Manage Surface Pro 3 UEFI Through PowerShell

After the v3.11.760.0 UEFI update is installed on a Surface device, an additional UEFI menu named Advanced Device Security becomes available. Clicking this option brings up a menu with new options. Some of these options let you enable or disable features like the front and/or rear camera, wireless, Bluetooth and network boot, as well as some other cool features.

But what if you are to deploy hundreds of devices or even more? Going through all these devices manually is not a good way to go. So in this post I am going to give an introduction to how you can do this in PowerShell instead.

On TechNet there is some documentation and some sample scripts showing how to identify and configure the settings. I will cover some of the same information here to provide a good base, but also provide some suggestions to make the process easier.

Before you can use any of the PowerShell scripts, you need to install the Surface Pro 3 Firmware Tools MSI on the device that you wish to configure. You can push out that MSI through your normal software distribution processes (e.g. System Center Configuration Manager). You also need the latest firmware on your devices: UEFI Firmware v3.11.760.0

Now that you have the Surface Firmware Tools installed, let's see what you can do with them. Go ahead and open up the PowerShell ISE to begin developing the script that you will use to configure your Surface Pro 3 devices.

The first thing that you need to do is load the Extension that will allow you to access the UEFI options. You do that by running the command below:

[System.Reflection.Assembly]::Load("SurfaceUefiManager, Version=1.0.5483.22783, Culture=neutral, PublicKeyToken=20606f4b5276c705")

If your device is already configured to use an Administrator Password, you’ll need to provide the current UEFI Administrator password. If you don’t have a password currently assigned, then this option will be ignored if you try to run it. You’ll just need to run the line below and substitute 1234 with your currently configured Password.

[Microsoft.Surface.FirmwareOption]::Unlock("1234")

At this point, you should have access to the UEFI via PowerShell, but now what? If you take a look at the TechNet page, you'll see a few script samples to give you some ideas of what you can do. The first thing I would like to do is to list all available options and their allowed values:

[Microsoft.Surface.FirmwareOption]::All() | Foreach {
    [PSCustomObject]@{
        Name              = $_.Name
        Description       = $_.Description
        CurrentValue      = $_.CurrentValue
        DefaultValue      = $_.DefaultValue
        ProposedValue     = $_.ProposedValue
        AllowedValues     = $_.FriendlyRegEx
        RegularExpression = $_.RegEx
    }
}

The result will look something like this: (just a snip from the output)

[Screenshot: part of the output from the script above]

Now that you know what you can set and the values that you need to set, how do you actually set them? To make this easier I am going to make a function in PowerShell, so that I can just call the function with parameters to change the settings.

Function Set-SurfaceUEFISetting
{
    param(
        [Parameter(Mandatory=$true)]$Setting,
        [Parameter(Mandatory=$true)]$Value)

    # Look up the firmware option by its name
    $UEFISetting = [Microsoft.Surface.FirmwareOption]::Find($Setting)
    # Stage the new value as the option's proposed value
    $UEFISetting.ProposedValue = "$Value"
}

So what have I done here? I created a function that allows me to set the UEFI options by using parameters. The function has two mandatory parameters in order to set the UEFI option correctly: the actual name of the setting and the value that you want to set. In the output of the first script you will find the Name value and the allowed values for each setting.

Below you will find commands to set different settings available on the Surface Pro 3:

Set-SurfaceUEFISetting -Setting "Password" -Value "Password"
Set-SurfaceUEFISetting -Setting "FrontCamera" -Value "00"
Set-SurfaceUEFISetting -Setting "TPM" -Value "0"
Set-SurfaceUEFISetting -Setting "PxeBoot" -Value "FE"
Set-SurfaceUEFISetting -Setting "SideUsb" -Value "FE"
Set-SurfaceUEFISetting -Setting "DockingPorts" -Value "00"
Set-SurfaceUEFISetting -Setting "FrontCamera" -Value "00"
Set-SurfaceUEFISetting -Setting "RearCamera" -Value "00"
Set-SurfaceUEFISetting -Setting "WiFi" -Value "00"
Set-SurfaceUEFISetting -Setting "Bluetooth" -Value "00"
Set-SurfaceUEFISetting -Setting "Audio" -Value "00"
Set-SurfaceUEFISetting -Setting "SdPort" -Value "00"
Set-SurfaceUEFISetting -Setting "AltBootOrder" -Value "2"

After you have applied settings through PowerShell you need to restart your Surface Pro 3 to make the settings active.
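
When you roll this out to many devices, it helps to check each value against the option's RegEx before staging it and to get a report back. The function below is an added example, not code from the original post or from Microsoft: Set-SurfaceUEFIBaseline, its status strings, the mock objects (with their RegEx patterns) and the Nfc name are made up for illustration, and it assumes the RegEx property holds a pattern usable with -match.

```powershell
# Added example: validate a baseline against each option's RegEx, then stage it.
# $Options defaults to the live firmware options; pass mock objects for a dry run.
Function Set-SurfaceUEFIBaseline
{
    param(
        [Parameter(Mandatory=$true)][hashtable]$Baseline,
        $Options = ([Microsoft.Surface.FirmwareOption]::All()),
        [switch]$Apply)

    foreach ($name in $Baseline.Keys) {
        $wanted = [string]$Baseline[$name]
        $opt    = $Options | Where-Object { $_.Name -eq $name } | Select-Object -First 1

        if ($null -eq $opt) {
            $status = 'UnknownSetting'            # name not offered by this firmware
        }
        elseif ($wanted -notmatch "^(?:$($opt.RegEx))$") {
            $status = 'ValueNotAllowed'           # whole value must match the pattern
        }
        elseif ([string]$opt.CurrentValue -eq $wanted) {
            $status = 'AlreadySet'
        }
        elseif ($Apply) {
            $opt.ProposedValue = $wanted          # takes effect after a restart
            $status = 'Staged'
        }
        else {
            $status = 'WouldChange'               # report only, nothing written
        }

        [PSCustomObject]@{
            Name    = $name
            Current = if ($opt) { $opt.CurrentValue } else { $null }
            Wanted  = $wanted
            Status  = $status
        }
    }
}

# Constructed sample objects (not real firmware output) for an off-device dry run.
$mock = @(
    [PSCustomObject]@{ Name='FrontCamera'; CurrentValue='FE'; RegEx='00|FE'; ProposedValue=$null }
    [PSCustomObject]@{ Name='WiFi';        CurrentValue='00'; RegEx='00|FE'; ProposedValue=$null }
    [PSCustomObject]@{ Name='SdPort';      CurrentValue='FE'; RegEx='00|FE'; ProposedValue=$null }
)
# Nfc is a hypothetical name, used only to show the UnknownSetting status.
Set-SurfaceUEFIBaseline -Baseline @{ FrontCamera='00'; WiFi='00'; SdPort='0X'; Nfc='00' } -Options $mock
```

On a real device, drop -Options and add -Apply after the assembly is loaded and unlocked as shown above; a 'Staged' row still needs the restart.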

References:

Technet Article: (Link)
Surface Pro 3 Firmware Tools MSI : (Link)
Firmware and Drivers MSI: (Link)

4 thoughts on "Manage Surface Pro 3 UEFI Through PowerShell"

  1. Jan,

    I am trying to set UEFI settings on a surface next to me. After I run your scripts I see the values I have specified in the ProposedValue field. However, after I reboot those values are lost. What am I doing wrong?
