Although Microsoft claims that the Surface Hub 2S is a Windows device, its Windows 10 Team operating system behaves very different to a standard Windows 10 Pro or Enterprise edition. This is because of a totally different usecase the Surface Hub covers. Instead of providing a personal workstation to one user, the Surface Hub is intended to be placed in an open meeting room where anyone can walk in and access the device. Furthermore, it must serve its basic functionality instantly without the hassle of logging in.

The main differences of Windows 10 Team compared to a standard Windows 10 edition are:

The Device Account

In Windows 10 Team a device account – usually an Exchange resource account – is always logged in. Even when rebooted, the system logs in the device account automatically. Microsoft Teams and/or Skype for Business always runs in the context of this device account.

Don’t get confused about the term “device account”. This account has actually nothing to do with a machine account you know from Active Directory or AzureAD. In fact, although it is called “device account” it is rather related to user account from an directory perspective (like an Exchange mailbox/resource account is). It is just called device account because it can be associated with the Surface Hub device, but not with an individual user.

No local admin accounts when bound to a directory

During the initial setup you have to choose how to manage the Surface Hub. You get 3 choices:

1. Local Admin
2. Active Directory Admin
3. AzureAD Admin

If you choose 2 or 3, no local admin will be available. Instead you require a domain admin (2) or a global AzureAD admin (3) to enter the Settings app on the device and make changes. Be careful what to choose here, because a change later in process is hard or impossible. Once you passed this dialog you are unable to join the device to AzureAD later on manually (you can by using a provisioning package).

No commandline or PowerShell

There is no way to access the commandline or PowerShell – even as admin. In fact the only manipulation possibility is the Settings app and only a handful GPOs/CSPs.

Only special software for Windows 10 Team allowed to be installed

You cannot install any software on the Surface Hub except from the Surface Hub Store. Similar to the Windows Store you find a number of tools – specially designed for the Hub and Windows 10 Teams there. There is no way to install software from the standard Microsoft Store or other software not designed for Windows 10 Teams.

My personal best practices for setting up Surface Hub Devices:

Before you begin you should have created a resource account and made sure that this account

• has a password assigned
• is login enabled 

Both things are usually not the case as resource accounts are not used for login!

Setup the Surface Hub using a local admin account and make all changes to the system until the device is setup properly.

Use a provisioning package to join the device to AD or AzureAD. Please note that the local admin account is now gone.