You can manage Surface Dock 2 ports only when the dock is connected to one of the following compatible devices: Surface Book 3, Surface Laptop 4, Surface Laptop 3, Surface Pro 7+, and Surface Pro 7. Any device that doesn't receive the UEFI Authenticated policy settings is inherently an unauthenticated device.

Restricting Surface Dock 2 to authorized persons signed into a corporate host device provides another layer of data protection. This ability to lock down Surface Dock 2 is critical for specific customers in highly secure environments who want the functionality and productivity benefits of the dock while maintaining compliance with strict security protocols. We anticipate that SEMM used with Surface Dock 2 will be particularly useful in open offices and shared spaces, especially for customers who want to lock USB ports for security reasons. For a video demo, check out SEMM for Surface Dock 2.

Configuring and deploying UEFI settings for Surface Dock 2

This section provides step-by-step guidance for the following tasks:
- Install Surface UEFI Configurator from Surface Tools for IT.
- Create or obtain public key certificates.
- Enter the 16-digit RN for your Surface Dock 2 devices.
- Build and apply the configuration package to targeted Surface devices (Surface Book 3, Surface Laptop 3, or Surface Pro 7).

The Random Number (RN) is a unique 16-digit hex code identifier that is provisioned at the factory and printed in small type on the underside of the dock. The RN differs from most serial numbers in that it can't be read electronically. This ensures that proof of ownership is primarily established only by reading the RN when physically accessing the device. The RN may also be obtained during the purchase transaction and is recorded in Microsoft inventory systems.

Install SEMM and Surface UEFI Configurator

Install SEMM by running SurfaceUEFI_Configurator_v2.83.139.0.msi.

This section provides specifications for creating the certificates needed to manage ports for Surface Dock 2. This article assumes that you either obtain certificates from a third-party provider or already have expertise in PKI certificate services and know how to create your own. You should be familiar with and follow the general recommendations for creating certificates described in the Surface Enterprise Management Mode (SEMM) documentation, with one exception: the certificates documented on this page require expiration terms of 30 years for the Dock Certificate Authority and 20 years for the Host Authentication Certificate. For more information, see the Certificate Services Architecture documentation and review the appropriate chapters in Windows Server 2019 Inside Out or Windows Server 2008 PKI and Certificate Security, available from Microsoft Press.

Prior to creating the configuration package, you need to prepare public key certificates that authenticate ownership of Surface Dock 2 and facilitate any subsequent changes in ownership during the device lifecycle. The host and provisioning certificates require entering EKU IDs, otherwise known as Client Authentication Enhanced Key Usage (EKU) object identifiers (OIDs). The required EKU values are listed in Table 1 and Table 2.

Root and Dock Certificate requirements
- Root certificate with 384-bit prime elliptic curve digital signature algorithm (ECDSA)
- Host certificate with 256-bit elliptic-curve cryptography (ECC)

When you create a configuration package for multiple Surface Dock 2 devices, instead of entering each RN manually, you can use a.

UEFI Configurator lets you configure policy settings for authenticated users (Authenticated Policy) and unauthenticated users (Unauthenticated Policy). Specify your policy settings for USB data, Ethernet, and Audio ports. The following figure shows port access turned on for authenticated users and turned off for unauthenticated users. Authenticated user refers to a Surface device that has the appropriate certificates installed, as configured in the.
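As an added example, not part of this article or of Microsoft's tooling, the following PowerShell builds a certificate chain that matches the requirements stated above (P-384 root, P-256 host certificate, 30-year and 20-year terms, Client Authentication EKU) with New-SelfSignedCertificate on Windows 10 / Server 2016 or later. The subject names, the certificate store, and the dock CA's key size are assumptions, and because the dock-specific EKU OIDs from Table 1 and Table 2 are not on this page, only the standard Client Authentication OID is set.

```powershell
# Added example: chain that matches the expiration terms and curve sizes this
# page states. Subject names, store location and the dock CA's curve are
# assumptions; the page gives only the root (P-384) and host (P-256) sizes.
$ErrorActionPreference = 'Stop'
$Store = 'Cert:\LocalMachine\My'

# Standard Client Authentication EKU OID. Append the dock-specific EKU OIDs
# from Table 1 / Table 2 of the original article here; they are not on this page.
$HostEkuOids = @('1.3.6.1.5.5.7.3.2')

# 1. Root certificate: 384-bit ECDSA, 30-year term, may sign one CA below it.
$root = New-SelfSignedCertificate -Type Custom `
    -Subject 'CN=Contoso Surface Dock Root CA' `
    -KeyAlgorithm ECDSA_nistP384 -HashAlgorithm SHA384 `
    -KeyUsage CertSign, CRLSign, DigitalSignature `
    -KeyExportPolicy Exportable `
    -TextExtension @('2.5.29.19={critical}{text}ca=true&pathlength=1') `
    -NotAfter (Get-Date).AddYears(30) `
    -CertStoreLocation $Store

# 2. Dock Certificate Authority, signed by the root: 30-year term as the page
#    requires; P-384 is an assumption (the page states only the term).
$dockCa = New-SelfSignedCertificate -Type Custom `
    -Subject 'CN=Contoso Surface Dock CA' `
    -Signer $root `
    -KeyAlgorithm ECDSA_nistP384 -HashAlgorithm SHA384 `
    -KeyUsage CertSign, CRLSign, DigitalSignature `
    -KeyExportPolicy Exportable `
    -TextExtension @('2.5.29.19={critical}{text}ca=true&pathlength=0') `
    -NotAfter (Get-Date).AddYears(30) `
    -CertStoreLocation $Store

# 3. Host Authentication Certificate: 256-bit ECC, 20-year term, with the
#    Client Authentication EKU OIDs (2.5.29.37 is the EKU extension).
$ekuExt = '2.5.29.37={text}' + ($HostEkuOids -join ',')
$hostCert = New-SelfSignedCertificate -Type Custom `
    -Subject 'CN=Contoso Surface Dock Host Authentication' `
    -Signer $dockCa `
    -KeyAlgorithm ECDSA_nistP256 -HashAlgorithm SHA256 `
    -KeyUsage DigitalSignature `
    -KeyExportPolicy Exportable `
    -TextExtension @($ekuExt) `
    -NotAfter (Get-Date).AddYears(20) `
    -CertStoreLocation $Store

# Sanity check of terms and issuers before handing the chain to UEFI Configurator.
foreach ($c in $root, $dockCa, $hostCert) {
    '{0} | issued by {1} | expires {2:yyyy-MM-dd}' -f $c.Subject, $c.Issuer, $c.NotAfter
}
```

The check at the end should show the two CA certificates expiring 30 years out and the host certificate 20 years out, each chaining to the subject above it.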