Troubleshoot Surface Hub Device Account
The Surface Hub device account is used to sync the Welcome screen calendar with Exchange via EWS and to sign into the Teams client to join meetings. If you are experiencing issues adding the Surface Hub device account via Settings > Surface Hub > Accounts, follow the troubleshooting steps on this page.
Create a Surface Hub device account ⚓︎
Reference the Microsoft documentation to create a device account manually. The Surface Hub and Microsoft Teams Rooms automated setup guide can also be used to create these accounts using an automated wizard.
Successfully adding a Surface Hub device account
If the device account and environment are meeting the necessary requirements, you can add the account to the Surface Hub by navigating to Settings > Surface Hub > Accounts. Press the Change button and enter the device account credentials. If you already have a device account added and want to change it, select Change and then select Start over with a new device account.
Surface Hub device account and network requirements
If you are experiencing issues adding the device account to the Surface Hub, it’s important to understand the device account, network and authentication requirements.
Device account requirements ⚓︎
- Microsoft Teams Rooms Basic or Pro license
- MFA disabled
- Account needs to be excluded from unsupported Conditional Access policies
- 3rd party Identity Providers are not supported (Okta, OneLogin, etc)
- Enabled for Windows sign-in
- Surface Hub system clock is correctly set
If the device account or network requirements are not met, you will be unable to add the device account to the Surface Hub.
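The checks in the list above can be scripted from an admin workstation before you ever touch the Hub. The following is an added example, not code from the original page or from Microsoft; it uses the Microsoft Graph and Exchange Online PowerShell modules to verify the account state, password policy, license, mailbox type and EWS settings. The UPN is a placeholder and the `Teams_Rooms` SKU name pattern is an assumption (check `Get-MgSubscribedSku` in your tenant for the exact `SkuPartNumber`). Per-user MFA and Conditional Access are not evaluated here; the sign-in logs are the authoritative place to see those.

```powershell
# Added example (not from the original page): pre-flight check of a Surface Hub
# device account from an admin workstation. Requires the Microsoft.Graph and
# ExchangeOnlineManagement modules and an account with read rights.
#Requires -Modules Microsoft.Graph.Users, Microsoft.Graph.Identity.SignIns, ExchangeOnlineManagement
param(
    [Parameter(Mandatory)] [string]$DeviceAccountUpn   # placeholder, e.g. hub-room1@contoso.com
)

Connect-MgGraph -Scopes 'User.Read.All','UserAuthenticationMethod.Read.All' -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Account exists, is enabled, and is not dependent on federated (ADFS) auth
$user = Get-MgUser -UserId $DeviceAccountUpn -Property 'id,accountEnabled,userPrincipalName,passwordPolicies,onPremisesSyncEnabled'
if (-not $user.AccountEnabled) { $findings.Add('Account is disabled in Entra ID') }
if ($user.OnPremisesSyncEnabled) {
    $findings.Add('Account is synced from on-prem AD: confirm Cloud authentication (PHS or PTA, not ADFS) so Modern authentication works')
}

# 2. Password must never expire; a change-password prompt is interactive and blocks the Hub
if ($user.PasswordPolicies -notmatch 'DisablePasswordExpiration') {
    $findings.Add('Password expiration is not disabled (PasswordPolicies should contain DisablePasswordExpiration)')
}

# 3. Registered strong auth methods. Anything beyond password suggests MFA
#    registration; if MFA is enforced for this account, sign-in on the Hub fails.
$methods = Get-MgUserAuthenticationMethod -UserId $user.Id
$strong  = $methods | Where-Object { $_.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.passwordAuthenticationMethod' }
if ($strong) {
    $findings.Add("MFA methods registered: $(($strong.AdditionalProperties['@odata.type'] -replace '#microsoft.graph.','') -join ', '); ensure MFA is not enforced")
}

# 4. Teams Rooms Basic or Pro license (SKU name pattern is an assumption)
$skus = Get-MgUserLicenseDetail -UserId $user.Id
if (-not ($skus.SkuPartNumber -match 'Teams_Rooms')) {
    $findings.Add("No Teams Rooms license found. Assigned SKUs: $($skus.SkuPartNumber -join ', ')")
}

# 5. Mailbox is in Exchange Online, is a room mailbox, and EWS is not blocked
$mbx = Get-Mailbox -Identity $DeviceAccountUpn -ErrorAction SilentlyContinue
if (-not $mbx) {
    $findings.Add('No Exchange Online mailbox found (mailbox may still be on-prem)')
} else {
    if ($mbx.RecipientTypeDetails -ne 'RoomMailbox') {
        $findings.Add("Mailbox type is $($mbx.RecipientTypeDetails); Surface Hub expects a room mailbox")
    }
    $cas = Get-CASMailbox -Identity $DeviceAccountUpn
    # EwsEnabled is $null when not explicitly set, which means enabled; only $false blocks
    if ($cas.EwsEnabled -eq $false) { $findings.Add('EWS is disabled on the mailbox (EwsEnabled = False)') }
    if ($cas.EwsApplicationAccessPolicy -eq 'EnforceAllowList') {
        $findings.Add("EWS allow-list is enforced; verify the Surface Hub user agent is in EwsAllowList: $($cas.EwsAllowList -join ', ')")
    }
    $cal = Get-CalendarProcessing -Identity $DeviceAccountUpn
    if ($cal.AutomateProcessing -ne 'AutoAccept') {
        $findings.Add("Calendar AutomateProcessing is $($cal.AutomateProcessing); expected AutoAccept for a room mailbox")
    }
}

if ($findings.Count -eq 0) {
    Write-Host "No blocking issues found for ${DeviceAccountUpn}" -ForegroundColor Green
} else {
    Write-Host "Findings for ${DeviceAccountUpn}:" -ForegroundColor Yellow
    $findings | ForEach-Object { Write-Host " - $_" }
}
```

Run it as `.\Test-HubAccount.ps1 -DeviceAccountUpn hub-room1@contoso.com`. A clean result does not prove the account will work (Conditional Access, SSPR enrollment and network issues are outside its scope), but any finding it prints is a guaranteed blocker and should be fixed before continuing.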
Network requirements ⚓︎
Ensure the Surface Hub has access to a network capable of reaching the necessary Office 365 URLs and IP address range endpoints. If you are using a firewall or proxy, it's recommended to allow-list these trusted endpoints, and to exempt them from TLS inspection, so the Surface Hub can reach them directly. A proxy that re-signs the TLS session with a corporate CA will break the token requests behind Modern authentication.
If you are not seeing device account sign-in activity in the Azure sign-in logs while connected to your internal network, this is a good indicator the network isn’t meeting the necessary requirements.
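Because the Hub itself cannot run PowerShell, a quick way to test the network path is from a Windows PC plugged into the same switch port or VLAN. The script below is an added example, not from the original page: it checks TCP 443 reachability to a handful of core endpoints and reads the issuer of the TLS certificate each one presents, which exposes a TLS-inspecting proxy. The endpoint list is a deliberately small subset of the published Office 365 URLs (use the full list for firewall rules), and the issuer match pattern is an assumption about the CAs Microsoft uses today.

```powershell
# Added example (not from the original page): run from a Windows PC on the same
# network segment as the Surface Hub. Tests TCP 443 and reports the TLS issuer
# so that TLS inspection (a corporate CA in the chain) is visible.
$endpoints = @(
    'login.microsoftonline.com',   # Entra ID sign-in / token endpoint
    'login.windows.net',
    'outlook.office365.com',       # EWS for the Welcome screen calendar
    'teams.microsoft.com',
    'graph.microsoft.com'
)

# Assumption: public CAs Microsoft currently fronts these services with.
$expectedIssuer = 'Microsoft|DigiCert'

foreach ($h in $endpoints) {
    $tcp = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) {
        Write-Host "[FAIL] ${h}: TCP 443 unreachable (DNS or firewall)" -ForegroundColor Red
        continue
    }
    try {
        # Complete a real TLS handshake and inspect the leaf certificate we were handed.
        $client = [System.Net.Sockets.TcpClient]::new($h, 443)
        $ssl    = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($h)
        $cert   = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $issuer = $cert.Issuer
        $ssl.Dispose(); $client.Dispose()

        if ($issuer -match $expectedIssuer) {
            Write-Host "[ OK ] ${h}: issuer $issuer" -ForegroundColor Green
        } else {
            Write-Host "[WARN] ${h}: unexpected issuer '$issuer' (TLS inspection?)" -ForegroundColor Yellow
        }
    } catch {
        Write-Host "[FAIL] ${h}: TLS handshake failed: $($_.Exception.Message)" -ForegroundColor Red
    }
}
```

A `WARN` on login.microsoftonline.com is the single most useful result here: the Hub does not trust the corporate inspection CA, so every token request fails before credentials are even checked, which matches the symptom of no sign-in activity in the Azure sign-in logs.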
Authentication requirements ⚓︎
The Surface Hub device account supports Modern and Legacy authentication. For Surface Hubs running Windows 10 Team 2020 Update (or newer) the device will use Modern authentication to validate the device account. If your organization is not meeting the requirements for Modern authentication, you may need to disable it on the Surface Hub following the instructions below.
Modern Authentication ⚓︎
With Modern authentication the Surface Hub device account uses Exchange Web Services (EWS) and OAuth-based authentication when syncing the device account with Exchange Online.
To use Modern authentication with the device account you must meet the following requirements:
- Device account authentication provider must be Azure AD/Entra ID. For hybrid AD accounts, Cloud authentication must be configured.
- Surface Hub needs to be running Windows 10 Team 2020 Update, build 19042.572 or newer.
- Device account needs to be added to the Surface Hub in the UPN format (not DOMAIN\user)
- Device account mailbox is hosted in Exchange Online
- Surface Hub does not have the provisioning package/MDM policy deployed to disable Modern Authentication
Legacy Authentication ⚓︎
If the device account is hosted in on-prem AD or hybrid AD (ADFS), the account will use legacy authentication protocols (not recommended). To add a device account in these scenarios you will likely need to disable Modern Authentication on the Surface Hub, which can be done in two ways:
- Deploy the SurfaceHub CSP via Endpoint Manager
- Install a provisioning package.
If you encounter the below error, the device account is likely not meeting the requirements for Modern authentication. To resolve this you need to configure the account to use Modern authentication, or disable it using one of the above methods.
Troubleshoot Surface Hub device account ⚓︎
After confirming the device account, network and authentication requirements are being met, the most common reasons a device account can have issues are:
- No internet connectivity or the necessary Microsoft endpoints are not reachable
- EWS not enabled or an EWS policy is blocking sign-in
- Password is expired or account is being prompted to change its password
- Self-serve password reset (SSPR) is enabled for the device account, requiring enrollment
- 3rd party Identity Provider is used
- Device account not enabled for Windows sign-in
- System clock is not set correctly
- Surface Hub is not fully updated
- For on-prem or hybrid AD environments, the account was removed from on-prem AD
Follow the below instructions to further troubleshoot the Surface Hub device account.
1. Check Surface Hub known issues ⚓︎
If you are experiencing any issues with the Surface Hub, it’s important to check the Surface Hub known issues page to see if the problem is a documented known issue.
2. Confirm Surface Hub is fully updated ⚓︎
Follow the guidance in the below video to confirm the Surface Hub is fully updated, while referencing the Surface Hub Update History page to learn what the latest build is. If your device is not fully updated, follow the instructions on how to Troubleshoot Surface Hub not Updating.
3. Confirm Teams sign-in with browser ⚓︎
Open the Edge browser on the Surface Hub and navigate to teams.microsoft.com. Sign-in with the Surface Hub device account, which will verify the following:
- Surface Hub has internet connectivity
- Password is known and working
- Teams license is assigned
- MFA is not enabled
- No additional prompts are encountered (MFA enrollment, change password, etc)
- Account is not being redirected to a 3rd party Identity Provider (Okta, OneLogin, etc)
- Sign-in is not redirected to ADFS. If so, you must configure Cloud authentication or disable Modern authentication (not recommended).
Performing this test will also confirm the authentication method the device account is using. For Modern/Cloud authentication you will see login.microsoftonline.com/common/oauth2 in the address bar after entering the device account UPN and pressing Next.
Note! To bypass ADFS or third party Identity Providers, create a cloud device account using the .onmicrosoft.com domain. This will utilize Modern authentication.
Self-serve password reset (SSPR) ⚓︎
When signing into the device account using the browser, if a prompt is shown to enroll the account into SSPR, this can prevent the device account from being added to the Surface Hub (as it's an interactive prompt). If SSPR is set to All in your tenant, change it to Selected and scope it to a group that does not contain the Surface Hub device accounts.
4. Analyze Azure sign-in logs ⚓︎
Azure sign-in logs provide information on successful and failed sign-in attempts that occur within an Azure AD tenant. If you are able to successfully sign into the device account using the Edge browser on the Surface Hub, follow the detailed instructions on how to Troubleshoot Azure Sign-in Logs for Surface Hub.
These logs will verify if the device account is being blocked by MFA or an unsupported Conditional Access policy.
Below is an example of an unsupported Conditional Access policy blocking account sign-in.
Pro Tip! The Azure sign-in logs will default to show the last 24 hours of sign-in activity. Expand this range to analyze activity older than this.
Export Azure sign-in logs ⚓︎
You can optionally export the Azure sign-in logs, which may make analyzing them easier. When doing this, download all 6 sets for the last 7 days of Azure sign-in activity.
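Instead of paging through the portal, the same sign-in events can be pulled and summarised with the Microsoft Graph PowerShell SDK. This is an added example, not from the original page or from Microsoft: it fetches the device account's sign-ins for the last 7 days, flattens the fields that matter for a Hub (error code, Conditional Access result and the policies that fired), groups the failures, and writes the export CSV. The UPN is a placeholder. Reading sign-in logs through Graph requires an Entra ID P1/P2 licence and the `AuditLog.Read.All` permission.

```powershell
# Added example (not from the original page): summarise the device account's
# sign-ins from the Graph signIns API. Error code 0 is success.
#Requires -Modules Microsoft.Graph.Reports
param(
    [Parameter(Mandatory)] [string]$DeviceAccountUpn,   # placeholder, e.g. hub-room1@contoso.com
    [int]$Days = 7
)
Connect-MgGraph -Scopes 'AuditLog.Read.All','Directory.Read.All' -NoWelcome

# Graph needs an ISO-8601 UTC timestamp in the $filter
$since   = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString('yyyy-MM-ddTHH:mm:ssZ')
$filter  = "userPrincipalName eq '$DeviceAccountUpn' and createdDateTime ge $since"
$signins = Get-MgAuditLogSignIn -Filter $filter -All

if (-not $signins) {
    Write-Host "No sign-ins for $DeviceAccountUpn in the last $Days days: the Hub is not reaching Entra ID, or the UPN is wrong."
    return
}

# Well-known AADSTS error codes that block a non-interactive device account
$known = @{
    50076 = 'MFA required'
    50079 = 'MFA enrollment required'
    53003 = 'Blocked by Conditional Access'
    50055 = 'Password expired'
    50057 = 'Account disabled'
    50126 = 'Invalid username or password'
}

$rows = foreach ($s in $signins) {
    [pscustomobject]@{
        Time       = $s.CreatedDateTime
        App        = $s.AppDisplayName
        Client     = $s.ClientAppUsed          # shows legacy vs modern clients
        Ip         = $s.IpAddress
        ErrorCode  = $s.Status.ErrorCode
        Reason     = if ($known.ContainsKey([int]$s.Status.ErrorCode)) { $known[[int]$s.Status.ErrorCode] } else { $s.Status.FailureReason }
        CAStatus   = $s.ConditionalAccessStatus   # success / failure / notApplied
        CAPolicies = ($s.AppliedConditionalAccessPolicies |
                        Where-Object { $_.Result -ne 'notApplied' } |
                        ForEach-Object { "$($_.DisplayName)=$($_.Result)" }) -join '; '
    }
}

Write-Host "Most recent events:" -ForegroundColor Cyan
$rows | Sort-Object Time -Descending | Select-Object -First 15 | Format-Table -AutoSize

Write-Host "Failures grouped by error code:" -ForegroundColor Cyan
$rows | Where-Object ErrorCode -ne 0 | Group-Object ErrorCode | Sort-Object Count -Descending |
    ForEach-Object { '{0,6}  x{1,-4} {2}' -f $_.Name, $_.Count, $_.Group[0].Reason }

# Same data as the portal export, without the 6-file download
$csv = ".\signins-$($DeviceAccountUpn -replace '[@.]','_').csv"
$rows | Export-Csv -Path $csv -NoTypeInformation
Write-Host "Exported $($rows.Count) events to $csv"
```

A `CAStatus` of `failure` with a named policy in `CAPolicies` is the unsupported Conditional Access case described above; a run of 50076/50079 means MFA is being enforced on the account even if per-user MFA looks disabled.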
5. Run the What If tool ⚓︎
The Endpoint Manager What If tool can be used to identify Conditional Access policies applied to the Surface Hub device account. When using the tool, select the Surface Hub device account as the user and leave the default “Any cloud app.” More information on how to do this can be found in Troubleshooting Conditional Access using the What If tool.
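The What If tool evaluates one account interactively; across many Hubs it is faster to list which enabled policies put the device account in scope without excluding it. The script below is an added example, not from the original page or Microsoft's tooling: it resolves the account's transitive group membership, checks each non-disabled Conditional Access policy's user include/exclude conditions, and flags grant controls a Surface Hub cannot satisfy. It only evaluates the user condition (not apps, platforms, locations or risk), so treat it as a coarse filter and confirm with What If. The UPN is a placeholder.

```powershell
# Added example (not from the original page): find Conditional Access policies
# that target the device account and carry controls the Hub cannot satisfy.
#Requires -Modules Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Users
param([Parameter(Mandatory)] [string]$DeviceAccountUpn)   # placeholder UPN
Connect-MgGraph -Scopes 'Policy.Read.All','Directory.Read.All' -NoWelcome

$user   = Get-MgUser -UserId $DeviceAccountUpn -Property 'id,userPrincipalName'
# Object ids of every group (nested included) the account belongs to
$groups = @((Get-MgUserTransitiveMemberOf -UserId $user.Id -All).Id)

# Grant controls that require an interactive user or a managed device
$unsupported = 'mfa','compliantDevice','domainJoinedDevice','approvedApplication','compliantApplication','passwordChange'

$policies = Get-MgIdentityConditionalAccessPolicy -All | Where-Object State -ne 'disabled'

$hits = foreach ($p in $policies) {
    $u = $p.Conditions.Users
    $included = ($u.IncludeUsers -contains 'All') -or
                ($u.IncludeUsers -contains $user.Id) -or
                (@($u.IncludeGroups | Where-Object { $_ -in $groups }).Count -gt 0)
    $excluded = ($u.ExcludeUsers -contains $user.Id) -or
                (@($u.ExcludeGroups | Where-Object { $_ -in $groups }).Count -gt 0)
    if (-not $included -or $excluded) { continue }

    $controls = @($p.GrantControls.BuiltInControls)
    $bad      = @($controls | Where-Object { $_ -in $unsupported })
    [pscustomobject]@{
        Policy     = $p.DisplayName
        State      = $p.State                      # enabled or report-only
        Operator   = $p.GrantControls.Operator     # AND = every control required
        Controls   = $controls -join ','
        Blocking   = ($controls -contains 'block') -or ($bad.Count -gt 0)
        FixAction  = if (($controls -contains 'block') -or ($bad.Count -gt 0)) { 'Exclude device account (or its group)' } else { 'Review' }
    }
}

if (-not $hits) {
    Write-Host "$DeviceAccountUpn is not in scope of any enabled Conditional Access policy" -ForegroundColor Green
} else {
    $hits | Sort-Object Blocking -Descending | Format-Table -AutoSize
}
```

Policies in `enabledForReportingButNotEnforced` state show up too; they do not block sign-in today, but they will the day someone switches them on, so excluding the device account group from them now avoids a future outage. Note that an `OR` operator with a mix of supported and unsupported controls may still succeed, which is why the What If tool remains the final word.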
6. Test with open network ⚓︎
For troubleshooting purposes you can test connecting the Surface Hub to an open network to see if the device account can be added to the Surface Hub. This will help confirm if your internal network isn’t meeting the necessary network requirements. To test with an open network do the following:
- If a proxy is configured, unconfigure it. Settings > Network & internet > Proxy
- Physically disconnect the Surface Hub from the wired network.
- Connect the Surface Hub to a mobile Wi-Fi hotspot. Settings > Network & internet > Wi-Fi
- Attempt to add the device account. Settings > Surface Hub > Accounts
If sign-in is still unsuccessful, follow the above instructions to analyze the Azure sign-in logs. With the device connected to a Wi-Fi hotspot, the Surface Hub may hit a Conditional Access policy blocking sign-in from an untrusted IP address. If this occurs, we know the Surface Hub is able to reach Azure AD (which is good). You should then ensure your internal network is meeting the necessary network requirements.
7. Network trace ⚓︎
The Surface Hub does not support x86/x64 applications or CMD/PowerShell. To run a network trace to see if traffic is being blocked you can either mirror the network port or configure the Surface Hub to proxy to a machine running Fiddler.
Pro Tip! If you have a different Surface Hub that is able to successfully add a device account, capture a trace from this device while successfully re-adding its account. You can then compare network traces between the working and non-working device accounts.
8. Reset Surface Hub ⚓︎
If you are still unable to successfully add the device account to the Surface Hub after following all the above troubleshooting steps, we should fully reset the device to see if that resolves the issue. For the purposes of troubleshooting and ruling out every possible variable, we will be reimaging the Surface Hub completely, instead of performing a local reset.
Note! For troubleshooting purposes start with reimaging a single Surface Hub to see if it resolves the device account issue.
Surface Hub v1
The Surface Hub v1 55″ and 84″ devices can be reimaged using the Surface Hub Recovery Tool (SHRT). You’ll need a separate Windows PC and a compatible USB-to-SATA adapter. If you experience issues with the tool not launching, downloading the recovery image or failing to fully reimage the drive, this could be due to policies/settings applied to your corporate machine. In the event you run into this, try running the tool from a vanilla non-domain joined Windows PC.
Surface Hub 2S
The Surface Hub 2S 50″ and 85″ devices are reimaged with a USB drive via the Bare Metal Recovery (BMR) process. After booting the Surface Hub from the USB recovery drive, select Recover from a drive and Fully clean the drive, and then select Recover. If you’re prompted for a BitLocker key, select Skip this drive.
Post reimaging/reset
Follow the below steps after reimaging the Surface Hub:
- During the out-of-box-experience (OOBE) choose the option to skip adding the device account, then proceed with the remainder of initial setup.
- Confirm the device has internet connectivity by opening the Edge browser. If you need to configure network authentication follow the instructions to configure 802.1x on Surface Hub.
- Fully update the Surface Hub by navigating to Settings > Update & Security > Windows Update > Check for updates. This may require multiple reboots and then manually checking for updates again to bring the device to the latest build.
- Attempt to add the device account at Settings > Surface Hub > Accounts.
Additional troubleshooting steps ⚓︎
To better understand if the device account issue is related specifically to one account or multiple we can troubleshoot by deduction.
- If you have a separate Surface Hub that is able to successfully add a device account, are you able to add this working device account to the non-working Surface Hub?
- Are you able to add the non-working device account to a Surface Hub that has successfully added a different account?
- If the Surface Hub is connected to a corporate wired network, are you able to add the device account when connected to a corporate Wi-Fi network (typically on a different VLAN)?
- If the Surface Hub is connected to a corporate Wi-Fi network, are you able to add the device account when connected to a corporate wired network (typically on a different VLAN)?
- Are you able to add a device account that is hosted fully online using the .onmicrosoft.com domain? These are full cloud accounts that bypass ADFS/third party Identity Providers.
- Do you have test device accounts in Dev or QA environments that can be successfully added to the Surface Hub? If so, confirm the differences between those environments and Prod.