From 9b533a657bb9c3967117e21ec3e396b0972999a6 Mon Sep 17 00:00:00 2001 From: martyav Date: Tue, 7 May 2019 16:22:10 -0400 Subject: [PATCH 01/12] first draft of bitlocker-recovery-loop-break.md --- .../bitlocker-recovery-loop-break.md | 43 +++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md new file mode 100644 index 0000000000..37f3081e63 --- /dev/null +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md 
@@ -0,0 +1,43 @@ +--- +title: Breaking out of a Bitlocker recovery loop +description: This topic for IT professionals describes how to break out of a Bitlocker recovery loop. +ms.assetid: #c40f87ac-17d3-47b2-afc6-6c641f72ecee +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: #medium +ms.author: v-maave +author: martyav +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.date: 05/07/2019 +--- + +# Breaking out of a Bitlocker recovery loop + +Sometimes, when you attempt to perform a Bitlocker recovery, you can get stuck in a loop where you are repeatedly prompted to enter your recovery key. The key may be correct, yet you are unable to boot into your operating system, no matter what. + +If you have entered your key several times and are unable to break out of the recovery loop by successfully booting into your operating system, you can break the loop with the following steps. + +## Alternate recovery steps + +Only try these steps after you have restarted your device at least once. + +1. On the initial recovery screen, do not enter your recovery key. Select '''Skip this drive'''. + +2. On the next screen, select '''Troubleshoot'''. + +3. On the Troubleshoot screen, select '''Advanced options'''. + +4. On the Advanced options screen, select '''Command prompt'''. + +5. At the WinRE command prompt, you need to manually run an unlock command with your recovery password: `manage-bde.exe -unlock C: -rp ` + +6. After running this command, suspend operating system drive protection: `manage-bde.exe -protectors -disable C:` + +7. Once this is run, you can safely exit and continue booting. + +After you exit the command prompt in step 7, you will be able to boot into your operating system. \ No newline at end of file From ea83ccbf448ff18cccf48053e4eda39d4f65d6d8 Mon Sep 17 00:00:00 2001 
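Review bot: step 5's command `manage-bde.exe -unlock C: -rp ` ends after `-rp` with no argument; `-rp` (`-RecoveryPassword`) takes the 48-digit numerical recovery password, so a reader who copies the line as written gets a usage error instead of an unlocked drive. Add an explicit placeholder, e.g. `manage-bde.exe -unlock C: -rp <48-digit recovery password>`, and say it must be replaced. Two further problems in this hunk: in the front matter, `ms.assetid: #c40f87ac-17d3-47b2-afc6-6c641f72ecee` and `ms.localizationpriority: #medium` put a `#` after the colon, which YAML treats as the start of a comment, so both keys parse as empty; drop the `#`. And step 6 disables the protectors on the OS volume, but nothing afterwards tells the reader to confirm protection resumed once the machine boots (`manage-bde.exe -status C:`) or to turn it back on (`manage-bde.exe -protectors -enable C:`); while protectors are suspended the volume key is stored unprotected on disk, so the procedure needs a closing verify-and-re-enable step.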
From: martyav Date: Tue, 7 May 2019 16:40:39 -0400 Subject: [PATCH 02/12] corrected bold formatting --- .../bitlocker/bitlocker-recovery-loop-break.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md index 37f3081e63..c32392f01c 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md 
@@ -20,24 +20,24 @@ ms.date: 05/07/2019 Sometimes, when you attempt to perform a Bitlocker recovery, you can get stuck in a loop where you are repeatedly prompted to enter your recovery key. The key may be correct, yet you are unable to boot into your operating system, no matter what. -If you have entered your key several times and are unable to break out of the recovery loop by successfully booting into your operating system, you can break the loop with the following steps. +If you have entered your key several times and are unable to break out of the recovery loop by successfully booting into your operating system, try the following steps. ## Alternate recovery steps Only try these steps after you have restarted your device at least once. -1. On the initial recovery screen, do not enter your recovery key. Select '''Skip this drive'''. +1. On the initial recovery screen, do not enter your recovery key. Select **Skip this drive**. -2. On the next screen, select '''Troubleshoot'''. +2. On the next screen, select **Troubleshoot**. -3. On the Troubleshoot screen, select '''Advanced options'''. +3. On the Troubleshoot screen, select **Advanced options**. -4. On the Advanced options screen, select '''Command prompt'''. +4. On the Advanced options screen, select **Command prompt**. 5. At the WinRE command prompt, you need to manually run an unlock command with your recovery password: `manage-bde.exe -unlock C: -rp ` 6. After running this command, suspend operating system drive protection: `manage-bde.exe -protectors -disable C:` -7. Once this is run, you can safely exit and continue booting. +7. Once this is run, you can safely exit the command prompt and continue booting. After you exit the command prompt in step 7, you will be able to boot into your operating system. \ No newline at end of file From cc91e5327f72fe5ec3adad1256d7fe979b4a386d Mon Sep 17 00:00:00 2001 
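Review bot: the `'''Skip this drive'''` to `**Skip this drive**` change is right (triple quotes are wiki markup, not Markdown), but the product name is still written `Bitlocker` in the title, heading and body lines of this hunk; the product is `BitLocker`. The rewritten step 7 ("you can safely exit the command prompt and continue booting") and the unchanged closing line ("After you exit the command prompt in step 7, you will be able to boot into your operating system") now say the same thing twice; fold the closing line into step 7 so the page stops hard-coding a step number that any later edit to the list will break.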
From: martyav Date: Tue, 7 May 2019 17:14:45 -0400 Subject: [PATCH 03/12] refining text --- .../bitlocker-recovery-loop-break.md | 25 ++++++++++++------- 1 file changed, 16 insertions(+), 9 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md index c32392f01c..24346a5691 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md 
@@ -18,26 +18,33 @@ ms.date: 05/07/2019 # Breaking out of a Bitlocker recovery loop -Sometimes, when you attempt to perform a Bitlocker recovery, you can get stuck in a loop where you are repeatedly prompted to enter your recovery key. The key may be correct, yet you are unable to boot into your operating system, no matter what. +Sometimes, you can get stuck in a loop where you are repeatedly prompted to enter your Bitlocker recovery key. This can be very frustrating. -If you have entered your key several times and are unable to break out of the recovery loop by successfully booting into your operating system, try the following steps. +If you've entered the correct recovery key multiple times, follow these steps to break out of the loop. -## Alternate recovery steps +> [!NOTE] +> Only try these steps after you have restarted your device at least once. -Only try these steps after you have restarted your device at least once. +1. On the initial recovery screen, don't enter your recovery key. Instead, select **Skip this drive**. -1. On the initial recovery screen, do not enter your recovery key. Select **Skip this drive**. +![](placeholder-1.png) 2. On the next screen, select **Troubleshoot**. + +![](placeholder-2.png) 3. On the Troubleshoot screen, select **Advanced options**. +![](placeholder-3.png) + 4. On the Advanced options screen, select **Command prompt**. -5. At the WinRE command prompt, you need to manually run an unlock command with your recovery password: `manage-bde.exe -unlock C: -rp ` +![](placeholder-4.png) -6. After running this command, suspend operating system drive protection: `manage-bde.exe -protectors -disable C:` +5. From the WinRE command prompt, manually unlock your drive: `manage-bde.exe -unlock C: -rp ` -7. Once this is run, you can safely exit the command prompt and continue booting. +6. 
Next, suspend operating system drive protection: `manage-bde.exe -protectors -disable C:` -After you exit the command prompt in step 7, you will be able to boot into your operating system. \ No newline at end of file +7. Once the last command is run, you can safely exit the command prompt and continue booting. + +After you exit the command prompt in step 7, you will be able to successfully boot into your operating system. \ No newline at end of file From 5ababbcc684705f1e1f4f33eecd07f11ecef5752 Mon Sep 17 00:00:00 2001 From: Jeremiah Cox <17728431+out0xb2@users.noreply.github.com> Date: Tue, 22 Oct 2019 17:01:53 -0700 Subject: [PATCH 04/12] Adding link to the DFCI Spec & OEM onboarding doc --- windows/client-management/mdm/uefi-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/uefi-csp.md b/windows/client-management/mdm/uefi-csp.md index ff3e25edce..c7ba05c493 100644 --- a/windows/client-management/mdm/uefi-csp.md +++ b/windows/client-management/mdm/uefi-csp.md @@ -20,7 +20,7 @@ The UEFI configuration service provider (CSP) interfaces to UEFI's Device Firmwa > The UEFI CSP version published in Windows 10, version 1803 is replaced with this one (version 1809). > [!NOTE] -> The production UEFI CSP is present in 1809, but it depends upon the Device Firmware Configuration Interface (DFCI) and UEFI firmware to comply with this interface. The specification for this interface and compatible firmware is not yet available. +> The production UEFI CSP is present in 1809, but it depends upon the [Device Firmware Configuration Interface (DFCI) and UEFI firmware](https://microsoft.github.io/mu/dyn/mu_plus/DfciPkg/Docs/Dfci_Feature/) to comply with this interface. The following diagram shows the UEFI CSP in tree format. From 603b0e7cc806fb03fb214ddda809ce6baa47ec23 Mon Sep 17 00:00:00 2001 
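Review bot: the four `![](placeholder-1.png)` … `![](placeholder-4.png)` lines are inserted at column 0 between numbered items with empty alt text. Unindented content between list items terminates the list in Markdown, so the numbering restarts at each image, and empty alt text leaves screen-reader users with nothing. Either indent the images under their steps and give them alt text, or leave them out until real screenshots exist; the diffstat shows only the `.md` file changed, so the placeholder files themselves are not in this patch. The hunk also removes the `## Alternate recovery steps` heading while adding "This can be very frustrating." to the intro; the heading helped skimming and the new sentence carries no information, so consider reversing both.

Review bot: the subject says the commit adds links to "the DFCI Spec & OEM onboarding doc", but the hunk adds one link (to `Dfci_Feature/`); either add the onboarding link or narrow the subject. The deleted sentence "The specification for this interface and compatible firmware is not yet available." is removed without a replacement, so the note no longer says whether compatible firmware exists; and the link text wraps "and UEFI firmware" as well, where linking only "Device Firmware Configuration Interface (DFCI)" would match the URL path, which points at the DFCI feature documentation.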
From: Jeremiah Cox Date: Wed, 23 Oct 2019 07:17:43 -0700 Subject: [PATCH 05/12] Making Acrolynx happy(ier)... fix typo and spacing --- windows/client-management/mdm/uefi-csp.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/client-management/mdm/uefi-csp.md b/windows/client-management/mdm/uefi-csp.md index c7ba05c493..e620185a9d 100644 --- a/windows/client-management/mdm/uefi-csp.md +++ b/windows/client-management/mdm/uefi-csp.md @@ -70,7 +70,7 @@ Apply a permissions information package to UEFI. Input is the signed package in Value type is Base64. Supported operation is Replace. **Permissions/Result** -Retrieves the binary result package of the previous Permissions/Apply operation. This binary package contains XML describing the action taken for each individual permission. +Retrieves the binary result package of the previous Permissions/Apply operation. This binary package contains XML describing the action taken for each individual permission. Supported operation is Get. 
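Review bot: the only change in this hunk is a double space before "Supported operation is Get." collapsed to one, which is fine. While the Permissions/Apply context line is in view: "base64 encoded format" should be hyphenated as "base64-encoded", and it sits two lines above "Value type is Base64", so settle on one spelling of base64/Base64 for the page.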
@@ -109,17 +109,17 @@ Supported operation is Get. Node for settings permission operations. Alternate endpoint for sending a second permission package without an OS restart. **Permissions2/Apply** -Apply a permissions information package to UEFI. Input is the signed package in base64 encoded format. Alternate location for sending two permissions information packages in the same session. +Apply a permissions information package to UEFI. Input is the signed package in base64 encoded format. Alternate location for sending two permissions information packages in the same session. Value type is Base64. Supported operation is Replace. **Permissions2/Result** -Retrieves the binary result package from the previous Permissions2/Apply operation. This binary package contains XML describing the action taken for each individual permission. +Retrieves the binary result package from the previous Permissions2/Apply operation. This binary package contains XML describing the action taken for each individual permission. Supported operation is Get. **Settings2** -Nodefor device settings operations. Alternate endpoint for sending a second settings package without an OS restart. +Node for device settings operations. Alternate endpoint for sending a second settings package without an OS restart. **Settings2/Apply** Apply a settings information package to UEFI. Input is the signed package in base64 encoded format. Alternate location for sending two settings information packages in the same session. From cbbd2b6f9a77bac24bacabfc6831b99cab33137a Mon Sep 17 00:00:00 2001 From: Marty Hernandez Avedon Date: Tue, 29 Oct 2019 16:36:01 -0400 Subject: [PATCH 06/12] removed placeholders --- .../bitlocker/bitlocker-recovery-loop-break.md | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) 
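Review bot: the `Nodefor` → `Node for` fix is correct. In the same hunk the Permissions2/Result line reads "Retrieves the binary result package from the previous Permissions2/Apply operation" while the Permissions/Result line in the previous hunk says "of the previous Permissions/Apply operation"; the two descriptions are otherwise word-for-word identical, so align the preposition. "base64 encoded format" appears in both Permissions2/Apply and Settings2/Apply here and should be "base64-encoded".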
diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md index 24346a5691..4be9c4d282 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md @@ -27,24 +27,16 @@ If you've entered the correct recovery key multiple times, follow these steps to 1. On the initial recovery screen, don't enter your recovery key. Instead, select **Skip this drive**. -![](placeholder-1.png) - 2. On the next screen, select **Troubleshoot**. -![](placeholder-2.png) - 3. On the Troubleshoot screen, select **Advanced options**. -![](placeholder-3.png) - 4. On the Advanced options screen, select **Command prompt**. -![](placeholder-4.png) - 5. From the WinRE command prompt, manually unlock your drive: `manage-bde.exe -unlock C: -rp ` 6. Next, suspend operating system drive protection: `manage-bde.exe -protectors -disable C:` 7. Once the last command is run, you can safely exit the command prompt and continue booting. -After you exit the command prompt in step 7, you will be able to successfully boot into your operating system. \ No newline at end of file +After you exit the command prompt in step 7, you will be able to successfully boot into your operating system. From 296b6d8f029e07a5ccff4d769b27ff4d99fb3d60 Mon Sep 17 00:00:00 2001 From: Marty Hernandez Avedon Date: Tue, 29 Oct 2019 16:55:23 -0400 Subject: [PATCH 07/12] copy edit --- .../bitlocker-recovery-loop-break.md | 20 +++++++++---------- 1 file changed, 9 insertions(+), 11 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md index 4be9c4d282..0578f6a4ab 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md 
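Review bot: removing the `![](placeholder-N.png)` lines turns the steps back into a single numbered list, and the hunk also fixes the missing trailing newline; both good. Still open in the context lines: step 5's `manage-bde.exe -unlock C: -rp ` has no recovery-password argument, which this cleanup pass was the natural place to fix with a `<48-digit recovery password>` placeholder.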
+++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md 
@@ -13,30 +13,28 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 05/07/2019 +ms.date: 10/28/2019 --- # Breaking out of a Bitlocker recovery loop -Sometimes, you can get stuck in a loop where you are repeatedly prompted to enter your Bitlocker recovery key. This can be very frustrating. +Sometimes, following a crash, you might be unable to successfully restart your device, due to the recovery screen repeatedly prompting you to enter your recovery key. This can be very frustrating. -If you've entered the correct recovery key multiple times, follow these steps to break out of the loop. +If you've entered the correct Bitlocker recovery key multiple times, and are still unable to continue past the first recovery screen, follow these steps to break out of the loop. > [!NOTE] > Only try these steps after you have restarted your device at least once. 1. On the initial recovery screen, don't enter your recovery key. Instead, select **Skip this drive**. -2. On the next screen, select **Troubleshoot**. - -3. On the Troubleshoot screen, select **Advanced options**. +1. On the next screen, select **Troubleshoot**. -4. On the Advanced options screen, select **Command prompt**. +1. On the Troubleshoot screen, select **Advanced options**. -5. From the WinRE command prompt, manually unlock your drive: `manage-bde.exe -unlock C: -rp ` +1. On the Advanced options screen, select **Command prompt**. -6. Next, suspend operating system drive protection: `manage-bde.exe -protectors -disable C:` +1. From the WinRE command prompt, manually unlock your drive: `manage-bde.exe -unlock C: -rp ` -7. Once the last command is run, you can safely exit the command prompt and continue booting. +1. Suspend operating system drive protection: `manage-bde.exe -protectors -disable C:` -After you exit the command prompt in step 7, you will be able to successfully boot into your operating system. +1. 
Once the last command is run, you can safely exit the command prompt and continue to boot into your operating system From 9854bc2c3f86f4a4cfea28299e625c75bf39a529 Mon Sep 17 00:00:00 2001 From: Marty Hernandez Avedon Date: Tue, 29 Oct 2019 17:25:23 -0400 Subject: [PATCH 08/12] slight tweaks to wording --- .../bitlocker/bitlocker-recovery-loop-break.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md index 0578f6a4ab..36decb2b2f 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md @@ -18,9 +18,9 @@ ms.date: 10/28/2019 # Breaking out of a Bitlocker recovery loop -Sometimes, following a crash, you might be unable to successfully restart your device, due to the recovery screen repeatedly prompting you to enter your recovery key. This can be very frustrating. +Sometimes, following a crash, you might be unable to successfully boot into your operating system, due to the recovery screen repeatedly prompting you to enter your recovery key. This can be very frustrating. -If you've entered the correct Bitlocker recovery key multiple times, and are still unable to continue past the first recovery screen, follow these steps to break out of the loop. +If you've entered the correct Bitlocker recovery key multiple times, and are still unable to continue past the initial recovery screen, follow these steps to break out of the loop. > [!NOTE] > Only try these steps after you have restarted your device at least once. From 86d9877e19aa1b338c80d92983947a4131dde188 Mon Sep 17 00:00:00 2001 
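Review bot: the final item "1. Once the last command is run, you can safely exit the command prompt and continue to boot into your operating system" has no terminating period, and because this hunk drops the closing paragraph it is now the last line of the page; add the period. Switching every item to `1.` lets Markdown auto-number and removes the fragile "step 7" cross-reference, which is good. The new intro ties the loop to "following a crash", but none of the steps depends on a crash having occurred; the previous wording ("Sometimes, you can get stuck in a loop where you are repeatedly prompted…") described the symptom without asserting a cause and was the safer statement. `ms.date` is set to 10/28/2019 in a commit dated 10/29/2019; minor.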
From: ManikaDhiman Date: Thu, 14 Nov 2019 13:17:10 -0800 Subject: [PATCH 09/12] Added option 5 in DOGroupIdSource --- .../mdm/new-in-windows-mdm-enrollment-management.md | 7 +++++++ .../mdm/policy-csp-deliveryoptimization.md | 5 ++++- 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 0a50619021..bcd0ad6c0b 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -58,6 +58,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s - [What is dmwappushsvc?](#what-is-dmwappushsvc) - **Change history in MDM documentation** + - [November 2019](#november-2019) - [October 2019](#october-2019) - [September 2019](#september-2019) - [August 2019](#august-2019) @@ -1934,6 +1935,12 @@ How do I turn if off? | The service can be stopped from the "Services" console o ## Change history in MDM documentation +### November 2019 + +|New or updated topic | Description| +|--- | ---| +|[Policy CSP - DeliveryOptimization](policy-csp-deliveryoptimization.md)|Added option 5 in the supported values list for DeliveryOptimization/DOGroupIdSource.| + ### October 2019 |New or updated topic | Description| diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md index 79c0298921..ad5b170144 100644 --- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md +++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md 
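Review bot: the new November 2019 change-history row says "Added option 5 in the supported values list for DeliveryOptimization/DOGroupIdSource", but the policy change in the same patch states that value 5 is usable only "Starting with Windows 10, version 1903", while the policy's own header still says "Added in Windows 10, version 1803"; carry the 1903 qualifier into the changelog row so readers of the history are not led to set 5 on older builds. The TOC bullet and the `### November 2019` section follow the shape of the existing October/September entries.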
@@ -780,7 +780,7 @@ ADMX Info: -Added in Windows 10, version 1803. Set this policy to restrict peer selection to a specific source. Options available are: 1 = AD Site, 2 = Authenticated domain SID, 3 = DHCP Option ID, 4 = DNS Suffix +Added in Windows 10, version 1803. Set this policy to restrict peer selection to a specific source. Options available are: 1 = AD Site, 2 = Authenticated domain SID, 3 = DHCP Option ID, 4 = DNS Suffix, 5 = AAD. When set, the Group ID will be assigned automatically from the selected source. @@ -790,6 +790,8 @@ The options set in this policy only apply to Group (2) download mode. If Group ( For option 3 - DHCP Option ID, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID. +Starting with Windows 10, version 1903, you can use the Azure Active Directory (AAD) Tenant ID as a means to define groups. To do this, set the value of DOGroupIdSource to 5. + ADMX Info: @@ -807,6 +809,7 @@ The following list shows the supported values: - 2 - Authenticated domain SID - 3 - DHCP user option - 4 - DNS suffix +- 5 - AAD From 1b029a1f52541532bd60493859ab466fc24c56fe Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Thu, 14 Nov 2019 15:47:16 -0800 Subject: [PATCH 10/12] Fixed suggestion --- .../mdm/new-in-windows-mdm-enrollment-management.md | 2 +- .../client-management/mdm/policy-csp-deliveryoptimization.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index bcd0ad6c0b..eacb043303 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md 
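Review bot: the three places this hunk names value 5 disagree: the description says "5 = AAD", the new paragraph says the "Azure Active Directory (AAD) Tenant ID" is what becomes the Group ID, and the supported-values list says "- 5 - AAD". Use "AAD Tenant ID" in the description and the list, since the paragraph identifies the Tenant ID as the actual source, and mark the new list entry with the 1903 requirement the paragraph introduces; as written, the list sits under a header that still says "Added in Windows 10, version 1803" with no per-value version. The existing entries already differ between the description ("3 = DHCP Option ID", "4 = DNS Suffix") and the list ("3 - DHCP user option", "4 - DNS suffix"); worth aligning in the same pass.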
@@ -21,7 +21,7 @@ ms.date: 07/01/2019 This topic provides information about what's new and breaking changes in Windows 10 mobile device management (MDM) enrollment and management experience across all Windows 10 devices. -For details about Microsoft mobile device management protocols for Windows 10 see [\[MS-MDM\]: Mobile Device Management Protocol](https://go.microsoft.com/fwlink/p/?LinkId=619346) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( http://go.microsoft.com/fwlink/p/?LinkId=619347). +For details about Microsoft mobile device management protocols for Windows 10 see [\[MS-MDM\]: Mobile Device Management Protocol](https://go.microsoft.com/fwlink/p/?LinkId=619346) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347). - **What’s new in MDM for Windows 10 versions** - [What’s new in MDM for Windows 10, version 1909](#whats-new-in-mdm-for-windows-10-version-1909) diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md index ad5b170144..c58548efdc 100644 --- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md +++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md @@ -780,7 +780,7 @@ ADMX Info: -Added in Windows 10, version 1803. Set this policy to restrict peer selection to a specific source. Options available are: 1 = AD Site, 2 = Authenticated domain SID, 3 = DHCP Option ID, 4 = DNS Suffix, 5 = AAD. +Added in Windows 10, version 1803. Set this policy to restrict peer selection to a specific source. When set, the Group ID will be assigned automatically from the selected source. From 068c603ce4ea0ec0742c2a59515adbbf14235a3c Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Thu, 14 Nov 2019 15:58:45 -0800 Subject: [PATCH 11/12] minor update --- .../client-management/mdm/policy-csp-deliveryoptimization.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
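Review bot: the second hunk deletes the enumeration "Options available are: 1 = AD Site, … 5 = AAD." from the description, leaving "When set, the Group ID will be assigned automatically from the selected source." with no list of sources until the supported-values section further down; PATCH 11/12 then re-adds the same list as "Available options are: …", so squash 10 and 11 into one commit rather than landing a remove-then-restore pair. The `http://` → `https://` change for the MS-MDE2 link is good; the stray space after `](` in that link is harmless in CommonMark but inconsistent with the MS-MDM link beside it, so drop it while touching the line.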
diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md index c58548efdc..8a8184ba9a 100644 --- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md +++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md @@ -780,7 +780,7 @@ ADMX Info: -Added in Windows 10, version 1803. Set this policy to restrict peer selection to a specific source. +Added in Windows 10, version 1803. Set this policy to restrict peer selection to a specific source. Available options are: 1 = AD Site, 2 = Authenticated domain SID, 3 = DHCP Option ID, 4 = DNS Suffix, 5 = AAD. When set, the Group ID will be assigned automatically from the selected source. From af6830f95b67854a2c8bbd052308249a2955ff5d Mon Sep 17 00:00:00 2001 From: John Kaiser <35939694+CoveMiner@users.noreply.github.com> Date: Fri, 15 Nov 2019 13:26:50 -0800 Subject: [PATCH 12/12] Update surface-manage-dfci-guide.md --- devices/surface/surface-manage-dfci-guide.md | 23 ++++++++++++-------- 1 file changed, 14 insertions(+), 9 deletions(-) diff --git a/devices/surface/surface-manage-dfci-guide.md b/devices/surface/surface-manage-dfci-guide.md index ce65883155..efb5fa93b5 100644 --- a/devices/surface/surface-manage-dfci-guide.md +++ b/devices/surface/surface-manage-dfci-guide.md @@ -105,7 +105,7 @@ DFCI includes a streamlined set of UEFI configuration policies that provide an e You configure DFCI policy settings by editing the DFCI profile from Endpoint Manager, as shown in the figure below. -- Select **Devices > Windows > Configuration Profiles > “DFCI profile name” > Properties > Settings**. +- In Endpoint Manager at devicemanagement.microsoft.com, select **Devices > Windows > Configuration Profiles > “DFCI profile name” > Properties > Settings**. ![Configure DFCI settings](images/dfciconfig.png) 
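Review bot: the restored sentence "Available options are: 1 = AD Site, 2 = Authenticated domain SID, 3 = DHCP Option ID, 4 = DNS Suffix, 5 = AAD." differs from the line PATCH 10/12 removed only in the first two words; the two commits net to a two-word change and should be one commit. The option names in this sentence and in the supported-values list lower in the same file ("3 - DHCP user option", "4 - DNS suffix") should use the same wording, and "5 = AAD" should say what is actually used as the Group ID (the AAD Tenant ID, per the paragraph added in PATCH 09/12).

Review bot: "In Endpoint Manager at devicemanagement.microsoft.com, select …" puts a bare hostname into the bullet as prose; make it a link or introduce the portal address once near the top of the page, because the identical phrase is added verbatim in the other two hunks of this commit and will need changing in three places if the portal address changes.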
@@ -140,7 +140,7 @@ As stated above, DFCI can only be applied on devices registered in Windows Autop Although Intune policy settings typically get applied almost immediately, there may be a delay of 10 minutes before the settings take effect on targeted devices. In rare circumstances, delays of up to 8 hours are possible. To ensure settings apply as soon as possible, (such as in test scenarios), you can manually sync the target devices. -- In Endpoint Manager, go to **Devices > Device enrollment > Windows enrollment > Windows Autopilot Devices** and select **Sync**. +- In Endpoint Manager at devicemanagement.microsoft.com, go to **Devices > Device enrollment > Windows enrollment > Windows Autopilot Devices** and select **Sync**. For more information, refer to [Sync your Windows device manually](https://docs.microsoft.com/intune-user-help/sync-your-device-manually-windows). 
@@ -167,14 +167,19 @@ When you create a DFCI profile, all configured settings will remain in effect ac If the original DFCI profile has been deleted, you can remove policy settings by creating a new profile and then editing the settings, as appropriate. -## Unregistering devices from DFCI to prepare for resale or recycle +## Removing DFCI management -1. Contact your partner, OEM, or reseller to unregister the device from Autopilot. -2. Remove the device from Intune. -3. Connect a Surface-branded network adapter. -4. Open Surface UEFI, which involves pressing the **Volume +** and **Power** buttons at the same time. -5. Select **Management > Configure > Refresh from Network**. -6. Validate DFCI is removed from the device in the UEFI. +**To remove DFCI management and return device to factory new state:** + +1. Retire the device from Intune: + 1. In Endpoint Manager at devicemanagement.microsoft.com, choose **Groups > All Devices**. Select the devices you want to retire, and then choose **Retire/Wipe.** To learn more refer to [Remove devices by using wipe, retire, or manually unenrolling the device](https://docs.microsoft.com/intune/remote-actions/devices-wipe). +2. Delete the Autopilot registration from Intune: + 1. Choose **Device enrollment > Windows enrollment > Devices**. + 2. Under Windows Autopilot devices, choose the devices you want to delete, and then choose **Delete**. +3. Connect device to wired internet with Surface-branded ethernet adapter. Restart device and open the UEFI menu (press and hold the volume-up button while also pressing and releasing the power button). +4. Select **Management > Configure > Refresh from Network** and then choose **Opt-out.** + +To keep managing the device with Intune, but without DFCI management, self-register the device to Autopilot and enroll it to Intune. DFCI will not be applied to self-registered devices. 
## Learn more - [Ignite 2019: Announcing remote management of Surface UEFI settings from Intune](https://techcommunity.microsoft.com/t5/Surface-IT-Pro-Blog/Ignite-2019-Announcing-remote-management-of-Surface-UEFI/ba-p/978333)
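Review bot: the rewritten procedure drops the old step 6, "Validate DFCI is removed from the device in the UEFI", and nothing in the new list checks the result of **Opt-out**; keep a verification step after step 4, because the lead-in's "return device to factory new state" holds only if the opt-out actually applied, and a device that silently kept its DFCI policy is exactly the failure this section exists to prevent. Structure: step 1 is a numbered item containing a single nested `1.`, which renders oddly; fold the sub-step into step 1. Step 3 does two things (connect the adapter, then restart into the UEFI menu) that the old steps 3 and 4 kept separate; split them again. Wording: "Connect device to wired internet with Surface-branded ethernet adapter" needs "the" before "device" and "Surface-branded", and "Ethernet" is capitalised; the bold spans "**Retire/Wipe.**" and "**Opt-out.**" include the sentence period inside the bold. The retitle from "Unregistering devices from DFCI to prepare for resale or recycle" to "Removing DFCI management" fits the added closing paragraph about self-registered devices.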