Due to the nature of Surface Hub’s OS (Windows 10 Team Edition), and due to the fact that it’s a locked-down, secured, communal device, it will not show you any popups during the step-by-step configuration (OOBE) or later when it attempts to connect to services and servers. This makes the environment preparation task even more critical: When installing them, Surface Hubs can be configured individually by the installer if they have the required information, or using a PPKG file for mass deployments. In any case, having all the required information is crucial – as the installation will not complete if it hits an issue along the way.
One of the most common issues with Surface Hub installation and Skype for Business is the Trusted Domain List.
What is the Trusted Domain List and how to get it right?
The Trusted Domain List, also referred to as the “TrustModelData” is a List of the trusted domains that don’t match the prefix of the your SIP domain.
When a user (or a device, in this case) connects to the Skype for Business server, the client validates the connections against a list of trusted servers.
Who are the trusted servers?
- The users’ SIP URI domain
- Any server that the client connected to in the past, and that was added to the Trusted Domain List (More on this below)
- The domain of the server that the client last connected to
Let’s break these down:
Scenario 1 is pretty straight forward; if the users’ SIP URI domain and the servers’ domain are the same, there’s an automated trust and the client will sign in immediately.
|User’s SIP URI||Alan@contoso.com|
Scenario 2 is where the users’ SIP URI is different than the servers’ domain (due to internal naming convention – for example: domain.local, or due to users\resource forests, etc.)
|User’s SIP URI||Alan@contoso.com|
In this case, the Trusted Domain List can be prepopulated by the admin via GPO or manually configuring Registry keys, and also by the user:
Every time the client connects to a new server – an untrusted server – the user will receive a prompt saying “Skype for Business cannot verify that the server is trusted for your sign-in address. Sign in Anyway?”
Once the user clicks Connect, the server is added temporarily (See Scenario 3) to the Trusted Domain List. If the user will go ahead and check the “Always trust this server” box, the server will be added to the Trusted Domain List and the warning will never appear again.
Scenario 3 is what’s happening when the user connects to an untrusted server and acknowledges the ‘Sign in Anyway?’ popup. The server we’re connected to is saved in the registry and will remain there until the user connects to a new server. As long as the server is there, the user will not be prompted to trust the server:
For most workstations, the Trusted Domain List will be pushed via using Skype for Business Server 2015 in-band provisioning, but it can also be pushed using Registry keys or GPO.
What does this have to do with Surface Hub?
Surface Hub will not prompt you to ‘trust a server’ if its not on the Trusted Domain List. Instead, you’ll have to make sure that all possible domain names are represented in Surface Hub. Otherwise, the Skype for Business client will not connect:
However, other features, like Emailing the whiteboard, will work, as Exchange doesn’t require a Trusted Domain List:
The Trusted Domain List on the Surface Hub can be edited in one of the following ways:
- Add the domain name in the “Configure domain name” window , under Settings -> Surface Hub -> Calling and Audio
- Using the Windows Configuration Designer, perpare a PPKG file that contains the domain name under RuntimeSettings/WindowsTeamSettings/SkypeForBusiness/DomainName
- Using Microsoft Intune, crate a new custom configuration policy for Windows 10 Desktop and add the following OMA URI:
In the value field, add the domain name of your server:
Following these steps will ensure that Surface Hub can easily connect to Skype for Business in your environment.
For more information check the Surface Hub Admin Guide here.