Редактиране

Споделяне чрез


Device Firmware Configuration Interface (DFCI) Management

With Windows Autopilot Deployment and Intune, Unified Extensible Firmware Interface (UEFI) settings can be managed after the device is enrolled. UEFI settings can be managed by using the Device Firmware Configuration Interface (DFCI). DFCI enables Windows to pass management commands from Intune to UEFI for Autopilot deployed devices. This capability allows limiting end user's control over BIOS settings. For example, the boot options can be locked down to prevent users from booting up another OS, such as one that doesn't have the same security features.

If a user reinstalls a previous Windows version, installs a separate OS, or formats the hard drive, they can't override DFCI management. This feature can also prevent malware from communicating with OS processes, including elevated OS processes. DFCI's trust chain uses public key cryptography, and doesn't depend on local UEFI password security. This layer of security blocks local users from accessing managed settings from the device's UEFI menus.

For an overview of DFCI benefits, scenarios, and requirements, see Device Firmware Configuration Interface (DFCI) Introduction.

Important

A device automatically enrolls in DFCI management during Autopilot provisioning when the following actions occur:

  • The OEM enables the device for DFCI.
  • The device is registered for Autopilot via the OEM or a Cloud Solution Partner (CSP) in Partner Center.

Enrollment in DFCI management triggers an additional reboot during the out-of-box experience (OOBE).

DFCI management lifecycle

The DFCI management lifecycle includes the following processes:

  • UEFI integration.
  • Device registration.
  • Profile creation.
  • Enrollment.
  • Management.
  • Retirement.
  • Recovery.

See the following figure:

Screenshot that shows Device Firmware Configuration Interface (DFCI) Management workflow

Requirements

Important

Devices manually registered for Autopilot (such as by importing from a CSV file) aren't allowed to use DFCI. By design, DFCI management requires external attestation of the device's commercial acquisition through an OEM or a Microsoft CSP partner registration to Windows Autopilot. When the device is registered, its serial number is displayed in the list of Windows Autopilot devices.

Managing DFCI profile with Windows Autopilot

There are four basic steps in managing DFCI profile with Windows Autopilot:

  1. Create an Autopilot Profile
  2. Create an Enrollment status page profile
  3. Create a DFCI profile
  4. Assign the profiles

See Create the profiles and Assign the profiles, and reboot for details.

The existing DFCI settings can also be changed on devices that are in use. In the existing DFCI profile, change the settings and save the changes. Since the profile is already assigned, the new DFCI settings take effect when next time the device syncs or the device reboots.

To identify whether a device is DFCI ready, the following Intune Graph API call can be used:

managedDevice/deviceFirmwareConfigurationInterfaceManaged

For more information, see Intune devices and apps API overview and Working with Intune in Microsoft Graph .

OEMs that support DFCI

Other OEMs are pending.

Known issues

DFCI enrollment fails for Professional editions of Windows 11, version 24H2

Date added: October 9, 2024

DFCI can't currently be used on devices with Professional editions of Windows 11, version 24H2. The issue is being investigated. As a workaround, ensure the device is upgraded to the Enterprise edition of Windows 11, version 24H2 during or after OOBE onboarding. After upgrading to the Enterprise edition of Windows 11, version 24H2, sync the device. Once the device is synced, reboot it to get it enrolled in DFCI.