Use Device Firmware Configuration Interface profiles on Windows devices in Microsoft Intune (public preview)

When you use Intune to manage Autopilot devices, you can manage UEFI (BIOS) settings after they're enrolled, using the Device Firmware Configuration Interface (DFCI). For an overview of benefits, scenarios, and prerequisites, see Overview of DFCI.

DFCI enables Windows to pass management commands from Intune to UEFI (Unified Extensible Firmware Interface).

In Intune, use this feature to control BIOS settings. Settings enforced in firmware are more resilient to malicious attacks than settings enforced by the OS, and DFCI limits end users' control over the BIOS, which matters when a device is compromised.

For example, you use Windows 10 devices in a secure environment and want to disable the camera. You can disable the camera at the firmware layer, so it doesn't matter what the end user does: reinstalling the OS or wiping the computer won't turn the camera back on. In another example, lock down the boot options to prevent users from booting another OS, or an older version of Windows that doesn't have the same security features.

Reinstalling an older Windows version, installing a separate OS, or formatting the hard drive doesn't override DFCI management. Because the settings are enforced below the OS, malware, including malware running in elevated OS processes, can't re-enable hardware that DFCI has disabled. DFCI's trust chain uses public key cryptography, and doesn't depend on local UEFI (BIOS) password security. This layer of security blocks local users from accessing managed settings from the device's UEFI (BIOS) menus.

This feature applies to:

  • Windows 10 RS5 (1809) and later on supported UEFI

Before you begin

  • The device manufacturer must have added DFCI to their UEFI firmware in the manufacturing process, or as a firmware update you install. Work with your device vendors to determine which manufacturers support DFCI, or the firmware version needed to use DFCI.

  • The device must be registered for Windows Autopilot by a Microsoft Cloud Solution Provider (CSP) partner, or registered directly by the OEM.

    Devices manually registered for Autopilot, such as those imported from a CSV file, aren't allowed to use DFCI. By design, DFCI management requires external attestation of the device's commercial acquisition, in the form of an OEM or Microsoft CSP partner registration to Windows Autopilot.

    Once your device is registered, its serial number is shown in the list of Windows Autopilot devices.

    For more information on Autopilot, including any requirements, see Enroll Windows devices in Intune by using Windows Autopilot.

Create your Azure AD security groups

Autopilot deployment profiles are assigned to Azure AD security groups. Be sure to create groups that include your DFCI-supported devices. For DFCI devices, most organizations create device groups instead of user groups. Consider the following scenarios:

  • Human Resources (HR) has a mix of Windows devices. For security reasons, you don't want anyone in this group to use the camera on their devices. In this scenario, you can create an HR security user group so the policy applies to users in the HR group, whatever the device type.
  • On the manufacturing floor, you have 10 devices. On all of them, you want to prevent booting from a USB device. In this scenario, you can create a security device group and add these 10 devices to it.

For more information on creating groups in Intune, see Add groups to organize users and devices.

Create the profiles

To use DFCI, create the following profiles and assign them to your group.

Create an Autopilot deployment profile

This profile sets up and pre-configures new devices. Autopilot deployment profile lists the steps to create the profile.

Create an Enrollment Status Page profile

This profile makes sure that devices are verified and enabled for DFCI during Windows setup. It's highly recommended to use this profile to block device use until all apps and profiles are installed. Enrollment Status Page profile lists the steps to create the profile.

Create the DFCI profile

This profile includes the DFCI settings you configure.

  1. Sign in to the Microsoft Endpoint Manager admin center.

  2. Select Devices > Configuration profiles > Create profile.

  3. Enter the following properties:

    • Platform: Choose Windows 10 and later.
    • Profile: Select Device Firmware Configuration Interface.
  4. Select Create.

  5. In Basics, enter the following properties:

    • Name: Enter a descriptive name for the profile. Name your policies so you can easily identify them later. For example, a good profile name is Windows: Configure DFCI settings on Windows devices.
    • Description: Enter a description for the profile. This setting is optional, but recommended.
  6. Select Next.

  7. In Configuration settings, configure the following settings:

    • Allow local user to change UEFI (BIOS) settings: Your options:

      • Only not configured settings: The local user may change any setting except those explicitly set to Enabled or Disabled by Intune.
      • None: The local user may not change any UEFI (BIOS) settings, including settings not shown in the DFCI profile.
    • CPU and IO virtualization: Your options:

      • Not configured: Intune doesn't change or update this setting.
      • Enabled: The BIOS enables the platform's CPU and IO virtualization capabilities for use by the OS. This is what Windows Virtualization Based Security and Device Guard rely on.
    • Cameras: Your options:

      • Not configured: Intune doesn't change or update this setting.
      • Enabled: All built-in cameras directly managed by UEFI (BIOS) are enabled. Peripherals, like USB cameras, aren't affected.
      • Disabled: All built-in cameras directly managed by UEFI (BIOS) are disabled. Peripherals, like USB cameras, aren't affected.
    • Microphones and speakers: Your options:

      • Not configured: Intune doesn't change or update this setting.
      • Enabled: All built-in microphones and speakers directly managed by UEFI (BIOS) are enabled. Peripherals, like USB devices, aren't affected.
      • Disabled: All built-in microphones and speakers directly managed by UEFI (BIOS) are disabled. Peripherals, like USB devices, aren't affected.
    • Radios (Bluetooth, Wi-Fi, NFC, etc.): Your options:

      • Not configured: Intune doesn't change or update this setting.
      • Enabled: All built-in radios directly managed by UEFI (BIOS) are enabled. Peripherals, like USB devices, aren't affected.
      • Disabled: All built-in radios directly managed by UEFI (BIOS) are disabled. Peripherals, like USB devices, aren't affected.

      Warning

      If you disable the Radios setting, the device requires a wired network connection. Otherwise, the device may be unmanageable.

    • Boot from external media (USB, SD): Your options:

      • Not configured: Intune doesn't change or update this setting.
      • Enabled: UEFI (BIOS) allows booting from non-hard-drive storage.
      • Disabled: UEFI (BIOS) doesn't allow booting from non-hard-drive storage.
    • Boot from network adapters: Your options:

      • Not configured: Intune doesn't change or update this setting.
      • Enabled: UEFI (BIOS) allows booting from built-in network interfaces.
      • Disabled: UEFI (BIOS) doesn't allow booting from built-in network interfaces.
  8. Select Next.

  9. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such as US-NC IT Team or JohnGlenn_ITDepartment. For more information about scope tags, see Use RBAC and scope tags for distributed IT.

    Select Next.

  10. In Assignments, select the users or groups (for DFCI, typically device groups) that will receive your profile. For more information on assigning profiles, see Assign user and device profiles.

    Select Next.

  11. In Review + create, review your settings. When you select Create, your changes are saved, and the profile is assigned. The policy is also shown in the profiles list.

The next time each device checks in, the policy is applied.
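The same profile can be created and assigned without the portal. The script below is an added example, not code from the Intune documentation. It assumes the Microsoft.Graph.Authentication module is installed, that the Graph beta resource type windows10DeviceFirmwareConfigurationInterface and its property names (changeUefiSettingsPermission, virtualizationOfCpuAndIO, cameras, microphonesAndSpeakers, radios, bootFromExternalMedia, bootFromBuiltInNetworkAdapters) match the Graph beta reference, and that the group ID is a placeholder you replace. It builds the manufacturing-floor profile from the scenarios above and refuses to send a profile that disables radios, because that setting can leave Wi-Fi-only devices unmanageable.

```powershell
# Added example (not from the Intune docs): create a DFCI profile via Microsoft Graph
# (beta) and assign it to a device group. The resource type and property names are
# assumed to match the Graph beta reference; verify them there before use.
#Requires -Modules Microsoft.Graph.Authentication
param(
    # Object ID of the Azure AD security group holding the DFCI devices (placeholder)
    [string] $DeviceGroupId = '00000000-0000-0000-0000-000000000000'
)

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'
$graph = 'https://graph.microsoft.com/beta'

# Manufacturing-floor profile: lock the UEFI menus, keep virtualization on for VBS,
# disable the built-in camera, block USB/SD and PXE boot. Radios are left
# notConfigured on purpose: disabling them on a device without a wired NIC leaves it
# unmanageable, as the Warning in the settings list above says.
$dfciProfile = @{
    '@odata.type'                  = '#microsoft.graph.windows10DeviceFirmwareConfigurationInterface'
    displayName                    = 'Windows: Configure DFCI settings on Windows devices'
    description                    = 'Manufacturing floor: no camera, no external or network boot'
    changeUefiSettingsPermission   = 'none'            # local user may change nothing in UEFI
    virtualizationOfCpuAndIO       = 'enabled'         # prerequisite for VBS / Device Guard
    cameras                        = 'disabled'
    microphonesAndSpeakers         = 'notConfigured'
    radios                         = 'notConfigured'   # never 'disabled' from a script
    bootFromExternalMedia          = 'disabled'
    bootFromBuiltInNetworkAdapters = 'disabled'
}

# Guard against the failure mode the page warns about before anything is sent.
if ($dfciProfile.radios -eq 'disabled') {
    throw 'Refusing to disable radios: devices without a wired NIC would become unmanageable.'
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "$graph/deviceManagement/deviceConfigurations" -Body $dfciProfile
Write-Host "Created DFCI profile $($created.id)"

# DFCI is a firmware-level setting, so a device group is the normal assignment target.
$assignment = @{
    assignments = @(
        @{
            target = @{
                '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                groupId       = $DeviceGroupId
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "$graph/deviceManagement/deviceConfigurations/$($created.id)/assign" -Body $assignment
Write-Host "Assigned profile $($created.id) to group $DeviceGroupId"
```

Run it from a PowerShell session as an Intune administrator. The hard check on the radios value is there because a scripted profile is easy to copy and edit; in the portal the same mistake is at least accompanied by the warning.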

Assign the profiles, and reboot

Be sure to assign the profiles to the Azure AD security groups that include your DFCI devices. A profile can be assigned when it's created, or afterward.

When the device runs Windows Autopilot, DFCI may force a reboot during the Enrollment Status Page. This first reboot enrolls UEFI with Intune.

If you want to confirm the device is enrolled, you can reboot the device again, but it's not required. Use the device manufacturer's instructions to open the UEFI menu, and confirm UEFI is now managed.

The next time the device syncs with Intune, Windows receives the DFCI settings. Reboot the device again: this reboot (the third, counting the optional confirmation reboot) is required for UEFI to receive the DFCI settings from Windows.

Update existing DFCI settings

If you want to change existing DFCI settings on devices that are in use, you can. In your existing DFCI profile, change the settings and save your changes. Since the profile is already assigned, the new DFCI settings take effect when:

  1. The device checks in with the Intune service and picks up the profile update. Check-ins happen at various times. For more information, see when devices get a policy, profile, or app updates.

  2. The device is rebooted, remotely or locally, which enforces the new settings in UEFI.

You can also signal devices to check in. After a successful sync, signal them to reboot.

Note

Deleting the DFCI profile, or removing a device from the group assigned to the profile, doesn't remove the DFCI settings or re-enable the UEFI (BIOS) menus. If you want to stop using DFCI, update your existing DFCI profile instead. For the steps, see Retire the device in this article.
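The check-in-then-reboot sequence can be driven from Microsoft Graph. The following script is an added example, not from the Intune documentation. It assumes the Microsoft.Graph.Authentication module, a device group whose members are Azure AD device objects, and the Graph beta managedDevices endpoint with its syncDevice and rebootNow actions. The important detail is the ordering: it only reboots a device after its lastSyncDateTime has advanced, because rebooting before the profile has been received just restarts the device with the old firmware settings.

```powershell
# Added example (not from the Intune docs): sync every device in a group, then reboot
# each one only after Intune reports a new check-in.
#Requires -Modules Microsoft.Graph.Authentication
param(
    [Parameter(Mandatory)] [string] $DeviceGroupId,   # Azure AD group of DFCI devices
    [int] $SyncWaitMinutes = 10                       # how long to wait for check-ins
)

Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.PrivilegedOperations.All',
                        'DeviceManagementManagedDevices.Read.All', 'GroupMember.Read.All'
$graph = 'https://graph.microsoft.com/beta'

# Resolve group members to Intune managed-device records through the Azure AD device
# ID that both objects carry. Users and nested groups have no deviceId and are skipped.
$members = Invoke-MgGraphRequest -Method GET -Uri "$graph/groups/$DeviceGroupId/members?`$select=id,deviceId"
$managed = foreach ($m in $members.value) {
    if (-not $m.deviceId) { continue }
    $r = Invoke-MgGraphRequest -Method GET -Uri ("$graph/deviceManagement/managedDevices?" +
        "`$filter=azureADDeviceId eq '$($m.deviceId)'&`$select=id,deviceName,lastSyncDateTime")
    $r.value
}
if (-not $managed) { throw "No managed devices found in group $DeviceGroupId" }

# Step 1: record the current sync time, then ask each device to check in.
$pending = @{}
foreach ($d in $managed) {
    $pending[$d.id] = [datetime]$d.lastSyncDateTime
    Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/managedDevices/$($d.id)/syncDevice"
    Write-Host "Sync requested: $($d.deviceName)"
}

# Step 2: reboot a device only once its lastSyncDateTime has moved past the value
# recorded above, i.e. after it actually fetched the updated profile.
$deadline = (Get-Date).AddMinutes($SyncWaitMinutes)
while ($pending.Count -gt 0 -and (Get-Date) -lt $deadline) {
    Start-Sleep -Seconds 60
    foreach ($id in @($pending.Keys)) {
        $now = Invoke-MgGraphRequest -Method GET -Uri ("$graph/deviceManagement/managedDevices/$($id)?" +
            "`$select=id,deviceName,lastSyncDateTime")
        if ([datetime]$now.lastSyncDateTime -gt $pending[$id]) {
            Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/managedDevices/$id/rebootNow"
            Write-Host "Synced; reboot requested: $($now.deviceName)"
            $pending.Remove($id)
        }
    }
}
foreach ($id in $pending.Keys) {
    Write-Warning "Device $id did not check in within $SyncWaitMinutes minutes; not rebooted."
}
```

Devices that never check in are reported rather than rebooted, so an offline device isn't restarted into a state you haven't verified.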

Reuse, retire, or recover the device

Reuse

If you plan to reset Windows to repurpose the device, wipe the device. Do not remove the Autopilot device record.

After wiping the device, move it to the group assigned the new DFCI and Autopilot profiles. Be sure to reboot the device to rerun Windows setup.

Retire

When you're ready to retire the device and release it from management, update the DFCI profile to the UEFI (BIOS) settings you want at the exit state. Typically, you want all settings enabled. For example:

  1. Open your DFCI profile (Devices > Configuration profiles).
  2. Change Allow local user to change UEFI (BIOS) settings to Only not configured settings.
  3. Set all other settings to Not configured.
  4. Save your settings.

These steps unlock the device's UEFI (BIOS) menus. The hardware settings themselves keep whatever value the profile last enforced (Enabled or Disabled); they aren't reset to any defaults.

You're now ready to wipe the device. Once the device is wiped, delete the Autopilot record. Deleting the record prevents the device from automatically re-enrolling when it reboots.

Recover

If you wipe a device and delete the Autopilot record before unlocking the UEFI (BIOS) menus, the menus remain locked, and Intune can't send profile updates to unlock them.

To unlock the device, open the UEFI (BIOS) menu and refresh management from network. Recovery unlocks the menus, but leaves all UEFI (BIOS) settings at the values in the previous Intune DFCI profile.

End user impact

When the DFCI policy is applied, local users can't change settings configured by DFCI, even if the UEFI (BIOS) menu is password protected. Depending on the settings you configure, end users may receive errors that hardware components aren't found or can't be diagnosed. Be sure to provide documentation to end users explaining the options you've disabled.
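The retire sequence has an ordering hazard: wiping and deleting the Autopilot record before the unlock has reached the firmware leaves the device in the state described under Recover. The script below is an added example, not from the Intune documentation, that splits the work into two phases and refuses to run the second one while the profile still locks the menus. It assumes the Microsoft.Graph.Authentication module, the Graph beta windows10DeviceFirmwareConfigurationInterface property names from the earlier example, and the windowsAutopilotDeviceIdentities resource with its managedDeviceId and serialNumber properties. The check it performs is against the profile in Intune, not the device; confirming in the UEFI menu that the menus are unlocked, as the text says, remains the operator's job.

```powershell
# Added example (not from the Intune docs): retire a DFCI device in two phases.
#   Phase 1 (default): set the DFCI profile to its exit state.
#   Phase 2 (-WipeAndDeregister): wipe the device and delete its Autopilot record,
#   but only if the profile no longer locks the UEFI menus.
#Requires -Modules Microsoft.Graph.Authentication
param(
    [Parameter(Mandatory)] [string] $DfciProfileId,   # id of the existing DFCI profile
    [Parameter(Mandatory)] [string] $SerialNumber,    # serial of the device being retired
    [switch] $WipeAndDeregister                       # run only after the unlock has applied
)

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All',
                        'DeviceManagementManagedDevices.PrivilegedOperations.All',
                        'DeviceManagementServiceConfig.ReadWrite.All'
$graph      = 'https://graph.microsoft.com/beta'
$profileUri = "$graph/deviceManagement/deviceConfigurations/$DfciProfileId"
$hardwareKeys = 'virtualizationOfCpuAndIO', 'cameras', 'microphonesAndSpeakers',
                'radios', 'bootFromExternalMedia', 'bootFromBuiltInNetworkAdapters'

if (-not $WipeAndDeregister) {
    # Exit state from the Retire steps: unlock the menus, stop enforcing everything else.
    $exitState = @{ '@odata.type' = '#microsoft.graph.windows10DeviceFirmwareConfigurationInterface'
                    changeUefiSettingsPermission = 'notConfiguredOnly' }
    foreach ($k in $hardwareKeys) { $exitState[$k] = 'notConfigured' }
    Invoke-MgGraphRequest -Method PATCH -Uri $profileUri -Body $exitState
    Write-Host "Profile $DfciProfileId set to exit state. Let the device sync and reboot,"
    Write-Host "confirm in the UEFI menu that it is unlocked, then rerun with -WipeAndDeregister."
    return
}

# Phase 2 guard: never delete the Autopilot record while the profile still locks the
# menus. If the record goes first, Intune can no longer push the unlock (see Recover).
$current  = Invoke-MgGraphRequest -Method GET -Uri $profileUri
$enforced = @($hardwareKeys | Where-Object { $current[$_] -ne 'notConfigured' })
if ($current.changeUefiSettingsPermission -ne 'notConfiguredOnly' -or $enforced.Count -gt 0) {
    throw "Profile $DfciProfileId still locks UEFI or enforces: $($enforced -join ', '). Aborting."
}

# Autopilot identity carries the managed-device id, so one lookup by serial serves both steps.
$ap = (Invoke-MgGraphRequest -Method GET -Uri ("$graph/deviceManagement/windowsAutopilotDeviceIdentities?" +
        "`$filter=contains(serialNumber,'$SerialNumber')")).value | Select-Object -First 1
if (-not $ap) { throw "No Autopilot record for serial $SerialNumber" }

if ($ap.managedDeviceId -and $ap.managedDeviceId -ne '00000000-0000-0000-0000-000000000000') {
    Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/managedDevices/$($ap.managedDeviceId)/wipe" `
        -Body @{ keepEnrollmentData = $false; keepUserData = $false }
    Write-Host "Wipe issued to managed device $($ap.managedDeviceId)"
}

# Only now remove the Autopilot record so the device doesn't re-enroll on reboot.
Invoke-MgGraphRequest -Method DELETE -Uri "$graph/deviceManagement/windowsAutopilotDeviceIdentities/$($ap.id)"
Write-Host "Autopilot record $($ap.id) deleted for serial $SerialNumber"
```

For the Reuse case, run neither phase as written: wipe the device but leave the Autopilot record in place and move the device to its new group, as the section above describes.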

Next steps

After the profile is assigned, monitor its status.