Mode Accounts

There are four different types of user accounts that might exist on a Microsoft Surface software installation:

  • The built-in Windows administrator account ("Administrator"). By default, this account is disabled, and you should not use it.

  • Accounts that are members of the local Administrators group. When a member of this group logs on, the system automatically switches to Windows mode. Make sure that all administrators and developers who will be working with Surface are members of this group.

  • The Surface mode account. This account is used by the Enter Surface Mode shortcut to log on in Surface mode. By default, SurfaceDefaultUser is the Surface mode account, but you can change this default by using the SurfUser tool. You can assign any non-administrator account as the Surface mode account.

  • Other accounts. This group includes all accounts that are not members of the Administrators group and not Surface mode accounts. Although you can create such accounts, be aware that the Surface software does not support interactive logon by using these accounts. If you try to log on by using an account that is not a member of the Administrators group and is not a Surface mode account, Surface functionality may be limited, but the account will behave like a normal Windows account.

The rest of this topic includes:

Windows Mode Administrator Account

You can log on to Surface as an administrator by using the administrator account that you created when you first logged on to the device made for Surface or by using an account that is a member of the Administrators group.

You should not use the built-in Windows "Administrator" account (which is disabled by default on all Surface installations) because is it less secure than the administrator account that you created when you first logged on the device.

Surface Mode Account

Every device made for Surface with factory-installed Surface software includes a preconfigured Surface account, with the assigned user name "SurfaceDefaultUser" and a unique, auto-generated, cryptographically strong password. The Surface software uses this Surface mode account to automatically log on to Surface mode. You can use the preconfigured SurfaceDefaultUser account without any changes.

You must not change the SurfaceDefaultUser account name or delete this account, even if you do not use this account.

You can also use an existing user account (local or domain-based) as the Surface mode account instead of using the SurfaceDefaultUser account. The Surface mode account must not be a member of the Administrators group. You can use the Windows 7 tools, such as User Accounts or the Active Directory Users and Computers snap-in, to create or modify local or domain-based user accounts that you want to use as Surface mode accounts. However, you must also run the SurfUser tool that is included with all Surface installations to designate a user account as the current Surface mode account and to assign that account's password to the registry. Specifically, the SurfUser assign command enables you to designate a different Surface mode account.

By default, the preconfigured user account (SurfaceDefaultUser) is designated as the current Surface mode account. You can change the SurfaceDefaultUser account password, but you must not change the SurfaceDefaultUser account user name or delete the SurfaceDefaultUser account, even if you do not use this account.

To change a Surface mode account password (including the password for SurfaceDefaultUser), you can use the Windows User Accounts tool or the Net User command (in an elevated Command Prompt window). However, after you change the password, you must use the SurfUser tool to update the password in the registry. If you do not, Surface mode will not work.

The SurfUser tool assigns or updates the Surface mode account and its password and then assigns that password to the registry so that the auto logon process can run without error.

You might need to use the SurfUser tool in the following situations:

  • Your company's security policies require that you change default passwords or that you change all passwords periodically.

  • You want to log on to Surface by using the SurfaceDefaultUser account to troubleshoot an application and you need to know the password.

  • You want to run Microsoft Surface in Surface mode by using a domain account (for example, to enable a Surface application to access protected network resources).

  • You have created a Surface image and deployed that image to one or multiple devices made for Surface on a network. (If you create an image by using the Windows System Preparation Tool [sysprep], the user password cannot be decrypted, so you must create a new password.)

For more information about how to use SurfUser, see SurfUser Tool.

Did you find this information useful? Please send us your suggestions and comments.

© 2011 Microsoft Corporation. All rights reserved.