Use Device Firmware Configuration Interface profiles on Windows devices in Microsoft Intune (public preview)

When you use Intune to manage Autopilot devices, you can manage UEFI (BIOS) settings after they're enrolled, using the Device Firmware Configuration Interface (DFCI). For an overview of benefits, scenarios, and prerequisites, see Overview of DFCI.

DFCI enables Windows to pass management commands from Intune to UEFI (Unified Extensible Firmware Interface).

In Intune, use this feature to control BIOS settings. Firmware is typically more resilient to malicious attacks, and DFCI limits end users' control over the BIOS, which is valuable when a device is compromised.

For example, you use Windows 10 devices in a secure environment, and want to disable the camera. You can disable the camera at the firmware layer, so it doesn't matter what the end user does. Reinstalling the OS or wiping the computer won't turn the camera back on. In another example, you can lock down the boot options to prevent users from booting another OS, or an older version of Windows that doesn't have the same security features.

When you reinstall an older Windows version, install a separate OS, or format the hard drive, you can't override DFCI management. This feature can prevent malware from communicating with OS processes, including elevated OS processes. DFCI’s trust chain uses public key cryptography, and doesn't depend on local UEFI (BIOS) password security. This layer of security blocks local users from accessing managed settings from the device’s UEFI (BIOS) menus.

This feature applies to:

  • Windows 10 RS5 (1809) and later on supported UEFI

Before you begin

  • The device manufacturer must have DFCI added to their UEFI firmware in the manufacturing process, or as a firmware update you install. Work with your device vendors to determine the manufacturers that support DFCI, or the firmware version needed to use DFCI.

  • The device must be registered for Windows Autopilot by a Microsoft Cloud Solution Provider (CSP) partner, or registered directly by the OEM.

    Devices manually registered for Autopilot, such as imported from a csv file, aren't allowed to use DFCI. By design, DFCI management requires external attestation of the device’s commercial acquisition through an OEM or a Microsoft CSP partner registration to Windows Autopilot.

    Once your device is registered, its serial number is shown in the list of Windows Autopilot devices.

    For more information on Autopilot, including any requirements, see Enroll Windows devices in Intune by using the Windows Autopilot.

Create your Azure AD security groups

Autopilot deployment profiles are assigned to Azure AD security groups. Be sure to create groups that include your DFCI-supported devices. For DFCI devices, most organizations create device groups instead of user groups. Consider the following scenarios:

  • Human Resources (HR) has different Windows devices. For security reasons, you don't want anyone in this group to use the camera on the devices. In this scenario, you can create an HR security users group so the policy applies to users in the HR group, whatever the device type.
  • On the manufacturing floor, you have 10 devices. On all devices, you want to prevent booting the devices from a USB device. In this scenario, you can create a security devices group, and add these 10 devices to the group.

For more information on creating groups in Intune, see Add groups to organize users and devices.

Create the profiles

To use DFCI, create the following profiles, and assign them to your group.

Create an Autopilot deployment profile

This profile sets up and pre-configures new devices. Autopilot deployment profile lists the steps to create the profile.

Create an Enrollment Status Page profile

This profile makes sure that devices are verified and enabled for DFCI during Windows setup. It's highly recommended to use this profile to block device use until all apps and profiles are installed. Enrollment Status Page profile lists the steps to create the profile.

Create the DFCI profile

This profile includes the DFCI settings you configure.

  1. Sign in to the Microsoft Endpoint Manager Admin Center.

  2. Select Devices > Configuration profiles > Create profile.

  3. Enter the following properties:

    • Name: Enter a descriptive name for the profile. Name your policies so you can easily identify them later. For example, a good profile name is Windows: Configure DFCI settings on Windows devices.
    • Description: Enter a description for the profile. This setting is optional, but recommended.
    • Platform: Choose Windows 10 and later.
    • Profile type: Select Device Firmware Configuration Interface.
  4. Configure the settings:

    • Allow local user to change UEFI (BIOS) settings: Your options:

      • Only not configured settings: The local user may change any setting except those settings explicitly set to Enable or Disable by Intune.
      • None: The local user may not change any UEFI (BIOS) settings, including settings not shown in the DFCI profile.
    • CPU and IO virtualization: Your options:

      • Not configured: Intune doesn't touch this feature, and leaves any settings as-is.
      • Enabled: The BIOS enables the platform’s CPU and IO virtualization capabilities for use by the OS. It turns on Windows Virtualization Based Security and Device Guard technologies.
      • Disabled: The BIOS disables the platform's CPU and IO virtualization capabilities, and prevents them from being used.
    • Cameras: Your options:

      • Not configured: Intune doesn't touch this feature, and leaves any settings as-is.
      • Enabled: All built-in cameras directly managed by UEFI (BIOS) are enabled. Peripherals, like USB cameras, aren't affected.
      • Disabled: All built-in cameras directly managed by UEFI (BIOS) are disabled. Peripherals, like USB cameras, aren't affected.
    • Microphones and speakers: Your options:

      • Not configured: Intune doesn't touch this feature, and leaves any settings as-is.
      • Enabled: All built-in microphones and speakers directly managed by UEFI (BIOS) are enabled. Peripherals, like USB devices, aren't affected.
      • Disabled: All built-in microphones and speakers directly managed by UEFI (BIOS) are disabled. Peripherals, like USB devices, aren't affected.
    • Radios (Bluetooth, Wi-Fi, NFC, etc.): Your options:

      • Not configured: Intune doesn't touch this feature, and leaves any settings as-is.
      • Enabled: All built-in radios directly managed by UEFI (BIOS) are enabled. Peripherals, like USB devices, aren't affected.
      • Disabled: All built-in radios directly managed by UEFI (BIOS) are disabled. Peripherals, like USB devices, aren't affected.

      Warning

      If you disable the Radios setting, the device requires a wired network connection. Otherwise, the device may be unmanageable.

    • Boot from external media (USB, SD): Your options:

      • Not configured: Intune doesn't touch this feature, and leaves any settings as-is.
      • Enabled: UEFI (BIOS) allows booting from non-hard drive storage.
      • Disabled: UEFI (BIOS) doesn't allow booting from non-hard drive storage.
    • Boot from network adapters: Your options:

      • Not configured: Intune doesn't touch this feature, and leaves any settings as-is.
      • Enabled: UEFI (BIOS) allows booting from built-in network interfaces.
      • Disabled: UEFI (BIOS) doesn't allow booting from built-in network interfaces.
  5. When you're done, select OK > Create to save your changes. The profile is created, and shown in the list.

Assign the profiles, and reboot

After the profiles are created, they're ready to be assigned. Be sure to assign the profiles to your Azure AD security groups that include your DFCI devices.

When the device runs Windows Autopilot, during the Enrollment Status Page, DFCI may force a reboot. This first reboot enrolls UEFI to Intune.

If you want to confirm the device is enrolled, you can reboot the device again, but it's not required. Use the device manufacturer’s instructions to open the UEFI menu, and confirm UEFI is now managed.

The next time the device syncs with Intune, Windows receives the DFCI settings. Reboot the device. This third reboot is required for UEFI to receive the DFCI settings from Windows.

Update existing DFCI settings

If you want to change existing DFCI settings on devices that are in use, you can. In your existing DFCI profile, change the settings, and save your changes. Since the profile is already assigned, the new DFCI settings take effect when:

  1. The device checks in with the Intune service to review profile updates. Check-ins happen at various times. For more information, see when devices get policy, profile, or app updates.

  2. To enforce the new settings, reboot the device remotely or locally.

You can also signal devices to check in. After a successful sync, signal to reboot.

Note

Deleting the DFCI profile, or removing a device from the group assigned to the profile doesn't remove DFCI settings or re-enable the UEFI (BIOS) menus. If you want to stop using DFCI, then update your existing DFCI profile. For more information on the steps, see retire the device in this article.

Reuse, retire, or recover the device

Reuse

If you plan to reset Windows to repurpose the device, then wipe the device. Do not remove the Autopilot device record.

After wiping the device, move the device to the group that's assigned the new DFCI and Autopilot profiles. Be sure to reboot the device to rerun Windows setup.

Retire

When you're ready to retire the device and release it from management, update the DFCI profile to the UEFI (BIOS) settings you want at the exit state. Typically, you want all settings enabled. For example:

  1. Open your DFCI profile (Devices > Configuration profiles).
  2. Change the Allow local user to change UEFI (BIOS) settings to Only not configured settings.
  3. Set all other settings to Not configured.
  4. Save your settings.

These steps unlock the device’s UEFI (BIOS) menus. The values remain the same as the profile (Enabled or Disabled), and aren't set back to any default OS values.
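The following model, added here as an illustration and not Intune or Microsoft Graph code, captures the semantics described in the profile settings above and in the Retire steps: Enabled/Disabled writes a firmware value and locks it, Not configured leaves the value as-is, the "Allow local user" option decides what the UEFI menu lets a local user touch, and deleting the profile reverts nothing. Setting names and the three-state values are assumed for the model and mirror the profile page.

```python
"""Model of how DFCI profile values land in UEFI and what a local user may
change afterwards. Added illustration, not Intune or Graph code."""
from dataclasses import dataclass, field

NOT_CONFIGURED, ENABLED, DISABLED = "Not configured", "Enabled", "Disabled"
ONLY_NOT_CONFIGURED, NONE = "Only not configured settings", "None"
SETTINGS = ("cpu_io_virtualization", "cameras", "microphones_speakers",
            "radios", "boot_external_media", "boot_network_adapters")


@dataclass
class FirmwareState:
    # Current UEFI values; None means Intune has never written the setting.
    values: dict = field(default_factory=lambda: {s: None for s in SETTINGS})
    managed: set = field(default_factory=set)   # settings Intune explicitly set
    local_change: str = ONLY_NOT_CONFIGURED      # "Allow local user ..." option


def apply_profile(state, profile):
    """Enabled/Disabled writes the value and locks it; Not configured releases
    the lock but does NOT reset the value (the page's retire semantics)."""
    state.local_change = profile.get("allow_local_change", state.local_change)
    for s in SETTINGS:
        v = profile.get(s, NOT_CONFIGURED)
        if v == NOT_CONFIGURED:
            state.managed.discard(s)     # value stays at whatever it is now
        else:
            state.values[s] = v
            state.managed.add(s)
    return state


def delete_profile(state):
    """Removing the profile or the device from the group changes nothing."""
    return state


def local_user_can_change(state, setting):
    """With "None" every UEFI setting is locked, even ones not in the profile."""
    return state.local_change != NONE and setting not in state.managed


def profile_warnings(profile):
    """Pre-assignment checks a practitioner would run before locking devices."""
    warnings = []
    if profile.get("radios") == DISABLED:
        warnings.append("radios disabled: a wired connection is required, "
                        "or the device may become unmanageable")
    return warnings


def retire_profile():
    """Exit-state profile from the Retire steps: unlock menus, touch nothing."""
    return {"allow_local_change": ONLY_NOT_CONFIGURED,
            **{s: NOT_CONFIGURED for s in SETTINGS}}
```

Running the model through a locked-down profile, a deletion, and then the retire profile shows why the Retire steps must run before the Autopilot record is deleted: only the retire profile unlocks the menus, and even then the Disabled values persist.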

You're now ready to wipe the device. Once the device is wiped, delete the Autopilot record. Deleting the record prevents the device from automatically re-enrolling when it reboots.

Recover

If you wipe a device, and delete the Autopilot record before unlocking the UEFI (BIOS) menus, then the menus remain locked. Intune can't send profile updates to unlock them.

To unlock the device, open the UEFI (BIOS) menu, and refresh management from network. Recovery unlocks the menus, but leaves all UEFI (BIOS) settings set to the values in the previous Intune DFCI profile.

End user impact

When the DFCI policy is applied, local users can't change settings configured by DFCI, even if the UEFI (BIOS) menu is password protected. Depending on the settings you configure, end users may receive errors that hardware components aren't found, or can't be diagnosed. Be sure to provide documentation to end users explaining the options you've disabled.

Next steps

After the profile is assigned, monitor its status.