On-premises ad (active directory), On-premises ad – Microsoft Surface Hub 2 SmCamera User Manual

If Intune shows the non-Global Admin policy setting is successfully applied to Surface
Hub:

Is the account attempting to log in a member of the security group designated for
this policy?
Is the Surface Hub connected to the internet?
If a GA account is being used, is it a member of the security group configured on
the Surface Hub? GA accounts must also be added to this security group.
Otherwise, if non-Global Admin policy is applied to Surface Hub, the GA can no
longer access Settings.

If Intune shows the non-Global Admin policy setting fails to reach Surface Hub:

Is the security group for the accounts created in the cloud?
Is the correct

Azure AD group SID (security identifiers)

used in the XML?

Is the

XML file created correctly

?

Ensure the policy is assigned to Surface Hub device objects, not the device
accounts.

To learn more, see

Troubleshoot policies and configuration profiles in Microsoft Intune

If the Surface Hub is domain joined and connected to on-prem AD, a security group in
AD is specified during first-run setup to allow group members to sign into Settings. This
designated group can be seen on Surface Hub within Settings > Surface Hub >
Accounts. If an error message is received stating “this requires elevation” when
attempting to log into Settings, check the following issues:

Ensure the account being used is a member of the security group designated
during OOBE.
Ensure the account is enabled and the password has not expired.

Policy succeeds: Still no access to Settings

Policy fails: Intune error

On-premises AD

７

Note

If the Surface Hub loses trust with the domain and Settings can no longer be
accessed, you will need to reset Surface Hub.