Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Surface Hub 2S devices can be migrated from Windows 10 Team to either Microsoft Teams Rooms on Windows (MTR-W) or Windows 11 Pro/Enterprise, providing the same Windows 11 IoT Enterprise platform as Surface Hub 3. Both migration options use the Surface IT Toolkit and a USB-based workflow. Migrating to MTR-W is preferred for most deployments, but Windows 11 remains a supported option for organizations with specific requirements.
Important
After December 14th, 2025, the USB migration method will be the only supported path for migrating Surface Hub 2S to MTR-W.
For more information on migrating with the Migration Launcher app, see Migrate to Windows 11 via Migration Launcher app.
Tip
While you can use a single USB drive, we recommend preparing two: one for the SEMM package and one for the OS image, drivers, and firmware. This helps prevent accidental data loss during the process.
USB migration prerequisites
- Surface Hub 2S running Windows 10 Team (fully updated)
- Unified Extensible Firmware Interface (UEFI) firmware version: 699.845.768.0 or later
- Separate Windows device to prepare USB drives
- Surface IT Toolkit
- Windows 11 IoT Enterprise with the Microsoft Teams Rooms on Windows experience recovery image or your organization's Windows 11 Enterprise image
- Two USB 3.0 drives (32 GB+, FAT32 formatted):
- USB 1: SEMM package (.dfi file)
- USB 2: OS image, drivers, firmware
- Surface Enterprise Management Mode (SEMM) certificate (.pfx) and password
- Internet connection (optional if using recovery image locally)
Migration workflow summary
| Step | Summary | Action |
|---|---|---|
| 1 | Prepare SEMM certificate and package (USB 1) | Generate/obtain certificate and create SEMM package on USB 1 |
| 2 | Create bootable MTR-W or Windows 11 image (USB 2) | Build MTR-W or Windows 11 media on USB 2 |
| 3 | Confirm device readiness | Verify firmware version meets requirements |
| 4 | Activate SEMM and install Windows 11 | Unlock OS migration, boot from USB, install a Windows 11-based image |
| 5 | Configure Surface Hub 2S | Complete out-of-box experience (OOBE) and Teams Rooms setup |
Migration video overview
Here's a video overview of the Surface Hub 2S to Windows 11 using the USB migration process:
Step 1: Prepare SEMM certificate and package (USB 1)
You have several options for obtaining a SEMM certificate, depending on your organization's size and security requirements.
SEMM certificate options
| Organization Size | Certificate Acquisition Method |
|---|---|
| Large organizations | Organizations with established Public Key Infrastructure (PKI) can generate SEMM certificates internally. This approach offers the highest level of control and security, and is recommended for enterprises with dedicated IT security teams. |
| Medium-sized businesses | Purchase from non-Microsoft partners like DigiCert, Entrust, or GlobalSign. If your organization lacks a dedicated PKI or certificate management infrastructure, you can obtain SEMM certificates from non-Microsoft commercial certificate authorities (CA). To get a SEMM certificate, ensure the certificate authority supports the required specifications listed in the SEMM certificate requirements section, and follow their process for requesting and obtaining the certificate. |
| Small businesses or individuals | For limited deployments or testing scenarios, IT admins can generate a self-signed certificate. While this method is less secure, it allows for quick setup and experimentation. To learn more about creating a self-signed certificate, see Self-signed certificate via PowerShell. |
Warning
Always store your SEMM certificate and password securely. If the certificate is lost or corrupted, you can't reconfigure UEFI settings or unenroll devices from SEMM. This action is irreversible without the original certificate. Back up and protect it accordingly.
SEMM certificate requirements
Certificates must meet the following SEMM requirements:
- Key Algorithm – RSA
- Key Length – 2048
- Hash Algorithm – SHA-256
- Type – TLS/SSL Server Authentication
- Key Usage – Digital signature, Key Encipherment
- Provider – Microsoft Enhanced RSA and AES Cryptographic Provider
- Expiration Date – 15 Months from certificate creation
- Key Export Policy – Exportable
Create SEMM package
Launch Surface IT Toolkit on a separate device. In the left navigation panel, select the following options: UEFI Configurator > Configure Device(s) to create a SEMM package (DfciUpdate.dfi) on USB 1.
On the Device Configuration & Certification page, configure the following settings:
- Choose deployment build: DFI
- Import Certificate Protection: Add → select your .pfx file → enter password
- Choose DFI Package Type: Configuration Package
- Select Device: Surface Hub → Surface Hub 2S
On the Device Configuration Settings page, configure the settings as follows:
- Expand UEFI Front Page
- Toggle EnableOSMigration setting to On. Select Next.
Insert USB 1, select it as the destination, and choose Create to build the SEMM package on the USB drive.
Once devices package is created, select Finish, safely eject USB 1, and store it securely with your SEMM certificate and password.
Record the last two characters of the certificate thumbprint and keep them with your SEMM certificate and password.
Important
Note the last two characters of the certificate thumbprint. You need this information during the migration process to confirm the correct certificate is being used.
Step 2: Create bootable MTR-W or Windows 11 image (USB 2)
You have two options for preparing USB 2, depending on your organization and deployment needs:
- Option 1: Use the official Microsoft Teams Rooms on Windows (MTR-W) recovery image for Surface Hub 2S.
- Option 2: Use your organization's Windows 11 Pro or Enterprise image, manually including the required Surface Hub 2S drivers and firmware for Windows 11 Pro or Enterprise.
This flexibility allows you to deploy either the dedicated Teams Rooms on Windows experience or a standard Windows 11 environment, based on your organization's requirements. Both options follow the same USB preparation workflow, but the OS image and post-migration configuration can differ accordingly.
Note
While both options are supported, MTR-W is preferred for most deployments.
Create bootable drive with MTR-W image
Launch Surface IT Toolkit. In the left navigation panel, select: Recovery Tool > Create Recovery Drive > Create.
On the Select Device page, select the following options:
- Managed Devices: Surface Hub 2S
- All Devices: Surface Hub > Surface Hub 2S
On the Select Recovery Image page, configure the following options:
- Language: Select your preferred language
- Windows OS: MTR
- Release version: 22H2
On the Language Pack Selection page, select either Rest of World or China based on your region. Select Next.
Insert USB 2, select it as the destination, and choose Create to build the recovery image on the USB drive.
Once the recovery drive is created, select Finish, safely eject USB 2, and store it securely.
Create bootable drive with Windows 11 image
To install a Windows 11 Pro or Enterprise image (version 20H2 or later), use one of the following options:
- Existing organization image: If using your organization's Windows 11 Pro or Enterprise image, prepare it manually and include drivers from Surface Hub 2S drivers and firmware for Windows 10/11 Pro and Enterprise.
- Surface Deployment Accelerator: Use the Surface Deployment Accelerator to create a comprehensive bootable image that includes the latest updates for Windows 11, Microsoft Office, other applications, and necessary drivers and firmware.
- USB drive: You can manually create a USB drive with the downloaded recovery image. Windows 11 IoT Enterprise with the Microsoft Teams Rooms on Windows experience. After setup, download and install the Surface Hub 2S drivers and firmware for Windows 10/11 Pro and Enterprise.
Step 3: Confirm device readiness
Verify that UEFI version is 699.845.768.0 or later. If not, update the UEFI firmware before proceeding with migration.
To check the UEFI version via the Surface App on the Surface Hub 2S:
- Go to Start > All apps > Surface > Your Surface
- Under Device information, check the UEFI version.
You can also check the UEFI version in the UEFI menu:
- Turn off the Surface Hub 2S.
- Press and hold the Volume + button, then press and release the power button. Continue holding Volume + until the UEFI menu appears on the screen.
- Select System information to view the UEFI version.
- If the UEFI version is earlier than 699.845.768.0, update it via Windows Update.
Step 4: Activate SEMM and install Windows 11
After preparing both USB drives and confirming the device is ready, you can proceed with the migration process.
You first activate Surface Enterprise Management Mode (SEMM) to unlock the ability to migrate the operating system. Then, you boot from USB 2 to install either the MTR-W or Windows 11 Pro/Enterprise image.
Enable OS migration by unlocking UEFI
To unlock UEFI and enable OS migration, follow these steps:
Insert USB 1 (with the SEMM package) into the Surface Hub 2S.
Boot into UEFI by following these steps:
- Turn off the Surface Hub 2S.
- Press and hold the Volume + button, then press and release the power button. Continue holding Volume + until the UEFI menu appears on the screen.
- When prompted, enter the UEFI password you set earlier.
In the UEFI menu, navigate to Management, select Install from USB, and apply the DfciUpdate.dfi file from USB 1.
Select Restart now from the menu. The device displays a white Microsoft logo and then shuts down to complete the installation.
Turn on the Surface Hub 2S again. A red dialog box appears prompting you to activate Surface Enterprise Management Mode (SEMM).
Enter the last two characters of your certificate thumbprint and your UEFI settings password, then select OK to proceed.
Note
Activating SEMM with the EnableOSMigration setting renders Windows 10 Team inaccessible. You should now proceed to install Windows 11 Pro or Enterprise.
The device reboots automatically, displaying the white logo again before shutting down, indicating that the UEFI update and SEMM activation are complete. After the device powers off, you can now proceed to the next step of migrating the operating system.
Install MTR-W or Windows 11
Once SEMM is activated, you can boot from USB 2 to install the desired operating system.
To install MTR-W or Windows 11 Pro/Enterprise:
- Insert USB 2 (with the MTR-W or Windows 11 image) into the Surface Hub 2S.
- Boot into UEFI by following these steps:
- Turn off the Surface Hub 2S.
- Press and hold the Volume + button, then press and release the power button. Continue holding Volume + until the Windows logo appears on the screen.
- The device boots from USB 2 and begins the installation process. Follow the on-screen prompts to complete the installation of either MTR-W or Windows 11 Pro/Enterprise.
- The installation process can take up to 90 minutes. If the installation appears to stall, wait for the full duration before taking further action.
- After installation completes, the device will restart automatically. Remove USB 2 when prompted to avoid booting from it again.
Step 5: Configure Surface Hub 2S
Once installation completes:
- Complete Windows OOBE (language, region, network).
- Install updates.
- If using the MTR-W image, follow the Teams Rooms setup guide and sign in with your resource account.
- If using Windows 11, configure as needed for your organization. For more information on setup and configuration, see Configure Windows 10/11 Pro or Enterprise on Surface Hub 2S.
Best practices
- Back up your SEMM certificate securely.
- Avoid unnecessary reboots during migration.
- Use two USB drives to avoid overwriting critical files.
- Store related files together (SEMM certificate, DfciUpdate.dfi, notes with certificate thumbprint/password).
Post-migration
After migration:
- Configure security best practices for Surface Hubs.
- Optionally, use Windows Autopilot + Teams Rooms Autologin to streamline deployment.
- Remove stale device records in Intune if applicable.
To learn more about best practices for Surface Hub migrations, see:
- Get started with Surface Hub running MTR-W
- First-time setup for Surface Hub with MTR-W
- Security best practices for Surface Hub
Troubleshooting and more guidance
Although the USB migration method is straightforward, issues can arise during preparation or installation. The following guidance can help identify and resolve common problems.
Firmware mismatch
- If UEFI firmware isn't at least version 699.845.768.0, update the device before attempting migration.
- To update, go to Settings > Update & Security > Windows Update and install all pending updates.
- Repeat until both firmware meets requirements.
SEMM certificate issues
Ensure the SEMM certificate (.pfx) file and password are backed up securely. Without them, UEFI access is permanently lost.
If you lose the certificate thumbprint, it can be retrieved using PowerShell on a Windows device using the following command:
$pfx = Get-PfxCertificate -FilePath "C:\Path\To\YourCert.pfx" $pfx.Thumbprint(Optional) set UEFI password.
Record the last two characters of the certificate thumbprint.
Quick checks during migration
Use the following checks and references to quickly diagnose issues that can arise during USB migration. These checks can help identify whether the problem relates to firmware, USB media, disk space, or recovery image integrity.
| Check | What to verify | Resolution |
|---|---|---|
| Firmware version | UEFI firmware must be 699.845.768.0 or later | Update via Windows Update or UEFI update before retrying migration |
| USB media | USB 1 (SEMM) and USB 2 (OS image) must be FAT32, 32 GB+, and properly created | Reformat and rebuild drives using Surface IT Toolkit |
| Installation stalls | Device appears stuck during recovery | Allow up to 90 minutes; if stalled longer, rebuild USB 2 and retry |
| SEMM certificate | Certificate file and password must be valid | Retrieve thumbprint with PowerShell or recreate certificate if possible |