This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(272, 4%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECK%3C/text%3E%3C/svg%3E)
We have some Surface Pro 7 and I want to try to secure the UEFI Settings with DFCI as described in this [Microsoft Learn article][1]. The devices are registered by our CSP, autopilot works, the profiles for autopilot deployment, Enrollment State Page and DFCI are assigned. But the Deployment Status of my test devices is hanging on Pending. Are there any logfiles for DFCI available? Any Idea to my problem? Any help highly appreciated, thanks. [1]: https://learn.microsoft.com/en-us/mem/intune/configuration/device-firmware-configuration-interface-windows
It was the mistake of the CSP as suspected on this tweet: https://twitter.com/ncbrady/status/1324269514259943424. So the CSP did something wrong (although autopilot deployment still worked). I hope he can fix it for the already delivered devices.
On the one hand I'm happy that it finally works and that I didn't make a mistake and on the other hand I'm frustrated because I lost dozens of hours.
Thanks to everyone who answered and helped here...
Hey anonymous user,
have a look at the documentation, your devices must be registered in Autopilot by a Cloud Solution Provider (CSP). The CSP here is not referencing the Configuration Service Provider (CSP) which is mostly used in regards to Intune topics especially for configuration profiles.
https://learn.microsoft.com/en-us/mem/autopilot/dfci-management > section Requirements
best,
---
Oliver Kieselbach | Twitter | Blog
Mark useful answers by clicking "Accept Answer", many thanks!
Thanks for your answer, @Oliver Kieselbach .
Looks like every partner with access to the partner portal can register the devices. In my case I ordered some Surfaces from our partner and said that I'd like to have them registered for DFCI like required in the documentation you mentioned. Our partner ordered the devices from his distributor (I thought that would be the CSP). The devices were registered and autopilot worked. Only DFCI didn't work (and doesn't work until now, btw).
But then I had to order a new Surface (for a broken one) and our partner tried to register this one on his own over the partner portal. This time DFCI worked without a problem.
So it looks like:
I gave a feedback to Microsoft that it would be helpful, when the enduser IT could see, if the registration doesn't include DFCI.
Thanks, @Oliver Kieselbach . I wasn't sure if it is appropriate to mark my own answer as the correct answer.
Thanks @Crystal-MSFT for your help. One error under DeviceManagement-EnterpriseDiagnostics-Provider is something about a fake policy: ![33240-error01.png][1] [1]: /api/attachments/33240-error01.png?platform=QnA No idea, if this is important. I opened a case and hope to get some more help there. Thank you anyway.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
anonymous user, For the CSP URI:./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Receiver/Properties/Policy/FakePolicy/Version, based on my research, it is ADMX-backed policies. This is not related with Device Firmware Configuration Interface.profile. So I think we can skip this error.
https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-configuration-service-provider
The UEFI configuration service provider (CSP) interfaces to UEFI's Device Firmware Configuration Interface (DFCI) to make BIOS configuration changes are as below:
https://learn.microsoft.com/en-us/windows/client-management/mdm/uefi-csp
I noticed a case is already opened. If we get any resolution, I appreciate your sharing here.
Thanks and have a nice day!
Thank your for your answer, @Crystal-MSFT
Hopefully I can solve my problem with Microsoft Support. I will share it here.
Nice day too.
anonymous user, Thanks for the understanding. We will wait here for the update.
Also thanks for your time and have a nice day!
Some news for the moment.
According to this answer on twitter (https://twitter.com/IntuneSuppTeam/status/1320843122058928129) the reporting of DFCI settings back to Intune is broken and will be fixed soon.
But that is only one part of my problem. More serious is that the settings aren’t applied and the UEFI isn’t secured by the moment.
So still hoping for new insights and any help still highly appreciated.
anonymous user Thanks for the update and sharing.
For the setting not applied issue, could you let us know if we get any finding after reviewing the logs in the case we open? If yes, feel free to let us know. We will try our best to help.
Today DFCI is general available: https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/microsoft-endpoint-manager-support-for-dfci-firmware-management/ba-p/1829869. But still it doesn’t work here. So every help is still highly appreciated.
