Merge branch 'public' into patch-42

This commit is contained in:
VLG17
2019-11-14 09:05:02 +02:00
committed by GitHub
84 changed files with 1055 additions and 1699 deletions

View File

@ -14,7 +14,7 @@ author: dansimp
ms.author: dansimp
ms.topic: article
ms.audience: itpro
ms.date: 10/21/2019
ms.date: 11/13/2019
---
# Microsoft Surface Data Eraser
@ -160,11 +160,17 @@ After you create a Microsoft Surface Data Eraser USB stick, you can boot a suppo
Microsoft Surface Data Eraser is periodically updated by Microsoft. For information about the changes provided in each new version, see the following:
### 3.28.137
*Release Date: 11 Nov 2019*
This version of Surface Data Eraser:
- Includes bug fixes
### Version 3.21.137
*Release Date: 21 Oct 2019*
This version of Surface Data Eraser is compiled for x86 and adds support for the following devices:
Supports Surface Pro 7, Surface Pro X, and Surface Laptop 3.
- Supports Surface Pro 7, Surface Pro X, and Surface Laptop 3
### Version 3.2.78.0
*Release Date: 4 Dec 2018*
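Review bot: the new heading `### 3.28.137` drops the `Version` prefix that the sibling headings use (`### Version 3.21.137`, `### Version 3.2.78.0`); make it `### Version 3.28.137` so the release list stays uniform. `- Includes bug fixes` also gives the reader nothing to act on for a tool whose purpose is irreversible data destruction: a one-line statement of what was fixed, and whether any earlier version should no longer be used, would let an admin decide whether the USB stick they already built needs to be rebuilt.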

View File

@ -89,15 +89,16 @@ Successful completion of Surface Dock Firmware Update results in new registry ke
## Event logging
**Table 1. Event logging for Surface Dock Firmware Update**
**Table 1. Log files for Surface Dock Firmware Update**
| Log | Location | Notes |
| -------------------------------- | --------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Surface Dock Firmware Update log | Path needs to be specified (see note) | Earlier versions of this tool wrote events to Applications and Services Logs\Microsoft Surface Dock Updater. |
| Windows Device Install log | %windir%\inf\setupapi.dev.log | For more information about using Device Install Log, refer to [SetupAPI Logging](https://docs.microsoft.com/windows-hardware/drivers/install/setupapi-logging--windows-vista-and-later-) documentation. |
**Table 2. Event log IDs for Surface Dock Firmware Update**
**Table 2. Event log IDs for Surface Dock Firmware Update**<br>
Events are logged in the Application Event Log. Note: Earlier versions of this tool wrote events to Applications and Services Logs\Microsoft Surface Dock Updater.
| Event ID | Event type |
| -------- | -------------------------------------------------------------------- |
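Review bot: `Path needs to be specified (see note)` in the Surface Dock Firmware Update log row is still a placeholder rather than a location, and the only note in the table (earlier versions wrote to Applications and Services Logs\Microsoft Surface Dock Updater) is about an event channel, not a file path. Either give the actual log location or the switch that sets it before this is published, or drop the row; as written, `(see note)` sends the reader to a note that does not answer the question. The `<br>` appended to the Table 2 caption is a layout workaround; a blank line between the caption and the "Events are logged in the Application Event Log" sentence does the same without raw HTML in the markdown.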

View File

@ -8,7 +8,7 @@ ms.sitesec: library
author: dansimp
ms.author: dansimp
ms.topic: article
ms.date: 10/20/2019
ms.date: 11/13/2019
ms.reviewer: jesko
manager: dansimp
ms.audience: itpro
@ -29,9 +29,11 @@ In contrast to other Windows 10 devices available in the market today, Surface p
Until now, managing firmware required enrolling devices into Surface Enterprise Management Mode (SEMM) with the overhead of ongoing manual IT-intensive tasks. As an example, SEMM requires IT staff to physically access each PC to enter a two-digit pin as part of the certificate management process. Although SEMM remains a good solution for organizations in a strictly on-premises environment, its complexity and IT-intensive requirements make it costly to use.
Now with newly integrated UEFI firmware management capabilities in Microsoft Intune, the ability to lock down hardware is simplified and easier to use with new features for provisioning, security, and streamlined updating all in a single console.
Now with newly integrated UEFI firmware management capabilities in Microsoft Intune, the ability to lock down hardware is simplified and easier to use with new features for provisioning, security, and streamlined updating all in a single console, now unified as [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager). The following figure shows UEFI settings viewed directly on the device (left) and viewed in the Endpoint Manager console (right).
DFCI leverages the device profiles capability in Intune and is deployed using Windows Autopilot, eliminating the need for manual interaction by IT admins or end users. A device profile allows you to add and configure settings which can then be deployed to devices enrolled in management within your organization. Once the device receives the device profile, the features and settings are applied automatically. Examples of common device profiles include Email, Device restrictions, VPN, Wi-Fi, and Administrative templates. DFCI is simply an additional device profile that enables you to manage UEFI configuration settings from the cloud without having to maintain a costly on-premises infrastructure.
![UEFI settings shown on device (left) and in the Endpoint Manager console (right) ](images/uefidfci.png)
Crucially, DFCI enables zero touch management, eliminating the need for manual interaction by IT admins. DFCI is deployed via Windows Autopilot using the device profiles capability in Intune. A device profile allows you to add and configure settings which can then be deployed to devices enrolled in management within your organization. Once the device receives the device profile, the features and settings are applied automatically. Examples of common device profiles include Email, Device restrictions, VPN, Wi-Fi, and Administrative templates. DFCI is simply an additional device profile that enables you to manage UEFI configuration settings from the cloud without having to maintain on-premises infrastructure.
## Supported devices
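Review bot: the alt text in `![UEFI settings shown on device (left) and in the Endpoint Manager console (right) ](images/uefidfci.png)` has a trailing space before `]`; trim it. The new sentence "Crucially, DFCI enables zero touch management, eliminating the need for manual interaction by IT admins" deliberately drops "or end users" from the old wording; that is correct given the Autopilot profile later in this change uses Deployment mode User-Driven, but say explicitly that the end user still signs in on first boot so "zero touch" is not read as fully unattended.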
@ -41,6 +43,9 @@ At this time, DFCI is supported in the following devices:
- Surface Pro X
- Surface Laptop 3
> [!NOTE]
> Surface Pro X does not support DFCI settings management for built-in camera, audio, and Wi-Fi/Bluetooth.
## Prerequisites
- Devices must be registered with Windows Autopilot by a [Microsoft Cloud Solution Provider (CSP) partner](https://partner.microsoft.com/membership/cloud-solution-provider) or OEM distributor.
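Review bot: the new note that Surface Pro X does not support DFCI management of the built-in camera, audio and Wi-Fi/Bluetooth should also be surfaced where those controls are recommended (the radio and hardware rows of Table 1 and the "turn off functionality" paragraph), otherwise an admin following that table will assume Pro X devices are locked down when those settings are not enforced. It would also help to state what the device does with an unsupported setting (ignored silently, reported as not applicable, or an error), since that determines whether the console's view of the device can be trusted.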
@ -59,30 +64,33 @@ A DFCI environment requires setting up a DFCI profile that contains the setting
Before configuring DFCI policy settings, first create a DFCI profile and assign it to the Azure AD security group that contains your target devices.
1. Open Intune select **Device configuration > Profiles > Create profile** and enter a name; for example **My DFCI profile.**
2. Select Windows 10 and later for platform type.
3. In the Profile type drop down list, select **Device Firmware Configuration Interface** to open the DFCI blade containing all available policy settings. For information on DFCI settings, refer to Table 2 on this page below or the [Intune documentation](https://docs.microsoft.com/intune/configuration/device-firmware-configuration-interface-windows). You can configure DFCI settings during the initial setup process or later by editing the DFCI profile.
1. Sign into your tenant at devicemanagement.microsoft.com.
2. In the Microsoft Endpoint Manager Admin Center, select **Devices > Configuration profiles > Create profile** and enter a name; for example, **DFCI Configuration Policy.**
3. Select **Windows 10 and later** for platform type.
4. In the Profile type drop down list, select **Device Firmware Configuration Interface** to open the DFCI blade containing all available policy settings. For information on DFCI settings, refer to Table 1 on this page or the [Intune documentation](https://docs.microsoft.com/intune/configuration/device-firmware-configuration-interface-windows). You can configure DFCI settings during the initial setup process or later by editing the DFCI profile.
> ![Create DFCI profile](images/df1.png)
![Create DFCI profile](images/df1.png)
4. Click **OK** and then select **Create**.
5. Select **Assignments** and under **Select groups to include** select the Azure AD security group that contains your target devices, as shown in the following figure. Click **Save**.
5. Click **OK** and then select **Create**.
6. Select **Assignments** and under **Select groups to include** select the Azure AD security group that contains your target devices, as shown in the following figure. Click **Save**.
![Assign security group](images/df2a.png)
![Assign security group](images/df2a.png)
## Create Autopilot profile
1. Go to **Intune > Device enrollment > Windows enrollment** and scroll down to select **Deployment Profiles**.
2. Select **Create profile**, enter a name; for example, My Autopilot profile, and select **Next**.
1. In Endpoint Manager at devicemanagement.microsoft.com, select **devices > Windows enrollment** and scroll down to **Deployment profiles**.
2. Select **Create profile** and enter a name; for example, **My Autopilot profile**, and select **Next**.
3. Select the following settings:
- Deployment mode: **User-Driven**.
- Join type: Azure **AD joined**.
- Deployment mode: **User-Driven**.
- Join type: Azure **AD joined**.
4. Leave the remaining default settings unchanged and select **Next**
5. On the Scope tags page, select **Next**.
6. On the Assignments page, choose **Select groups to include** and click your Azure AD security group. Select **Next**.
7. Accept the summary and then select **Create**. The Autopilot profile is now created and assigned to the group.
4. Leave the remaining default settings unchanged and select **Next**, as shown in the following figure.
![Create Autopilot profile](images/df3b.png)
5. On the Assignments page, choose **Select groups to include** and click your Azure AD security group. Select **Next**.
6. Accept the summary and then select **Create**. The Autopilot profile is now created and assigned to the group.
## Configure Enrollment Status Page
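Review bot: `- Join type: Azure **AD joined**.` bolds only half of the option name in both the old and the new lines; it should read `- Join type: **Azure AD joined**.` The console paths are inconsistent within this one change: the DFCI steps use `**Devices > Configuration profiles > Create profile**` while the Autopilot steps use `select **devices > Windows enrollment**` with a lowercase "devices". Dropping the separate Scope tags step (old step 5) is fine now that step 4 says "Leave the remaining default settings unchanged", but the DFCI profile is assigned to "the Azure AD security group that contains your target devices" and the Autopilot profile to "your Azure AD security group"; say plainly that both must target the same group, because a device that receives the Autopilot profile but not the DFCI profile enrolls with its UEFI settings unmanaged and, per the configuration section, changeable by the local user.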
@ -95,13 +103,15 @@ For more information, refer to [Set up an enrollment status page](https://docs.m
DFCI includes a streamlined set of UEFI configuration policies that provide an extra level of security by locking down devices at the hardware level. DFCI is designed to be used in conjunction with mobile device management settings at the software level. Note that DFCI settings only affect hardware components built into Surface devices and do not extend to attached peripherals such as USB webcams. (However, you can use Device restriction policies in Intune to turn off access to attached peripherals at the software level).
You configure DFCI policy settings by editing the DFCI profile:
You configure DFCI policy settings by editing the DFCI profile from Endpoint Manager, as shown in the figure below.
- **Intune > Device configuration > Profiles > “DFCI profile name” > Properties > Settings**
- Select **Devices > Windows > Configuration Profiles > “DFCI profile name” > Properties > Settings**.
![Configure DFCI settings](images/dfciconfig.png)
### Block user access to UEFI settings
For many customers, the ability to block users from changing UEFI settings is critically important and a primary reason to use DFCI. As listed in the followng table, this is managed via the setting **Allow local user to change UEFI settings**. If you do not edit or configure this setting, local users will be able to change any UEFI setting not managed by Intune. Therefore, its highly recommended to disable **Allow local user to change UEFI settings.**
For many customers, the ability to block users from changing UEFI settings is critically important and a primary reason to use DFCI. As listed in Table 1, this is managed via the setting **Allow local user to change UEFI settings**. If you do not edit or configure this setting, local users will be able to change any UEFI setting not managed by Intune. Therefore, its highly recommended to disable **Allow local user to change UEFI settings.**
The rest of the DFCI settings enable you to turn off functionality that would otherwise be available to users. For example, if you need to protect sensitive information in highly secure areas, you can disable the camera, and if you dont want users booting from USB drives, you can disable that also.
### Table 1. DFCI scenarios
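Review bot: "Therefore, its highly recommended" should be "it's" (the typo is carried from the old line into the new one), and "if you dont want users booting" in the context line also needs the apostrophe. More important, this section tells the admin to "disable" **Allow local user to change UEFI settings**, while the verification section later in this file says the settings are greyed out because that setting "is set to None"; use one value name for the setting throughout so an admin can recognise the correct state both in the console and in Surface UEFI.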
@ -114,11 +124,11 @@ The rest of the DFCI settings enable you to turn off functionality that would ot
| Disable radios (Bluetooth, Wi-Fi) | Under **Built in Hardware > Radios (Bluetooth, Wi-Fi, etc…)**, select **Disabled**. |
| Disable Boot from external media (USB, SD) | Under **Built in Hardware > Boot Options > Boot from external media (USB, SD)**, select **Disabled**. |
> [!CAUTION]
> The **Disable radios (Bluetooth, Wi-Fi)** setting should only be used on devices that have a wired Ethernet connection.
> [!NOTE]
> DFCI in Intune includes two settings that do not currently apply to Surface devices:
- CPU and IO virtualization
- Disable Boot from network adapters
> DFCI in Intune includes two settings that do not currently apply to Surface devices: (1) CPU and IO virtualization and (2) Disable Boot from network adapters.
Intune provides Scope tags to delegate administrative rights and Applicability Rules to manage device types. For more information about policy management support and full details on all DFCI settings, refer to [Microsoft Intune documentation](https://docs.microsoft.com/intune/configuration/device-firmware-configuration-interface-windows).
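Review bot: the new caution says the Disable radios setting "should only be used on devices that have a wired Ethernet connection" but not why; state the reason: with Wi-Fi and Bluetooth off and no wired link, the device cannot reach Intune, so the policy cannot be synced, changed or removed remotely (the sync and "Removing DFCI policy settings" sections below both assume that channel still exists). Folding the two non-applicable settings into the single `> [!NOTE]` line is the right fix for the old bullets, which sat outside the blockquote.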
@ -130,7 +140,7 @@ As stated above, DFCI can only be applied on devices registered in Windows Autop
Although Intune policy settings typically get applied almost immediately, there may be a delay of 10 minutes before the settings take effect on targeted devices. In rare circumstances, delays of up to 8 hours are possible. To ensure settings apply as soon as possible, (such as in test scenarios), you can manually sync the target devices.
- In Intune, go to **Device enrollment > Windows enrollment > Windows Autopilot Devices** and select **Sync**.
- In Endpoint Manager, go to **Devices > Device enrollment > Windows enrollment > Windows Autopilot Devices** and select **Sync**.
For more information, refer to [Sync your Windows device manually](https://docs.microsoft.com/intune-user-help/sync-your-device-manually-windows).
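Review bot: the new sync path `**Devices > Device enrollment > Windows enrollment > Windows Autopilot Devices**` includes a "Device enrollment" level that the Autopilot profile steps in this same change omit (`**devices > Windows enrollment**`); pick one path for the same console node so the two sections do not contradict each other.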
@ -144,12 +154,12 @@ In a test environment, you can verify settings in the Surface UEFI interface.
1. Open Surface UEFI, which involves pressing the **Volume +** and **Power** buttons at the same time.
2. Select **Devices**. The UEFI menu will reflect configured settings, as shown in the following figure.
![Surface UEFI](images/df3.png)
![Surface UEFI](images/df3.png)
Note how:
Note how:
- The settings are greyed out because **Allow local user to change UEFI setting** is set to None.
- Audio is set to off because **Microphones and speakers** are set to **Disabled**.
- The settings are greyed out because **Allow local user to change UEFI setting** is set to None.
- Audio is set to off because **Microphones and speakers** are set to **Disabled**.
## Removing DFCI policy settings
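Review bot: the repeated image, "Note how:" and bullet lines show this hunk is an indentation-only change under step 2, which the rendered view hides; confirm the list indentation is what you intend, since a wrongly indented image or bullet restarts the step numbering. The setting is named "Allow local user to change UEFI setting" (singular) here and "Allow local user to change UEFI settings" in the configuration section above, and its value is "None" here versus "disable" there; align both so the verification matches what the admin configured.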