Prepare your environment for Surface Hub

This page describes dependencies for setting up and managing Surface Hub v1 or Surface Hub 2S.

Tip

As a companion to this article, we recommend using the Surface Hub and Microsoft Teams Rooms automated setup guide when signed in to the Microsoft 365 Admin Center. This guide will customize your experience based on your environment. If you're hosted in Exchange Online and using Microsoft Teams, the guide will automatically create your device account with the correct settings. Or use it to validate existing resource accounts to help turn them into compatible Surface Hub device accounts. To review best practices without signing in and activating automated setup features, go to the M365 Setup portal.

Infrastructure dependencies

Review these dependencies to make sure Surface Hub features will work in your IT infrastructure.

Dependency: On-premises services and Active Directory, or Microsoft 365
Description: Surface Hub uses an Active Directory or Microsoft Entra account (called a device account) to access Exchange and Teams (or Skype for Business) services. The Surface Hub must be able to connect to your Active Directory domain controller or to your Microsoft Entra tenant in order to validate the device account's credentials, and to access information such as the device account's display name, alias, Exchange server, and Session Initiation Protocol (SIP) address.
NOTE: Surface Hubs work with Microsoft Teams, Skype for Business Server 2019, Skype for Business Server 2015, or Skype for Business Online. Earlier platforms, such as Lync Server 2013, are not supported. Surface Hubs are not supported in GCC DoD environments.
Learn more: Microsoft 365 endpoints; Create and test a device account

Dependency: Windows Update, Store and Diagnostics
Description: Access to Windows Update or Windows Update for Business is required to maintain Surface Hub with OS feature and quality updates. Access to the Microsoft Store is required to maintain apps.
Learn more: Manage connection endpoints for Windows 10 Enterprise, version 20H2; Manage Windows updates on Surface Hub

Dependency: Mobile device management (MDM) solution (Microsoft Intune, Microsoft Configuration Manager, or a supported third-party MDM provider)
Description: To apply settings and install apps remotely, and to multiple devices at a time, you must set up an MDM solution and enroll the device in that solution.
Learn more: Network endpoints for Microsoft Intune; Manage settings with an MDM provider

Dependency: Azure Monitor
Description: Azure Monitor can be used to monitor the health of Surface Hub devices.
NOTE: Surface Hubs do not currently support the use of a proxy server to communicate with the Log Analytics service used by Azure Monitor.
Learn more: Log Analytics endpoints; Monitor Surface Hubs with Azure Monitor to track their health

Dependency: Network access
Description: Surface Hubs support both wired and wireless connections (a wired connection is preferred).

802.1X authentication: In Windows 10 Team 20H2, 802.1X authentication for wired and wireless connections is enabled by default, but you still need to ensure that an 802.1X network profile and an authentication certificate are installed on Surface Hub. If you manage Surface Hub with Intune or another mobile device management solution, you can deliver the certificate using the ClientCertificateInstall CSP. Otherwise, you can create a provisioning package and install it during first-run setup or by using the Settings app. Once the certificate is applied, 802.1X authentication begins automatically.

Dynamic IP: Surface Hubs cannot be configured to use a static IP address. They must be assigned an IP address through DHCP.

Ports: The Surface Hub requires the following ports to be open:
HTTPS: 443
HTTP: 80
NTP: 123

Learn more: Enable 802.1x wired authentication; Create provisioning packages for Surface Hub
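As an added illustration of the ClientCertificateInstall CSP route mentioned above (this fragment is not from this page or from Microsoft's documentation), the following OMA-DM SyncML shows the nodes an MDM server would set to push a PFX-based 802.1X client certificate to a Surface Hub with the private key held in the TPM and marked non-exportable. The node names are those of the ClientCertificateInstall CSP; the UniqueID `hub-8021x`, the PFX blob and the encrypted password are placeholders chosen for this example.

```xml
<!-- Added example: device-scope install of an 802.1X client certificate through the
     ClientCertificateInstall CSP. "hub-8021x" is an arbitrary UniqueID chosen here;
     PFXCertBlob and PFXCertPassword are placeholders, not real secrets. -->
<SyncML xmlns="SYNCML:SYNCML1.2">
  <SyncBody>
    <!-- KeyLocation 1: store the private key in the TPM and fail if no TPM is present,
         so the network credential cannot be copied off the device. -->
    <Add><CmdID>1</CmdID>
      <Item><Target><LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/hub-8021x/KeyLocation</LocURI></Target>
        <Meta><Format xmlns="syncml:metinf">int</Format></Meta><Data>1</Data>
      </Item></Add>
    <!-- PFXKeyExportable false: the CSP default is true, which would allow the key to be exported. -->
    <Add><CmdID>2</CmdID>
      <Item><Target><LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/hub-8021x/PFXKeyExportable</LocURI></Target>
        <Meta><Format xmlns="syncml:metinf">bool</Format></Meta><Data>false</Data>
      </Item></Add>
    <!-- PFXCertPasswordEncryptionType 1: the PFX password is encrypted with the device's MDM
         certificate instead of being sent in clear text (value 0). -->
    <Add><CmdID>3</CmdID>
      <Item><Target><LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/hub-8021x/PFXCertPasswordEncryptionType</LocURI></Target>
        <Meta><Format xmlns="syncml:metinf">int</Format></Meta><Data>1</Data>
      </Item></Add>
    <Add><CmdID>4</CmdID>
      <Item><Target><LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/hub-8021x/PFXCertPassword</LocURI></Target>
        <Meta><Format xmlns="syncml:metinf">chr</Format></Meta><Data>PLACEHOLDER_ENCRYPTED_PFX_PASSWORD</Data>
      </Item></Add>
    <!-- PFXCertBlob is set last: adding the base64 PFX is what triggers the installation,
         so the key and password settings above must already be present. -->
    <Add><CmdID>5</CmdID>
      <Item><Target><LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/hub-8021x/PFXCertBlob</LocURI></Target>
        <Meta><Format xmlns="syncml:metinf">chr</Format></Meta><Data>PLACEHOLDER_BASE64_PFX</Data>
      </Item></Add>
    <!-- Read back Status to confirm whether the install succeeded before relying on 802.1X. -->
    <Get><CmdID>6</CmdID>
      <Item><Target><LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/hub-8021x/Status</LocURI></Target></Item>
    </Get>
    <Final/>
  </SyncBody>
</SyncML>
```

This fragment only installs the certificate; the wired or Wi-Fi 802.1X network profile that references it is delivered separately by the MDM provider.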

Device affiliation

Use Device affiliation to manage user access to the Settings app on Surface Hub. With the Windows 10 Team operating system (which runs on Surface Hub), only authorized users can adjust settings using the Settings app. Because the affiliation you choose can affect feature availability, plan appropriately to ensure that users can access features as intended.

Note

You can only set Device affiliation during the initial out-of-box experience (OOBE) setup. If you need to reset Device affiliation, you’ll have to repeat OOBE setup.

No affiliation

No affiliation is like having Surface Hub in a workgroup with a different local Administrator account on each Surface Hub. If you choose No affiliation, you must locally save the BitLocker Key to a USB thumb drive. You can still enroll the device with Intune; however, only the local admin can access the Settings app using the account credentials configured during OOBE. You can change the Administrator account password from the Settings app.

Active Directory Domain Services

If you affiliate Surface Hub with on-premises Active Directory Domain Services, you manage access to the Settings app using a security group on your domain. This ensures that all members of the security group have permission to change settings on Surface Hub. Also note the following:

When Surface Hub is affiliated with your on-premises Active Directory Domain Services, the BitLocker key can be saved in the Active Directory schema. For more information, see BitLocker planning guide.

Your organization’s Trusted Root CAs are pushed to the same container in Surface Hub, which means you don’t need to import them using a provisioning package.

You can still enroll the device with Intune to centrally manage settings on your Surface Hub.

Microsoft Entra ID

When you choose to affiliate your Surface Hub with Microsoft Entra ID, any user with the Global Administrator role can sign in to the Settings app on Surface Hub. You can also configure non-Global Admin accounts that limit permissions to management of the Settings app on Surface Hub. This enables you to scope admin permissions for Surface Hubs only and prevent potentially unwanted admin access across an entire Microsoft Entra domain.

Important

Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role. To learn more, see the recommended guidance in Configure non-Global Admin accounts on Surface Hub.

Note

Surface Hub administrator accounts can only sign in to the Settings app when authenticating via Microsoft Entra ID. Third-party federated Identity Providers (IdPs) are not supported.

If you enabled Intune Automatic Enrollment for your organization, the Surface Hub will automatically enroll itself with Intune; in this scenario, the account used for Microsoft Entra affiliation during setup must be licensed for Intune and have permissions to enroll Windows devices. After the setup process is completed, the device's BitLocker key is automatically saved in Microsoft Entra ID.

To learn more about managing Surface Hub with Microsoft Entra ID, see:

Review and complete Surface Hub setup worksheet (optional)

When you go through the first-run program for your Surface Hub, there's some information that you'll need to supply. The setup worksheet summarizes that information and provides lists of environment-specific details that you'll need during the first-run program. For more information, see Setup worksheet.

Learn more