Device Firmware Configuration Interface (DFCI) Management
Applies to:
- Windows 11
- Windows 10
With Windows Autopilot Deployment and Intune, you can manage Unified Extensible Firmware Interface (UEFI) settings on devices after they're enrolled by using the Device Firmware Configuration Interface (DFCI). DFCI enables Windows to pass management commands from Intune to UEFI for Autopilot-deployed devices. This capability allows you to limit end users' control over BIOS settings. For example, you can lock down the boot options to prevent users from booting another OS, such as one that doesn't have the same security features.
If a user reinstalls a previous Windows version, installs a separate OS, or formats the hard drive, they can't override DFCI management. This feature can also prevent malware from communicating with OS processes, including elevated OS processes. DFCI's trust chain uses public key cryptography, and doesn't depend on local UEFI password security. This layer of security blocks local users from accessing managed settings from the device's UEFI menus.
For an overview of DFCI benefits, scenarios, and prerequisites, see Device Firmware Configuration Interface (DFCI) Introduction.
Important
Devices enabled for DFCI by the OEM and registered for Autopilot via the OEM or a CSP in Partner Center automatically enroll in DFCI management during Autopilot provisioning. Enrollment in DFCI management triggers an additional reboot during OOBE.
DFCI management lifecycle
The DFCI management lifecycle includes the following processes:
- UEFI integration
- Device registration
- Profile creation
- Enrollment
- Management
- Retirement
- Recovery
See the following figure.
Requirements
- Windows 10, version 1809 or later, and a supported UEFI are required.
- The device manufacturer must have DFCI added to their UEFI firmware in the manufacturing process, or as a firmware update that you install. Work with your device vendors to determine the manufacturers that support DFCI, or the firmware version needed to use DFCI.
- The device must be managed with Microsoft Intune. For more information, see Enroll Windows devices in Intune using Windows Autopilot.
- The device must be registered for Windows Autopilot by a Microsoft Cloud Solution Provider (CSP) partner, or registered directly by the OEM. For Surface devices, Microsoft registration support is available at Microsoft Devices Autopilot Support.
Important
Devices manually registered for Autopilot (such as by importing from a CSV file) are not allowed to use DFCI. By design, DFCI management requires external attestation of the device's commercial acquisition through an OEM or a Microsoft CSP partner registration to Windows Autopilot. When your device is registered, its serial number is displayed in the list of Windows Autopilot devices.
Managing DFCI profile with Windows Autopilot
There are four basic steps in managing DFCI profile with Windows Autopilot:
- Create an Autopilot Profile
- Create an Enrollment status page profile
- Create a DFCI profile
- Assign the profiles
See Create the profiles and Assign the profiles, and reboot for details.
You can also change existing DFCI settings on devices that are in use. In your existing DFCI profile, change the settings and save your changes. Since the profile is already assigned, the new DFCI settings take effect the next time the device syncs or reboots.
To identify whether a device is DFCI ready, you can use the following Intune Graph API call:
managedDevice/deviceFirmwareConfigurationInterfaceManaged
For more information, see Intune devices and apps API overview and Working with Intune in Microsoft Graph.
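The following script is an added example (not part of the original page or of Microsoft's own tooling) showing how an administrator could use the managedDevice property named above, deviceFirmwareConfigurationInterfaceManaged, to report which Intune-managed devices are under DFCI management. It assumes the Graph beta deviceManagement/managedDevices endpoint, an access token supplied in the GRAPH_TOKEN environment variable, and, when no token is set, a constructed sample response so it runs offline. Devices where the property is absent are reported as not DFCI managed, which is the safer reading for an inventory check.

```python
"""Added example: inventory DFCI-managed devices via Microsoft Graph.

Assumptions (not from the page): the beta managedDevices endpoint, a bearer
token in GRAPH_TOKEN, and the constructed SAMPLE_RESPONSE used offline.
"""
import json
import os
import urllib.parse
import urllib.request

# Assumption: the DFCI property is exposed on the beta managedDevice resource.
GRAPH_BASE = "https://graph.microsoft.com/beta"
DFCI_PROP = "deviceFirmwareConfigurationInterfaceManaged"


def build_query_url(page_size=100):
    """Build the managedDevices query, selecting only the fields the report needs."""
    params = {
        "$select": f"id,deviceName,serialNumber,{DFCI_PROP}",
        "$top": str(page_size),
    }
    # Keep '$' and ',' unescaped so the OData query reads as intended.
    return (f"{GRAPH_BASE}/deviceManagement/managedDevices?"
            + urllib.parse.urlencode(params, safe="$,"))


def fetch_all_pages(token, url):
    """Follow @odata.nextLink until every device has been collected."""
    devices = []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        devices.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return devices


def split_by_dfci(devices):
    """Partition devices into DFCI-managed and not managed.

    A missing property is treated as not managed: only an explicit True counts.
    """
    managed = [d for d in devices if d.get(DFCI_PROP) is True]
    not_managed = [d for d in devices if d.get(DFCI_PROP) is not True]
    return managed, not_managed


# Constructed sample shaped like one page of a managedDevices response (not real data).
SAMPLE_RESPONSE = {
    "value": [
        {"id": "sample-id-1", "deviceName": "SURFACE-01",
         "serialNumber": "SAMPLE-SN-001", DFCI_PROP: True},
        {"id": "sample-id-2", "deviceName": "LAPTOP-02",
         "serialNumber": "SAMPLE-SN-002", DFCI_PROP: False},
        # Property absent: firmware or enrollment never reported DFCI state.
        {"id": "sample-id-3", "deviceName": "LAPTOP-03",
         "serialNumber": "SAMPLE-SN-003"},
    ]
}


def report(devices):
    """Return a short summary dict suitable for printing or further checks."""
    managed, not_managed = split_by_dfci(devices)
    return {
        "dfci_managed": [d["deviceName"] for d in managed],
        "not_dfci_managed": [d["deviceName"] for d in not_managed],
    }


if __name__ == "__main__":
    token = os.environ.get("GRAPH_TOKEN")
    if token:
        devices = fetch_all_pages(token, build_query_url())
    else:
        devices = SAMPLE_RESPONSE["value"]
    print(json.dumps(report(devices), indent=2))
```

Run it with GRAPH_TOKEN set to a token that carries the DeviceManagementManagedDevices.Read.All permission to query a real tenant; without the variable it prints the summary for the constructed sample. The "not_dfci_managed" list is the one to review against the Autopilot device list, since a device that is missing from DFCI management but registered through an OEM or CSP should have enrolled automatically.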
OEMs that support DFCI
- Acer
- Asus
- Dynabook
- Fujitsu
- Microsoft Surface
- Panasonic
Other OEMs are pending.
See also
Microsoft DFCI Scenarios
Windows Autopilot and Surface devices