Use Surface MSIs to deploy driver and firmware updates

In 2015, I had the privilege of attending the Microsoft Ignite conference on the Gold Coast. While I loaded up my schedule with plenty of sessions on Azure and Office 365, I also made sure to attend as many Surface-centric events as possible, and I managed to get to quite a few. One of the biggest take-aways from the event was two-fold: how insistent some of the Microsoft people were that Surface devices always get and run the most up-to-date drivers and firmware possible, and how those updates should be deployed via the Surface Driver/Firmware installers instead of relying on solutions such as Microsoft Update.

In case you were unaware, Microsoft has the following sites for Surface admins:

  1. The Download drivers and firmware for Surface page is the place to go, to get the download links for each specific Surface device. This page may take a little while to add recently-released devices – for example, it doesn’t have an entry for the Surface Go – but it does have links for everything else, right back to the first generation Surface Pro.
  2. For each of the Surface devices listed above, there is an always-available link you can bookmark to get back to the device you want. For example, here’s the direct link to the new Surface Pro. Save the link, and check back often, as Microsoft constantly updates the drivers and firmware, and some of them can make a massive difference to the performance, reliability, or battery life of the device. These links also tend to include downloads for model-specific tools, as well as versions for multiple Windows 10 versions… so also make sure you get the version that matches your Windows build.
  3. The Surface update history page is the place to go to check out what has recently changed across Surface driver/firmware updates. Importantly, each installer (MSI) is cumulative, so while there may only be a single driver or firmware update, each MSI will contain all the latest updates to build/update a device from scratch. The history pages also come in very handy when attempting to deploy these updates via ConfigMgr, as you’ll need a detection method, and a PowerShell detection method that looks for the latest update’s component version is a perfect way to handle that. If you’d like to know more about that, let me know and I’ll post it to the ConfigMgr channel.
  4. The Surface Tools for IT page is the place to go to get Data Eraser, UEFI Configurator, Deployment Accelerator, and Surface Dock Updater downloads. Definitely bookmark this page, if only to ensure that you have the latest Surface Dock firmware installed, which can make a huge difference to performance and compatibility… but it does take some time to update, and needs to be done on each dock individually.
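
The detection method mentioned in item 3, sketched as an added example (not the author's script or Microsoft's): a ConfigMgr script detection method in PowerShell that compares the installed Surface System Aggregator (SSA) version against the 233.2111.256.0 value this post records after the February/March MSI. The device-name pattern and the variable names are assumptions; confirm the name in Device Manager on a reference device.

```powershell
# Added example: ConfigMgr script detection method for a Surface driver/firmware MSI.
# ConfigMgr reads the result as follows:
#   exit code 0 + any STDOUT text -> application detected
#   exit code 0 + no STDOUT text  -> application not detected

# Assumption: name pattern of the component as listed in Device Manager.
$DeviceNamePattern = '*Surface System Aggregator*'

# SSA version recorded in this post after installing
# SurfacePro_WIFI_Win10_16299_1802107_6.msi.
$ExpectedVersion = [version]'233.2111.256.0'

# $false: any version at or above the expected one counts as detected.
# $true : only the MSI's exact version counts, so a newer, out-of-sync
#         version (such as the 234.2110.770.0 this post saw delivered by
#         Windows Update) is reported as not detected.
$RequireExactMatch = $false

# Win32_PnPSignedDriver exposes DeviceName and DriverVersion for PnP
# devices, including firmware devices that have a driver package.
$driver = Get-CimInstance -ClassName Win32_PnPSignedDriver -ErrorAction SilentlyContinue |
    Where-Object { $_.DeviceName -like $DeviceNamePattern -and $_.DriverVersion } |
    Sort-Object -Property { [version]$_.DriverVersion } -Descending |
    Select-Object -First 1

# Component not found: stay silent so ConfigMgr treats it as not detected.
if (-not $driver) { exit 0 }

$installed = [version]$driver.DriverVersion

if ($RequireExactMatch) {
    $compliant = ($installed -eq $ExpectedVersion)
} else {
    $compliant = ($installed -ge $ExpectedVersion)
}

# Only write to STDOUT when the expected version is present.
if ($compliant) {
    Write-Output "Detected: $($driver.DeviceName) $installed"
}
exit 0
```

When a newer MSI is published, update `$ExpectedVersion` from the Surface update history page so the detection tracks the component version that release changes.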

Bookmark these links, and check them at least monthly, and you’ll find that you can keep your Surface fleet performing at its peak. But please, don’t just assume that Microsoft Update will do all this work for you, as it is quite common for certain updates to not be made available, and running an out-of-sync driver set has been known to significantly impact performance and reliability… even cause BSODs if you’re unlucky.

And to prove my point, here’s a little test I performed: I decided to unbox two new Surface Pro (2017) devices, perform some updates, and see what the difference is between Windows Update and the Surface MSIs. In the list below, I’ll focus on the Display driver, the Wireless driver, and the core Firmware. The items in particular, and the abbreviations used, are:

  • SISH = Surface Integrated Sensor Hub firmware version
  • SME = Surface Management Engine (Intel Management Engine)
  • SSA = Surface System Aggregator firmware driver
  • ST = Surface Touch firmware version
  • Video = Intel Integrated HD/Iris Graphics driver version
  • WLAN = Marvell AVASTAR Wireless-AC driver version

While I could have included other drivers and firmware, these are the main components being updated, and were all I needed to illustrate my point. So here we go:

  1. Here we have an as-is delivered Surface Pro (new). The device ships with Windows 10 Pro v1703 (15063.332) installed. Looking at the key drivers and firmware, you’ll note that everything is v1.0 out of the box.
    –    SISH:  (01/11/2016)
    –    SME:  (01/11/2016)
    –    SSA:   (01/11/2016)
    –    ST:     (01/11/2016)
    –    Video: (21/03/2017)
    –    WLAN:        15.68.9114.29 (09/02/2017)
  2. As you might all know, nothing is ever perfect out of the box, and day 1 patches are definitely a thing. Now, to give this device the best chance of finding updates, and to avoid any expired update issues, I performed a 1709 in-place upgrade on the device, which took the Surface to Windows 10 Education v1709 (16299.15). Oh, and by the way, Windows doesn’t include in-box drivers for Surface devices, so take a look at what I ended up with.
    –    SISH:  (01/11/2016)
    –    SME:  (01/11/2016)
    –    SSA:   (01/11/2016)
    –    ST:     (01/11/2016)
    –    Video: (21/03/2017)
    –    WLAN:        15.68.9114.29 (09/02/2017)
  3. Now, obviously v1.0 drivers will not do, as I am sure most of you likely remember the issues with the launch of the Surface Pro 4 and Surface Book due to Intel Skylake, so let’s feed this device the older drivers first, just to see what changes. Here, without any other changes, I installed the “SurfacePro_Win10_16299_1710007_0.msi” from December/January, then rebooted. Now that looks a lot better.
    –    SISH: (01/11/2016)
    –    SME: (01/11/2016)
    –    SSA:           233.1763.257.0 (03/07/2017)
    –    ST:    (18/05/2017)
    –    Video: (25/07/2017)
    –    WLAN:      15.68.9120.47 (24/08/2017)
  4. But that’s not all: at the time of this test, there was a newer installer available. So to track the changes, I proceeded to install the “SurfacePro_WIFI_Win10_16299_1802107_6.msi” update from February/March and restarted. Now we’re looking better, and this includes the required TPM updates and mitigation for Spectre and Meltdown as well. Nice.
    –    SISH:          56.495.10.0 (17/02/2017)
    –    SME:  (30/03/2017)
    –    SSA:            233.2111.256.0 (31/08/2018)
    –    ST:     (18/05/2017)
    –    Video: (25/07/2017)
    –    WLAN:       15.68.9120.47 (24/08/2017)
  5. To date, we’ve not let this device check in with Microsoft Update at all, and have relied solely on default, in-box, and Surface driver MSIs to perform updates. This just works. But surely, I hear you protest, Microsoft’s own Update mechanism should be able to manage Surface updates the same, right? Well I tested that too, on a completely different device, and I present to you the “fully compliant and updated” Surface Pro using Windows Update:
    –    SISH:  (12/09/2017)
    –    SME:  (12/09/2017)
    –    SSA:            234.2110.770.0 (reporting as from 12/09/2017 in Device Manager)
    –    ST:     (12/09/2017)
    –    Video: (23/09/2017)
    –    WLAN:        15.68.9120.47 (24/08/2017)

    But wait, you say, that is a complete mess, right? Indeed. Not only are some of the drivers newer and out of sync with the validated MSI versions, but many of the firmware items are seemingly stuck at v1.0.0.1 and aren’t reporting correctly. Moreover, there appears to be a crazy issue with the Surface System Aggregator (SSA) version, where it is way newer and yet not reporting correctly in Device Manager. And yes, that’s a problem. In fact, after this configuration was applied by Windows Update, there were all sorts of performance issues on this device, which almost made it unusable.

    The concerning part, however, is that the 234.2110.770.0 firmware that applied is part of the TPM bypass KB article, which says the new Surface Pro 5 is unaffected. And if you attempt to find this update via the Windows Update Catalog, you can’t: the update only exists for the affected Surface Pro 3, Surface Pro 4, Surface Studio, and Surface Book. Somehow, this device must have received an update that was later pulled by Microsoft, and this has seemingly caused huge issues with the device that can’t be undone. Case in point: this is why you probably shouldn’t trust Windows Update, and should deploy the drivers and firmware via MSIs.

Thank you for your time, and I hope this is useful.
