Surface Hub 2S with on-premise Exchange 2019 CU09: room account problems


This post follows this one:

Our 2 Surface Hub 2S have run well for several months now.

We had some intrusion attacks on our Exchange 2019 on-premise server at the end of February. Our IT provider restored the server to a previous safe state, installed CU09, and reimported all email databases.

I'm not sure if it's related to CU09, but since then, our Surface Hub 2S have had random losses of connection with the Exchange server. When I tried to check the device account, I got Sync status error 0x85010002.

On this help page: it says "The password must be updated."

I tried to change the passwords, without success. I wasn't able to update the device account in the settings.

I did several tests with one of them:

- USB-key reinstall of the Surface, with Windows 10 Team 2020 image, with all data deletion

- deleting the computer account in AD

- the room account worked well on a Windows 10 pro computer in Outlook app and Teams app

- start the Surface Hub, create a new computer account in AD, add the Domain-Admins group as administrator

- in the settings of the Surface Hub: complete apps update on Microsoft Store, and complete Windows update, Microsoft Teams configured as default communication app

- after a reboot, impossible to log in with the room account, as before the reinstall of the system

- I ran the Surface Hub diagnostic tool, and everything is fine, the room account test says "Your account was successfully contacted"

- on the Surface Hub, no problem logging in to Outlook webapp or Teams webapp via Microsoft Edge

- after several unsuccessful tests, I moved the room account to the default Users folder of AD, and after 20 minutes I was able to log in in the settings of the Surface with the room account: Exchange parameters autodetected, and SIP address also

- but after a reboot, impossible to open Teams, it showed a black rectangle in place of Teams. I closed the session several times and retried, same problem with Teams

- I moved again the room account in its default folder in AD, and after several dozens of minutes I was able to open the Teams app, and the meetings appeared on the Surface welcome screen, I thought that everything was good again!


Then began a strange thing: after several hours, I got this message again on welcome screen: "Appointments may be out of date (invalid credentials)". And after several hours, it disappears, then comes back again and so on. Sometimes we can click on the meetings on the welcome screen and it opens Teams successfully, and sometimes it does nothing.

If I go again in the settings, in the device account settings, I can see sync status error 0x85010002, I can click on Sync button, then it says "Account is up to date", but if I close the session and go back to the welcome screen, nothing has changed, we go back to the problem of invalid credentials and normal status in loop. If I try to go in the device account settings and click on "change" to reenter the email address and the password, it always refuses these credentials with different error codes (0x801131537 or 0x80070057 or others). But these credentials work well when I test with a Windows PC with Outlook and Teams apps or webapps.

I also tried to create an OU in AD for the room accounts with GPO inheritance deactivated, but it doesn't change anything.

6 Replies

This requires log analysis and therefore, please open a support ticket to resolve this.

Thank you,

Thank you, we will open a ticket in the next days.

Hello, with the help of a Microsoft ticket, we resolved the problem.
With our on-premise servers, modern authentication was not possible, but modern authentication was forced by a Windows Update at the beginning of February.

We installed the package ExchangeModernAuthDisabled.ppkg and all works again!

I am facing the same issue you got. Let me describe what I understand and correct me:
- ModernAuthentication is forced on Surface Hub and needs to be disabled?
- No way to apply ModernAuthentication on on-premise server?
- Can you advise on the steps to assign on-premise device account? Normally I add the DomainName\[email address removed for privacy reasons]. By doing this, I am getting the error you mentioned.

Hello @Abdul_Mohammed 


I don't manage the on-premise servers, it's done by another company.

I only configure the client side with their help.


When I configure a Surface Hub, in the settings/account, I just enter the email address and password of the Surface account.

Thanks @Joel_S, your detailed description of the issue was helpful. It works now. To connect Surface Hub to on-premises, I needed to disable Modern Authentication on Surface Hub and assign the device account in the format "Domain\username".