Security and lockdown management – Microsoft Surface Hub 2 SmCamera User Manual

To help preserve the appliance-like nature of the device, Surface Hub only supports
installing Universal Windows Platform (UWP) apps, and doesn't support installing classic
Win32 apps, services and drivers. Furthermore, only admins have access to install UWP
apps.

Potential impact on organization policies:

Employees can only use the apps that have been installed by admins, helping
mitigate against unintended use. Surface Hub doesn't support installing Win32
agents required by most traditional PC management and monitoring tools.

For Surface Hub to be used in communal spaces, such as meeting rooms, its custom OS
implements many of the security and lockdown features available in Windows 10 or
Windows 11. To learn more, see

Surface Hub Security Overview

Surface Hub implements these Windows security features:

Secure Boot
Windows Defender Application Control and virtualization-based protection of
code integrity
Application restriction policies using AppLocker
BitLocker Drive Encryption
Trusted Platform Module (TPM)
Microsoft Defender Antivirus in Windows
User Account Control (UAC)

for access to the Settings app

These Surface Hub features provide more security:

Custom UEFI firmware
Custom shell and Start menu limits device to meeting functions
Custom File Explorer only grants access to files and folders under My Documents
Custom Settings app only allows admins to modify device settings
Downloading advanced Plug and Play drivers is disabled

Potential impact on organization policies:

Consider these features when performing your security assessment for Surface
Hub.

Security and lockdown

Management