Enterprise-grade security, Harden device account with password rotation – Microsoft Surface Hub 2 SmCamera User Manual

Surface Hub 2S enables admins to reinstall the device to factory settings using a
recovery image in as little as 20 minutes. Typically, you would only need to do this if
your Surface Hub is no longer functioning. Recovery is also useful if you have lost the
BitLocker key or no longer have admin credentials to the Settings app.

Surface Hub uses a device account, also known as a "room account," to authenticate
with Exchange, Microsoft Teams, and other services. When you enable password
rotation, Hub 2S automatically generates a new password every seven days, consisting
of 15-32 characters with a combination of uppercase and lowercase letters, numbers,
and special characters. Because no one knows the password, the device account
password rotation effectively mitigates associated risks from human error and potential
social engineering security attacks.
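
The rotation policy described above, sketched as an added example (this is not Microsoft's implementation or code from the manual). The length range, character classes and seven-day interval come from the text; the special-character set and all function names are assumptions.

```python
import secrets
import string
from datetime import datetime, timedelta, timezone

# Policy values taken from the text above; the symbol set is an assumption.
MIN_LEN, MAX_LEN = 15, 32
ROTATION_INTERVAL = timedelta(days=7)
CLASSES = (
    string.ascii_uppercase,
    string.ascii_lowercase,
    string.digits,
    "!@#$%^&*()-_=+[]{}",  # assumed special-character set
)
ALPHABET = "".join(CLASSES)


def generate_password() -> str:
    """Return a random 15-32 character password containing all four classes."""
    length = MIN_LEN + secrets.randbelow(MAX_LEN - MIN_LEN + 1)
    # One guaranteed character per class, the rest drawn from the full alphabet.
    chars = [secrets.choice(cls) for cls in CLASSES]
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(chars))]
    # CSPRNG-driven Fisher-Yates shuffle so the guaranteed characters
    # do not sit at predictable positions.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def meets_policy(password: str) -> bool:
    """Check the length bounds and the presence of every character class."""
    if not MIN_LEN <= len(password) <= MAX_LEN:
        return False
    return all(any(ch in cls for ch in password) for cls in CLASSES)


def rotation_due(last_rotated: datetime, now: datetime) -> bool:
    """True once seven days have elapsed since the last rotation."""
    return now - last_rotated >= ROTATION_INTERVAL


if __name__ == "__main__":
    pw = generate_password()  # printed only as length, never the secret itself
    print(len(pw), meets_policy(pw), datetime.now(timezone.utc).isoformat())
```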

In addition to Surface Hub-specific configurations and features addressed in this
document, Surface Hub also uses standard Windows security features. These include:

BitLocker. The Surface Hub SSD is equipped with BitLocker to protect the data on
the device. Its configuration follows industry standards. For more information, see
BitLocker overview.

Windows Defender. The Windows Defender anti-malware engine runs
continuously on Surface Hub and works to automatically remediate threats found
on Surface Hub. The Windows Defender engine receives updates automatically and
is manageable via remote management tools for IT admins. The Windows
Defender engine is a perfect example of our Defense in Depth approach: If
malware can find a way around our core code-signing-based security solution, it
will be caught here. For more information, see Windows Defender Application
Control and virtualization-based protection of code integrity.

Plug and play drivers. To prevent malicious code from reaching the device through
drivers, Surface Hub does not download advanced drivers for PnP devices. This
allows devices that leverage basic drivers such as USB flash drives to work as
expected while blocking more advanced systems such as printers.

Trusted Platform Module 2.0. Surface Hub has an industry standard discrete
Trusted Platform Module (dTPM) for generating and storing cryptographic keys
and hashes. The dTPM protects keys used for the verification of boot phases, the
BitLocker master key, password-less sign-on key, and more. The dTPM meets
FIPS

Harden device account with password rotation

Enterprise-grade security