Activate Device Firmware Configuration Interface Mode
Introduction. With Device Firmware Configuration Interface (DFCI) profiles built into Microsoft Intune, Surface UEFI management extends the modern management stack down to the Unified Extensible Firmware Interface (UEFI) hardware level. DFCI supports zero-touch provisioning, eliminates BIOS passwords, provides control of security settings, including boot options and built-in peripherals, and
See a list of all the DFCI profile settings and their descriptions on Windows 10/11 client devices. Use these settings in a configuration profile to control UEFI firmware layer features using Microsoft Intune policy. You can manage the CPU, built-in hardware, and boot options on Windows 10/11 client devices using Microsoft Intune.
So let's see how it works. To start, create a new Configuration Profile in Intune. Select Configuration Profiles and then Create. For platform, select Windows 10 and Later; for profile type, select Device Firmware Configuration Interface (preview). Take note of the DFCI settings and requirements, managing these settings requires the
The Device Firmware Configuration Interface (DFCI) brings new levels of security and usability to PC configuration management. It is a new feature of UEFI that enables secure programmatic configuration of hardware settings that are typically configured within a BIOS menu by a human. High-value configuration can be moved to UEFI BIOS where it is
Microsoft Surface Unified Extensible Firmware Interface (UEFI) replaces the legacy BIOS (Basic Input/Output System). Surface UEFI settings can be managed in a modern way by Device Firmware Configuration Interface (DFCI)
If the device is imported to the Autopilot database, you can go to Devices > Windows > Configuration profiles > Create profile. Select Windows 10 and later as the platform. Select Templates as the profile type. Select Device firmware configuration interface as the template name. In the first step, provide a name and description. The second step is
The device manufacturer must have DFCI added to their UEFI firmware in the manufacturing process, or as a firmware update that you install or the firmware version needed to use DFCI. The device must be registered for Windows Autopilot. The device has been rebooted since the last MDM sync. OEM Vendor Support. Surface Acer
Since they only need to block access to UEFI, I looked at DFCI (Device Firmware Configuration), but none of the big OEMs, namely HP, Dell and Lenovo, support it. The Lenovo rep told me that the DFCI is basically dead because the API is too limited. But they offered me to licenses for their ThinkShield RSVP service at 5 per device for three years.
To create the configuration profile, select Devices > Configuration profiles, and then select Create profile. In the Create a profile section, choose Windows 10 and later as the platform and Templates as the profile type, and select Device Firmware Configuration Interface.
Example configuration with the Cameras setting set to Disabled. Select Next to continue. In the Assignments section, we add the group we created earlier, "W_Surface_UEFI_Protected". Assigning a group to a Device Firmware Configuration Interface profile within the Microsoft Endpoint Manager admin center.