Microsoft Surface Pro 3

From ArchWiki

This article or section needs language, wiki syntax or style improvements. See Help:Style for reference.

This article or section does not follow the Laptop page guidelines.

Reason: Missing some sections. This page also duplicates content of other wiki pages (sections are already flagged with Template:Merge) (Discuss in Talk:Microsoft Surface Pro 3)
Hardware PCI/USB ID Working?
GPU 8086:0a16 Yes
Wi-Fi 11ab:2b38 Yes
Bluetooth 1286:204b Yes
Webcam (front) 045e:07be Yes
Webcam (rear) 045e:07bf Yes
Warning: The warranty of the device is only valid if the OEM image of Windows is still present. A dual boot, however, will not invalidate the warranty as explained here.

This page aims to document all relevant information on getting Arch Linux working on the Microsoft Surface Pro 3 tablet.

Booting into the installer

To boot from USB, you will need to instruct the tablet to boot from USB or SD Card. Also, you may want to avoid disabling Secure Boot as this will cause each boot to display an ugly bright red background intentionally clashing with the "Surface" splash logo.

There are three types of boots in the Surface Pro 3 explained here:

  1. Normal mode
    1. Just leave the computer go. You can change it from "Alternate Boot order" in the UEFI Setup
  2. Boot into the UEFI Setup
    1. With the device powered off (or rebooting, but better play safe)
    2. Press & hold Volume up
    3. Press power button
    4. Wait until the surface logo appears
    5. Release Volume up
    6. You will be presented with the UEFI Setup Menu
  3. Boot into the USB/SD card
    1. Power off the device
    2. Press & hold Volume down
    3. Press power button
    4. Wait until the surface logo appears
    5. Release Volume down

Disable Secure Boot

Note: This will cause a red background before the logo when booting.
Warning: If your drive is BitLocker encrypted, you might lose access to its data if you disable secure boot, even if you later re-enable it, unless you backup your recovery key or suspend the protection before disabling secure boot.

Boot into the UEFI setup, and select Secure Boot Control > Disable. Now continue with the installation. See the Microsoft steps for more information.

Boot with Secure Boot

See Secure Boot.


This article or section is a candidate for merging with UEFI#Secure Boot.

Notes: These steps are on how to support Secure Boot for Arch Linux, need to try it in a regular computer. (Discuss in Talk:Microsoft Surface Pro 3)

I have done the installation with systemd's bootctl Systemd-boot (old Gummiboot). After completing the Installation guide, you should do two more things. Booting in Secure Boot will not work for the new installation, as the vmlinuz has not been registered within its loader.

The easiest way is to do all the setup is the following, just before rebooting:

  1. Exit from the chroot but do not umount anything
  2. Move /mnt/boot/EFI/boot/bootx64.efi to /mnt/boot/EFI/boot/loader.efi
  3. Copy /boot/EFI/boot/bootx64.efi and HashTool.efi to /mnt/boot/EFI/boot/

(If you are unable to find HashTool in /boot, try in /usr/run)

Here, we have enabled Preloader to boot our gummiboot loader, and if it detects that something has not been signed, it will boot the HashTool.efi to sign the vmlinuz-image binary.

The idea is, we take the systemd bootloader and make it the one that PreLoader will boot (the one in its same folder, named loader.efi). Then, we copy both the PreLoader (which is the archiso's bootx64.efi) and the HashTool (already with that name).

This way, with Secure Boot enabled, you will be able to boot your kernel whenever you wish to, signed or not, repeating the hash storing procedure on the next boot.

Extra steps

Enabling Touchpad

Ref: GitHub In order to enable full functionality of the touchpad (e.g. two-finger scrolling, right click), you need to Install the xf86-input-synaptics package, have the kernel patch applied as well as add the following to /etc/X11/xorg.conf.d/10-multitouch.conf:

Section "InputClass"
  Identifier "Default clickpad buttons"
  MatchDriver "synaptics"
  Option "ClickPad" "true"
  Option "SoftButtonAreas" "50% 0 82% 0 0 0 0 0"
  Option "SecondarySoftButtonAreas" "58% 0 0 15% 42% 58% 0 15%"

Tuning the Pen

The pen buttons might not work out of the box. Install the xf86-input-wacom package and comment the MatchIsTablet section in /usr/share/X11/xorg.conf.d/10-evdev.conf. Furthermore add 1B96:1B05 Pen in the MatchProduct line of N-Trig in /usr/share/X11/xorg.conf.d/50-wacom.conf. Note that the purple bluetooth button is recognized but able to be bound to an action. Ref:Reddit

Virtual Keyboard

Depending on the desktop environment you are using, you might want to use different virtual keyboard. onboard provides a reliable and comfortable experience. A guide for optical tweaking is provided here. If you are using GNOME, these two extension (1, 2) provide a better integration.

Booting with Secure Boot Enabled

This article or section is a candidate for merging with Secure Boot.

Notes: This duplicates parts of the page as some of this is not really specific to the device. (Discuss in Talk:Microsoft Surface Pro 3)

The recommended bootloader for UEFI with Secure Boot enabled is systemd-boot

To boot with Secure Boot, you will need the following packages: efibootmgr efitools

See Surface Pro 3 and Secure Boot post-install

Copy /boot/EFI/systemd/systemd-bootx64.efi to /boot/EFI/systemd/loader.EFI. Copy /usr/lib/prebootloader/HashTool.efi and /usr/lib/prebootloader/PreLoader.efi to /boot/EFI/systemd/. Create an NVRAM entry for PreLoader.efi:

 efibootmgr -d /dev/sdX -p Y -c -L Preloader -l /EFI/systemd/PreLoader.efi

Verify the entry was made and that it is first in the boot order:


Enrolling your kernel in the bootloader: Secure Boot Enroll HashTool.efi and vmlinuz-linux, and then reboot to system. You should now be able to boot with Secure Boot enabled.

  • Since PreLoader.efi is the default boot option per efibootmgr, if you change the kernel you will be presented with PreLoader to enroll the new kernel with HashTool again
  • Ensure that you add the entry in /boot/loader/entries/ so that you are presented the option to boot with the new kernel

Enabling Wi-Fi and Bluetooth

The package linux-firmware-marvell is required for the Wi-Fi and Bluetooth since the linux-firmware 20220119 update.


The appearance of the BIOS is pretty simple and not very colorful, so it might work well with OCR software.

The BIOS can be configured with a keyboard, mouse, or using the touch screen.


Invalid signature detected check secure boot policy in setup

This happened to me after deleting the Secure Boot database and initializing it with Microsoft & CAs. I also had to do the recovery of the BitLocker partition, but I would follow these steps:

  1. After the reset, switch off and try to boot from the SD/USB. If you do not succeed and get the message many times:
    1. Leaving all TPM & Secure Boot enabled and SSD Only alternate system order
    2. Do another database reset
    3. Enroll the Microsoft and CAs again
    4. reboot into SD/USB with volume down
    5. It should work now
  2. Follow steps in the Secure Boot installation
  3. After the full installation of Arch Linux, when you have it working, do the BitLocker recovery

If after doing these steps does not still work. Flash the Archiso image once more and try again,

Keyboard Cover not working

This can happen sometimes when you restart. The solution was to shutdown and reboot. (not restart)

Pen/Touchscreen issues in Xournal

When using the xf86-input-wacom package there is a bug in the last official release of xournalAUR (0.48.2) where it will incorrectly detect the Surface Pen as the touchscreen device. However it has been fixed in the latest Xournal source as per this bug. Installing the AUR package xournal-gitAUR builds the latest source including this fix. Note that you will need to select 'NTRG0001:01 1B96:1B05' as the touchscreen device (Options > Pen and Touch).