Merging changes synced from https://github.com/MicrosoftDocs/windows-docs-pr (branch live)

devices/surface/surface-manage-dfci-guide.md

@@ -105,7 +105,7 @@ DFCI includes a streamlined set of UEFI configuration policies that provide an e
 
 You configure DFCI policy settings by editing the DFCI profile from Endpoint Manager, as shown in the figure below. 
 
-- Select **Devices > Windows > Configuration Profiles > “DFCI profile name” > Properties > Settings**.
+- In Endpoint Manager at  devicemanagement.microsoft.com, select **Devices > Windows > Configuration Profiles > “DFCI profile name” > Properties > Settings**.
 
     ![Configure DFCI settings](images/dfciconfig.png)
 
@@ -140,7 +140,7 @@ As stated above, DFCI can only be applied on devices registered in Windows Autop
 
 Although Intune policy settings typically get applied almost immediately, there may be a delay of 10 minutes before the settings take effect on targeted devices. In rare circumstances, delays of up to 8 hours are possible. To ensure settings apply as soon as possible, (such as in test scenarios), you can manually sync the target devices.
 
-- In Endpoint Manager, go to **Devices > Device enrollment > Windows enrollment > Windows Autopilot Devices** and select **Sync**.
+- In Endpoint Manager at  devicemanagement.microsoft.com, go to **Devices > Device enrollment > Windows enrollment > Windows Autopilot Devices** and select **Sync**.
 
  For more information, refer to [Sync your Windows device manually](https://docs.microsoft.com/intune-user-help/sync-your-device-manually-windows).
 
@@ -167,14 +167,19 @@ When you create a DFCI profile, all configured settings will remain in effect ac
 
 If the original DFCI profile has been deleted, you can remove policy settings by creating a new profile and then editing the settings, as appropriate.
 
-## Unregistering devices from DFCI to prepare for resale or recycle
+## Removing DFCI management
 
-1. Contact your partner, OEM, or reseller to unregister the device from Autopilot.
-2. Remove the device from Intune.
-3. Connect a Surface-branded network adapter.
-4. Open Surface UEFI, which involves pressing the **Volume +** and **Power** buttons at the same time.
-5. Select **Management > Configure > Refresh from Network**.
-6. Validate DFCI is removed from the device in the UEFI.
+**To remove DFCI management and return device to factory new state:**
+
+1. Retire the device from Intune:
+    1. In Endpoint Manager at  devicemanagement.microsoft.com, choose **Groups > All Devices**. Select the devices you want to retire, and then choose **Retire/Wipe.** To learn more refer to [Remove devices by using wipe, retire, or manually unenrolling the device](https://docs.microsoft.com/intune/remote-actions/devices-wipe). 
+2. Delete the Autopilot registration from Intune:
+    1.  Choose **Device enrollment > Windows enrollment > Devices**.
+    2. Under Windows Autopilot devices, choose the devices you want to delete, and then choose **Delete**.
+3. Connect device to wired internet with Surface-branded ethernet adapter. Restart device and open the UEFI menu (press and hold the volume-up button while also pressing and releasing the power button).
+4. Select **Management > Configure > Refresh from Network** and then choose **Opt-out.**
+
+To keep managing the device with Intune, but without DFCI management, self-register the device to Autopilot and enroll it to Intune. DFCI will not be applied to self-registered devices.
 
 ## Learn more
 - [Ignite 2019: Announcing remote management of Surface UEFI settings from Intune](https://techcommunity.microsoft.com/t5/Surface-IT-Pro-Blog/Ignite-2019-Announcing-remote-management-of-Surface-UEFI/ba-p/978333)

windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md

@@ -21,7 +21,7 @@ ms.date: 07/01/2019
 
 This topic provides information about what's new and breaking changes in Windows 10 mobile device management (MDM) enrollment and management experience across all Windows 10 devices.
 
-For details about Microsoft mobile device management protocols for Windows 10 see [\[MS-MDM\]: Mobile Device Management Protocol](https://go.microsoft.com/fwlink/p/?LinkId=619346) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( http://go.microsoft.com/fwlink/p/?LinkId=619347). 
+For details about Microsoft mobile device management protocols for Windows 10 see [\[MS-MDM\]: Mobile Device Management Protocol](https://go.microsoft.com/fwlink/p/?LinkId=619346) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347). 
 
 - **What’s new in MDM for Windows 10 versions**
   - [What’s new in MDM for Windows 10, version 1909](#whats-new-in-mdm-for-windows-10-version-1909)
@@ -58,6 +58,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
   - [What is dmwappushsvc?](#what-is-dmwappushsvc)
 
 - **Change history in MDM documentation**
+    - [November 2019](#november-2019)
     - [October 2019](#october-2019)
     - [September 2019](#september-2019)
     - [August 2019](#august-2019)
@@ -1934,6 +1935,12 @@ How do I turn if off? | The service can be stopped from the "Services" console o
 
 ## Change history in MDM documentation
 
+### November 2019
+
+|New or updated topic | Description|
+|--- | ---|
+|[Policy CSP - DeliveryOptimization](policy-csp-deliveryoptimization.md)|Added option 5 in the supported values list for DeliveryOptimization/DOGroupIdSource.|
+
 ### October 2019
 
 |New or updated topic | Description|

windows/client-management/mdm/policy-csp-deliveryoptimization.md

@@ -780,7 +780,7 @@ ADMX Info:
 
 <!--/Scope-->
 <!--Description-->
-Added in Windows 10, version 1803. Set this policy to restrict peer selection to a specific source. Options available are: 1 = AD Site, 2 = Authenticated domain SID, 3 = DHCP Option ID, 4 = DNS Suffix
+Added in Windows 10, version 1803. Set this policy to restrict peer selection to a specific source. Available options are: 1 = AD Site, 2 = Authenticated domain SID, 3 = DHCP Option ID, 4 = DNS Suffix, 5 = AAD.
 
 When set, the Group ID will be assigned automatically from the selected source.
 
@@ -790,6 +790,8 @@ The options set in this policy only apply to Group (2) download mode. If Group (
 
 For option 3 - DHCP Option ID, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID.
 
+Starting with Windows 10, version 1903, you can use the Azure Active Directory (AAD) Tenant ID as a means to define groups. To do this, set the value of DOGroupIdSource to 5.
+
 <!--/Description-->
 <!--ADMXMapped-->
 ADMX Info:  
@@ -807,6 +809,7 @@ The following list shows the supported values:
 -   2 - Authenticated domain SID
 -   3 - DHCP user option
 -   4 - DNS suffix
+-   5 - AAD
 
 <!--/SupportedValues-->
 <!--/Policy-->

windows/client-management/mdm/uefi-csp.md

@@ -20,7 +20,7 @@ The UEFI configuration service provider (CSP) interfaces to UEFI's Device Firmwa
 > The UEFI CSP version published in Windows 10, version 1803 is replaced with this one (version 1809).
 
 > [!NOTE]
-> The production UEFI CSP is present in 1809, but it depends upon the Device Firmware Configuration Interface (DFCI) and UEFI firmware to comply with this interface.  The specification for this interface and compatible firmware is not yet available.
+> The production UEFI CSP is present in 1809, but it depends upon the [Device Firmware Configuration Interface (DFCI) and UEFI firmware](https://microsoft.github.io/mu/dyn/mu_plus/DfciPkg/Docs/Dfci_Feature/) to comply with this interface.
 
 The following diagram shows the UEFI CSP in tree format.
 
@@ -119,7 +119,7 @@ Retrieves the binary result package from the previous Permissions2/Apply operati
 Supported operation is Get.
 
 <a href="" id="settings2"></a>**Settings2**  
-Nodefor device settings operations. Alternate endpoint for sending a second settings package without an OS restart.
+Node for device settings operations. Alternate endpoint for sending a second settings package without an OS restart.
 
 <a href="" id="settings2-apply"></a>**Settings2/Apply**  
 Apply a settings information package to UEFI. Input is the signed package in base64 encoded format. Alternate location for sending two settings information packages in the same session.

windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md

@@ -0,0 +1,40 @@
+---
+title: Breaking out of a Bitlocker recovery loop
+description: This topic  for IT professionals describes how to break out of a Bitlocker recovery loop.
+ms.assetid: #c40f87ac-17d3-47b2-afc6-6c641f72ecee
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: #medium
+ms.author: v-maave
+author: martyav
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+ms.date: 10/28/2019
+---
+
+# Breaking out of a Bitlocker recovery loop
+
+Sometimes, following a crash, you might be unable to successfully boot into your operating system, due to the recovery screen repeatedly prompting you to enter your recovery key. This can be very frustrating.
+
+If you've entered the correct Bitlocker recovery key multiple times, and are still unable to continue past the initial recovery screen, follow these steps to break out of the loop.
+
+> [!NOTE]
+> Only try these steps after you have restarted your device at least once.
+
+1. On the initial recovery screen, don't enter your recovery key. Instead, select **Skip this drive**.
+
+1. On the next screen, select **Troubleshoot**.
+
+1. On the Troubleshoot screen, select **Advanced options**.
+
+1. On the Advanced options screen, select **Command prompt**.
+
+1. From the WinRE command prompt, manually unlock your drive: `manage-bde.exe -unlock C: -rp <recovery password>`
+
+1. Suspend operating system drive protection: `manage-bde.exe -protectors -disable C:`
+
+1. Once the last command is run, you can safely exit the command prompt and continue to boot into your operating system