Microsoft Surface

Windows 10 Multi-Factor Authentication

Posted on Updated on


Windows 10 Multi-Factor Authentication (MFA) is a security system that requires more than one method of authentication from independent categories of credentials (something the user knows, something the user has, something the user is) to verify the user’s identity for a login or other transaction.  MFA provides additional protection against brute force and other password-based attacks, because a guessed or stolen password alone is no longer enough to sign in.  Three common MFA options available in Windows 10 are:

  1. Picture Password
  2. PIN
  3. Windows Hello (Biometric support for facial, iris, fingerprint recognition, companion device, etc.)

Active Directory Integration

All three of the MFA options in scope for this briefing can be enabled and disabled through Active Directory Group Policies.

Dependencies & Prerequisites

In order to implement these MFA options, the following capabilities need to be present:

MFA Option | Requirement | Description
Picture Password | Windows 8 or newer | The PC must be running Windows 8, 8.1 or 10. Of course Windows 8 is no longer in mainstream support.
Picture Password | Touch interface | The device must support a touch interface.
PIN | TPM | The PIN does not leave the device; it unlocks a private key that is generated and protected by the Trusted Platform Module. A TPM is strongly recommended: without one the key is only software-protected, and wrong PIN guesses are not rate-limited by TPM anti-hammering.
Windows Hello | PIN enabled | Windows Hello requires that PIN sign-in be enabled, because the PIN is the fallback when a biometric is not recognized.
Windows Hello Facial Recognition | Supported camera | Windows Hello facial recognition requires a supported infrared camera.  Currently the Intel RealSense 3D camera is one of the most common supported.  Over time other cameras will also be supported.
Windows Hello Fingerprint | Supported fingerprint reader | Windows Hello fingerprint recognition requires a supported fingerprint reader.
Windows Hello Companion Device | Supported companion device | Use an authenticator app on a companion device such as a mobile phone or wearable to authorize access.


Windows 10 MFA integrates with Microsoft Passport and with Active Directory to provide seamless authentication through a number of common use cases.


The Microsoft MFA options considered for this briefing are typically intended to act as a substitute for regular password authentication.  There will be scenarios where the password is still required; however, for the majority of use cases the password will not be needed if the end user is using one of the described MFA options.

The Microsoft MFA solutions addressed are designed to strike a balance between security and ease of use.  Most users report that using an MFA option is convenient enough that they do not feel it is an undue burden.

MFA Option | Functionality Description
Picture Password | The user must correctly reproduce three gestures on an image of his/her choosing.  Gestures can be circles, straight lines and taps.
PIN | The user must correctly enter a PIN (length and complexity are controlled through GPO).
Hello Facial Recognition | While the lock screen is displayed, the device camera looks for an enrolled face.  Once it is recognized, the device unlocks (and dismisses the lock screen automatically if that option is enabled).
Hello Fingerprint Recognition | The user places a digit with a registered fingerprint on the device’s fingerprint reader.  If it matches a registered print, the user is signed in to the account with which the print is registered.
Hello Companion Device | The user is prompted to authorize access on a companion device with a PIN, push notification, or biometric prompt.

If one of these methods fails (for example, a face or fingerprint is not recognized), Windows Hello falls back to the PIN, and the PIN or picture password in turn falls back to the account password.  The password therefore still exists and still has to be protected: the MFA options reduce how often it is typed, not whether it can be used to unlock the device.

Deployment Considerations

All of the MFA solutions considered can be deployed using GPO with minimal impact on current end user login methods.  Once enabled, the additional sign-in options appear alongside the existing password prompt, and Microsoft continues to add supported devices (cameras, readers, companion devices) over time.
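The Group Policy settings referred to above are stored on the device as registry values under HKLM\SOFTWARE\Policies.  The following script is an added example (it is not part of the original briefing) that reads those values on a Windows 10 machine and checks for the TPM that backs the PIN and Windows Hello key.  The policy names quoted in the Gpo fields are the Windows 10 names (on the first Windows 10 builds the Hello for Business node was called Microsoft Passport for Work); the interpretation of each value in the Effective column is the editor’s reading of the policy and should be confirmed against the policy description in gpedit.msc for your build.

```powershell
# Added example, not from the original post: audit the registry values that the
# GPO settings for Picture Password, PIN and Windows Hello write, and check for
# a usable TPM. Run from an elevated prompt on Windows 10. On a domain-joined
# machine these values are rewritten at every GPO refresh, so this shows what
# is in effect now; "gpresult /h report.html" shows which GPO set it.

function Get-PolicyDword {
    param([string]$Path, [string]$Name)
    # $null means the policy is "Not configured" (key or value absent).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-SignInOptionPolicy {
    $sys = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $bio = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics'
    $pfw = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'

    # One entry per policy: the GPO name, the value it writes, and how to read it.
    $checks = @(
        @{ Option = 'Picture Password'; Gpo = 'System\Logon\Turn off picture password sign-in'
           Path = $sys; Name = 'BlockDomainPicturePassword'
           Meaning = { param($v) if ($v -eq 1) { 'Blocked for domain accounts' } else { 'Allowed' } } },
        @{ Option = 'Convenience PIN'; Gpo = 'System\Logon\Turn on convenience PIN sign-in'
           Path = $sys; Name = 'AllowDomainPINLogon'
           Meaning = { param($v) if ($v -eq 1) { 'Allowed for domain accounts' } else { 'Not allowed (default for domain accounts)' } } },
        @{ Option = 'Hello biometrics'; Gpo = 'Windows Components\Biometrics\Allow the use of biometrics'
           Path = $bio; Name = 'Enabled'
           Meaning = { param($v) if ($v -eq 0) { 'Disabled' } else { 'Allowed (default)' } } },
        @{ Option = 'Hello for Business'; Gpo = 'Windows Hello for Business\Use Windows Hello for Business'
           Path = $pfw; Name = 'Enabled'
           Meaning = { param($v) if ($v -eq 1) { 'Enabled' } elseif ($v -eq 0) { 'Disabled' } else { 'Not configured' } } },
        @{ Option = 'Key must be in TPM'; Gpo = 'Windows Hello for Business\Use a hardware security device'
           Path = $pfw; Name = 'RequireSecurityDevice'
           Meaning = { param($v) if ($v -eq 1) { 'TPM required for the Hello key' } else { 'Software key allowed when no TPM' } } },
        @{ Option = 'PIN minimum length'; Gpo = 'Windows Hello for Business\PIN Complexity\Minimum PIN length'
           Path = "$pfw\PINComplexity"; Name = 'MinimumPINLength'
           Meaning = { param($v) if ($null -eq $v) { 'Not configured (default 4)' } else { "$v characters" } } }
    )

    foreach ($c in $checks) {
        $v = Get-PolicyDword -Path $c.Path -Name $c.Name
        [pscustomobject]@{
            Option    = $c.Option
            Policy    = $c.Gpo
            RawValue  = $v
            Effective = & $c.Meaning $v
        }
    }
}

function Get-TpmSummary {
    # Get-Tpm is in the TrustedPlatformModule module shipped with Windows 8 and later.
    $tpm = Get-Tpm
    [pscustomobject]@{
        Present = $tpm.TpmPresent
        Ready   = $tpm.TpmReady
        Note    = if ($tpm.TpmPresent -and $tpm.TpmReady) { 'PIN/Hello key can be TPM-protected' }
                  else { 'No usable TPM: PIN/Hello key would be software-protected' }
    }
}

Get-SignInOptionPolicy | Format-Table -AutoSize
Get-TpmSummary
```

Run it once on a reference machine after the GPO has applied and once on a machine in each OU to confirm that the intended combination (for example PIN allowed, biometrics allowed, key required in TPM) is actually what the devices see.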

All of the addressed solutions treat the device as one of the authentication factors.  PINs, picture passwords and biometric templates are not stored or managed centrally; they are enrolled and stored on each device and will need to be managed on a per-device basis.

It is recommended that end user training take place to ensure that staff understand the additional authentication options and any additional precautions that might be required to safeguard the additional factors.

Consider integrating with Azure Active Directory for more advanced Conditional Access options.

Issues and Caveats

There are known issues with, and methods to bypass, some of the Microsoft MFA options addressed.

MFA Option | Known Issues
Picture Password | Users must take care that nobody watches them while they enter a picture password, which may not be ideal for crowded environments.  They should also clean the device screen regularly: smudges left by the three gestures narrow down the positions an attacker has to guess.  After five incorrect attempts Windows requires the text password, which limits automated guessing.
PIN | Shoulder surfing and screen smudges apply to the PIN as well.  When the PIN is backed by a TPM, wrong guesses are rate-limited by the TPM’s anti-hammering logic, and the PIN only works on the device it was enrolled on, so a leaked PIN is useless without the device.
Hello Facial Recognition | A user can inadvertently unlock a device by entering the camera’s field of view, and an unsuspecting user may be “tricked” into unlocking a device that somebody quickly “flashes” in front of them.  Turning off the option to dismiss the lock screen automatically on recognition reduces the first risk.  Hello facial recognition relies on infrared imaging of facial features and is designed not to be “fooled” by photographs or even identical twins.
Hello Fingerprint Recognition | There are known issues with false negatives caused by changes to digits from injury or environmental conditions (cold, heat, humidity, etc.).

New Children in the Surface Pro 3 Family of Devices


Surface Family Tree

Microsoft just announced a new model to the Surface Pro 3 family of devices. It is the Intel Core i7 with 8GB of RAM and a 128GB SSD. Previously the i7 models were only available with either a 256GB or 512GB SSD.

Here’s what the modern Surface Pro 3 family looks like now:

Processor | Memory | Storage
Intel Core i3 | 4GB RAM | 64GB SSD
Intel Core i5 | 4GB RAM | 128GB SSD
Intel Core i5 | 8GB RAM | 256GB SSD
Intel Core i7 | 8GB RAM | 128GB SSD
Intel Core i7 | 8GB RAM | 256GB SSD
Intel Core i7 | 8GB RAM | 512GB SSD

And of course there’s the other branch of the family, the Surface 3, announced last month at Microsoft Ignite and currently available in four flavours including two new LTE models released this month:

Processor | Memory | Storage | LTE
Intel Atom x7-Z8700 | 2GB RAM | 64GB SSD | Yes
Intel Atom x7-Z8700 | 2GB RAM | 64GB SSD | No
Intel Atom x7-Z8700 | 4GB RAM | 128GB SSD | Yes
Intel Atom x7-Z8700 | 4GB RAM | 128GB SSD | No

This generation of the Surface family tree is growing quickly. I guess success breeds new devices.

So who do the new devices appeal to? Sales figures will ultimately determine that, but my guess is that the new i7 is targeted at somebody who prioritizes price and performance over storage (remember that the SP3 has a microSD slot and a USB 3.0 port). If most of your data is stored on a corporate network, OneDrive or some other location, this may be a reasonable compromise.

The LTE devices are targeted at vertical applications that require constant connectivity (think jobsite) or the user that doesn’t want to tether to a mobile phone (for any number of reasons, data plan, battery, etc.).

Let me know the use cases that you think these devices would be good for and I will discuss them on an upcoming episode of the Surface Smiths Podcast.


Managing Windows 8.1 and the MS Surface in the Enterprise – Part 1: Who’s Minding the Store?


Love it or hate it, Windows 8.1 was intended to be both a desktop and “device” operating system. There have been many articles written about how well it succeeds or fails at one or both of those objectives. Regardless of how you feel about Windows 8.1, if you are tasked with managing it in your enterprise, you don’t need another rant / rave post. You need some guidance on how to manage some of the intricacies that Windows 8.1 and some device form factors like the Surface bring into play. That’s what this series of posts aims to do.

I’ve been selected to deliver a session next month as part of the Microsoft MVP Virtual Conference – You can register here. My session is focussed on the managing the MS Surface in the Enterprise and as part of my preparation I’ve been assembling lots of nuggets that will be scattered throughout the presentation. This blog post series is an attempt to aggregate some of the more significant pieces from the session that may have broader appeal.

As part of Microsoft’s attempt to create an OS that is appealing to tablet device users, Microsoft introduced the Windows Store. The Windows Store is Microsoft’s version of Google Play, Apple’s iTunes App Store, the Amazon Appstore for Android and many other sources for device-based apps. The current incarnation of the Windows Store showcases Modern UI (formerly known as Metro) applications.

Like the other AppStores, the Windows store is designed for consumers to purchase applications to run on their devices. Unlike the other AppStores, the Windows Store model needs to coexist with legacy software delivery methods in use by enterprise IT departments such as SCCM.  While inconvenient, this is not a knock against the Windows Store.  Other platforms don’t have this issue because they don’t have any legacy applications or enterprise software delivery models.

What can we do Today?

For now there are really two methods for managing Modern Apps in an enterprise setting:

1. Sideload the application

  • Requires Certificate to sign the app since it will bypass the store validation
  • Requires .Appx Bundle from the application developer / vendor
  • Applications can be inserted into image with DISM
  • Applications can be distributed with System Center Configuration Manager

2. Deep Link the application

  • Requires Windows Store account for each user (does not need to be linked to domain account)
  • Associates application with user
  • Applications cannot be included in image
  • Still requires some user input (not truly silent)

Access to the Windows Store can be turned off through Group Policy (the “Turn off the Store application” setting).

If you choose to permit users to access the Store, you can still restrict or allow specific applications with AppLocker packaged app rules, which match on the publisher certificate, package name and version of the signed .appx.
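The two methods above, done from an elevated PowerShell prompt on Windows 8.1 or Windows 10, as an added example that is not part of the original post.  The package path and name are placeholders for a vendor-supplied bundle; the registry values are the ones written by the “Allow all trusted apps to install” and “Turn off the Store application” policies, and in production they should be set by GPO rather than locally.

```powershell
# Added example, not from the original post: sideload a signed .appx, provision it
# into the image, and restrict packaged apps with an AppLocker publisher rule.
# Placeholders (assumptions): a vendor bundle and its package name.
$PackagePath = 'C:\Deploy\ContosoExpenses.appx'
$PackageName = 'ContosoExpenses'

# 1. Sideloading requires the "Allow all trusted apps to install" policy
#    (Computer Configuration > Administrative Templates > Windows Components >
#    App Package Deployment). The GPO writes this value; set it here only on a test box.
$appxPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx'
New-Item -Path $appxPolicy -Force | Out-Null
Set-ItemProperty -Path $appxPolicy -Name AllowAllTrustedApps -Value 1 -Type DWord

# 2. "Trusted" means the package signature chains to a certificate the device trusts.
#    Verify before deploying and refuse anything that is not Valid.
#    (That Get-AuthenticodeSignature reads .appx signatures is assumed here.)
$sig = Get-AuthenticodeSignature -FilePath $PackagePath
if ($sig.Status -ne 'Valid') {
    throw "Refusing to deploy $PackagePath : signature status is $($sig.Status)"
}
"Package signed by: $($sig.SignerCertificate.Subject)"

# 3a. Install for the current user (this is what an SCCM package running in the
#     user context would do).
Add-AppxPackage -Path $PackagePath

# 3b. Or provision it into the image so every new user profile gets it.
#     For an offline WIM mounted with DISM use -Path <mount directory> instead of -Online.
Add-AppxProvisionedPackage -Online -PackagePath $PackagePath -SkipLicense

# 4. AppLocker: build a publisher rule from the installed package and merge it into
#    the local policy. Packaged app rules are enforced only while the Application
#    Identity service runs, and once the first rule exists every packaged app
#    without an allow rule (Store apps included) is blocked, so add rules for
#    the apps you want to keep before switching the collection to Enforce.
$rulesXml = Join-Path $env:TEMP 'appx-publisher-rule.xml'
Get-AppxPackage -Name "$PackageName*" |
    Get-AppLockerFileInformation |
    New-AppLockerPolicy -RuleType Publisher -User Everyone -Xml |
    Out-File -FilePath $rulesXml -Encoding utf8
Set-AppLockerPolicy -XmlPolicy $rulesXml -Merge

# 5. Optionally remove the consumer Store entirely ("Turn off the Store application").
$storePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore'
New-Item -Path $storePolicy -Force | Out-Null
Set-ItemProperty -Path $storePolicy -Name RemoveWindowsStore -Value 1 -Type DWord
```

The signature check in step 2 is the part worth keeping in any deployment pipeline: sideloading bypasses the Store’s validation, so the signing certificate is the only thing standing between your users and a package somebody renamed to look like the vendor’s.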

Coming with Windows 10

Microsoft has announced that this will get easier with Windows 10. Organizations will be able to setup a private “boutique” within the Windows Store and curate which applications their users will be able to browse and install. Organizations will also be able to use a single store account to make volume purchases and download the installation files and distribute them in ways that make sense for their use cases (machines without internet access, reassigning applications, etc.).

The Microsoft Surface FAQ


The following is a copy of the content you would have found if you followed the link above to Microsoft Surface FAQ today.  The FAQ is evolving and I have been adding content regularly.  I feel it now has sufficient content to post a copy of it as a blog post to inform you about it.  Bookmark the actual FAQ for future reference as this post will be static but the FAQ won’t be.


This is a series of questions and answers cobbled together from questions I have been asked, questions on Reddit and questions on SurfaceForums.Net.  It is still a work in progress.  If you find it helpful please share with others (if you don’t find it helpful, share it with somebody you don’t like).  If you have any questions that you would like to see here, please leave a comment.

BTW – a great resource for Surface owners and prospective Surface owners is

What’s the difference between Surface RT and Surface Pro?

My friend can install Windows 7 programs on his Surface Pro. Why can’t I install them on my Surface RT/Surface 2?

How do I use CTRL+Fn keys like I do on a normal keyboard?

Can I use the Surface Pro 1/2 pen with the Surface Pro 3?

My speakers aren’t loud enough.  How can I increase the volume?

How can I extend the battery life on my Surface?

Are Picture Passwords secure?

How do I enable a Picture Password?

How can I convert handwriting to text?

How can I connect my Surface to a wireless display?

How can I use the Surface Pro pen for navigation?

My Surface only has a headphone jack. How can I connect a microphone to it?

How can I improve my battery life?

How can I monitor my battery usage?

What’s the difference between Surface RT and Surface Pro?

Surface RT (and Surface 2) run Windows RT, a special build of Windows that only runs on the ARM processor architecture. The Surface devices with “Pro” in their names (Surface Pro, Surface Pro 2 and Surface Pro 3 at the time of this writing) run the same version of Windows available for desktops and laptops: it is built for the Intel x64 architecture and runs Windows 8.x using the same binaries as Windows 8.x on a normal desktop or laptop computer.  The RT is more like a traditional tablet, with long battery life, running cooler, and instant on.  Of course the dimensions are a little different, as the RT is slimmer than the Pro.

My friend can install Windows 7 programs on his Surface Pro. Why can’t I install them on my Surface RT/Surface 2?

Just as the version of Windows that runs on the ARM processor is different, so are the binaries for the applications that run on the different processor architectures.  An application would need to be recompiled, and potentially modified, to run on Windows RT, and Windows RT only runs desktop applications that Microsoft has signed, so a recompiled third-party desktop program still would not install.

How Do I use CTRL+Fn keys like I do on a normal keyboard?

Press the Fn key at the same time as the function keys to have them act as normal function keys. You can also toggle them between special/normal by pressing Fn and CapsLock.

Can I use the Surface Pro 1/2 pen with the Surface Pro 3?

The Surface Pro 3 switched from Wacom pen technology to N-trig pen technology.  As a result, while the pens used with the Surface Pro 1 and 2 are interchangeable with each other, the Surface Pro 3 pen cannot be used on earlier models and the Surface Pro 1/2 pens will not work on the Surface Pro 3.  Windows RT devices do not support either the Wacom or the N-trig pens.

My speakers aren’t loud enough.  How can I increase the volume?

Turning on loudness equalization might help.  Open Control Panel, click Sound, select Speakers, click Properties, open the Enhancements tab, tick the Loudness Equalization check box and click OK.

How can I extend the battery life on my Surface?

There are several ways you can extend battery life—reduce the brightness of your screen, unplug USB devices you aren’t using, or turn off Wi-Fi and Bluetooth if you don’t need it for a while. If you have Surface Pro (1, 2 or 3) you can also save your battery by enabling a power-saving power plan. For more info about your Surface battery, see:

Are Picture Passwords secure?

That depends.  They are definitely harder to crack through automated brute force than a text-based password: Windows requires the text password after five incorrect picture-password attempts, and the picture password only works on the device it was set up on.  The realistic risks are somebody watching your gestures and the smudges they leave on the screen, and since the text password still signs you in, the picture password is never stronger than that password.  For more information on the security of Picture Passwords see here

How do I enable a Picture Password?

  1. Swipe in from the right edge of the screen, tap Settings, and then tap Change PC settings.  (If you’re using a mouse, point to the lower-right corner of the screen, move the mouse pointer up, click Settings, and then click Change PC settings.)
  2. Tap or click Accounts, and tap or click Sign-in options.
  3. Under Picture password, tap or click Add.
  4. Sign in with your Microsoft account info, then follow the steps on the screen to choose a picture and pick your gestures.

Follow this link for more detailed information about how to enable Picture Passwords.

How can I convert handwriting to text?

OneNote has the ability to convert handwriting to text.  On the draw menu, simply select the Ink to Text button on the ribbon.

How can I connect my Surface to a wireless display?

Windows 8.1 has support for Miracast, which allows devices to connect to a display wirelessly. If you have a compatible display (or a wireless display adapter such as this one or this one) you can connect to the display and either extend or duplicate your screen by following these steps:

  1. Add the Display to your Surface
    1. Swipe in from the right edge of the screen, and then tap Devices.
      (If you’re using a mouse, point to the lower-right corner of the screen, move the mouse pointer up, and then click Devices.)
    2. Tap or click Project, and then tap or click Add a wireless display.
    3. Choose the wireless display in the list of devices found, and follow the instructions on the screen.
  2. Project your screen to the device that has been added
    1. Swipe in from the right edge of the screen, and then tap Devices.
      (If you’re using a mouse, point to the lower-right corner of the screen, move the mouse pointer up, and then click Devices.)
    2. Tap or click Project, and then tap or click the wireless display you want.

For more detailed information read this article.

How can I use the Surface Pro pen for navigation?

Hover pen above screen: Moves the mouse cursor around, allowing you to perform mouse hover actions.
Tap pen on screen: Performs a left-click.
Press on screen and hold down: Performs a right-click after a moment’s wait.
Hold button on pen and tap pen on screen: Performs a right-click immediately.

My Surface only has one audio jack. How can I connect a microphone to it?

The 3.5mm audio jack on the Surface supports both output (headphones and speakers) and input (microphones) using a single connection.  There are four options for attaching a microphone to your Surface:

  1. Connect a combo headset/microphone that uses a single 3.5mm plug.  These are commonly used with smartphones.
  2. Use a splitter to create two separate jacks: one for input and one for output.
  3. Use Bluetooth to connect a headset/microphone.
  4. Use a USB microphone/headset.

How can I improve my battery life?

There are many factors that affect battery life.  The following are some easy ways to help improve battery life:

  1. Make sure you have the latest firmware
  2. Use lower screen brightness settings as appropriate.
    1. You can set it manually from Charms > Settings > Screen, or with Fn+Del / Fn+Backspace.
    2. You can also set up a power plan that automatically dims the display based on battery level and/or ambient light conditions from Control Panel > All Control Panel Items > Power Options > Edit Plan Settings > Change Advanced Settings.
  3. Avoid using Chrome.  Many Surface users have reported high CPU and fan usage when using Chrome (especially multiple tabs).  This may not be an issue in the future.

How can I monitor my battery usage?

If you want to get an idea of how you use your battery, how fast it discharges and charges, and other useful information (usage, expected life, etc.), simply run the following command to generate the file battery_report.html on your desktop:

powercfg /batteryreport /output %USERPROFILE%\Desktop\battery_report.html