Deploy Windows to Surface Pro 3 using Microsoft Deployment Toolkit

Deploy Windows to Surface Pro 3 using Microsoft Deployment Toolkit

  • Comments 20
  • Likes

Hi, my name is Scott McArthur and I am Senior Support Escalation Engineer on the Deployment/Devices team. In today’s blog I am going to go over the steps to deploy Windows 8.1 Enterprise X64 Update to a Surface Pro 3. In this example I will be using the following deployment technologies

  • Microsoft Deployment Toolkit 2013 Server
  • Windows Server 2012 R2 WDS server

I will be using the Microsoft USB to Ethernet adapter to PXE boot the MDT 2013 Lite Touch Images from the WDS server. If you don’t have the adapter you could utilize a USB hard drive and Media Deployment from MDT (not covered in this blog). There are various ways to deploy Windows to a device so this is just one example.

Before starting you need to gather up the following:

  • Note: We are going to make the download of this update easier but in the meantime you can grab this update from this link.
  • Optional: Existing Surface Pro 3 with OEM image installed. Used to gather files for Pen Pairing during OOBE

Note: In this blog I am using the Surface Pro 3 as the hardware to build the reference image on. In environment where you are building an image that will only go on a Surface Pro 3 this is generally not a problem but if you create reference image that is going to many different types of systems we recommend for you to build your reference image in a Generation 1 Hyper-V virtual machine so that the reference image is “clean” of any drivers and then you use the features of MDT or SCCM to layer the device specific drivers down during deployment. Since there are so many factors involved I opted to show the simpler of scenarios and then you can decide what fits best for your environment and goals.

Step #1: Extract the contents of the Surface Pro 3 Firmware and Driver pack

After downloading the Surface Pro 3 firmware and driver pack you will see the following files:

  • Surface Ethernet
  • Surface Gigabit Ethernet
  • Surface Pro – July
  • Surface Pro 2 – July
  • Surface Pro 3 – July

Note: This package is updated on regular basis so the filenames be slightly different but overall package organization should be similar.

Extract the contents of the following files:

  • Surface Pro 3 – July
  • Surface Ethernet
  • Surface Gigabit Ethernet

For the next steps we will assume they were extracted to the following locations

  • C:\Surface_Pro3_July_2014
  • C:\Surface_Ethernet_Adapter
  • C:\Surface_Gigabit_Ethernet_Adapter
  • C:\KB2968599

Step #2: Import OS

In this step we will import the OS. Surface Pro 3 only supports Windows 8.1 X64 Update. This can be Enterprise or Professional.

  • Right click Operating Systems and choose import
  • Browse to your location of your VL Windows 8.1 Enterprise Update X64 ISO
  • Provide directory name such as “Windows 8.1 Enterprise Update X64”
  • Click next and Finish

Step #3: Add the Surface Pro 3 Firmware and Driver pack drivers to MDT

In the Microsoft Deployment Toolkit Workbench create the following folder structure under Out-Of-Box Drivers


Note: The last folder must be called “Surface Pro 3”

  • Right click Out-Of-Box Drivers\WindowsPEX64 folder and choose import drivers. Browse to C:\Surface_Ethernet_Adapter and import the driver
  • Right click Out-Of-Box Drivers\WindowsPEX64 folder and choose import drivers. Browse to C:\Surface_Gigabit_Ethernet_Adapter and import the driver
  • Right click Out-Of-Box Drivers\X64\Surface Pro 3 and choose import drivers. Browse to C:\Surface_Pro3_July_2014

Step #4: Create Selection Profile for Windows PE drivers

This still will create a selection profile for Windows PE drivers. This helps to ensure only the necessary drivers are imported into Lite Touch boot image.

  • In the Microsoft Deployment Toolkit workbench navigate to Advanced Configuration\Selection Profiles.
  • Right click and choose new selection profile
  • Name the selection Profile WindowsPEx64
  • Browse to Out-Of-Box Drivers\WindowsPEX64
  • Select WindowsPEX64 folder


  • Next
  • Finish

Step #5: Assign Selection Profile for Windows PE

This step will assign the previously created selection profile to Windows PE Lite touch so that only the drivers under WindowsPEx64 are added to the boot image

  • Right click the Deployment share and choose properties
  • Choose Windows PE tab
  • Choose Platform X64
  • Choose Drivers and Patches tab
  • For selection profile choose WindowsPEx64


Step #6: Import Updates

In this step we will import the update that enables the Pen button functionality with modern OneNote. In most cases you would probably add other security updates and other updates to your deployment at this point also.

In the Microsoft Deployment Workbench right click packages and choose import and then browse to C:\KB2968599\Windows8.1-KB2968599-x64.msu


Step #7: Create Task Sequence

In this step we will create a task sequence to deploy Windows 8.1 Enterprise Update X64

  • In the Microsoft Deployment Workbench right click Task Sequences and choose new
  • Task Sequence ID=BLDWin81ENTUPX64
  • Task Sequence Name=Build Windows 8.1 Enterprise Update X64 reference image
  • Choose Standard Client Task Sequence
  • Choose the Windows 8.1 Enterprise Update X64 reference image OS
  • Choose Do not Specify a product key at this time
  • Fill out Organization and other information
  • Fill out local administrator password
  • Finish

Step #8: Edit Task Sequence for Drivers

In this step we will edit the task sequence to modify the driver injection step. There are a number of ways to address drivers in MDT. The key to preventing driver installation issues to make sure that the only drivers used during the deployment are the ones designed for the Surface. If your Out-Of-Box drivers contain drivers for other systems and you do not use one of the options below then you cannot control what drivers get used during the deployment. This can lead to problems so we would recommend you use Selection Profiles or other methods to ensure only the drivers designed for the Surface are used during the deployment. For additional reading on this topic I encourage you to take a look at this blog

Option #1:Create a selection profile for Out-Of-Box Drivers\Windows81Update\X64\Surface Pro 3 and then set the Inject Drivers TS step to this selection profile. It is recommended to choose the “Install all drivers from this selection profile option also. Disadvantage to this option is that this TS would be specific to Surface Pro 3. If you configure this option it will look like this in the task sequence


Option #2 (Recommended approach):Use the DriverGroup001 variable to set this based on the Model of the system. This is more flexible since it will take the Model (WMI variable from the BIOS) information and use this to decide which folder to use. This allows this task sequence to work for a variety of devices. The folder names have to match EXACTLY with the Model exposed by the system (MSINFO32 will show you the model)

We will use Option #2 for these steps

In Microsoft Deployment Toolkit workbench right click the task sequence you created earlier and choose properties

  • Choose the Task Sequence tab
  • Browse to the Preinstall phase and look for step called “Inject Drivers”
  • Click the Enable Bitlocker step which is right before the “Inject Drivers” step
  • Click Add, General, Set Task Sequence Variable
  • Set the following:

Name: Set DriverGroup001 variable to Model
Task Sequence Variable: DriverGroup001
Value: Windows81Update\x64\%model%



  • Choose the Inject Drivers step that occurs after this step and set the Selection profile to Nothing and choose “install all drivers from the selection Profile”. This is important so all the firmware updates and drivers for devices that are not present(for example keyboard) are added to the deployment


  • Click apply and save the task sequence

Step #9: Modify the Unattend.xml

In this step we will modify the Unattend.xml to make sure OOBE is completely automated. There is additional prompt during OOBE to join wireless network if the wireless driver is available. The TS Unattend.xml does not contain the entry to automate this since this is a new setting with Windows and the template in MDT 2013 doesn’t contain it

  • In Microsoft Deployment Toolkit workbench right click the TS and choose properties
  • Choose OS info tab
  • Choose Edit Unattend.xml

Note: This will take a while the first time a catalog is created. If you encounter error take a look at KB2524737.

  • Navigate to 7 OOBESyetm\Microsoft-Windows-Shell-Setup\OOBE
  • For HideWirelessSetupInOOBE choose True


Another option to consider modifying at this point is configuring whether or not the Power button shows on the start screen. The OEM image that ships with Surface Pro 3 is configured to show the Power button on the start screen. If you do a new install the default behavior is not to show the power button (by design). For additional information on this behavior and Unattend option to configure this see the following:

KB2959188: Power/shutdown button may be missing from the Windows 8.1 start screen


Step #10: Configure Image for Pen Pairing during OOBE (Optional)

During the 1st bootup of the OEM image that ships with the Surface Pro 3 you are prompted during OOBE to pair the pen. In most cases you will probably want to pairthe pen after the deployment is complete but if you would like to add this step to the deployment you can use the following instructions.

Note: The pairing prompt will occur during OOBE so it will interrupt MDT’s automated deployment. Once paired you must click next for it to continue. Ideally this is something IT person would handle for the user before handing over the device to the user.

1. Take one of your existing Surface Pro 3 devices that has the OEM image on it and copy the following files to USB flash drive or other location:


2. On the MDT server open Deployment and Imaging Tools Environment cmd prompt

3. Use the DISM command to mount the image you are deploying

Dism /mount-wim /wimfile:d:\deploymentshare\operating systems\<name of image>\sources\install.wim /index:1 /mountdir:c:\mount

4. Create the following pathing in the image


5. Copy all the files from Step #1 above into this folder

6. Close any explorer Windows and switch to C:\ to make sure no open file handles to the c:\mount folder

7. Unmount the image and save changes

Dism /unmount-wim /mountdir:c:\mount /commit

Step #11: Configure Default Display Resolution

The default display resolution for the Surface Pro 3 is 2160x1440. To set this automatically you can add the following entry to your customsettings.ini (Right click the Deployment share, properties, rules):

Priority=Model, Default

[Surface Pro 3]

This uses the MDT functionality of where it knows the Model (Surface Pro 3) and based on these entries adds the resolution settings to the Unattend.xml for you

Step #12: Update MDT server and WDS server

At this point you would want to do a full generation of the deployment share to create the Lite Touch boot images to ensure the Surface Ethernet Adapter driver is incorporated into the MDT Lite Touch boot images and then import these images to your Windows Deployment Service (WDS) server. I would recommend you utilize a 2012R2 WDS server. For additional information on support for UEFI in WDS take a look at KB2938884.

Step #13: PXE boot

The final step is to PXE boot the Surface Pro 3. To PXE boot do the following:

  • Shut the device down
  • Press and hold volume down button
  • Press the Power button
  • When you see the Surface Logo you can let go
  • You should see prompt to PXE boot. The Surface Pro 3 supports a On Screen Keyboard(OSK)
  • Press the Keyboard icon in upper right of screen
  • Press Enter button on OSK
  • Using arrow keys on OSK choose your MDT 2013 Lite Touch image from the WDS server
  • Then follow the prompts during Lite Touch to initiate the deployment

If you can’t get the Surface Pro 3 to PXE boot check the following:

  • Make sure you are using Microsoft USB to Ethernet Adapter. 3rd party adapters are not supported for PXE booting
  • Check and make sure this issue does not apply to your environment
  • 2602043: Invalid Boot File Received Error Message When PXE booting from WDS

Additional Notes

Some additional tips:

  • Check out my other blog for some additional tips for the PEN at “Deploying Surface Pro 3 Pen and OneNote Tips
  • If you do not want to see the Deployment Summary at the end of the deployment you can add the following entries customsettings.ini:

;Skip Final Summary Screen
;Control behavior after system is complete

Thanks for reading this blog and good luck with your Surface Pro 3 deployments.

Scott McArthur
Senior Support Escalation Engineer

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment
  • Thanks for the great blog. I've been telling our MS reps for the last couple of weeks this kind of guidance needed to be posted somewhere.

    There are three unique items that we had to include in our SCCM/MDT Task Sequence to have the Surface Pro 3 look as close to the OEM experience as possible. You've covered two those here, the Pen hotfix and the power button. For the power button, we took the route of updating the registry with a "Run Command Line" task.

    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ImmersiveShell\Launcher /v Launcher_ShowPowerButtonOnStartScreen /t REG_DWORD /d 1 /f

    I'm not sure KB2959188 is accurate about how Windows decides to display the power button. It says it's based on device type, but I believe it's based on Connected Standby capability. If the power button doesn't show up on a Surface Pro 3 and you enable Hyper-V, thus disabling Connected Standby, the power button will appear after a reboot. Right now I have our registry entry task WMI filtered in our deployment task sequence to only apply to the Surface Pro 3. I've unsuccessfully tried to figure out a way to detect Connected Standby capability. I'd appreciate if anyone else has any insight on how to do that to share.

    The one item you didn't cover here is the setting for "When I sign in or close all apps on a screen, go to the desktop instead of Start". By default, only device types that are designated by the PC manufacturer as a slate device type will have this checkbox unchecked so the users boot to the Start Screen instead of the desktop. I believe the detection methods described in KB2959188 may apply to this setting instead of to the power button setting. The Surface Pro 3 is designated as a mobile device, so in a default Windows 8.1 Update install, it will boot to the desktop.

    We've decided that we want all touch enabled devices to boot to the Start screen while all non-touch devices can go to the desktop by default. So here are the steps we implemented.

    First we run %DeployRoot%\Tools\OSDResults\IsTouchEnabled.exe and set a Task Sequence Variable we called IsTouchEnabled to True if it returns a 1 as the result. This task is run in Windows. Then, we reboot into PE and run the following three tasks.

    reg load HKU\Default %OSDisk%\Users\Default\ntuser.dat

    reg add HKU\Default\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage /v OpenAtLogon /t REG_DWORD /d 1 /f

    reg unload HKU\Default

    That's it. With those three items handled, we are ready to start deploying Surface Pro 3.

  • Hi Scott,

    Another great post!

    From a systems deployment perspective, we would love to see vendors (Microsoft, Lenovo, Dell, Samsung, etc.) standardize on one type of USB network adapter that is supported for PXE boot. Currently the alternative is to use a combination USB boot key + USB network adapter and swapping once booted into WinPE. Or having a bag full of USB network adapters for each device/vendor and the network adapter that is supported for PXE.


  • @wookie746. Thanks for the info you provided. That helps a lot. Let me try to explain a few of the items. The chart in has a column for supporting connected standby. The Surface Pro 3 falls into that 3rd category which is Supports Connected Standby=yes and screen size is >=8.5 so it does NOT by default display the power button on start screen. The image that ships with the Surface Pro 3 was modified though to show the power button. If you do a clean install of Windows you will not see the power button. I need to add a note in that article that the OEM image does have different behavior. As far as booting to desktop or start screen take a look at It outlines expected behavior. One issue I am tracking right now is that if you build your reference image on VM or other system that is not reporting PlatformRoleSlate and utilize CopyProfile when you deploy the image there are some scenarios where even on a Surface Pro 3 it might boot to desktop. Haven't worked out the exact repro steps though yet. Your info on setting the reg key for this though is a good workaround in the meantime.

  • @Scott McArthur[MSFT], thanks for the update. Evidently when doing my research and trying to pull the Power_Platform_Role from WMI, I confused that with win32_computersystem PCSystemType which is a 2, so I thought it was designated as PlatformRoleMobile. Do you know if there is a way to get the Power_Platform_Role from WMI?

    I think the reason I saw the boot to desktop behavior is as you outlined earlier. We captured our base wim with MDT and used CopyProfile.

    @hippman257, we've had great success using the "Satechi 3-Port Portable USB 3.0 Hub and Ethernet LAN Network Adapter for Windows, Mac, and Linux" that we got off Amazon to image the Surface Pro 3. Using fat32 SCCM/MDT boot media plugged into the adapter we are able to boot up and image while plugged into the network. No switching out devices required.

  • @Thanks - I appreciate the link to the combo Hub/NIC adapters, always good to be aware of good hardware alternatives. We've had good luck with the StarTech 1Gb units (SMC 7500 chipset).

    We just replaced our PXE boot server from 2003 to 2012 R2 so boot times are now ~30 seconds instead of several minutes

  • Anyone know how quickly will be updated with August updates. I would like to start deploying an image sooner than later and need this in the deployment?

  • It would be nice if you had a guide on how to do this with Configuration Manager 2012 R2 CU2..... (Without MDT)

  • here's how David, see below:-

    New Blog Post: How can I deploy Windows 8.1 to the Surface Pro 3 using CM 2012 R2 #sysctr #SurfacePro3 #awesome

  • David, you can, see this post >

  • It would be wise to note under Step #10 Procedure #5, if "Access Denied" error message occurs, use 'xcopy /e /y "File path of pen files" C:\mount\windows\system32\oobe\info\default\1033'


  • Here's a powershell script to automate setting up wds, mdt, adk, surface pro 3 drivers into a working lab -

  • VL Windows 8.1 Enterprise Update X64 ISO

    Where can I find this? Online somewhere or on the Surface itself?

  • Hi Scott,

    Thank you for a great post!
    I followed your guide and it's working great. There is just one thing I'm curious about. When i deploy Windows 8.1 it never shows the desktop during deployment. And I don't mean that it's showing the modern UI start menu that you can hide with "HideShell". It just shows the generic "performing settings for you" text, or "you can get new apps from store" (such as this etc etc. So I never see what is going on on the desktop while the PC's are being deployed. For troubleshooting this can be of interest for me.

  • Scott,

    We have been trying to get the surface pro 3 working with our SCCM environment for weeks now. Any chance we can get you to take look at our issue ? We have a ticket open with MS # 114120512130903

  • @Abdullah,

    We have got with the SCCM engineer and offered some suggestions. See if the updates listed in this article help at all

    3025419 Can't import drivers into System Center Configuration Manager

    Please continue to work with that engineer.