Sounds great. Deployment options? What mobile management system do you use?
Also, when you receive a new device, do you wipe it and reload only the needed OS and software?
These are two of our biggest questions so far. We reload all new devices but that takes a lot of time.
If you are going to be deploying a large number of Surface devices, I would walk away from traditional IT deployment schemes... Our IT department, despite my Technology Strategy Team's recommendations, went old school and created traditional "fat" images, blew away the OS and put the corporate image on them. It was a disaster...
I would recommend doing provisioning vs. imaging. We use EMS with Config Manager integration now. The idea with provisioning is having the devices join Azure AD rather than on-prem AD and using Intune to push needed software. We can actually allow end users to set up their own devices OOB.
Also, one thing to be aware of is that legacy GPO policies tend to break Windows Hello.