ChristianKruesi-1173 asked:

UEFI Settings with DFCI don't process, deployment status staying on Pending

We have some Surface Pro 7 devices and I want to try to secure the UEFI settings with DFCI as described in this [Microsoft Docs article][1]. The devices are registered by our CSP, Autopilot works, and the profiles for Autopilot deployment, Enrollment Status Page and DFCI are assigned. But the deployment status of my test devices is hanging on Pending. Are there any log files for DFCI available? Any idea about my problem? Any help highly appreciated, thanks. [1]: https://docs.microsoft.com/en-us/mem/intune/configuration/device-firmware-configuration-interface-windows

Tags: mem-intune-device-configurations, mem-intune-enrollment

ChristianKruesi-1173 answered:

It was the mistake of the CSP, as suspected in this tweet: https://twitter.com/ncbrady/status/1324269514259943424. So the CSP did something wrong (although Autopilot deployment still worked). I hope he can fix it for the devices already delivered.

On the one hand I'm happy that it finally works and that I didn't make a mistake and on the other hand I'm frustrated because I lost dozens of hours.

Thanks to everyone who answered and helped here...


Hey anonymous user,

Have a look at the documentation: your devices must be registered in Autopilot by a Cloud Solution Provider (CSP). The CSP here does not refer to the Configuration Service Provider (CSP), which is mostly used in Intune topics, especially for configuration profiles.

https://docs.microsoft.com/en-us/mem/autopilot/dfci-management > section Requirements

best,


Oliver Kieselbach | Twitter | Blog
Mark useful answers by clicking "Accept Answer", many thanks!



Thanks for your answer, @OliverKieselbach-MVP.

Looks like every partner with access to the partner portal can register the devices. In my case I ordered some Surfaces from our partner and said that I'd like to have them registered for DFCI as required in the documentation you mentioned. Our partner ordered the devices from his distributor (I thought that would be the CSP). The devices were registered and Autopilot worked. Only DFCI didn't work (and still doesn't work, btw).

But then I had to order a new Surface (for a broken one) and our partner tried to register this one on his own via the partner portal. This time DFCI worked without a problem.

So it looks like:

  • every partner with access to the partner portal can import devices for DFCI

  • a partner can import a device incorrectly, so that Autopilot works but DFCI does not

I gave feedback to Microsoft that it would be helpful if the end-user IT could see whether the registration doesn't include DFCI.


Thanks, @OliverKieselbach-MVP. I wasn't sure if it is appropriate to mark my own answer as the correct answer.

RahulJindal-2267 answered:

Have you verified on the device itself whether the policy is applying or not? In my experience the status on Intune can take a while to update sometimes.

Crystal-MSFT answered:

anonymous user, I agree with RahulJindal, we can wait some more time to let the status update in Intune. Meanwhile, to check if the policy is applied, we can also check the Advanced Diagnostic Report under Accounts -> Access work or school -> Azure AD account -> Info -> Advanced Diagnostic Report to see if the setting is there.
https://docs.microsoft.com/en-us/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10#download-the-mdm-diagnostic-information-log-from-windows-10-pcs

In addition, we can also verify UEFI settings on DFCI-managed devices:
https://docs.microsoft.com/en-us/surface/surface-manage-dfci-guide#verifying-uefi-settings-on-dfci-managed-devices

Hope it can help.


ChristianKruesi-1173 answered:

Thanks for your answers, @RahulJindal-2267 and @Crystal-MSFT.

I tried to verify the UEFI settings directly in the UEFI, but the settings in the Devices menu aren't greyed out, and the Management menu still says: "Zero-touch UEFI Management: Ready".

I hadn't looked at the Advanced Diagnostic Report, thanks for this advice. But I can't find anything there that looks related to DFCI.


ChristianKrsi-1053 After waiting some time, has the status changed? Would you mind restarting the device and checking it again? Thanks!


Thanks, @Crystal-MSFT. The status didn't change. I restarted the device several times.


anonymous user, how about the event log under Applications and Services Logs\Microsoft\Windows\DeviceManagement-Enterprise-Diagnostics-Provider? Is there any related error? If there's still no finding, we suggest submitting a case to work on this issue.

ChristianKruesi-1173 answered:

Is there a way to check if my Cloud Solution Provider (CSP) partner made a mistake when registering the devices? Are there any log files to get a hint where to look further? Thanks in advance.

ChristianKruesi-1173 answered:

Thanks @Crystal-MSFT for your help. One error under DeviceManagement-Enterprise-Diagnostics-Provider is something about a fake policy:

![33240-error01.png](/answers/storage/attachments/33240-error01.png)

No idea if this is important. I opened a case and hope to get some more help there. Thank you anyway.


anonymous user, for the CSP URI ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Receiver/Properties/Policy/FakePolicy/Version, based on my research, it is an ADMX-backed policy. This is not related to the Device Firmware Configuration Interface profile, so I think we can skip this error.
https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-configuration-service-provider

The UEFI configuration service provider (CSP), which interfaces with UEFI's Device Firmware Configuration Interface (DFCI) to make BIOS configuration changes, is described here:
https://docs.microsoft.com/en-us/windows/client-management/mdm/uefi-csp

I noticed a case is already opened. If we get any resolution, I appreciate your sharing here.

Thanks and have a nice day!


Thank you for your answer, @Crystal-MSFT.

Hopefully I can solve my problem with Microsoft Support. I will share it here.

Nice day too.


anonymous user, Thanks for the understanding. We will wait here for the update.

Also thanks for your time and have a nice day!


Hey,

The "FakePolicy" can be ignored safely, see this clarification post from the Intune Support team:

![39776-fakepolicy-intune.jpg](/answers/storage/attachments/39776-fakepolicy-intune.jpg)

best,


Oliver Kieselbach | Twitter | Blog
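The two diagnostic pointers in this thread, Crystal-MSFT's suggestion to pull the Advanced Diagnostic Report and read the DeviceManagement-Enterprise-Diagnostics-Provider event log, and the clarification above that the ADMXInstall "FakePolicy" entry is benign noise, can be turned into a repeatable triage script. The following PowerShell is an added example, not code from the thread or from Microsoft; it assumes an elevated session on the Windows 10 device itself, that MdmDiagnosticsTool.exe is present (it ships with Windows 10 1809 and later), and that `$OutDir` is a folder of your choosing. The `Uefi` column is a heuristic: it flags messages that mention the UEFI CSP node (`./Vendor/MSFT/Uefi`), which is the path the DFCI profile is delivered through, so seeing none at all is itself a finding.

```powershell
# Added example: collect MDM diagnostics and triage the device-management
# event log on a Windows 10 device that should be DFCI-managed.
# Assumptions (not from the thread): run elevated on the device; $OutDir is
# an arbitrary output folder; MdmDiagnosticsTool.exe exists in System32.

$OutDir = "C:\Temp\DfciDiag"
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Same data as Settings > Accounts > Access work or school > Info >
#    Advanced Diagnostic Report, but as a .cab you can attach to a support case.
$Cab = Join-Path $OutDir "mdm-diag.cab"
& "$env:SystemRoot\System32\MdmDiagnosticsTool.exe" -area "DeviceEnrollment;DeviceProvisioning;Autopilot" -cab $Cab

# 2. Known-benign noise to hide: the ADMXInstall "FakePolicy" probe.
$BenignPatterns = @(
    'ADMXInstall/Receiver/Properties/Policy/FakePolicy'
)

# 3. Errors and warnings from the last 7 days of the DM provider log.
$Since  = (Get-Date).AddDays(-7)
$Events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
    Level     = 2, 3        # 2 = Error, 3 = Warning
    StartTime = $Since
} -ErrorAction SilentlyContinue

# 4. Classify each event: benign (known noise) vs. worth a look, and whether it
#    touches the UEFI CSP node that carries DFCI settings.
$Triage = foreach ($e in $Events) {
    $benign = $false
    foreach ($p in $BenignPatterns) {
        if ($e.Message -like "*$p*") { $benign = $true; break }
    }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Id      = $e.Id
        Level   = $e.LevelDisplayName
        Benign  = $benign
        Uefi    = [bool]($e.Message -match '/Vendor/MSFT/Uefi')
        Message = ($e.Message -split "`n")[0]   # first line only, for the table
    }
}

# 5. Report: anything not benign deserves attention; zero UEFI CSP events means
#    the DFCI profile never reached the device, which matches the "Pending" case.
$Triage | Where-Object { -not $_.Benign } | Sort-Object Time | Format-Table -AutoSize
"UEFI CSP events seen in the last 7 days: " + (@($Triage | Where-Object { $_.Uefi }).Count)
$Triage | Export-Csv -Path (Join-Path $OutDir "dm-events.csv") -NoTypeInformation
```

If the non-benign list is empty and the UEFI CSP count is zero while Intune still shows Pending, the device has nothing to act on: the profile was never delivered, which points at the registration side (the Autopilot/DFCI partner registration this thread ends up blaming) rather than at the device, and the .cab plus the CSV are what to hand over with the support case.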
ChristianKruesi-1173 answered:

Some news for the moment.

According to this answer on twitter (https://twitter.com/IntuneSuppTeam/status/1320843122058928129) the reporting of DFCI settings back to Intune is broken and will be fixed soon.

But that is only one part of my problem. More serious is that the settings aren't applied and the UEFI isn't secured at the moment.
So still hoping for new insights and any help still highly appreciated.


anonymous user, thanks for the update and sharing.

For the settings-not-applied issue, could you let us know if you get any finding after reviewing the logs in the case you opened? If yes, feel free to let us know. We will try our best to help.

ChristianKruesi-1173 answered:

Today DFCI is generally available: https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/microsoft-endpoint-manager-support-for-dfci-firmware-management/ba-p/1829869. But it still doesn't work here. So every bit of help is still highly appreciated.
