diff --git a/surface-hub/admin-group-management-for-surface-hub.md b/surface-hub/admin-group-management-for-surface-hub.md
index 4b56c37f..be4a2aab 100644
--- a/surface-hub/admin-group-management-for-surface-hub.md
+++ b/surface-hub/admin-group-management-for-surface-hub.md
@@ -57,14 +57,12 @@ Surface Hub doesn't support applying Group Policy or certificates from the domai
You can use Microsoft Entra ID to join the Surface Hub to allow IT pros from your Microsoft Entra tenant to configure settings. During first run, choose to use [Microsoft Entra ID](first-run-program-surface-hub.md#microsoft-azure-active-directory). You need to provide credentials that are capable of joining the Microsoft Entra tenant of your choice. After you successfully Microsoft Entra join, the appropriate people will be granted admin rights on the device.
-By default, all **global administrators** are given admin rights on a Microsoft Entra joined Surface Hub. With **Microsoft Entra ID P1 or P2** or **Enterprise Mobility Suite (EMS)**, you can add additional administrators:
+By default, all **Global administrators** are given admin rights on a Microsoft Entra joined Surface Hub.
-1. In the [Azure classic portal](https://portal.azure.com/), select **Active Directory**, and then select the name of your organization's directory.
-2. On the **Configure** page, under **Devices** > **Additional administrators on Microsoft Entra joined devices**, select **Selected**.
-3. Select **Add**, and select the users you want to add as administrators on your Surface Hub and other Microsoft Entra joined devices.
-4. When you finish, select the checkmark button to save your change.
+> [!IMPORTANT]
+> Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role. To learn more, see the recommended guidance in [Configure non-Global Admin accounts on Surface Hub](surface-hub-2s-nonglobal-admin.md).
-
+You can add additional administrators as [detailed on this page](#configure-non-global-admin-accounts-on-microsoft-entra-joined-devices).
#### What happens when you Microsoft Entra join your Surface Hub?
@@ -92,6 +90,7 @@ If your organization is using Active Directory or Microsoft Entra ID, we recomme
| Microsoft Entra join the device | Your organization uses Microsoft Entra Basic | Global administrators only |
| | Your organization uses Microsoft Entra ID P1 or P2 or Enterprise Mobility Suite (EMS) | Global administrators and additional administrators |
+
### Configure non-Global Admin accounts on Microsoft Entra joined devices
diff --git a/surface-hub/first-run-program-surface-hub.md b/surface-hub/first-run-program-surface-hub.md
index 4d94efc2..34e8fd1f 100644
--- a/surface-hub/first-run-program-surface-hub.md
+++ b/surface-hub/first-run-program-surface-hub.md
@@ -109,6 +109,9 @@ You can only set up device admins during first-time Setup. For more information,
:::image type="content" source="images/hub-setup-signin.png" alt-text="The screenshot shows the dialog to sign in with a work or school account.":::
+> [!IMPORTANT]
+> Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role. To learn more, see the recommended guidance in [Configure non-Global Admin accounts on Surface Hub](surface-hub-2s-nonglobal-admin.md).
+
> [!TIP]
> To configure who can use the Settings app to manage Surface Hubs, ensure that automatic Intune enrollment is enabled in your tenant before joining the device to Microsoft Entra ID. Intune policies can then be used to [configure non-Global admins](surface-hub-2s-nonglobal-admin.md) on Surface Hubs.
diff --git a/surface-hub/prepare-your-environment-for-surface-hub.md b/surface-hub/prepare-your-environment-for-surface-hub.md
index 3f4e4e7d..46254059 100644
--- a/surface-hub/prepare-your-environment-for-surface-hub.md
+++ b/surface-hub/prepare-your-environment-for-surface-hub.md
@@ -62,6 +62,9 @@ You can still enroll the device with Intune to centrally manage settings on your
When you choose to affiliate your Surface Hub with Microsoft Entra ID, any user with the Global Administrator role can sign in to the Settings app on Surface Hub. You can also configure non-Global Admin accounts that limit permissions to management of the Settings app on Surface Hub. This enables you to scope admin permissions for Surface Hubs only and prevent potentially unwanted admin access across an entire Microsoft Entra domain.
+> [!IMPORTANT]
+> Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role. To learn more, see the recommended guidance in [Configure non-Global Admin accounts on Surface Hub](surface-hub-2s-nonglobal-admin.md).
+
> [!NOTE]
> Surface Hub administrator accounts can only sign in to the Settings app when [authenticating via Microsoft Entra ID](/azure/active-directory/hybrid/choose-ad-authn#cloud-authentication). Third-party federated Identity Providers (IdPs) are not supported.
diff --git a/surface-hub/provisioning-packages-for-surface-hub.md b/surface-hub/provisioning-packages-for-surface-hub.md
index 29a88b72..f015c7f3 100644
--- a/surface-hub/provisioning-packages-for-surface-hub.md
+++ b/surface-hub/provisioning-packages-for-surface-hub.md
@@ -72,7 +72,10 @@ For advanced provisioning options, refer to the section below [Add a certificate
> [!div class="mx-imgBorder"]
> 
-You can enroll the device in Active Directory and specify a security group to use the Settings app, enroll in Microsoft Entra ID to allow global admins to use the Settings app, or create a local administrator account on the device.
+You can enroll the device in Active Directory and specify a security group to use the Settings app, enroll in Microsoft Entra ID to allow Global admins to use the Settings app, or create a local administrator account on the device.
+
+> [!IMPORTANT]
+> Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role. To learn more, see the recommended guidance in [Configure non-Global Admin accounts on Surface Hub](surface-hub-2s-nonglobal-admin.md).
1. To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain. Then, specify the security group to have admin credentials on Surface Hub. If applying the package to a Surface Hub that was reset, you can use the same domain account as long as it's the same account that set up the Surface Hub initially. Otherwise, a different domain account must be used in the provisioning package.
2. Before you use Windows Configuration Designer to configure bulk Microsoft Entra enrollment, [Plan your Microsoft Entra join implementation](/azure/active-directory/devices/azureadjoin-plan). The **maximum number of devices per user** setting in your Microsoft Entra tenant determines how often the bulk token you get in the wizard can be used.
diff --git a/surface-hub/setup-worksheet-surface-hub.md b/surface-hub/setup-worksheet-surface-hub.md
index e2ff871d..fed0bd1b 100644
--- a/surface-hub/setup-worksheet-surface-hub.md
+++ b/surface-hub/setup-worksheet-surface-hub.md
@@ -55,6 +55,9 @@ Use Device affiliation to manage user access to the Settings app on Surface Hub.
| Microsoft Entra tenant user credentials (username and password) | If you decide to have people in your Microsoft Entra organization become admins on the device, then you'll need to join the Surface Hub to Microsoft Entra ID. To join it to Microsoft Entra ID, you'll need valid credentials for an account in the tenant. | admin1@contoso.com, #MyPassw0rd | [Admin group management](admin-group-management-for-surface-hub.md) |
| Non Global Admin accounts | For Surface Hub devices joined to Microsoft Entra ID, you can limit admin permissions to management of the Settings app on Surface Hub. This permission confinement enables you to scope admin permissions for Surface Hub only and prevent potentially unwanted admin access an entire Microsoft Entra domain. | | [Configure non-Global Admin accounts on Surface Hub](surface-hub-2s-nonglobal-admin.md) |
+> [!IMPORTANT]
+> Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role. To learn more, see the recommended guidance in [Configure non-Global Admin accounts on Surface Hub](surface-hub-2s-nonglobal-admin.md).
+
### If you’re joining a domain
| Property | What this property is used for | Example |
diff --git a/surface-hub/surface-hub-2-post-install.md b/surface-hub/surface-hub-2-post-install.md
index 39879abf..b5b93757 100644
--- a/surface-hub/surface-hub-2-post-install.md
+++ b/surface-hub/surface-hub-2-post-install.md
@@ -1,14 +1,14 @@
---
title: Configure Windows 10/11 Pro or Enterprise on Surface Hub 2S
-description: This article includes recommendations to ensure the best experience when using a personalized large screen touch and pen computer.
+description: Learn how to configure Windows 11 Pro or Enterprise on Surface Hub 2S to optimize performance and enhance user experience with touch, pen, and connected devices.
ms.service: surface-hub
-ms.localizationpriority: low
+ms.localizationpriority: medium
manager: frankbu
author: coveminer
ms.author: chauncel
ms.collection: M365-modern-desktop
ms.topic: how-to
-ms.date: 12/08/2020
+ms.date: 07/31/2024
appliesto:
- Surface Hub 2S
- Windows 10
@@ -25,15 +25,11 @@ When performing these steps, you might find it helpful to use a wired or wireles
1. Sign in with an account that has local administrator privileges on the device.
- - The user who performs the Microsoft Entra join on Microsoft Entra joined devices is automatically added to the local administrator group. Microsoft Entra global administrators and Microsoft Entra devices administrators are also local administrators.
-
- - You can type **net localgroup administrators** at a command prompt to list the accounts that have local administrator rights.
-
2. Rename the device using a friendly name, for example, **username-SHub-Desktop**.
3. Select **Start** > **Settings** > **Accounts** > **Sync your settings** and turn **Sync settings** off.
- - The settings used here are intended to enable the best large-screen touch experience, and therefore you may not want to sync other devices.
+ - The settings used here are intended to enable the best large-screen touch experience, and therefore you might not want to sync other devices.
4. Restart the device.
@@ -47,41 +43,43 @@ When performing these steps, you might find it helpful to use a wired or wireles
- See the following example.
- 
+ 
3. Configure the touch keyboard to QWERTY and floating.
- 1. Select the **Keyboard** icon on the taskbar to show the touch keyboard.
+ - To show the touch keyboard, select the **Keyboard** icon on the taskbar.
- 1. On the touch keyboard, select the keyboard icon in the upper left corner to open keyboard settings.
+ - To open keyboard settings on the touch keyboard, select the **Keyboard** icon in the upper left corner.
- 1. Select the next to last keyboard type on the top row to enable QWERTY and the last option on the second row to enable floating, which is helpful on this large screen. See the following examples.
+ - To enable QWERTY, select the next-to-last keyboard type on the top row.
+
+ - To enable floating, select the last option on the second row. This is helpful on a large screen. See the following examples.
- 
+ 
4. Configure the soft keyboard settings.
1. Select the **Settings** icon on the touch keyboard or search for and open **Typing settings**.
- 
+ 
1. Enable all the options under Spelling, Typing, and Touch keyboard.
The following example shows the trackpad, which is useful to navigate and select options. The onscreen keyboard is being used to search the Microsoft Store:
-
+
## Configure Bluetooth keyboard and mouse (optional)
Connect a keyboard and mouse if you use the device as your primary Windows device, or you often use it for typing or precision work.
-If your Surface Hub device is near a PC, you can use Mouse without Borders to move seamlessly between the Surface Hub and the PC. For more information, see Microsoft download from The Garage: Mouse without Borders.
+If your Surface Hub device is near a PC, you can use [Mouse without Borders](https://aka.ms/mm) to move seamlessly between the Surface Hub and the PC. For more information, see [Microsoft download from The Garage: Mouse without Borders](https://blogs.microsoft.com/ai/microsoft-download-from-the-garage-mouse-without-borders/).
## Example of Taskbar layout
-After completing the below steps to set up/configure your Surface Hub 2S for Windows 10/11 Pro or Enterprise, we recommend you utilize pinning your most-used applications to the Taskbar for a quick one-touch launch of each application. Below is an example of what your taskbar could look like:
+After completing the following steps, we recommend you pin your most-used applications to the Taskbar for a quick one-touch launch of each application, as shown in the following example.
- 
+ 
### Update installed apps
@@ -93,27 +91,22 @@ To update all installed Store apps:
### Scan for and install all Windows Updates
-After migration, there may be servicing and feature updates available for you to install.
+After migration, there might be servicing and feature updates available for you to install.
- Go to **Settings** > **Update & Security** > and select **Check for updates**.
- If there are any updates, install them, reboot, and then repeat the process until you see the following notification:
-> [!div class="mx-imgBorder"]
-> 
-
-## OneDrive for Business
-
-Use OneDrive for Business to easily share tools, logs, and other files between all your work devices.
+> 
-- OneDrive lets you share your work files between your laptops, Surface Hub Desktop, and your Intune-managed mobile devices. Files can be edited on any device, and all network-connected devices will be updated with the changes.
+## OneDrive for work or school
-- Considering the size of the Surface Hub SSD (128GB), if you configure OneDrive on your Surface Hub Desktop device, make sure the default configuration is to keep the files online and download files as you use them.
+Use [OneDrive for work or school](/onedrive/onedrive) to easily share tools, logs, and other files among all your work devices.
-To configure OneDrive to download files only when needed, set the **Files On-Demand** setting to **Save space and download files as you use them**. For more information, see Query and set Files On-Demand states in Windows.
+- To conserve space on the 128-GB SSD, configure OneDrive to keep files online instead of stored locally. Set the **Files On-Demand** setting to **Save space and download files as you use them**. For more information, see [Query and set Files On-Demand states in Windows](/onedrive/files-on-demand-windows).
-
+
-> [!NOTE]
+> **Note**
> You can also repeat these steps to configure a personal OneDrive but be sure to conserve drive space and only download files as you need them.
## SharePoint and Teams
@@ -122,7 +115,7 @@ SharePoint and Teams Channel files can also sync locally to your desktop devices
To sync internal corporate files to your local drive with the OneDrive sync app:
-1. Go to a SharePoint site and navigate to the top-level document directory for files you are interested in viewing or editing from your local device.
+1. Go to a SharePoint site and navigate to the top-level document directory for files you're interested in viewing or editing from your local device.
2. Select on the **Sync** button on the top of the SharePoint ribbon.
@@ -138,11 +131,11 @@ To sync internal corporate files to your local drive with the OneDrive sync app:
3. Select **Free up space**.
- 4. The Status column will display the status of files and folders. For more information, see Sync SharePoint files with the OneDrive sync client.
+ 4. The Status column displays the status of files and folders. For more information, see [Sync SharePoint files with the OneDrive sync client](https://support.microsoft.com/office/sync-sharepoint-files-with-the-onedrive-sync-client-groove-exe-59b1de2b-519e-4d3a-8f45-51647cf291cd).
6. Teams Channel files are stored in SharePoint sites, with the same SharePoint document functionality, including version history and synchronizing to your local desktop devices. To sync Teams Channel files:
- 1. Navigate to the Teams Channel of interest and select the **Files** tab at the top. Then select **Sync**. The files will start synchronizing and be visible in File Explorer at **Desktop \ Contoso \ \**.
+ 1. Navigate to the Teams Channel of interest and select the **Files** tab at the top. Then select **Sync**. The files are visible in File Explorer at **Desktop \ Contoso \ \**.
2. Use the same procedure you used for synchronizing SharePoint sites to keep the files in the cloud and only download them when you use them, by tap and hold or right-click in File Explorer on the Teams Channel name, and then selecting **Free up space**.
@@ -166,32 +159,34 @@ Pair the pen to keep the pen firmware up to date, set the pen shortcuts, and get
7. Complete the pairing operation.
-8. If the pairing is not successful, try to pair the pen again. If that doesn't work, you can test to see if the battery is charged by verifying the pen works in the Whiteboard application. If not, replace the battery and try to pair the pen again. If necessary, restart the device and then try again.
+8. If the pairing isn't successful, try to pair the pen again. If that doesn't work, you can test to see if the battery is charged by verifying the pen works in the Whiteboard application. If not, replace the battery and try to pair the pen again. If necessary, restart the device and then try again.
**Set pen shortcuts**
-The Surface Hub pen has a shortcut button sometimes called a "tail click." Configuring shortcuts requires you to first pair the pen, as described earlier.
+The Surface Hub pen has a shortcut button sometimes called a "tail select." Configuring shortcuts requires you to first pair the pen, as described earlier.
1. Search for Pen and select **Pen & Windows Ink settings**.
-2. Near the bottom of the page, select Pen shortcuts which opens the dialog box, shown here:
+2. Near the bottom of the page, select Pen shortcuts, which opens the dialog box, shown here:
- 
+ 
## Camera configuration
-You can mount the camera on the top or either side of the device. Mount the camera in a position to optimize the camera angle if you are using the Hub with a desktop stand instead of a cart, or are near the Hub. The camera does not auto-rotate, so you need to have a 2mm hex key to manually rotate the camera.
+You can mount the camera on the top or either side of the device. Mount the camera in a position to optimize the camera angle if you're using the Hub with a desktop stand instead of a cart, or are near the Hub. The camera doesn't autorotate, so you need to have a 2-mm hex key to manually rotate the camera.
-For more information on how to side-mount the camera and rotate the camera manually, see Surface Hub 2S camera lens orientation.
+For more information on how to side-mount the camera and rotate the camera manually, see [Surface Hub 2S camera lens orientation](https://support.microsoft.com/help/4509729/surface-hub-2s-camera-lens-orientation).
## Windows Hello configuration
-Surface Hub 2S running Windows 10/11 Pro or Enterprise allows the full suite of Win32 desktop applications as well as biometric Windows Hello options. The Surface Hub Fingerprint Reader accessory can be plugged into any USB-C port on the device.
+Surface Hub 2S running Windows 10/11 Pro or Enterprise allows the full suite of Win32 desktop applications and biometric Windows
-To order a Surface Hub Fingerprint Reader or view technical specs, see (surface-hub-2-essential-add-ons.md" target="_blank">Essential add-ons for Windows 10 Pro and Enterprise on Surface Hub 2S .
+ Hello options. The Surface Hub Fingerprint Reader accessory can be plugged into any USB-C port on the device.
+
+To order a Surface Hub Fingerprint Reader or view technical specs, see [Essential add-ons for Windows 10 Pro and Enterprise on Surface Hub 2S](surface-hub-2-essential-add-ons.md).
After inserting the fingerprint reader, select **Start** > **Settings** > **Accounts** > **Sign-in options** > **Windows Hello Fingerprint** to enroll your fingerprint.
-Use a Windows Hello certified device for face recognition. The Surface Hub 2S camera does not support Windows Hello face recognition.
+Use a Windows Hello certified device for face recognition. The Surface Hub 2S camera doesn't support Windows Hello face recognition.
## Enable a Lock Screen shortcut icon on the taskbar
@@ -207,7 +202,7 @@ To add an icon to the taskbar that enables one-touch screen lock similar to the
See the following example:
- 
+ 
1. Select **OK** to save the shortcut.
@@ -223,7 +218,7 @@ To install the Microsoft Whiteboard:
- Select the **Windows Ink Workspace** icon on the lower right of the taskbar and download **Whiteboard**.
- 
+ 
Alternatively, you can install Whiteboard from the Microsoft Store:
@@ -253,7 +248,7 @@ Alternatively, you can install Whiteboard from the Microsoft Store:
### Microsoft Office
-1. Open the Office Portal and install your desired applications.
+1. Open the [Office Portal](https://portal.office.com/account#installs) and install your desired applications.
2. Pin desired Office applications to the taskbar.
@@ -265,7 +260,7 @@ Alternatively, you can install Whiteboard from the Microsoft Store:
### Microsoft Teams
-1. Download and install Microsoft Teams .
+1. Download and install [Microsoft Teams](https://teams.microsoft.com/downloads).
2. Configure settings to Auto-start application (optional).
@@ -273,14 +268,14 @@ Alternatively, you can install Whiteboard from the Microsoft Store:
4. Consider reducing Teams notifications on the device to avoid distractions (optional).
- 
+ 
### Connect app
-> [!IMPORTANT]
-> In Windows 10, version 2004 and later, the Connect app for wireless projection using Miracast is not installed by default, but is available as an optional feature. If you have installed (or updated to) Windows version 2004 or later, you may see the following on the Projecting to this PC screen in settings:
+**Important**
+In Windows 10, version 2004 and later, the Connect app for wireless projection using Miracast is not installed by default, but is available as an optional feature. If you have installed (or updated to) Windows version 2004 or later, you may see the following on the Projecting to this PC screen in settings:
-
+
1. To install the app from the “Projecting to this PC” settings page, select **Optional features** > **Add a feature** and then install the **Wireless Display** app.
@@ -302,23 +297,22 @@ Alternatively, you can install Whiteboard from the Microsoft Store:
Recommended configuration when not on the corporate network:
-
+
Recommended configuration on the corporate network:
-
+
### Your Phone
The **Your Phone** app is installed by default on Windows 10. If it is not present, you can also install it from the Windows Store.
-For information about setting up the app, see How to set up Your Phone on Windows 10 and sync data between your PC and phone. Also see How to fix common problems with Your Phone app on Windows 10.
+For information about setting up the app, see [How to set up Your Phone on Windows 10 and sync data between your PC and phone](https://www.windowscentral.com/how-set-your-phone-windows-10). Also see [How to fix common problems with Your Phone app on Windows 10](https://www.windowscentral.com/how-fix-common-problems-your-phone-app-windows-10).
### Fancy Zones
-**Fancy Zones** is part of a collection of tools called PowerToys on GitHub.. It is a great way to utilize the screen real-estate on a Surface Hub 2S by giving you the ability to define fixed layouts on your display (“zones”), and then select which app will then run in each zone.
-
+**Fancy Zones** is part of a collection of tools called [PowerToys](https://github.com/microsoft/PowerToys/releases) on GitHub. It is a great way to utilize the screen real-estate on a Surface Hub 2S by giving you the ability to define fixed layouts on your display (“zones”), and then select which app will then run in each zone.
The [PowerToys wiki](https://github.com/microsoft/PowerToys/wiki) has instructions for how to use and customize each tool, including [FancyZones](https://github.com/microsoft/PowerToys/wiki/FancyZones-Overview). At a high level – after installing PowerToys, you can select or create a custom layout, and then hold the shift key down and drag or use keyboard keys to move a running app into specific zones. Using a Bluetooth or USB keyboard and mouse will help with this, or you can use the on-screen touch keyboard and touchpad.
@@ -332,11 +326,11 @@ The [PowerToys wiki](https://github.com/microsoft/PowerToys/wiki) has instructio
### Edge Chromium browser
-Download and install Edge.
+Download and install [Edge](https://www.microsoft.com/edge?form=MY01BL&OCID=MY01BL).
### Surface Hub Hardware Diagnostic tool
-The Surface Hub Hardware Diagnostic tool available for free from the Microsoft Store. The tool is designed to help you make sure your Surface Hub is performing at its best. It contains tests to determine if your firmware is up to date and configured correctly. Interactive tests allow you to confirm essential functionality is working as expected. If problems are encountered, results can be saved and shared with the Surface Hub Support Team. Click on the link to install it from the Microsoft Store, and then pin the application to your taskbar.
+The [Surface Hub Hardware Diagnostic tool](https://www.microsoft.com/p/surface-hub-hardware-diagnostic/9nblggh51f2g) available for free from the Microsoft Store. The tool is designed to help you make sure your Surface Hub is performing at its best. It contains tests to determine if your firmware is up to date and configured correctly. Interactive tests allow you to confirm essential functionality is working as expected. If problems are encountered, results can be saved and shared with the Surface Hub Support Team. Click on the link to install it from the Microsoft Store, and then pin the application to your taskbar.
## Additional settings
@@ -348,7 +342,7 @@ The Migrate to Windows 10/11 Pro or Enterprise on Surface Hub 2S
+[Migrate to Windows 10/11 Pro or Enterprise on Surface Hub 2S](surface-hub-2s-migrate-os.md)
diff --git a/surface-hub/surface-hub-2020-update-whats-new.md b/surface-hub/surface-hub-2020-update-whats-new.md
index 5c04c061..5319acc7 100644
--- a/surface-hub/surface-hub-2020-update-whats-new.md
+++ b/surface-hub/surface-hub-2020-update-whats-new.md
@@ -91,6 +91,9 @@ To learn more, see:
- **Conditional access (CA) for Microsoft Entra joined devices**. IT admins can control user access to organizational resources from Microsoft Entra joined Surface Hubs by assigning device policies per their corporate security and compliance requirements.
- **Support for non-Global admins for Microsoft Entra joined devices**. Customers can choose a more granular set of admins within their admin hierarchy to manage Surface Hub. To learn more, see [Configure non-Global Admin accounts on Surface Hub](surface-hub-2s-nonglobal-admin.md).
+> [!IMPORTANT]
+> Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role. To learn more, see the recommended guidance in [Configure non-Global Admin accounts on Surface Hub](surface-hub-2s-nonglobal-admin.md).
+
### Inking improvements
- **Support for dual-pen inking on Surface Hub 2S**. Use the whiteboard and collaborate side-by-side on Surface Hub 2S with two Surface Hub 2S Pens. Any system hardware update installed after upgrading to Windows 10 Team 2020 will add firmware support for this scenario.
diff --git a/surface-hub/surface-hub-2s-nonglobal-admin.md b/surface-hub/surface-hub-2s-nonglobal-admin.md
index 2049a8a7..15484bdb 100644
--- a/surface-hub/surface-hub-2s-nonglobal-admin.md
+++ b/surface-hub/surface-hub-2s-nonglobal-admin.md
@@ -18,6 +18,9 @@ appliesto:
The Windows 10 Team 2020 Update adds support for configuring non-Global Admin accounts that limit permissions to management of the Settings app on Surface Hub devices joined to a Microsoft Entra domain. This enables you to scope admin permissions for Surface Hub only and prevent potentially unwanted admin access across an entire Microsoft Entra domain.
+> [!IMPORTANT]
+> Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
+
Windows 10 Team 2020 Update 2 adds support for [LocalUsersAndGroups CSP](/windows/client-management/mdm/policy-csp-localusersandgroups). That is now the recommended CSP to use; [RestrictedGroups CSP](/windows/client-management/mdm/policy-csp-restrictedgroups) is still supported, but has been deprecated.
> [!NOTE]
@@ -142,4 +145,4 @@ To learn more about custom configuration profiles using OMA-URI strings, see [Us
Members of the newly configured **Surface Hub Local Admins** Security group can now sign in to the Settings app on Surface Hub and manage settings.
> [!IMPORTANT]
-> Unless the Update ("U") action of the [LocalUsersAndGroups CSP](/windows/client-management/mdm/policy-csp-localusersandgroups) is the only configuration used, the pre-existing access of global admins to the Settings app is removed.
+> Unless the Update ("U") action of the [LocalUsersAndGroups CSP](/windows/client-management/mdm/policy-csp-localusersandgroups) is the only configuration used, the pre-existing access of Global admins to the Settings app is removed.
diff --git a/surface-hub/troubleshoot-access-to-settings-app-surface-hub.md b/surface-hub/troubleshoot-access-to-settings-app-surface-hub.md
index 560260b7..1c9d9675 100644
--- a/surface-hub/troubleshoot-access-to-settings-app-surface-hub.md
+++ b/surface-hub/troubleshoot-access-to-settings-app-surface-hub.md
@@ -11,7 +11,7 @@ ms.localizationpriority: medium
---
# Troubleshoot access to Settings app on Surface Hub
-To open the Settings app on Surface Hub, select **All apps** > **Settings**. Ease of Access settings are available to anyone using Surface Hub. For all other settings, select **View as Admin** and sign in with an Admin account. If you're unable to access settings after attempting to sign in with your Admin account, review the troubleshooting guidance on this page, beginning with Device affiliation.
+To open the Settings app on Surface Hub, select **All apps** > **Settings**. Ease of Access settings are available to anyone using Surface Hub. For all other settings, select **View as Admin** and sign in with an Admin account. If you're unable to access settings after attempting to sign in with your Admin account, review the troubleshooting guidance on this page, beginning with Device affiliation.
## Device affiliation
@@ -33,6 +33,9 @@ By default, when Surface Hub is joined to Microsoft Entra ID, only an account de
- Is Surface Hub behind a proxy or firewall that blocks access to Microsoft Entra ID?
- Did you or another admin configure [non-Global Admin policy](surface-hub-2s-nonglobal-admin.md) for Surface Hub? If yes, see the following section.
+> [!IMPORTANT]
+> Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role. To learn more, see the recommended guidance in [Configure non-Global Admin accounts on Surface Hub](surface-hub-2s-nonglobal-admin.md).
+
### Troubleshoot non-Global Admin policy
When joined to Microsoft Entra ID and auto-enrolled in Intune, you can configure non-Global Admin policy to allow other accounts to access Setting on Surface Hub. If non-Global Admin policy is enabled and users can't access Settings, check the following issues:
diff --git a/surface/contact-surface-business-education-support.md b/surface/contact-surface-business-education-support.md
index bd567905..5c2e92a9 100644
--- a/surface/contact-surface-business-education-support.md
+++ b/surface/contact-surface-business-education-support.md
@@ -36,7 +36,7 @@ Depending on your company's active product subscriptions or paid support offers,
### General Surface Support
-The [Surface Support Portal](surface-support-portal.md) provides a self-serve, centralized solution to look up current warranty and protection plans, create individual or bulk service requests, and track the status of support cases.
+The [Surface Support Portal](surface-support-portal.md) provides a self-serve, centralized solution to look up current warranty and protection plans, create individual or bulk service requests, and track the status of support cases.
- [Get support](https://admin.microsoft.com/adminportal/home#/support/microsoftsurfacesupport)
diff --git a/surface/self-serve-warranty-service.md b/surface/self-serve-warranty-service.md
index 4cedc71e..56449230 100644
--- a/surface/self-serve-warranty-service.md
+++ b/surface/self-serve-warranty-service.md
@@ -45,6 +45,8 @@ When you add a Microsoft 365 tenant to the tool, the following Admin roles are g
| Global Admin | View service requests
Create/manage device replacement requests
Add/edit/delete ship-to addresses
Create/manage users and their roles |
| Service Support Admin | View service requests
Create/manage device replacement requests |
| Billing Admin | View service requests
Create/manage device replacement requests
Add/edit/delete ship-to addresses |
+> [!IMPORTANT]
+> Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
### Gain access to the Surface Support Portal
diff --git a/surface/surface-management-portal.md b/surface/surface-management-portal.md
index 9edb3429..5b214424 100644
--- a/surface/surface-management-portal.md
+++ b/surface/surface-management-portal.md
@@ -50,6 +50,9 @@ Sign in to [Microsoft Intune admin center](https://endpoint.microsoft.com), sele
1. *Requires **Read Only Operator** role for access*.
+> [!IMPORTANT]
+> Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
+
## Monitor Surface devices
Select **Monitor** to display insights for all your Surface devices, including: