Use DFCI to control devices inside your Surface via Intune!

by | Jun 27, 2023 | Intune, Surface | 2 comments

On today’s post I want to show you how to control your devices – like camera, Bluetooth on your organization Surface devices via Microsoft Intune. It will be not difficult to configure it, but it has one important requirement which should be passed first: Check it on my previous post – how to import Surface devices via Partner Center.

But.. What is DFCI?

With Windows Autopilot Deployment and Intune, you can manage Unified Extensible Firmware Interface (UEFI) settings after they’re enrolled by using the Device Firmware Configuration Interface (DFCI). DFCI enables Windows to pass management commands from Intune to UEFI for Autopilot deployed devices. This capability allows you to limit end user’s control over BIOS settings. For example, you can lock down the boot options to prevent users from booting up another OS, such as one that doesn’t have the same security features.

If a user reinstalls a previous Windows version, installs a separate OS, or formats the hard drive, they can’t override DFCI management. This feature can also prevent malware from communicating with OS processes, including elevated OS processes. DFCI’s trust chain uses public key cryptography, and doesn’t depend on local UEFI password security. This layer of security blocks local users from accessing managed settings from the device’s UEFI menus.

https://learn.microsoft.com/en-us/mem/autopilot/dfci-management

That is a quick information from Official Microsoft documentation.

How it is looks from the architecture?

Source: https://learn.microsoft.com/en-us/mem/autopilot/dfci-management

So how to start?

First – you need to have fulfilled the most important prerequisite – devices need to be imported via Partner Center.

Second – you need to have supported devices. For now the list of supported vendors looks like on below list:

  • Acer
  • Asus
  • Dynabook
  • Fujitsu
  • Microsoft Surface
  • Panasonic

Other vendors are pending.

Third – YOU NEED TO REMEMBER how to properly remove DFCI configuration from device when it will be retired.

Fourth – you can now start the deployment of DFCI profile. To do that….

How to deploy the DFCI profile?

If device is imported to the Autopilot database you can go to the Devices > Windows > Configuration profiles > Create profile.

Select Windows 10 and later as a platform

Select Templates as profile type.

Select Device firmware configuration interface as template name.

In first step provide a name and description.

Second step is… Configuring everything what you want to configure. List of available sections (settings) are long and divided to the categories:

  • UEFI access
  • Security Settings
  • Cameras
  • Microphones and speakers
  • Radios
  • Boot options
  • Ports
  • Wake settings

For example, you can configure that only only IR and Front Camera is enabled – by changing those options:

Important information!

On the first section named UEFI access is one setting which you should configure named Allow local user to alter UEFI setting.

Now you need to understand those two options.

  • If you select “Only not configured settings” user will be able to change all settings, except the settings which are configured by the Administrator via “Enabled” or “Disabled”
  • If you select “None” – user will be not able to configure anything on the UEFI.

To understand this more, check below screenshot.

On this case:

  • Managing of Radios will be enabled
  • User will be able to configure: Bluetooth, WWAN and NFC
  • Wi-Fi will be enabled permanently

This case will be working if you select “Only not configured settings” on the UEFI access. If you select “None” – user will be not change anything.

Second important information:

If you’re configuring something, like WWAN or NFC or any other setting for the device which is not exist on the Surface device – configuration profile will be reported as failed, but the rest settings will be applied.

You need to remember to create different configuration profiles for specific type of devices. For example, for devices which have built-in WWAN – create one profile and configure as enabled / disabled, for devices without that WWAN module – create second profile and set WWAN as not configured.

What next?

When you select proper settings, assign profile to the proper group with or without filters and create the profile. When the sync will be done and device will be restarted – you will see your changes on the UEFI.

How it is looks like from end-user perspective?

When user will logon to the UEFI will see something similar to my screen:

On this picture, you can see that I left almost all settings as “Enabled”, only two settings are possible to configure by the end-user: Docking USB Port and Type Cover port.

Removing DFCI profile from existing device.

Yep, it is not something easy to do. If you do some mistakes – like me, you need to again import devices via Partner Center and do all steps from beginning.

  1. Go to your DFCI profile and configure EVERYTHING to “Not configured” and DO NOT REMOVE existing assignments from this configuration profile.
  2. Wait for the propagation.
  3. Go to the devices list, find your Surface device and click RETIRE
  4. Remove assignments from existing configuration profile.

That is three, very important steps how to remove DFCI configuration from the Surface devices.

What next?

Nothing – you can now manage the Surface devices via DFCI. Good luck!

Jakub Piesik

Jakub Piesik

Microsoft 365 Consultant

I’m writing not only about Intune and Windows 365. I’m writing about everything what I leared previously and want to share with you!

#security #microsoft365 #intune #windows365 #powershell #automation 🙂