SEMM – Surface Enterprise Management Mode

As Microsoft Surface devices continue to gain use in enterprise environments, Microsoft has been releasing tools to ease the management of these somewhat unique devices and enable administrators to use more modern technologies in a streamlined way.

One of the biggest security improvements in Windows 10 (and Windows 8.1) over Windows 7 is UEFI. It has traditionally been difficult to automate the move from BIOS-based firmware to UEFI without some form of manual intervention. Microsoft addressed this with specialized task sequences in SCCM. Microsoft has improved the ongoing management of the UEFI firmware once again with Surface Enterprise Management Mode (SEMM).

Once devices are enrolled with SEMM, you can enable or disable the following devices:

  • Docking USB Port
  • On-board Audio
  • DGPU
  • Type Cover
  • Micro SD Card
  • Front Camera
  • Rear Camera
  • Infrared Camera, for Windows Hello
  • Bluetooth Only
  • Wi-Fi and Bluetooth
  • LTE

You can configure the following advanced settings with SEMM:

  • IPv6 support for PXE boot
  • Alternate boot order, where the Volume Down button and Power button can be pressed together during boot, to boot directly to a USB or Ethernet device
  • Lock the boot order to prevent changes
  • Support for booting to USB devices
  • Enable Network Stack boot settings
  • Enable Auto Power On boot settings
  • Display of the Surface UEFI Security page
  • Display of the Surface UEFI Devices page
  • Display of the Surface UEFI Boot page
  • Display of the Surface UEFI DateTime page

The configurations are changed by running configuration packages on enrolled devices. Of course, you can use System Center Configuration Manager to send the enrollment and configuration packages to managed devices.