Use Intune to Manage Device Firmware Configuration Interface Settings for Autopilot Devices

How handy would it be to manage the UEFI (Unified Extensible Firmware Interface) settings of your enrolled devices from the cloud? That's exactly what I'm going to explore in this article.

What I will be covering 👇🏾

  1. What is DFCI? (Device Firmware Configuration Interface)
  2. Use Cases
  3. DFCI Lifecycle
  4. Requirements and OEM Vendor Support
    1. OEM Vendor Support
  5. Intune to Manage DFCI?
  6. Intune Device Configuration Profile
  7. Wrapping Up

What is DFCI? (Device Firmware Configuration Interface)

This is a newly introduced UEFI feature that enables secure, programmatic configuration of hardware settings in the BIOS/UEFI that would otherwise require a person at the keyboard to change. It is published as open source as part of Project Mu.

Read this – Project Mu/ Dfci_Feature

Use Cases

  • Disabling cameras, microphones, and/or radios in manufacturing and other secure facilities
  • Disabling boot to USB and network for single purpose and KIOSK devices
  • Disabling local user access to all UEFI settings to maintain the out of box configuration

DFCI Lifecycle

The activities below have been identified as the DFCI lifecycle stages:

  • UEFI integration
  • Device registration
  • Profile creation
  • Enrollment
  • Management
  • Retirement
  • Recovery
Image from MS Learn

Requirements and OEM Vendor Support

  • Windows 10, version 1809 or later, with a UEFI that supports DFCI
  • The device manufacturer must have added DFCI to the UEFI firmware, either during manufacturing or through a firmware update that you install; check with the OEM which firmware version is needed for DFCI
  • The device must be registered for Windows Autopilot by the OEM or a Microsoft Cloud Solution Provider (CSP) partner; devices you register manually (for example by importing a hardware hash CSV) are not allowed to use DFCI, because DFCI requires attestation that the device was commercially acquired
  • The device has to be rebooted after the MDM sync, since the firmware picks up the new DFCI settings at boot

OEM Vendor Support

  • Surface
  • Acer

Intune to Manage DFCI?

Yes. DFCI complements the zero-touch enrollment process: the IT department creates a device configuration profile that allows or blocks each hardware setting, and Intune applies it to the device during the Autopilot process.

The major benefit is that the settings in that profile can only be changed from Intune. Once DFCI is active on the device, nobody at the device, not even a local administrator sitting at the UEFI menu, can change them, which makes the device more resilient against malware, rootkits and physical tampering (for example, booting a different operating system from a USB stick).

DFCI can only manage hardware components built into the device; it cannot control attached peripherals (for example, USB webcams).

Intune Device Configuration Profile

To create a DFCI profile, go to the Intune admin center > Devices > Configuration profiles > Create profile, choose Windows 10 and later as the platform, and pick Device Firmware Configuration Interface as the profile type (under Templates).

Go through each section to set the controls. Most of them are simply Enabled, Disabled or Not configured: CPU and IO virtualization, cameras, microphones and speakers, radios (Bluetooth, Wi-Fi, NFC and the like), and boot from external media or from the built-in network adapters. The first control, "Allow local user to change UEFI settings", is the important one: set it to None so that nobody at the device can change any UEFI setting, including the ones above.
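If you would rather script the profile than click through the portal, the same DFCI template can be created through Microsoft Graph. The block below is an added example and not code from the original post or from Microsoft: it assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in account holds the DeviceManagementConfiguration.ReadWrite.All permission, and that the beta endpoint is used, since the DFCI resource type (`windows10DeviceFirmwareConfigurationInterface`) and its property names live there. The profile name, the chosen settings and the target group id are this example's own.

```powershell
# Added example (not from the original post): create, verify and assign a DFCI profile
# through Microsoft Graph. Assumes the Microsoft.Graph PowerShell SDK and the
# DeviceManagementConfiguration.ReadWrite.All permission. Profile name, settings and
# the group id below are constructed for this example.

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' -NoWelcome

function New-DfciProfileBody {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [string] $Description = 'Kiosk / secure-facility UEFI lockdown (constructed example)'
    )
    # Each hardware control accepts 'notConfigured', 'enabled' or 'disabled'.
    # changeUefiSettingsPermission is the key control: 'none' removes the local user's
    # ability to change any UEFI setting, so the rest of this profile cannot be undone
    # at the device, even from the UEFI menu.
    return @{
        '@odata.type'                  = '#microsoft.graph.windows10DeviceFirmwareConfigurationInterface'
        displayName                    = $DisplayName
        description                    = $Description
        changeUefiSettingsPermission   = 'none'
        virtualizationOfCpuAndIO       = 'enabled'       # keep virtualization-based security possible
        cameras                        = 'disabled'
        microphonesAndSpeakers         = 'disabled'
        radios                         = 'disabled'
        bootFromExternalMedia          = 'disabled'      # no booting another OS from USB
        bootFromBuiltInNetworkAdapters = 'disabled'      # no PXE boot
        windowsPlatformBinaryTable     = 'notConfigured'
    }
}

$body    = New-DfciProfileBody -DisplayName 'DFCI - Kiosk lockdown'
$profile = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations' `
    -Body ($body | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# Read the profile back and confirm every control landed as requested before assigning it.
$saved = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/$($profile.id)"

$skip  = @('@odata.type', 'displayName', 'description')
$drift = foreach ($key in $body.Keys | Where-Object { $_ -notin $skip }) {
    if ($saved[$key] -ne $body[$key]) { "$key : wanted $($body[$key]), got $($saved[$key])" }
}
if ($drift) {
    Write-Warning ("DFCI profile $($profile.id) differs from request:`n" + ($drift -join "`n"))
} else {
    Write-Host "DFCI profile $($profile.id) verified"
}

# Assign the profile to the Autopilot device group (group id is a placeholder assumption).
$assignment = @{
    assignments = @(
        @{
            target = @{
                '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                groupId       = '00000000-0000-0000-0000-000000000000'
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/$($profile.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 6) -ContentType 'application/json'
```

The read-back step matters more than it looks: if a control comes back as `notConfigured` when you asked for `disabled`, the device will keep its factory value and the local user will be able to flip it until you fix the profile. Remember that the settings only reach the firmware after the device has synced and rebooted, and only on devices the OEM or a CSP partner registered for Autopilot.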

Wrapping Up

As I see it, this is a valuable profile to set up while you are doing Autopilot. Once the devices are with the users you have far less physical control over them, setting these options manually on every device is tedious, and, worst of all, you may not have thought about this control at all. So there you go: now you know how to control that integral part of the computer. I believe Microsoft will work with other OEM partners to expand this to their brands as well, and soon!
