SurfaceHub Gen1 violation error at several devices

Caution: Use this procedure at your own risk. I’m not responsible for any failures or data loss that may occur.

We got our Surface Hub v1 working again. It took some back and forth with Microsoft because we were receiving errors running the recovery USB. After a while we found out the NVRAMTool.exe was being quarantined by our Antivirus. 

In my case this is basically what we dit to get our HUB working again:

1. Disconnect all cables except the power cable.
• Power-off using the rocker switch beside the power cable.
2. Remove the internal SSD.
3. Prepare USB #1 (“BOOTME”):
• Format a USB 2.0 stick as FAT32.
• Rename its volume label to BOOTME.
• Insert the BOOTME USB in the bottom USB port under the Microsoft logo.
• Power-on using the rocker switch beside the power cable.
• Retreive the automatically generated Manufacturing.bin from the USB after booting the HUB once.
4. Submit to Microsoft Support:
• Open a support ticket and upload that Manufacturing.bin.
• Provide the Hub’s serial number.
5. Receive & apply signed binary:
• When Microsoft sends back the signed .bin, copy it (no renaming) to the same BOOTME USB.
• You will also receive any additional information you need. (If not, ask at least for the instruction video).
6. Boot Hub to unlock:
• Insert the BOOTME USB.
• Power-on using the rocker switch beside the power cable.
• Wait for on-screen confirmation that the unlock completed. (it will go into manufacturing mode)
7. Reinsert SSD & initial boot:
• Shut down via the power rocker.
• Reinstall the SSD.
• Power on once—no need to fully load Windows—then shut down again.
8. Prepare USB #2 (“PPI-INSTALL”):
• Format a second USB 2.0 stick as FAT32.
• Rename it PPI-INSTALL.
• Copy the region-specific recovery files (provided by Microsoft Support) directly onto it.
9. Recovery USB boot:
• Remove the internal SSD again.
• Insert the PPI-INSTALL USB.
• Power on via the rocker switch.
• (If prompted, enter the serial number.)
10. Run the on-screen PowerShell steps exactly—deviating risks bricking the device.
11. Finalize & reboot:

• After recovery completes, reinstall the SSD.
• Power on.
• If asked, re-enter the serial number.

Watchouts:

• Make sure your antivirus isn’t quarantining NVRAMTool.exe.
• USB sticks must be USB 2.0 and FAT32-formatted.
• Recovery files are region-specific—use the set provided for your region.

MS is/has dropped the ball.  

I uploaded the required file and wait for days.

I have to ping them back asking for an update and they state we've uploaded the signed files.  WOULD HAVE BEEN NICE IF YOU NOTIFED ME YOU'VE DONE THAT.

I have to ping them back to asking now what do I do with the signed files?

They ping me back stating they have provided the download of scripts and a pdf with detailed steps.

SORRY MS there is NO Surface_Hub_v1_Recovery_Procedure_Customer_Steps.pdf anywhere

Now I have to ping them back for the .pdf

WHY ARE WE CHASING THEM.

YOU BROKE IT!!!!!!!!!

SO frustrating 

After opening a ticket and uploading the requested files how long is it taking MS to get back to people?  I uploaded two days ago and have not heard anything from MS as what is happening and what to do.... TICK, TICK, TICK my hubs are still bricks 

So how were your Surface Hub V1 devices repaired? BrunoK1874​ Please state a detailed description of the steps taken to repair the devices, so other people with the same issue can fix it too.

As of now there is still no official solution provided by Microsoft, considering that Microsoft themself actually broke the devices and caused this problem.

Is this link intended for use by everyone? And what steps should be taken after uploading the file?

Is this link intended for use by everyone? And what steps should be taken after uploading the file?

The solution provided by MS, with creating BIN file, get this signed, unlock system, update bios... is working for us. Already several Surface Hubs we did repair.  good job (finally ;-) )  MS

I'm seeing that MS is recommending leaving the hub in the state with red error "Invalid signature detected" while they work on a plan for recovery.  I see no other information on what to do to get out of this error other than what Adam posted above.  Anyone else hearing or seeing solutions?

Hi, I'm having the same problem of "Secure Booth Violation". Any fix yet that can be done? Thanks

This is what Microsoft gave to us.

For the Serial Issue:
I was told you can press the backspace button and then you can enter the s/n. (Not tested)
I had to get the BitLocker (Recovery) keys from Active Directory. 
Once you enter in the recovery key, the unit will work until it is rebooted.
It will go back into an errored state anytime the unit reboots but simply press the ESC on your external keyboard and it will boot back up without the recovery key.

edit I was just told the reason this happens is because were did not enter in the serial number but rather pressed ESC to enter the recovery key. Be sure to enter the Serial Number.

We have not identified a fix for the boot error. We currently have over 300 units effected.

Surface Hub v1 Boot Issue After June 2025 Windows Update (KB5060533)
[Last Updated: June 12, 2025]

We are currently investigating a known issue impacting Surface Hub v1 devices following the June 2025 “6B” Windows Update (KB5060533). After installing this update, some Surface Hub v1 units may no longer boot into Windows and display one of two error messages.

Affected Devices:

• Only Surface Hub v1 is affected.
• Surface Hub 2S and Surface Hub 3 are not impacted.

What You Might See

🔴 Secure Boot Violation (Red Screen)

You may encounter the following error message on boot:

Secure Boot Violation
Invalid signature detected. Check Secure Boot Policy in Setup

This is the primary error blocking startup of affected devices. It is caused by a Secure Boot DBX update included in the June “6B” cumulative update. The Surface and Windows engineering teams have identified this as a conflict between the update and the AMI BIOS used in Hub v1 devices. A fix is actively being developed.

🔵 Invalid Serial Number (Blue Screen)

Some customers may also see this message:

Invalid Serial Number
New Serial Number: [System Serial]

This is a separate issue and not directly related to Secure Boot, but may appear if the BIOS has been fully reset to defaults. In this case, you can re-enter the correct serial number for your device and it will proceed to boot to Bitlocker recovery. If the Bitlocker key is not available, SHRT can be used to re-image the device at that point.

To locate your Surface Hub v1 serial number, refer to the label underneath the power and volume control panel, as shown below:

What Microsoft Is Doing

• As of June 11, 2025, Microsoft has blocked the 6B update from installing on additional Surface Hub v1 devices.
• Engineering teams are developing a 6B update to prevent future DBX updates from being applied to Hub v1, while still allowing all other security patches through the end of Windows 10 support in October 2025.
• We are investigating recovery options for devices already affected and will share validated recovery instructions as soon as they are available.

What You Can Do Now

• If your device is displaying the red Secure Boot error, please retain the device in its current state. We will share step-by-step recovery instructions once a fix is confirmed.
• If you see the blue Invalid Serial Number screen, manually re-enter the serial number found on the label near the control buttons.
• Stay connected with your Microsoft representative for direct updates and we will also soon be releasing a Surface IT Pro Blog post around this issue.

We understand how critical Surface Hub is to your organization, and we are working urgently across engineering teams to resolve this issue. We appreciate your patience and partnership.

If you have questions or need to report affected devices, please reach out to your Microsoft support contact.