Manage Surface UEFI settings

Surface PC devices are designed to utilize a unique Unified Extensible Firmware Interface (UEFI) engineered by Microsoft specifically for these devices. Surface UEFI settings provide the ability to enable or disable built-in devices and components, protect UEFI settings from being changed, and adjust the Surface device boot settings.

Supported products

UEFI management is supported on the following:

  • Surface Pro 4, Surface Pro (5th Gen), Surface Pro 6, Surface Pro 7, Surface Pro 7+, Surface Pro X
  • Surface Laptop (1st Gen), Surface Laptop 2, Surface Laptop 3, Surface Laptop Go
  • Surface Studio (1st Gen), Surface Studio 2
  • Surface Book, Surface Book 2, Surface Book 3
  • Surface Go, Surface Go 2 [1]

Support for cloud-based management

With Device Firmware Configuration Interface (DFCI) profiles built into Microsoft Intune (now available in public preview), Surface UEFI management extends the modern management stack down to the UEFI hardware level. DFCI supports zero-touch provisioning, eliminates BIOS passwords, provides control of security settings including boot options and built-in peripherals, and lays the groundwork for advanced security scenarios in the future. DFCI is currently available for Surface Pro 7+, Surface Laptop Go, Surface Book 3, Surface Laptop 3, Surface Pro 7, and Surface Pro X. For more information, refer to Intune management of Surface UEFI settings.

Open Surface UEFI menu

To adjust UEFI settings during system startup:

  1. Shut down your Surface and wait about 10 seconds to make sure it's off.
  2. Press and hold the Volume-up button and, at the same time, press and release the Power button.
  3. As the Microsoft or Surface logo appears on your screen, continue to hold the Volume-up button until the UEFI screen appears.

UEFI PC information page

The PC information page includes detailed information about your Surface device:

  • Model – Your Surface device's model will be displayed here, such as Surface Book 2 or Surface Pro 7. The exact configuration of your device (such as processor, disk size, or memory size) is not shown.

  • UUID – This Universally Unique Identification number is specific to your device and is used to identify the device during deployment or management.

  • Serial Number – This number is used to identify this specific Surface device for asset tagging and support scenarios.

  • Asset Tag – The asset tag is assigned to the Surface device with the Asset Tag Tool.

You will also find detailed information about the firmware of your Surface device. Surface devices have several internal components that each run different versions of firmware. The firmware version of each of the following devices is displayed on the PC information page (as shown in Figure 1):

  • System UEFI

  • SAM Controller

  • Intel Management Engine

  • System Embedded Controller

  • Touch Firmware


Figure 1. System information and firmware version information

You can find up-to-date information about the latest firmware version for your Surface device in the Surface Update History for your device.

UEFI Security page


Figure 2. Configure Surface UEFI security settings

The Security page allows you to set a password to protect UEFI settings. This password must be entered when you boot the Surface device to UEFI. The password can contain the following characters (as shown in Figure 3):

  • Uppercase letters: A-Z

  • Lowercase letters: a-z

  • Numbers: 1-0

  • Special characters: !@#$%^&*()?<>{}[]-_=+|.,;:’`”

The password must be at least 6 characters and is case sensitive.


Figure 3. Add a password to protect Surface UEFI settings

On the Security page you can also change the configuration of Secure Boot on your Surface device. Secure Boot technology prevents unauthorized boot code from booting on your Surface device, which protects against bootkit and rootkit-type malware infections. You can disable Secure Boot to allow your Surface device to boot third-party operating systems or bootable media. You can also configure Secure Boot to work with third-party certificates, as shown in Figure 4. Read more about Secure Boot in the TechNet Library.


Figure 4. Configure Secure Boot

Depending on your device, you may also be able to see if your TPM is enabled or disabled. If you do not see the Enable TPM setting, open tpm.msc in Windows to check the status, as shown in Figure 5. The TPM is used to authenticate encryption for your device's data with BitLocker. To learn more, see BitLocker overview.


Figure 5. TPM console
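
The values shown on the PC information and Security pages can be cross-checked from inside Windows. The PowerShell script below is an added example, not part of the original article; it assumes an elevated session and that the SMBIOS BIOS version reported by Windows corresponds to the System UEFI version shown in the menu.

```powershell
#Requires -RunAsAdministrator
# Added example: collect from Windows the identity and security values that
# the Surface UEFI PC information and Security pages display.

$bios      = Get-CimInstance -ClassName Win32_BIOS
$product   = Get-CimInstance -ClassName Win32_ComputerSystemProduct
$enclosure = Get-CimInstance -ClassName Win32_SystemEnclosure | Select-Object -First 1

# Confirm-SecureBootUEFI returns $true or $false and throws when the platform
# does not support Secure Boot, so an exception is recorded as 'Unsupported'.
try {
    $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop
} catch {
    $secureBoot = 'Unsupported'
}

# Same TPM state that the tpm.msc console shows.
$tpm = Get-Tpm

# BitLocker protection state of the operating system volume.
$osVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
$blStatus = 'Unknown'
if ($osVolume) { $blStatus = "$($osVolume.ProtectionStatus)" }

$report = [pscustomobject]@{
    Model               = $product.Name
    UUID                = $product.UUID
    SerialNumber        = $bios.SerialNumber
    AssetTag            = $enclosure.SMBIOSAssetTag
    SystemUefiVersion   = $bios.SMBIOSBIOSVersion   # assumed to match "System UEFI"
    SecureBoot          = $secureBoot
    TpmPresent          = $tpm.TpmPresent
    TpmEnabled          = $tpm.TpmEnabled
    TpmReady            = $tpm.TpmReady
    BitLockerProtection = $blStatus
}
$report | Format-List

# Flag the settings an administrator would want to follow up on in UEFI.
$findings = @()
if ($secureBoot -ne $true) { $findings += 'Secure Boot is not enabled' }
if (-not $tpm.TpmPresent)  { $findings += 'No TPM detected (check the Enable TPM setting)' }
if ($tpm.TpmPresent -and -not $tpm.TpmReady) { $findings += 'TPM is present but not ready for use' }
if ($blStatus -ne 'On')    { $findings += "BitLocker protection on $env:SystemDrive is $blStatus" }

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output 'Secure Boot, TPM and BitLocker checks passed.'
}
```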

UEFI menu: Devices

The Devices page allows you to enable or disable specific devices and components including:

  • Docking and USB Ports

  • MicroSD or SD Card Slot

  • Rear Camera

  • Front Camera

  • Infrared (IR) Camera

  • Wi-Fi and Bluetooth

  • Onboard Audio (Speakers and Microphone)

Each device is listed with a slider button that you can move to the On (enabled) or Off (disabled) position, as shown in Figure 6.


Figure 6. Enable and disable specific devices

UEFI menu: Boot configuration

The Boot Configuration page allows you to change the order of your boot devices as well as enable or disable boot of the following devices:

  • Windows Boot Manager

  • USB Storage

  • PXE Network

  • Internal Storage

You can boot from a specific device immediately, or you can swipe left on that device's entry in the list using the touchscreen. You can also boot immediately to a USB device or USB Ethernet adapter when the Surface device is powered off by pressing the Volume Down button and the Power button simultaneously.

For the specified boot order to take effect, you must set the Enable Alternate Boot Sequence option to On, as shown in Figure 7.


Figure 7. Configure the boot order for your Surface device

You can also turn on and off IPv6 support for PXE with the Enable IPv6 for PXE Network Boot option, for example when performing a Windows deployment using PXE where the PXE server is configured for IPv4 only.

UEFI menu: Management

The Management page allows you to manage use of Zero Touch UEFI Management and other features on eligible devices including Surface Pro 7, Surface Pro X, and Surface Laptop 3.

Figure 8. Manage access to Zero Touch UEFI Management and other features

Zero Touch UEFI Management lets you remotely manage UEFI settings by using a device profile within Intune called Device Firmware Configuration Interface (DFCI). If you do not configure this setting, the ability to manage eligible devices with DFCI is set to Ready. To prevent DFCI, select Opt-Out.


The UEFI Management settings page and use of DFCI are currently available for Surface Pro 7+, Surface Laptop Go, Surface Book 3, Surface Laptop 3, Surface Pro 7, and Surface Pro X. To learn more, see Intune management of Surface UEFI settings.

UEFI menu: Exit

Use the Restart Now button on the Exit page to exit UEFI settings, as shown in Figure 9.


Figure 9. Click Restart Now to exit Surface UEFI and restart the device

Surface UEFI boot screens

When you update Surface device firmware, by using either Windows Update or manual installation, the updates are not applied immediately to the device, but instead during the next reboot cycle. You can find out more about the Surface firmware update process in Manage Surface driver and firmware updates. The progress of the firmware update is displayed on a screen with progress bars of differing colors to indicate the firmware for each component. Each component's progress bar is shown in Figures 9 through 18.


Figure 10. The Surface UEFI firmware update displays a blue progress bar


Figure 11. The System Embedded Controller firmware update displays a green progress bar


Figure 12. The SAM Controller firmware update displays an orange progress bar


Figure 13. The Intel Management Engine firmware update displays a red progress bar


Figure 14. The Surface touch firmware update displays a gray progress bar


Figure 15. The Surface KIP firmware update displays a light green progress bar


Figure 16. The Surface ISH firmware update displays a light pink progress bar


Figure 17. The Surface Trackpad firmware update displays a pink progress bar


Figure 18. The Surface TCON firmware update displays a light gray progress bar


Figure 19. The Surface TPM firmware update displays a purple progress bar


An additional warning message that indicates Secure Boot is disabled is displayed, as shown in Figure 19.


Figure 20. Surface boot screen that indicates Secure Boot has been disabled in Surface UEFI settings


  1. Surface Go and Surface Go 2 use a third-party UEFI and do not support DFCI.

Related topics