The Microsoft Surface Hub is now shipping, and enterprises are getting ready to deploy these shiny new toys. At first glance they appear to be harmless devices, but from what I have learned firsthand they can be a little tricky to get integrated into an enterprise. This is especially true if you have lots of regulation to comply with.
What is it?
For those who have been hiding under a rock and have not heard of the Microsoft Surface Hub, it is a collaboration device designed to bring teams together and advance the way they work. The “Hub”, as I like to refer to it, comes in 2 flavors: a 55” model that fits nicely in an office or small conference room, and the 84” model for the larger conference rooms.
Some technical specs:
84” model
• Resolution: 3840 x 2160 @ 120Hz
• Contrast Ratio: 1400:1
• Touch: 100-point multi-touch
• Projective Capacitance optically bonded sensor
• SSD 128GB with 8GB RAM
• 4th Generation Intel® Core™ i7
• NVIDIA Quadro K2200
• Windows 10 + Office (Word, PowerPoint, Excel)
55” model
• Resolution: 1920 x 1080 @ 120Hz
• Contrast Ratio: 1300:1
• Touch: 100-point multi-touch
• Projective Capacitance optically bonded sensor
• SSD 128GB with 8GB RAM
• 4th Generation Intel® Core™ i5
• Intel® HD 4600
• Windows 10 + Office (Word, PowerPoint, Excel)
I like to think of the Surface Hub as a giant tablet. At first glance it may seem like a Windows 10 desktop since it does run a variant of Windows 10; however, the version it runs is tweaked and watered down especially for the “Hub”. Before you set off to deploy these giant tablets, beware: there are some gotchas and limitations. This is especially true if you are an enterprise with strict policies, such as limiting access to USB drives.
Microsoft Surface Hub Gotchas
First off, the Surface Hub cannot be managed through Group Policy. So, if you use group policies to manage your desktops, that approach will not work for the Hubs. The approved management methods are the following:
• On-premises MDM with System Center Configuration Manager (beginning in version 1602)
• Hybrid MDM with System Center Configuration Manager and Microsoft Intune
• Microsoft Intune standalone
• Any third-party MDM provider that can communicate with Windows 10 using the MDM protocol.
Another gotcha is that the Surface Hub does not support NTLM authentication, so if you have applications that require NTLM, the Surface Hub may not work correctly for you.
Collaborating is what this device was built for, so naturally you will want to integrate it with your Skype for Business and Microsoft Exchange environment. The Surface Hub requires an Exchange resource account that uses ActiveSync in order to connect with Exchange. Before you create the account, double-check your ActiveSync policies, because you will need to create a separate policy just for these devices that does not require a PIN or password and does not have any restrictions. You will also need to create a device rule for ActiveSync so that the device does not get quarantined every time it has to reset and make a new connection with Exchange. For those not familiar with resource accounts in Exchange, resource accounts cannot be enabled for ActiveSync. So the trick here is to create the account as a standard user account, apply the ActiveSync policies to the account, and then convert the mailbox into a resource account. Once the conversion is complete, you will need to re-enable the account in Active Directory or the device will not be able to connect.
To bring all the collaboration features alive, you will then need to enable the resource accounts within Skype for Business using PowerShell. There is no way to do this via the GUI. If you do not follow those procedures, your device will not connect to Skype for Business.
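One way to script the account procedure described above, as an added example rather than code from the original post. It assumes on-premises Exchange 2013 or later and Skype for Business Server, with the Exchange, ActiveDirectory and Skype for Business modules loaded in one session; the account name, policy name, pool FQDN and device type are placeholders.

```powershell
# Constructed placeholder values; replace with your own.
$Upn        = 'hub01@contoso.com'
$Sam        = 'hub01'
$PolicyName = 'SurfaceHub-EAS'
$Pool       = 'sfbpool01.contoso.com'
$DeviceType = '<DeviceType reported by your Hub>'
$Password   = Read-Host -AsSecureString -Prompt "Password for $Upn"

# 1. Dedicated ActiveSync policy with no PIN/password requirement.
if (-not (Get-MobileDeviceMailboxPolicy | Where-Object Name -eq $PolicyName)) {
    New-MobileDeviceMailboxPolicy -Name $PolicyName -PasswordEnabled $false | Out-Null
}
# Guard: a no-password policy must stay scoped to Hub accounts only.
if ((Get-MobileDeviceMailboxPolicy -Identity $PolicyName).IsDefault) {
    throw "$PolicyName is the organization default policy; refusing to continue."
}

# 2. Create the account as a standard user mailbox, because a resource
#    mailbox cannot be enabled for ActiveSync.
New-Mailbox -Name 'Surface Hub 01' -Alias $Sam -SamAccountName $Sam `
    -UserPrincipalName $Upn -Password $Password | Out-Null

# 3. Apply the ActiveSync policy while it is still a user mailbox.
Set-CASMailbox -Identity $Upn -ActiveSyncEnabled $true `
    -ActiveSyncMailboxPolicy $PolicyName

# 4. Convert the mailbox into a resource (room) mailbox.
Set-Mailbox -Identity $Upn -Type Room

# 5. Re-enable the account in Active Directory after the conversion.
Enable-ADAccount -Identity $Sam

# 6. Device access rule so the Hub is not quarantined on every reset.
#    Read the real value after a first connection attempt with:
#    Get-MobileDevice -Mailbox $Upn | Select-Object DeviceType, DeviceAccessState
if ($DeviceType -notlike '<*') {
    New-ActiveSyncDeviceAccessRule -Characteristic DeviceType `
        -QueryString $DeviceType -AccessLevel Allow | Out-Null
}

# 7. Enable the resource account for Skype for Business (PowerShell only).
Enable-CsMeetingRoom -Identity $Upn -RegistrarPool $Pool -SipAddressType EmailAddress

# 8. Verify the end state before pointing a device at the account.
$cas = Get-CASMailbox -Identity $Upn
[pscustomobject]@{
    ActiveSyncEnabled = $cas.ActiveSyncEnabled
    ActiveSyncPolicy  = $cas.ActiveSyncMailboxPolicy
    MailboxType       = (Get-Mailbox -Identity $Upn).RecipientTypeDetails
    AdAccountEnabled  = (Get-ADUser -Identity $Sam).Enabled
}
```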
Ready, Set, Go!
Once all that has been done, you are ready to configure the device and start playing with your Microsoft Surface Hub. Keep in mind you can only install apps from the Windows Store, so you are somewhat limited in what kind of applications you can run on the devices. If you are looking to use it for a specific function or do any customizations, I would highly recommend you work with your local Microsoft account team to see if it is able to meet the requirements. These are brand new out in the field and everyone is learning what it can and cannot do yet, so be patient, test a lot and have fun with it.