Manage Surface Pro 3 UEFI Through PowerShell

  • Article

After the v3.11.760.0 UEFI update is installed on a Surface device, an additional UEFI menu becomes available named Advanced Device Security. Clicking this option brings up a menu with new options. Some of this options is to enable/disable features like the Front and/or Rear Camera, Wireless, Bluetooth, Network Boot as well as some other cool features.

But what if your are to deploy hundreds or even more devices? Going manually through all this devices is not a good way to go. So in this post I am gonna give an introduction to how you can do this in PowerShell instead.

On TechNet it is some documentation and some sample scripts of how to identify and configure the settings. I will cover some of the same information here to provide a good base, but also provide some suggestions to make the process easier.

Before you can use any of the PowerShell scripts, you need to install the Surface Pro 3 Firmware Tools MSI on the device that you wish to configure. You can push out that MSI through your normal software distribution processes (i.e. System Center Configuration Manager).You also need the latest firmware on your devices: UEFI Firmware v3.11.760.0

Now that you have the Surface Firmware Tool installed, let’s see what you can do with it. Go ahead and open up the Powershell ISE to begin developing your script that you will use to configure your Surface Pro 3 devices.

The first thing that you need to do is load the Extension that will allow you to access the UEFI options. You do that by running the command below:

[System.Reflection.Assembly]::Load( “SurfaceUefiManager, Version=1.0.5483.22783, Culture=neutral, PublicKeyToken=20606f4b5276c705″ )

If your device is already configured to use an Administrator Password, you’ll need to provide the current UEFI Administrator password. If you don’t have a password currently assigned, then this option will be ignored if you try to run it. You’ll just need to run the line below and substitute 1234 with your currently configured Password.

[Microsoft.Surface.FirmwareOption]::Unlock( “1234” )

At this point, you should now have access to the UEFI via Powershell, but now what? If you’ll take a look at the TechNet page, you’ll see a few script samples to give you some ideas of what you can do. The first thing I would like to do is to list out all available options and their allowed values:

[Microsoft.Surface.FirmwareOption]::All() | Foreach {

  [PSCustomObject]@{

             Name              = $_.Name

             Description       = $_.Description

             CurrentValue      = $_.CurrentValue

             DefaultValue      = $_.DefaultValue

             ProposedValue     = $_.ProposedValue

             AllowedValues     = $_.FriendlyRegEx

             RegularExpression = $_.RegEx

             }

        }

The result will look something like this: (just a snip from the output)

script01

Now that you know what you can set and the values that you need to set, how do you actually set them? To make this easier I am gonna make an function in PowerShell to be able to just call the function with parameters to change the settings.

Function Set-SurfaceUEFISetting

{

  param(

        [Parameter(mandatory=$true)]$Setting,

        [Parameter(mandatory=$true)]$Value)  

       $UEFISetting = [Microsoft.Surface.FirmwareOption]::Find($Setting)     

       $UEFISetting.ProposedValue = “$Value”

}

So what have I done here? I created a function that allows me to set the UEFI options by using parameters. The function has two mandatory parameters in order to set the UEFI option correctly. The actual name of the setting and the value that you want to set. From the output of the first script you will fine the value NAME and the allowed values for that setting.

Below you will find commands to set different settings available on the Surface Pro 3:

Set-SurfaceUEFISetting -Setting “Password” -Value “Password”

Set-SurfaceUEFISetting -Setting “FrontCamera” -Value “00”

Set-SurfaceUEFISetting -Setting “TPM” -Value “0”

Set-SurfaceUEFISetting -Setting “PxeBoot” -Value “FE”

Set-SurfaceUEFISetting -Setting “SideUsb” -Value “FE”

Set-SurfaceUEFISetting -Setting “DockingPorts” -Value “00”

Set-SurfaceUEFISetting -Setting “FrontCamera”-Value “00”

Set-SurfaceUEFISetting -Setting “RearCamera” -Value “00”

Set-SurfaceUEFISetting -Setting “WiFi” -Value “00”

Set-SurfaceUEFISetting -Setting “Bluetooth” -Value “00”

Set-SurfaceUEFISetting -Setting “Audio” -Value “00”

Set-SurfaceUEFISetting -Setting “SdPort” -Value “00”

Set-SurfaceUEFISetting -Setting “AltBootOrder” -Value “2”

After you have applied settings through PowerShell you need to restart your Surface Pro 3 to make the settings active.

References:

Technet Article: (Link)

Surface Pro 3 Firmware Tools MSI : (Link)

Firmware and Drivers MSI: (Link)

Filed under: Client, Deployment Tagged: Deployment, Microsoft, Powershell, Surface, Technical, UEFI