This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(272, 4%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECK%3C/text%3E%3C/svg%3E)
We have some Surface Pro 7 and I want to try to secure the UEFI Settings with DFCI as described in this [Microsoft Learn article][1]. The devices are registered by our CSP, autopilot works, the profiles for autopilot deployment, Enrollment State Page and DFCI are assigned. But the Deployment Status of my test devices is hanging on Pending. Are there any logfiles for DFCI available? Any Idea to my problem? Any help highly appreciated, thanks. [1]: https://learn.microsoft.com/en-us/mem/intune/configuration/device-firmware-configuration-interface-windows
It was the mistake of the CSP as suspected on this tweet: https://twitter.com/ncbrady/status/1324269514259943424. So the CSP did something wrong (although autopilot deployment still worked). I hope he can fix it for the already delivered devices.
On the one hand I'm happy that it finally works and that I didn't make a mistake and on the other hand I'm frustrated because I lost dozens of hours.
Thanks to everyone who answered and helped here...
Hey anonymous user,
have a look at the documentation, your devices must be registered in Autopilot by a Cloud Solution Provider (CSP). The CSP here is not referencing the Configuration Service Provider (CSP) which is mostly used in regards to Intune topics especially for configuration profiles.
https://learn.microsoft.com/en-us/mem/autopilot/dfci-management > section Requirements
best,
---
Oliver Kieselbach | Twitter | Blog
Mark useful answers by clicking "Accept Answer", many thanks!
Thanks for your answer, @Oliver Kieselbach .
Looks like every partner with access to the partner portal can register the devices. In my case I ordered some Surfaces from our partner and said that I'd like to have them registered for DFCI like required in the documentation you mentioned. Our partner ordered the devices from his distributor (I thought that would be the CSP). The devices were registered and autopilot worked. Only DFCI didn't work (and doesn't work until now, btw).
But then I had to order a new Surface (for a broken one) and our partner tried to register this one on his own over the partner portal. This time DFCI worked without a problem.
So it looks like:
I gave a feedback to Microsoft that it would be helpful, when the enduser IT could see, if the registration doesn't include DFCI.
Thanks, @Oliver Kieselbach . I wasn't sure if it is appropriate to mark my own answer as the correct answer.
Have you verified on the device itself whether the policy is applying or not? In my experience the status on Intune can take a while to update sometimes.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
anonymous user, Agree with RahulJindal, we can wait some more time to let the status update to Intune. Meanwhile, to check if the policy is applied, we can also check the Advanced Diagnostic report under Accounts->Access Work or school->Azure AD account->info->Advanced Diagnostic Report to see if the setting is there..
https://learn.microsoft.com/en-us/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10#download-the-mdm-diagnostic-information-log-from-windows-10-pcs
In addition, we can also verify UEFI settings on DFCI-managed devices
https://learn.microsoft.com/en-us/surface/surface-manage-dfci-guide#verifying-uefi-settings-on-dfci-managed-devices
Hope it can help.
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Thanks for your answers, @Rahul Jindal [MVP] and @Crystal-MSFT .
I tried to verify the UEFI settings directly in the UEFI but the settings in the devices menu aren't greyed out and in the management menu is still written: "Zero-touch UEFI Management: Ready".
Didn't looked at the Advanced Diagnostic Report, thanks for this advice. But I can't find there something that looks like beeing in relation to DFCI.
ChristianKrsi-1053 After some time waiting, was the status changed? Would you mind to restart the device and check it again. Thanks!
Thanks, @Crystal-MSFT . Status didn't change. I restarted the device several times.
anonymous user, How about the event log under Applications and services logs\Microsoft\Windows\DeviceManagement-EnterpriseDiagnostics-Provider? Is there any error related. However, if there's still no finding, we suggest to submit a case to work on this issue.
Is there a way to check if my Cloud Solution Provider CSP partner did a mistake when registering the devices? Are there any logfiles to get a hint where to look further? Thanks in advance.