Rawpixel - Fotolia


UEFI positions the Surface Pro 4 2-in-1 as a PC replacement

Many IT shops are considering 2-in-1s to replace PCs. With the addition of UEFI, Microsoft puts the Surface Pro 4 into that conversation.

IT shops looking to replace PCs with Microsoft's Surface Pro 4 2-in-1 must prepare for a change in the way they support firmware access and management.

Like the Surface Book, the Surface Pro 4 uses the Unified Extensible Firmware Interface (UEFI) to start up the computer system after users turn their devices on. UEFI also manages data that passes between the operating system and devices such as hard disks and keyboards. It replaces the basic input/output system (BIOS) the Surface Pro 3 and earlier versions use.

UEFI provides faster startup and better security than BIOS and supports the Surface Enterprise Management Mode (SEMM), an administrative layer in the interface that lets IT configure and secure firmware settings on Surface Pro 4. To enable SEMM, Microsoft also provides the UEFI Configurator tool, which works with SEMM to make it easier to administer the Surface Pro 4 2-in-1 in place of PCs across the enterprise.

What does UEFI bring to the Surface Pro 4 2-in-1?

Microsoft engineered UEFI specifically for the latest Surface devices. UEFI provides greater control over firmware and supports touch, mouse and keyboard operations. With UEFI, admins can enable or disable internal device components and adjust boot settings. They can also configure security to prevent users from altering the UEFI settings.

UEFI provides faster startup and better security than BIOS.

As with BIOS, users can view and configure the UEFI settings manually. When admins manage the firmware, users have limited access to the settings and data available through UEFI. Even with limited access, users can still access basic information, such as the Surface model and universal unique identifier (UUID).

Administrators can use the Configurator and SEMM to access and configure any of the UEFI security settings. For example, they can:

  • Set or change the UEFI password to limit the changes users can make.
  • Turn Secure Boot on to prevent unauthorized code from booting the device, or turn the feature off to allow the device to boot with third-party software or from bootable media.
  • Enable or disable the Trusted Platform Module, which provides a hardware-based extension to the device's BitLocker encryption.

Through the Configurator and SEMM, admins can also enable specific device components and services, such as Wi-Fi, Bluetooth and cameras. In addition, they can change the order of boot devices as well as enable or disable internal storage, USB storage or Windows Boot Manager.

A look at the UEFI Configurator

The key to administering UEFI is enrolling a device in SEMM. An SEMM-enabled device provides a secure structure for configuring the UEFI settings and protecting the firmware from unauthorized access.

Think of SEMM as a configuration layer that admins can enable and manage with the Configurator. They start by using the Configurator to create a UEFI configuration package that lets them enroll Surface devices in SEMM and configure the UEFI settings.

The configuration package is actually a Windows Installer (.msi) that package admins can run on Surface devices. The package contains a configuration file that defines the UEFI settings, plus a signing certificate that secures the settings. The certificate is installed in the firmware to verify the signature of the configuration file before admins apply the UEFI settings.

After admins create the configuration package, they should run the .msi file on the target Surface device. This step provisions the configuration file in the firmware. They must then restart the device, which loads the configuration file and determines whether SEMM is already enabled.

If the device is not enrolled in SEMM upon startup, it will prompt IT to provide the last two characters of the certificate thumbprint to confirm enrollment. So, the admin must be physically present to enroll a device. The enrollment process applies the UEFI configuration settings, which it uses each time the user starts the device.

Admins can update the configuration settings at any time by using the Configurator to generate a new configuration package. Because admins already enrolled the device in SEMM, they can apply the new configurations automatically, using tools such as Microsoft System Center Configuration Manager. This process only works if the new configuration package is signed with the same certificate as the one admins used when they enrolled the device.

IT can also use the Configurator to create a reset package to unenroll a device. As with configuration updates, the reset package must be signed with the same certificate admins used to enroll the device. IT must also provide the device's serial number, which means they have to create reset packages on a per-device basis -- unlike a configuration package, which admins can use on multiple devices. When admins run the reset package on the target Surface device, the package removes the certificate, unenrolls the device from SEMM and resets the UEFI configuration to its default settings.

Next Steps

The Surface Book impresses

Do 2-in-1s have a place in the enterprise?

Can tablets usurp the enterprise PC?

Dig Deeper on Unified endpoint management