Each Microsoft Surface unit is, at its core, a Microsoft Windows computer that is running custom software. Microsoft Surface units include the Windows Vista Business operating system with Service Pack 1 (SP1). Windows Vista Business provides many of the familiar advanced networking and administration tools and features, including Remote Desktop, Group Policy support, and desktop deployment tools. (For more information about how to remotely administer and update Microsoft Surface units, see Remotely Administering a Microsoft Surface Unit.)
The Microsoft Surface Administration Guide describes administration procedures and recommendations that are specific to Surface units. Because Surface units include the Windows Vista Business operating system, see the Windows Vista documentation on the Microsoft TechNet Web site for information about most standard Windows Vista administration tasks.
Table of Contents
Key Concepts
Before you start administering Microsoft Surface units, you should be familiar with the following key concepts:
- Administrator mode. Administrator mode gives you access to the Windows Vista user interface and functionality and to Microsoft Surface functionality through desktop shortcuts. Both commercial and developer Microsoft Surface units start in administrator mode after you first set up the unit and show the Windows Vista user interface and the logon screen. The Surface Input desktop shortcut enables touch input, and the Surface Shell desktop shortcut starts the active attract application and Launcher on the Microsoft Surface display. For more information, see Administrator Mode and User Mode.
- User mode. User mode displays the Microsoft Surface user interface and is designed for Microsoft Surface units in venues. In user mode, the Windows Vista user interface is suppressed, including all User Account Control prompts, all Windows Firewall prompts, access to Windows Task Manager, and automatic updates. In user mode, users see the active attract application, Launcher, and any registered Microsoft Surface applications. Optionally, you can enable troubleshooting while in user mode. For more information, see Administrator Mode and User Mode.
- TableUser user mode account. Every Microsoft Surface unit includes a preconfigured user account, with the assigned user name "TableUser" and a unique, auto-generated, cryptographically strong password. The Microsoft Surface software uses this user account to automatically log on to user mode. For more information, see Administrator and User Mode Accounts.
- Mode profiles. Based on how you log on to the Microsoft Surface unit (as an administrator, user, or user with troubleshooting enabled), Surface Shell customizes the Microsoft Surface experience by reading the appropriate Microsoft Surface-specific "mode" registry keys. These registry keys are organized into "profiles" so that it is easy for you to understand and adjust these changes, if it is necessary. For more information, see Mode Profiles.
- Surface Shell. Surface Shell is responsible for:
- Registering applications to display in Launcher.
- Starting and ending attract applications.
- Showing users a loading screen when an application is started until the application is ready to display.
- Notifying applications about changes in suggested orientation based on how users are interacting with Launcher.
- Providing an on-screen keyboard or numeric keypad that applications can use.
- Enabling applications to display notifications to users.
- Providing access points in the corners on top of applications to enable users to switch between applications and Launcher.
- Managing user sessions.
- Enabling one application to start or switch to (that is, activate) another registered application.
- Monitoring application responsiveness and application failures.
- Registering applications to display in Launcher.
- Attract application. When no user is actively using a Microsoft Surface unit, the unit enters attract mode and displays a compelling and enticing, touch-oriented attract application that is like a screen saver. Microsoft Surface includes one default attract application called Water that you can use or customize, or you can create your own attract applications. For more information, see Configuring Attract Applications.
- Launcher. Launcher is the menu that displays the applications that are available to users. It looks like a filmstrip and displays on top of any applications that are running. The Launcher filmstrip moves across the Microsoft Surface screen and displays a series of square images that preview every application. The selected image (called the application preview) is larger than the other images and includes descriptive text about the application below it.
For more information about Surface Shell, applications (standard and attract), and Launcher, see Interacting with a Surface Unit.
Microsoft Surface units can run in one of two modes: administrator mode or user mode. The modes determine what appears on the Microsoft Surface display and whether the Microsoft Windows user interface will be suppressed or available. You can easily switch between these two modes through the Microsoft Surface user interface.
Administrator Mode vs. User Mode
The following table describes the differences between administrator mode and user mode. Mode profiles determine what specific changes that Surface Shell makes when you log on in one of these modes. For more information, see Mode Profiles.
| Mode | Description | ||
|---|---|---|---|
|
Administrator mode |
Administrator mode gives you access to the Windows Vista user interface and functionality and to Microsoft Surface functionality through desktop shortcuts. Both commercial and developer units are configured to start in administrator mode after you first set up the unit and show the Windows Vista user interface and the logon screen. You can run and test a Microsoft Surface application by starting it from Microsoft Visual C# 2008 Express Edition (developer units only) or by using the Surface Input and Surface Shell tools, which are available as desktop shortcuts. Surface Input enables touch input, and Surface Shell starts the active attract application and Launcher on the Microsoft Surface display, while the Windows desktop runs in the background or on an external monitor, if you have set one up. You can also use administrator mode to directly or remotely administer the Microsoft Surface unit and Windows Vista functionality.
When you log on to a Microsoft Surface unit for the first time, you enter administrator mode. |
||
|
User mode |
User mode displays the Microsoft Surface user interface and is designed for Microsoft Surface units in venues, without a logon screen. In user mode, the Windows Vista user interface is suppressed, including all User Account Control prompts, all Windows Firewall prompts, access to Windows Task Manager, and automatic updates. In user mode, users see the Microsoft Surface user interface that you configure, including the following:
Developers should use administrator mode for general testing and troubleshooting during application development, and then switch to user mode as a final step. For issues that you cannot reproduce in user mode, turn on user mode troubleshooting by taking the steps in the following "To enable troubleshooting in user mode" procedure. When the Microsoft Surface unit enters user mode, it logs on Windows Vista by using a specific Microsoft Surface Modes and Profiles called the user mode account. By default, this account is the TableUser user account. TableUser is a standard user account and minimizes the ability of users to make any serious changes to the Microsoft Surface unit. If you want the user mode session to run under a different user account, you can create that account through Windows Vista and use the SurfUser tool to tell the Microsoft Surface unit to use that account while in user mode. For more information about the TableUser account, see Administrator Mode and User Mode.
le troubleshooting in user mode&q
|
To switch from user mode to administrator mode
-
Connect a keyboard and mouse to the I/O connections on the Microsoft Surface unit.
-
Press CTRL+ALT+DEL, and then click Log off.
-
Log on by using an administrator account. (For more information about administrator accounts, see Administrator and User Mode Accounts.)
Note You can also switch from administrator mode to user mode by using the ModeSwitcher command-line tool. For more information about how to use this tool in a script, see ModeSwitcher Tool.
To enable troubleshooting in user mode
-
Connect a keyboard and mouse to the I/O connections on the Microsoft Surface unit.
-
Press CTRL+ALT+DEL, and then click Log off.
-
Log on by using an administrator account. The Windows desktop appears.
-
Double-click the Enter User Mode shortcut.
The Do you want to log off and enter user mode? dialog box appears.
-
Select the Enable troubleshooting and debugging in user mode? check box.
Note For developer units, this check box is selected by default. For commercial units, this check box is cleared by default. -
Click Yes.
The Entering User Mode progress dialog box appears while Surface Shell updates the user debug mode profile registry key settings and Group Policy settings.
Windows Desktop in Administrator Mode
When you log on to a Microsoft Surface unit as an administrator, it displays a customized Windows desktop.
The Windows desktop contains the following Microsoft Surface-specific shortcuts:
| Shortcut | Description | ||
|---|---|---|---|
 |
1. Ambient Light Indicator Tool checks the ambient light conditions on the Microsoft Surface unit by displaying red dots for areas on the screen that have harsh lighting and green dots for areas on the screen that have satisfactory lighting. If red dots appear, you can adjust the lighting in the room until as many green dots as possible appear on the screen. Like the calibration tool, the Ambient Light Indicator tool is most effective when you use it locally. If you use Remote Desktop to run the Ambient Light Indicator tool, you will need someone located by the unit and you will need to tell them exactly how they should adjust the room lighting based on your recommendation. |
||
 |
2. Calibrate Vision System opens the calibration tool which enables you to recalibrate the Microsoft Surface cameras. The calibration tool is most effective when you use it locally. However, you can run basic calibration if you have someone to place the calibration board over the unit during the process. For more information about calibration, see Remotely Calibrating the Microsoft Surface Vision System. For more information about how to remotely calibrate a Microsoft Surface unit, see Calibrate Vision System Tool.
|
||
 |
3. Enter User Mode automatically logs you off as administrator and logs on to the Microsoft Surface unit by using the current user mode account, shifting the unit into user mode (in which users can interact with the attract application and Launcher). |
||
 |
4. (Available on developer Microsoft Surface units only) Set Up Monitors configures the Microsoft Surface unit after you connect an external monitor. For more information about how to set up an external monitor, see Installing a Keyboard, Mouse, and Monitor. |
||
 |
5. Surface Input provides Microsoft Surface touch functionality while you are logged on administrator mode. When Surface Input is enabled, a Surface Input icon appears in the notification area (to the right of the taskbar) that indicates if it is running. You can use Surface Input to test the unit setup and configuration or to test an application by starting it from Visual C# 2008 (on a developer unit). To disable Surface Input, right-click the Surface Input icon, and then click Stop. |
||
 |
6. Surface Shell replicates user mode without leaving administrator mode so that you can test and debug applications with Launcher. Use Surface Shell together with Surface Input to test that an application works correctly with Surface Shell. That is, check that the application displays in and can be started from Launcher and that your application works properly with the Microsoft Surface software and user interface. When Surface Shell is running, a Surface Shell window appears in the taskbar. To close Surface Shell, right-click the window, and then click Close. |
Mode Profiles
Based on how you log on to the Microsoft Surface unit (as an administrator, user, or user with troubleshooting enabled), Surface Shell customizes the Microsoft Surface experience by automatically changing the relevant Microsoft Surface-specific registry keys to match the "mode". These registry changes are organized into "profiles" so that it is easy for you to understand and adjust these changes, if it is necessary.
The following illustration shows the Microsoft Surface registry structure.
The three mode profiles (Administrator, User, and UserDebug) and the Default mode profile (the root profile that the other mode profiles are derived from) determine how the Microsoft Surface unit behaves when that type of user is logged on. That is:
- The Administrator mode profile makes sure that all users who log on as an administrator have access to Windows Vista.
- The User mode profile makes sure that all users have access only to Launcher and registered applications and that all Windows dialog boxes and pop-up windows are suppressed.
- The UserDebug mode profile makes sure that all developers who are testing applications have access to Launcher, registered applications, and the appropriate troubleshooting tools.
Administrator and User Mode Accounts
There are four different types of user accounts that might exist on a Microsoft Surface unit:
- The built-in administrator account ("Adressed.
- The UserDebug mode profile makes sure that all developers who are testing applications have access to Launcher, registered applications, and the appministrator"). By default, this account is disabled, and you should not use it.
- Accounts that are members of the local Administrators group. When a member of this group logs on, the system automatically switches to administrator mode. Make sure that all administrators and developers who will be working with the Microsoft Surface unit are members of this group.
- The Microsoft Surface user mode account. This account is associated with user mode and is used by the Enter User Mode shortcut to log on in user mode. By default, TableUser is the Microsoft Surface user mode account, but you can change this default by using the SurfUser tool. You can assign any non-administrator account as the Microsoft Surface user mode account.
- Other accounts. This group includes all accounts that are not members of the Administrators account and not Microsoft Surface mode user accounts. Although you can create such accounts, be aware that the Microsoft Surface software does not support interactive logon by using these accounts. If you try to log on by using an account that is not a member of the Administrators group and not a Microsoft Surface user mode account, you will see a warning message and then you will be logged off.
The rest of this topic includes:
Administrator Account
You can log on to a Microsoft Surface unit as an administrator by using the administrator account that you created when you first logged on to the Microsoft Surface unit or by using an account that is a member of the Administrators account.
| Note |
|---|
| You should not use the built-in "Administrator" account (which is disabled by default on all Microsoft Surface units) because is it less secure than the administrator account that you created when you first logged on the Microsoft Surface unit.
|
User Mode Account
Every Microsoft Surface unit includes a preconfigured user account, with the assigned user name "TableUser" and a unique, auto-generated, cryptographically strong password. The Microsoft Surface software uses this user mode account to automatically log on to user mode. You can use the preconfigured TableUser account without any changes.
| Important |
|---|
| You must not change the TableUser account name or delete this account, even if you do not use this account.
|
You can also use an existing user account (local or domain-based) as the user mode account instead of using the TableUser account. The user mode account must not be a member of the Administrators group on the Microsoft Surface unit. You can use the Windows Vista tools, such as User Accounts or the Active Directory Users and Computers snap-in, to create or modify local or domain-based user accounts that you want to use as user mode accounts. However, you must also run the SurfUser tool that is included with all Microsoft Surface units to designate a user account as the current user mode account and to assign that account's password to the registry. Specifically, the SurfUser assign command enables you to designate a different user mode account.
| Important |
|---|
| By default, the preconfigured user account (TableUser) is designated as the current user mode account. You can change the TableUser account password, but you must not change the TableUser account user name or delete the TableUser account, even if you do not use this account.
|
To change a user mode account password (including the password for TableUser), you can use the Windows User Accounts tool or the Net User command (in an elevated Command Prompt window). However, after you change the password, you must use the SurfUser tool to update the password in the registry.
The SurfUser tool assigns or updates the user mode account and its password and then assigns that password to the registry so that the auto logon process can run without error.
You might need to use the SurfUser tool in the following situations:
- Your company's security policies require that you change default passwords or to change all passwords periodically.
- You want to log on to the Microsoft Surface unit by using the TableUser account to troubleshoot an application and you need to know the password.
- You want to run the Microsoft Surface unit in user mode by using a domain account (for example, to enable a Microsoft Surface application to access protected network resources).
- You have created a Microsoft Surface unit image and deployed that image to one or multiple units on a network. (If you create an image by using the Windows System Preparation Tool [sysprep], the user password cannot be decrypted, so you must create a new password.)
For more information about how to use SurfUser, see Surlicies require that you change default passwords or to change all passwords periodically.