Security enhancements in Surface Hub 2S, Manage UEFI settings with SEMM – Microsoft Surface Hub 2 SmCamera User Manual

Start & All Apps. The Start and All Apps components of Surface Hub do not
expose access to Command Prompt, PowerShell, or other Windows components
blocked via Application Control. In addition, Windows run functionality typically
accessed on PCs from the Search box is turned off for Surface Hub.

Security enhancements in Surface Hub 2S

Although Surface Hub and Surface Hub 2S both run the same operating system
software, some features unique to Surface Hub 2S provide additional management and
security capabilities, enabling IT admins to perform the following tasks:

Manage UEFI settings with SEMM
Recover Hub with bootable USB
Harden device account with password rotation

Manage UEFI settings with SEMM

UEFI is an interface between the underlying hardware platform pieces and the operating
system. On Surface Hub, a custom UEFI implementation allows granular control over
these settings and prevents any non-Microsoft entity from changing the UEFI settings of
the device — or booting to a removable drive to modify or change the operating
system.

At a high level, during the factory provisioning process, Surface Hub UEFI is
preconfigured to enable Secure Boot and is set to only boot from the internal solid-state
drive (SSD), with access to UEFI menus locked down and shortcuts removed. This seals
UEFI access and ensures the device can only boot into the Windows Team operating
system installed on Surface Hub.

When managed via Microsoft Surface Enterprise Management Mode (SEMM), IT admins
can deploy UEFI settings on Hub devices across an organization. This includes the ability
to enable or disable built-in hardware components, protect UEFI settings from being
changed by unauthorized users, and adjust boot settings.
