Ignite 2019: Announcing remote management of Surface UEFI settings from Intune
Published Nov 04 2019 09:01 AM 15.6K Views
Microsoft

We're thrilled to announce at Ignite 2019 new features that extend modern management to the Surface UEFI hardware level, completing our promise to deliver full device management from the cloud. Built into Microsoft Intune and deployed through Windows Autopilot, Device Firmware Configuration Interface (DFCI) profiles support zero-touch provisioning, eliminate the need for BIOS passwords, and provide control of security settings including boot options and built-in peripherals. IT administrators can now manage the firmware of every enrolled endpoint remotely, alongside the operating system and applications, without physically accessing each device. Surface is the first OEM to implement DFCI.

[Image: dfcia.jpg]

Now available via public preview within Intune, you can use DFCI today to manage firmware on our latest Surface devices including Surface Laptop 3, Surface Pro 7, and Surface Pro X.

 

Join us at Ignite 2019

If you’re attending Ignite 2019 or following via livestream, please join us Wednesday 2 p.m. EST for Managing Surface UEFI BIOS settings with Microsoft Intune.

 

Q&A

 

What is the impact of managing a device at the firmware level?

The Unified Extensible Firmware Interface (UEFI) specification defines the software interface between the operating system and platform firmware. The ability to configure and manage firmware through a rich set of UEFI configuration settings provides a layer of hardware control underneath traditional software-based policy management, one that an administrator with local rights on the OS cannot override. For example, organizations deploying devices in highly secure areas with sensitive information can prevent camera use by removing the functionality at the hardware level. When a camera is turned off by a firmware setting, the operating system no longer enumerates the device at all, so from the device's standpoint it is equivalent to physically removing the camera.

 

What devices can I manage with DFCI?

The DFCI capability is available via Intune public preview for the latest Surface portfolio (Surface Laptop 3, Surface Pro 7, and Surface Pro X).

 

Why is DFCI only available for newly released devices? Will it be extended to other Surface devices?

The initial release of DFCI is being rolled out to the latest Surface portfolio with anticipated future availability across the Surface product line. No further information is available at this time.

 

Will DFCI be released for other Windows 10 devices?

DFCI is available to other OEMs via an open source initiative called Project Mu. For more information, refer to Project Mu’s OEM Enablement Summary.

 

What does public preview mean and how will DFCI be available from Intune?

Public preview means the DFCI profile is still under construction as Intune integrates additional functionality prior to final release. Specifically, reporting and monitoring data may be missing or incomplete during preview.

 

Intune customers can create and assign a DFCI profile to Azure AD security groups as part of the public preview. Begin by signing in and selecting Device configuration > Profiles. For more information, refer to Use DFCI profiles on Windows devices in Microsoft Intune.
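The portal steps above can also be scripted. The following PowerShell is an added example, not code from the original post or from Microsoft: it creates a DFCI profile through the Microsoft Graph beta endpoint, assigns it to an Azure AD security group, and then edits a setting in place, which is the only way DFCI settings are changed on devices once applied (see the Q&A on deleting a profile further down). Assumptions not stated on the page: the Microsoft.Graph PowerShell SDK is installed; the OData type `windows10DeviceFirmwareConfigurationInterface` and the property and enum names are taken from the Graph beta reference as I recall it and should be verified against your tenant; `$GroupId` is a placeholder for the group that holds your partner-registered Autopilot devices.

```powershell
# Added example (not from the original post). Requires the Microsoft.Graph SDK:
#   Install-Module Microsoft.Graph -Scope CurrentUser
# The Graph beta type/property names below are assumptions from the Graph beta
# reference for windows10DeviceFirmwareConfigurationInterface; verify before use.

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

$GroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: Azure AD group of Surface devices
$Beta    = 'https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations'
$DfciType = '#microsoft.graph.windows10DeviceFirmwareConfigurationInterface'

function New-DfciProfile {
    # Create a DFCI device configuration profile; $UefiSettings holds the UEFI keys.
    param(
        [Parameter(Mandatory)] [string]    $DisplayName,
        [Parameter(Mandatory)] [hashtable] $UefiSettings
    )
    $body = @{
        '@odata.type' = $DfciType
        displayName   = $DisplayName
        description   = 'Added example: UEFI settings locked from the cloud'
    } + $UefiSettings
    Invoke-MgGraphRequest -Method POST -Uri $Beta `
        -Body ($body | ConvertTo-Json -Depth 5) -ContentType 'application/json'
}

function Set-DfciProfileAssignment {
    # Target the profile at one Azure AD security group (Intune assignment).
    param([Parameter(Mandatory)] [string] $ProfileId, [Parameter(Mandatory)] [string] $GroupId)
    $body = @{
        assignments = @(
            @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $GroupId } }
        )
    }
    Invoke-MgGraphRequest -Method POST -Uri "$Beta/$ProfileId/assign" `
        -Body ($body | ConvertTo-Json -Depth 5) -ContentType 'application/json'
}

function Update-DfciProfile {
    # Edit settings in the existing profile. Deleting a DFCI profile leaves the
    # firmware settings in force on devices, so changes must be made this way
    # (or by creating a new profile with the desired values).
    param([Parameter(Mandatory)] [string] $ProfileId, [Parameter(Mandatory)] [hashtable] $UefiSettings)
    $body = @{ '@odata.type' = $DfciType } + $UefiSettings
    Invoke-MgGraphRequest -Method PATCH -Uri "$Beta/$ProfileId" `
        -Body ($body | ConvertTo-Json -Depth 5) -ContentType 'application/json'
}

# Hardened baseline for devices in a sensitive area: no local UEFI changes,
# all cameras off via the single global camera setting, and no boot from
# external media or the built-in network stack (PXE) so a thief cannot boot
# an alternative OS against the disk.
$locked = @{
    changeUefiSettingsPermission = 'none'              # local user may not change UEFI settings
    cameras                      = 'disabled'          # one switch covers every camera on the device
    bootFromExternalMedia        = 'disabled'
    bootFromBuiltInNetwork       = 'disabled'
    virtualizationOfCpuAndIO     = 'enabled'           # keep VBS / Credential Guard prerequisites on
    microphonesAndSpeakers       = 'notConfiguredOnly' # Intune leaves this setting untouched
    radios                       = 'notConfiguredOnly'
}

$dfci = New-DfciProfile -DisplayName 'Surface DFCI - locked' -UefiSettings $locked
Set-DfciProfileAssignment -ProfileId $dfci.id -GroupId $GroupId

# Later, to allow cameras again on the same devices, edit the profile rather
# than deleting it; devices pick up the new value at their next check-in.
Update-DfciProfile -ProfileId $dfci.id -UefiSettings @{ cameras = 'enabled' }
```

Note that `changeUefiSettingsPermission = 'none'` is what replaces the BIOS password: once the profile is applied, the only path to change the locked settings is through the tenant, so protect the Intune role that can edit device configuration profiles at least as carefully as you would the BIOS password it supersedes.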

 

Why do customers have to use Autopilot for DFCI?

Autopilot is the part of the modern management solution that binds a device's hardware identity to your tenant before the operating system is provisioned. DFCI profiles in Intune rely on that binding to deliver UEFI settings remotely, so Autopilot registration is a prerequisite for DFCI.

 

Why can’t customers self-register devices on Autopilot for DFCI?

DFCI has specific requirements to ensure that customer devices can only be deployed by authorized persons. To use DFCI, devices must be registered with Windows Autopilot and added to your Intune tenant by a trusted third party; specifically, a Microsoft Cloud Solution Provider (CSP) partner or OEM distributor.

 

Does enrollment in Windows Autopilot automatically provide DFCI benefits?

As long as devices are partner- or OEM-enrolled into Windows Autopilot, customers have the option of configuring DFCI.

 

What is the difference between DFCI and SEMM?

DFCI provides a streamlined, cloud-based alternative to Surface Enterprise Management Mode (SEMM) used in on-premises environments in conjunction with System Center Configuration Manager (SCCM) or the Surface UEFI Configurator. Compared with SEMM, the UEFI settings in DFCI are simplified and easier to manage. For example, there's only one global setting that turns off all cameras on the device, not an individual setting for each camera.

 

Why would a customer use DFCI instead of SEMM?

DFCI leverages the device profiles capability in Intune and is deployed using Windows Autopilot, eliminating the need for manual interaction by IT admins or end users. A device profile allows you to add and configure settings which can then be deployed to devices enrolled in management within your organization. Once the device receives the device profile, the features and settings are applied automatically. Examples of common device profiles include Email, Device restrictions, VPN, Wi-Fi, and Administrative templates. DFCI is simply an additional device profile that enables you to manage UEFI configuration settings from the cloud.

 

Managing firmware by enrolling devices into SEMM continues to be a supported solution for organizations that require an on-premises management environment. However, it is more complex and IT-intensive than DFCI. As an example, SEMM requires IT staff to physically access each PC and confirm enrollment at the device by entering the last two characters of the SEMM certificate thumbprint as part of the certificate management process.

 

What version of Windows 10 Pro is required for DFCI?

Windows 10, version 1809 or later.

 

If I delete the DFCI profile in Intune, does that remove DFCI settings on targeted devices?

No. All DFCI settings remain in effect across all devices unless edited directly in the DFCI profile within Intune. If the original DFCI profile has been deleted, you can remove policy settings by creating a new profile and then editing the settings as appropriate.

 

If my device gets damaged and needs to be replaced, do I need to modify DFCI settings before returning it to Microsoft?

No. In this scenario old devices are automatically unenrolled from Autopilot and replacement devices are then enrolled in Autopilot  —  just like any new device.

 

Will my replacement device automatically get DFCI settings?

No. An IT admin needs to find the new device within Intune and then add it to the appropriate Azure AD security group  —  just like any new device.

 

Do I need to go into the UEFI menu on Surface devices and “opt-in” to use DFCI?

No. All eligible Surface devices are automatically enabled for DFCI because the UEFI setting  —  Zero Touch UEFI Management  —  is set to Ready by default. If you discover that the Zero Touch UEFI Management setting on targeted Surface devices has been modified to Opt-out, you will need to revert the value back to Ready before DFCI settings can take effect on those devices.

 

How can I try out DFCI?

You can try DFCI on eligible Surface devices in a test environment before rolling them out to users.

 

How can I learn more about DFCI?

For more information, see:


4 Comments

So the CSP partner itself needs to use only an approved White Glove install to leverage these improvements?

Microsoft

Hi Petr - the requirement is that the devices be registered for Autopilot by your CSP partner. Whiteglove install is not a requirement.

Hi @kdhillon, this is the beauty of the question itself.

 

I am the Cloud Solution Provider Partner. My tenant is CSP. 

 

So if I do not want other CSPs to have access to my tenant (and for most reasons and technologies this cannot be done), I am left only with White Glove.

 

Or I, as a CSP, can register devices to my own tenant?


If we order a device and it was not enrolled into Autopilot, can I engage with a CSP to get the device retrospectively added?

Version history
Last update: Nov 04 2019 04:59 PM