Manage Surface UEFI settings using Surface Enterprise Management Mode.
Microsoft Surface Enterprise Management Mode (SEMM) is a feature available on Surface devices equipped with Surface Unified Extensible Firmware Interface (UEFI). SEMM allows organizations to secure and manage firmware settings remotely. This includes the ability to adjust settings at the firmware level, such as disabling cameras, controlling access to USB ports, Bluetooth settings, and more. SEMM uses a certificate to protect the configuration from unauthorized tampering or removal, providing an additional layer of security and control for commercial customers.
Additionally, SEMM can be managed via Intune using Device Firmware Configuration Interface (DFCI) profiles, which allows for zero-touch remote configuration of UEFI settings. This is particularly useful for organizations that deploy devices using Autopilot, as it enhances security by limiting end-user control over BIOS settings.
For a practical application, SEMM can be used to manage settings such as boot order, enable or disable boot from external devices, and manage Secure Boot settings. It's a powerful tool for IT administrators to ensure that Surface devices adhere to organizational security policies and configurations.
Overview of SEMM
When Surface devices are set up with SEMM and secured using the SEMM certificate, they're considered enrolled in SEMM. Conversely, when the SEMM certificate is removed, thereby restoring the user's control over the UEFI settings, the Surface device is then regarded as unenrolled from SEMM.
This enrollment status is crucial for IT administrators to manage and secure firmware settings in line with organizational policies.
Microsoft Surface UEFI Configurator
The Microsoft Surface UEFI Configurator serves as the central platform for SEMM. With the Microsoft Surface UEFI Configurator, you can:
- Create MSI (.msi) packages: Enroll Surface devices into SEMM and manage UEFI firmware settings for enrolled devices. Enroll Surface docks into SEMM and manage UEFI firmware settings for enrolled docks.
- Use WinPE images: Use WinPE images to enroll, configure, and unenroll SEMM on a Surface device.
- Create DFI packages: Create DFI packages to enroll Surface Hub devices into SEMM and manage UEFI firmware settings for enrolled Surface Hub devices.
The packages generated include a configuration file detailing the UEFI settings and a certificate. This certificate is installed and stored in the firmware, and it authenticates the configuration files' signatures before applying the UEFI settings.
You can use the Microsoft Surface UEFI Configurator tool in three modes:
- Surface UEFI Configuration Package: Use this mode to create a Surface UEFI configuration package to enroll a Surface device in SEMM and to configure UEFI settings on enrolled devices.
- Surface UEFI Reset Package: Use this mode to unenroll a Surface device from SEMM.
- Surface UEFI Recovery Request: Use this mode to respond to a recovery request to unenroll a Surface device from SEMM where a Reset Package operation isn't successful.
For more information, see the following sources:
Install and configure the Microsoft Surface UEFI Configurator
You can download Microsoft Surface UEFI Configurator from the Surface Tools for IT page, in the Microsoft Download Center.
Microsoft Surface configuration packages
Surface UEFI configuration packages are essential for implementing SEMM on Surface devices, containing both configuration and certificate files. The configuration file, created in the Microsoft Surface UEFI Configurator, dictates the UEFI settings, while the certificate file secures the device's firmware upon SEMM enrollment. Physical presence is required during enrollment for confirmation, ensuring secure and managed UEFI settings.
To enroll a Surface device in SEMM or apply UEFI configurations, execute the .msi file with admin rights on the target device, using deployment technologies like Microsoft Endpoint Configuration Manager or the Microsoft Deployment Toolkit. Enrollment in SEMM requires physical presence for confirmation on the device. However, applying configurations to devices already enrolled in SEMM doesn't necessitate user interaction.
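The following script is an added example, not code from the original page or from Microsoft: it runs a SEMM configuration package the way a Configuration Manager or MDT task step would, silently, from an elevated session, with a verbose Windows Installer log and the exit code checked. The package path and log path are placeholders; the package itself is whatever you exported from Microsoft Surface UEFI Configurator.

```powershell
# Added example (not part of the original Microsoft page): apply a SEMM
# configuration package silently and check the Windows Installer result.
# Assumptions: $PackagePath points at an .msi produced by Surface UEFI
# Configurator (placeholder path), and the log location is your choice.
param(
    [Parameter(Mandatory)][string]$PackagePath,                      # e.g. C:\SEMM\SEMM_Config.msi (placeholder)
    [string]$LogPath = "$env:ProgramData\SEMM\semm-install.log"       # placeholder log location
)

# The package must run with administrative rights; fail fast if it won't.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]::new($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this script from an elevated PowerShell session."
}
if (-not (Test-Path -Path $PackagePath -PathType Leaf)) {
    throw "Package not found: $PackagePath"
}
New-Item -ItemType Directory -Force -Path (Split-Path -Parent $LogPath) | Out-Null

# /qn       no UI: fine for devices already enrolled in SEMM; first-time
#           enrollment still needs the on-device physical-presence confirmation
# /norestart let the deployment tool decide when to reboot
# /l*v      verbose log for troubleshooting a failed package
$arguments = @(
    '/i', ('"{0}"' -f $PackagePath),
    '/qn',
    '/norestart',
    '/l*v', ('"{0}"' -f $LogPath)
)
$proc = Start-Process -FilePath "$env:SystemRoot\System32\msiexec.exe" `
                      -ArgumentList $arguments -Wait -PassThru

# Standard Windows Installer exit codes: 0 success, 3010 success but reboot
# required, 1641 success and the installer initiated a reboot.
switch ($proc.ExitCode) {
    0    { "SEMM package applied successfully."; exit 0 }
    3010 { "SEMM package applied; a restart is required."; exit 3010 }
    1641 { "SEMM package applied; Windows Installer initiated a restart."; exit 1641 }
    default {
        Write-Error "msiexec returned exit code $($proc.ExitCode); see $LogPath"
        exit $proc.ExitCode
    }
}
```

Returning the raw exit code (rather than swallowing it) lets Configuration Manager treat 3010 as a soft reboot and anything else as a failure, so a package that was rejected by the firmware shows up in deployment status instead of being reported as installed.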
Another package is the Reset package. A Surface UEFI reset package is designed to unenroll a Surface device from SEMM, reverting UEFI settings to default and removing the SEMM certificate from the firmware. It must be signed with the SEMM certificate already provisioned on the device and is tailored to the serial number of the specific Surface device intended for reset. Unlike configuration packages, reset packages are unique to each device and can't be universally applied.
In certain situations where a Surface UEFI reset package can't be used, such as when Windows is inoperable on the device, you can unenroll from SEMM via the Enterprise Management page of Surface UEFI using a Recovery Request operation. This process generates a Reset Request that can be saved to a USB drive, copied as text, or scanned as a QR Code, then processed through the Microsoft Surface UEFI Configurator to produce a verification code. Entering this code on the Surface device and restarting it will unenroll it from SEMM.
Create a Surface Enterprise Management Mode certificate
When utilizing SEMM with the Microsoft Surface UEFI Configurator for applying UEFI settings, a certificate is essential to authenticate configuration files. This certificate guarantees that post-enrollment in SEMM, only packages with the authorized certificate can alter UEFI settings. Thus, packages crafted with the Microsoft Surface UEFI Configurator are signed with this certificate to ensure secure and controlled modification of UEFI settings after enrollment.
To create a self-signed certificate, perform the following steps:
- Copy the following text into Notepad (or an equivalent text editor):

```powershell
# Create the working folder for the demo certificate and remove any earlier PFX
if (-not (Test-Path "Demo Certificate")) { New-Item -ItemType Directory -Force -Path "Demo Certificate" }
if (Test-Path "Demo Certificate\TempOwner.pfx") { Remove-Item "Demo Certificate\TempOwner.pfx" }
# Generate the Ownership private signing key with password 12345678
$pw = ConvertTo-SecureString "12345678" -AsPlainText -Force
# Self-signed RSA 2048-bit certificate with a SHA-256 signature, valid for 25 years, exportable private key
$TestUefiV2 = New-SelfSignedCertificate -Subject "CN=Surface Demo Kit, O=Contoso Corporation, C=US" -Type SSLServerAuthentication -HashAlgorithm sha256 -KeyAlgorithm RSA -KeyLength 2048 -KeyUsage KeyEncipherment -KeyUsageProperty All -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter (Get-Date).AddYears(25) -TextExtension @("2.5.29.37={text}1.2.840.113549.1.1.1") -KeyExportPolicy Exportable
# Export the certificate and its private key to a password-protected PFX file
$TestUefiV2 | Export-PfxCertificate -Password $pw -FilePath "Demo Certificate\TempOwner.pfx"
```

- On your C: drive, create the folder where you'll save the script; for example, C:\SEMM.
- Save the file in that folder as a PowerShell script (.ps1).
- Sign in to your computer with administrator credentials, and then open an elevated PowerShell session.
- Make sure that your permissions are set to allow scripts to run. By default, scripts are blocked from running unless you modify the execution policy.
- At the command prompt, enter the full path of the script and then press Enter. The script creates a demo certificate named TempOwner.pfx.
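The check below is an added example, not code from the original page or from Microsoft. It loads the PFX the demo script produced and confirms the properties SEMM depends on (a private key is present, the RSA key is at least 2048 bits, the signature hash is SHA-256, the certificate has reasonable remaining validity) and prints the thumbprint. It assumes the script above was run unchanged, so the PFX is at Demo Certificate\TempOwner.pfx with the demo password 12345678; the check names and thresholds are my own.

```powershell
# Added example (not part of the original Microsoft page): verify the SEMM
# signing certificate before building packages with it.
# Assumptions: PFX path and password are the ones the demo script above uses.
param(
    [string]$PfxPath  = (Join-Path -Path "Demo Certificate" -ChildPath "TempOwner.pfx"),
    [SecureString]$Password = (ConvertTo-SecureString "12345678" -AsPlainText -Force)
)

if (-not (Test-Path -Path $PfxPath -PathType Leaf)) {
    throw "PFX not found at '$PfxPath'. Run the certificate script first."
}

# Load the PFX together with its private key; without the private key the
# UEFI Configurator cannot sign configuration or reset packages.
$fullPath = (Resolve-Path -Path $PfxPath).Path
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
    $fullPath, $Password,
    [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)

# GetRSAPublicKey is an extension method, so call it through the static class
# (works on Windows PowerShell 5.1 and PowerShell 7).
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)

# Checks are hypothetical thresholds chosen for this example
$checks = [ordered]@{
    "Private key present"        = $cert.HasPrivateKey
    "RSA key length >= 2048"     = ($null -ne $rsa -and $rsa.KeySize -ge 2048)
    "Signature hash is SHA-256"  = ($cert.SignatureAlgorithm.FriendlyName -match 'sha256')
    "Valid for at least 1 year"  = ($cert.NotAfter -gt (Get-Date).AddYears(1))
}

"Subject    : $($cert.Subject)"
"Thumbprint : $($cert.Thumbprint)"
"Not before : $($cert.NotBefore.ToString('u'))"
"Not after  : $($cert.NotAfter.ToString('u'))"

$failed = @()
foreach ($name in $checks.Keys) {
    if ($checks[$name]) {
        $status = "PASS"
    } else {
        $status = "FAIL"
        $failed += $name
    }
    "{0,-28} {1}" -f $name, $status
}

if ($failed.Count -gt 0) {
    throw "Certificate checks failed: $($failed -join ', ')"
}
"Certificate is suitable for signing SEMM packages."
```

Record the thumbprint alongside the packages you build: it identifies which certificate is provisioned in a device's firmware, and only packages signed with that same certificate (including the per-device reset package) will be accepted after enrollment. The hardcoded 12345678 password and the 25-year lifetime are demo values; for a production SEMM certificate, prompt for the password, keep the PFX off the devices you manage, and restrict access to it, because anyone holding it can change or remove the firmware configuration on every enrolled device.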
For more information, see Surface Enterprise Management Mode (SEMM).
Use UEFI Assemblies & Configuration Manager to manage devices with SEMM
The Surface Enterprise Management Mode (SEMM) allows administrators to secure and manage Surface UEFI settings, typically through Windows Installer (.msi) packages created with the UEFI Configurator tool. Organizations using Endpoint Configuration Manager have an alternative with the Surface UEFI Manager, a lightweight installer for SEMM management assemblies. Once installed on a client, SEMM can be managed via Configuration Manager with PowerShell scripts, eliminating the need for the external UEFI Configurator tool. This streamlines the process of enrolling devices in SEMM and updating the Surface UEFI settings configuration.
You can download Surface UEFI Manager from the Surface IT Toolkit Tool Library.
For more information on the Surface UEFI Manager and how to configure and use it, see Use UEFI Assemblies & Configuration Manager to manage devices with SEMM - Surface.