Microsoft Intune Blog
Microsoft Endpoint Manager support for DFCI firmware management is now generally available

Mayunk_Jain
Nov 02, 2020

After receiving tremendous feedback from customers during the public preview, Microsoft Endpoint Manager is excited to announce that management of BIOS settings via Device Firmware Configuration Interface (DFCI) is now generally available.

DFCI is an open-source Unified Extensible Firmware Interface (UEFI) framework that allows you to securely manage the UEFI (BIOS) settings of your Windows Autopilot devices remotely via Microsoft Endpoint Manager—all while limiting the end user’s control over firmware configurations.

Unlike traditional UEFI management, DFCI removes the need for managing third-party solutions and provides zero-touch firmware management by leveraging Microsoft Endpoint Manager for cloud management. DFCI also accesses the existing Windows Autopilot device information for authorization.

How to configure DFCI settings in Microsoft Endpoint Manager admin center

Before you use DFCI, make sure your device meets the following requirements:

  • The device manufacturer must have DFCI added to their UEFI firmware in the manufacturing process, or as a firmware update that you install. Work with your device vendor or manufacturer to determine if DFCI is supported, as well as the firmware version required.
  • The device must be registered for Windows Autopilot by a Microsoft Cloud Solution Provider (CSP) partner, or registered directly by the OEM.

First, create and assign the following profiles:

Then, reboot the device to update the UEFI configuration.

Figure 1: Device Firmware Configuration Interface screenshot

After assignment, you can track the status of your policy in the report.

After the policy has been delivered to the device and the device has been rebooted, end users will not be able to modify the settings managed by DFCI, even if the UEFI (BIOS) menu is protected by a password. The BIOS settings of the device are now securely managed by the organization through Microsoft Endpoint Manager.

Learn more:

(This blog post is co-authored with Maggie Dakeva, Program Manager, Microsoft Endpoint Manager)

Updated Oct 30, 2020
Version 1.0

2 Comments

  • mr_3pathi
    Copper Contributor

    Does it support a capability to manage BIOS/UEFI password? 

  • The fact that devices, to be able to take advantage of DFCI, have to be registered by either a CSP or the OEM vendor is a large limiting factor for this feature. Especially when an environment has a lot of existing devices that were around before AutoPilot came out, the enterprise may have no way to work around this problem.

    And what happens if a hardware vendor uploads their hash, and then the enterprise needs to change the motherboard or fix something because the device fails? Since that means the enterprise has to re-upload the new hash, that now prevents DFCI. What's the reason for this limitation?