We're thrilled to announce at Ignite 2019 new features that extend modern management to the Surface UEFI hardware level, completing our promise to deliver full device management from the cloud. Built into Microsoft Intune and deployed through Windows Autopilot, Device Firmware Configuration Interface (DFCI) profiles support zero-touch provisioning, eliminate the need for BIOS passwords, and provide control of security settings including boot options and built-in peripherals. Now, IT administrators can remotely manage all endpoints and applications across their environments without needing physical access to each device. Surface is the first OEM to implement DFCI.
Now available via public preview within Intune, you can use DFCI today to manage firmware on our latest Surface devices: Surface Laptop 3, Surface Pro 7, and Surface Pro X.
Join us at Ignite 2019
If you’re attending Ignite 2019 or following via livestream, please join us Wednesday 2 p.m. EST for Managing Surface UEFI BIOS settings with Microsoft Intune.
The Unified Extensible Firmware Interface (UEFI) specification defines the software interface between the operating system and platform firmware. The ability to configure and manage firmware through a rich set of UEFI configuration settings provides a layer of hardware control beneath traditional software-based policy management. For example, organizations deploying devices in highly secure areas with sensitive information can prevent camera use by removing the functionality at the hardware level. From the operating system's standpoint, a camera turned off via a firmware setting is equivalent to a physically removed camera: the device is never enumerated, so a local administrator cannot bring it back by changing a driver or reverting a software policy.
The DFCI capability is available via Intune public preview for the latest Surface portfolio (Surface Laptop 3, Surface Pro 7, and Surface Pro X).
The initial release of DFCI is being rolled out to the latest Surface portfolio with anticipated future availability across the Surface product line. No further information is available at this time.
DFCI is available to other OEMs via an open source initiative called Project Mu. For more information, refer to Project Mu’s OEM Enablement Summary.
Public preview means the DFCI profile is still under construction as Intune integrates additional functionality prior to final release. Specifically, reporting and monitoring data may be missing or incomplete during preview.
Intune customers can create and assign a DFCI profile to Azure AD security groups as part of the public preview. Begin by signing in and selecting Device configuration > Profiles. For more information, refer to Use DFCI profiles on Windows devices in Microsoft Intune.
Autopilot is an integral part of the modern management solution to enable remote configuration of UEFI configuration settings via DFCI profiles in Intune.
DFCI has specific requirements to ensure that customer devices can only be deployed by authorized persons. To use DFCI, devices must be registered with Windows Autopilot and added to your Intune tenant by a trusted third party; specifically, a Microsoft Cloud Solution Provider (CSP) partner or OEM distributor.
As long as devices are partner- or OEM-enrolled into Windows Autopilot, customers have the option of configuring DFCI.
DFCI provides a streamlined, cloud-based alternative to Surface Enterprise Management Mode (SEMM) used in on-premises environments in conjunction with System Center Configuration Manager (SCCM) or the Surface UEFI Configurator. Compared with SEMM, the UEFI settings in DFCI are simplified and easier to manage. For example, there's only one global setting that turns off all cameras on the device, not an individual setting for each camera.
DFCI leverages the device profiles capability in Intune and is deployed using Windows Autopilot, eliminating the need for manual interaction by IT admins or end users. A device profile allows you to add and configure settings which can then be deployed to devices enrolled in management within your organization. Once the device receives the device profile, the features and settings are applied automatically. Examples of common device profiles include Email, Device restrictions, VPN, Wi-Fi, and Administrative templates. DFCI is simply an additional device profile that enables you to manage UEFI configuration settings from the cloud.
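As an added example (not code from the original post or from Microsoft), the following PowerShell script creates a DFCI profile of the kind described above and assigns it to an Azure AD security group, using the Microsoft Graph PowerShell SDK instead of the portal steps under Device configuration > Profiles. It assumes the Microsoft.Graph module is installed, that the caller can consent to DeviceManagementConfiguration.ReadWrite.All, and that the beta windows10DeviceFirmwareConfigurationInterface resource type exposes the property names and enablement values used below (check them against the current Graph reference before relying on them). `$GroupId` is a placeholder for the object ID of the group that holds your Autopilot-registered devices.

```powershell
# Added example, not from the original post: create and assign a DFCI profile via Microsoft Graph.
# Assumptions: Microsoft.Graph module installed; Graph beta endpoint; property names of the
# windows10DeviceFirmwareConfigurationInterface type as shown (verify against current docs).
param(
    [Parameter(Mandatory)] [string] $GroupId,                  # placeholder: Azure AD group object ID
    [string] $ProfileName = "Surface DFCI - secure area"
)

Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

$beta = "https://graph.microsoft.com/beta"

# Settings: lock UEFI so only Intune can change it, turn off all cameras with the single
# global switch, block booting from external media and built-in network adapters, and
# leave the remaining switches unconfigured so the device keeps its current values.
$body = @{
    "@odata.type"                  = "#microsoft.graph.windows10DeviceFirmwareConfigurationInterface"
    displayName                    = $ProfileName
    description                    = "Cameras off, external/PXE boot off, UEFI settings locked to Intune"
    changeUefiSettingsPermission   = "none"           # assumed value: local user may not change UEFI settings
    cameras                        = "disabled"
    bootFromExternalMedia          = "disabled"
    bootFromBuiltInNetworkAdapters = "disabled"
    virtualizationOfCpuAndIO       = "notConfigured"
    microphonesAndSpeakers         = "notConfigured"
    radios                         = "notConfigured"
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "$beta/deviceManagement/deviceConfigurations" `
    -Body ($body | ConvertTo-Json -Depth 5) `
    -ContentType "application/json"

Write-Host "Created DFCI profile $($created.id)"

# Assign the profile to the security group containing the Autopilot-registered devices.
$assignment = @{
    assignments = @(
        @{
            target = @{
                "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
                groupId       = $GroupId
            }
        }
    )
}

Invoke-MgGraphRequest -Method POST `
    -Uri "$beta/deviceManagement/deviceConfigurations/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 5) `
    -ContentType "application/json" | Out-Null

# Read back per-device status. During the public preview this reporting may be empty or
# incomplete, so an absent or 'unknown' status means "not yet confirmed", not "failed".
$status = Invoke-MgGraphRequest -Method GET `
    -Uri "$beta/deviceManagement/deviceConfigurations/$($created.id)/deviceStatuses"

$status.value | Select-Object deviceDisplayName, status, lastReportedDateTime | Format-Table
```

Because DFCI settings persist in firmware until the profile is edited, keep the assignment scoped to a test group first and confirm on a device that the camera no longer enumerates (for example, it is absent from `Get-PnpDevice -Class Camera`) before widening the rollout.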
Managing firmware by enrolling devices into SEMM remains a supported solution for organizations that require an on-premises management environment. However, it is more complex and IT-intensive than DFCI. As an example, SEMM enrollment requires IT staff to physically access each PC and enter the last two characters of the SEMM certificate thumbprint on the device as part of the certificate management process.
Version 1809 or later.
No. All DFCI settings remain in effect across all devices unless edited directly in the DFCI profile within Intune. If the original DFCI profile has been deleted, you can remove policy settings by creating a new profile and then editing the settings as appropriate.
No. In this scenario old devices are automatically unenrolled from Autopilot and replacement devices are then enrolled in Autopilot — just like any new device.
No. An IT admin needs to find the new device within Intune and then add it to the appropriate Azure AD security group — just like any new device.
No. All eligible Surface devices are automatically enabled for DFCI because the UEFI setting — Zero Touch UEFI Management — is set to Ready by default. If you discover that the Zero Touch UEFI Management setting on targeted Surface devices has been modified to Opt-out, you will need to revert the value back to Ready before DFCI settings can take effect on those devices.
You can try DFCI on eligible Surface devices in a test environment before rolling them out to users.
For more information, see: