Surface Pro and Surface Pro 2 systems currently do not include the Microsoft UEFI Certification Authority certificate in the system UEFI Secure Boot database. If present, this certificate would be in the Allowed Database, enabling the execution of 3rd party UEFI applications and drivers that have been signed by the Microsoft UEFI CA.

The Microsoft Surface Pro UEFI CA OEM PK Tool bundled with this release enables the addition of the Microsoft UEFI Certification Authority certificate to the db. This tool is intended for use by IT professionals and advanced users who require the execution of 3rd party UEFI applications and drivers on a Secure Boot enabled system. Users of the tool should be familiar with the concepts of UEFI, Secure Boot, and BitLocker.

Go here.