | ☐ Confirmation email received ☐ Meeting appears on start screen ☐ One-touch join functions ☐ Able to join audio ☐ Able to join video ☐ Able to share screen |
| Skype for Business scheduled meeting | ☐ Confirmation email received ☐ Meeting appears on start screen ☐ One-touch join functions correctly ☐ Able to join audio ☐ Able to join video ☐ Able to share screen ☐ Able to send/receive IM |
| Scheduled meeting when already invited | ☐ Meeting declined |
| Microsoft Teams ad-hoc meeting | ☐ Invite other users work ☐ Able to join audio ☐ Able to join video ☐ Able to share screen |
| Microsoft Whiteboard | ☐ Launch from Welcome / Start screen ☐ Launch from Microsoft Teams |
| Incoming Teams/Skype call | ☐ Able to join audio ☐ Able to join video ☐ Able to share screen ☐ Able to send/receive IM (Skype for Business only) |
| Incoming live video streams | ☐ Maximum 2 (Skype for Business) ☐ Maximum 4 (Microsoft Teams) |
| Microsoft Teams Mode 0 behavior | ☐ Skype for Business tile on Welcome/Start screen ☐ Can join scheduled Skype for Business meetings (Skype UI) ☐ Can join scheduled Teams meetings from Welcome screen calendar |
| Microsoft Teams Mode 1 behavior | ☐ Teams tile on Welcome / Start screen ☐ Can join scheduled Teams meetings ☐ Cannot join Skype for Business meetings |