Device Firmware Configuration Interface (DFCI) profile settings in Microsoft Intune

This article lists and describes the DFCI profile settings you can control on Windows client devices. As part of your mobile device management (MDM) solution, use these settings to control security features, the built-in hardware, and the boot options in the UEFI layer on Windows.

These settings apply to:

• Windows on supported UEFI

Add these settings to a device configuration profile in Intune, and then assign or deploy the profile to your Windows client devices.

Before you begin

• Create the Windows DFCI profile. There are more requirements for creating DFCI profiles. For more specific information, see Use DFCI profiles on Windows devices in Microsoft Intune.
• Some settings aren't available for all devices. To confirm if a setting is available on your device, contact your device manufacturer.
• These settings use the UEFI CSP.

Warning

Be careful. Configuring and assigning DFCI profiles can lock the device beyond repair. The DFCI profile settings change the device hardware, and can't be fixed by re-imaging the OS.

UEFI access

• Allow local user to change UEFI settings: Your options:
  • Only not configured settings: The local user can change any setting except those settings that Intune explicitly sets to Enable or Disable.
  • None: The local user can't change any UEFI (BIOS) settings, including settings that the DFCI profile doesn't show.

Security features

• CPU and IO virtualization: Your options:

  • Not configured: Intune doesn't change or update this setting.
  • Enabled: The BIOS enables the platform's CPU and IO virtualization capabilities for use by the OS. It turns on Windows Virtualization Based Security and Device Guard technologies.

• Windows Platform Binary Table (WPBT): The WPBT allows vendors and OEMs to run an .exe program in the UEFI layer. Every time Windows boots, it looks at the UEFI, and runs the .exe. Use this feature to run programs that aren't included with the Windows media.

  Your options:

  • Not configured: Intune doesn't change or update this setting. By default, the OS might allow vendors and OEMs to run programs using the WPBT.
  • Enabled: Enables the WPBT and allows .exe programs in the UEFI layer to run.
  • Disabled: Disables the WPBT and prevents .exe programs in the UEFI layer from running.

• Simultaneous multithreading (SMT): Also known as hyper-threading. Your options:

  • Not configured: Intune doesn't change or update this setting.
  • Enabled: Enables SMT in the UEFI layer.
  • Disabled: Disables SMT in the UEFI layer.

Cameras

• Cameras: This setting manages all the hardware cameras built into the device. It doesn't manage attached peripherals, such as USB webcams.

  Your options:

  • Not configured: Intune doesn't change or update this setting. By default, the OS might enable the built-in cameras.
  • Enabled: All built-in cameras directly managed by UEFI (BIOS) are enabled. Peripherals, like USB cameras, aren't affected.
  • Disabled: All built-in cameras directly managed by UEFI (BIOS) are disabled. Peripherals, like USB cameras, aren't affected.

• Front cameras: This setting manages the built-in front visible light cameras managed by UEFI (BIOS). It doesn't manage attached peripherals.

  Your options:

  • Not configured: Intune doesn't change or update this setting. By default, the OS might enable the built-in front visible light cameras.
  • Enabled: All built-in front visible light cameras directly managed by UEFI (BIOS) are enabled. Peripherals, like USB cameras, aren't affected.
  • Disabled: All built-in front visible light cameras directly managed by UEFI (BIOS) are disabled. Peripherals, like USB cameras, aren't affected.

• Rear cameras: This setting manages the built-in rear visible light cameras managed by UEFI (BIOS). It doesn't manage attached peripherals.

  Your options:

  • Not configured: Intune doesn't change or update this setting. By default, the OS might enable the built-in rear cameras.
  • Enabled: All built-in rear visible light cameras directly managed by UEFI (BIOS) are enabled. Peripherals, like USB cameras, aren't affected.
  • Disabled: All built-in rear visible light cameras directly managed by UEFI (BIOS) are disabled. Peripherals, like USB cameras, aren't affected.

• Infrared (IR) cameras: This setting manages the built-in infrared cameras managed by UEFI (BIOS). It doesn't manage attached peripherals.

  Your options:

  • Not configured: Intune doesn't change or update this setting. By default, the OS might enable the built-in infrared cameras.
  • Enabled: All built-in infrared cameras directly managed by UEFI (BIOS) are enabled. Peripherals, like USB cameras, aren't affected.
  • Disabled: All built-in infrared cameras directly managed by UEFI (BIOS) are disabled. Peripherals, like USB cameras, aren't affected.

Microphones and speakers

Configure the Microphones and speakers category settings or the Microphones granular settings. Don't configure both categories, because it can cause a conflict. For more information, see DFCI profile overview: Conflicts.

• Microphones and speakers: This setting manages all the microphones and speakers built into the device. It doesn't manage attached peripherals, such as USB devices.

  Your options:

  • Not configured: Intune doesn't change or update this setting. By default, the OS might enable the built-in microphones and speakers.
  • Enabled: All built-in microphones and speakers that UEFI (BIOS) directly manages are enabled. Peripherals, like USB devices, aren't affected.
  • Disabled: All built-in microphones and speakers that UEFI (BIOS) directly manages are disabled. Peripherals, like USB devices, aren't affected.

• Microphones: This setting manages the built-in microphones that UEFI (BIOS) directly manages. It doesn't manage attached peripherals.

  Your options:

  • Not configured: Intune doesn't change or update this setting. By default, the OS might enable the built-in microphones.
  • Enabled: All built-in microphones that UEFI (BIOS) directly manages are enabled. Peripherals, like USB devices, aren't affected.
  • Disabled: All built-in microphones that UEFI (BIOS) directly manages are disabled. Peripherals, like USB devices, aren't affected.

Radios

Configure the Radios (Bluetooth, Wi-Fi, NFC, etc.) category settings or the Bluetooth, Wi-Fi, and other granular settings. Don't configure both sets of settings, because they can cause a conflict. For more information, see DFCI profile overview: Conflicts.

• Radios (Bluetooth, Wi-Fi, NFC, etc.): This setting manages all the built-in radios that UEFI (BIOS) manages. It doesn't manage attached peripherals.

  Your options:

  • Not configured: Intune doesn't change or update this setting. By default, the OS might enable all built-in radios.

  • Enabled: All built-in radios that UEFI (BIOS) directly manages are enabled. Peripherals, like USB devices, aren't affected.

  • Disabled: All built-in radios that UEFI (BIOS) directly manages are disabled. Peripherals, like USB devices, aren't affected.

    When you set this option to Disabled, the device requires a wired network connection. Otherwise, the device can be unmanageable.

• Bluetooth: This setting manages the built-in Bluetooth radios that UEFI (BIOS) manages. It doesn't manage attached peripherals.

  Your options:

  • Not configured: Intune doesn't change or update this setting. By default, the OS might enable the built-in Bluetooth radios.
  • Enabled: All built-in Bluetooth radios that UEFI (BIOS) directly manages are enabled. Peripherals, like USB devices, aren't affected.
  • Disabled: All built-in Bluetooth radios that UEFI (BIOS) directly manages are disabled. Peripherals, like USB devices, aren't affected.

• WWAN: This setting manages the built-in WWAN radios that UEFI (BIOS) manages. It doesn't manage attached peripherals.

  Your options:

  • Not configured: Intune doesn't change or update this setting. By default, the OS might enable the built-in WWAN radios.
  • Enabled: All built-in WWAN radios that UEFI (BIOS) directly manages are enabled. Peripherals, like USB devices, aren't affected.
  • Disabled: All built-in WWAN radios that UEFI (BIOS) directly manages are disabled. Peripherals, like USB devices, aren't affected.

• NFC: This setting manages the built-in NFC radios that UEFI (BIOS) manages. It doesn't manage attached peripherals.

  Your options:

  • Not configured: Intune doesn't change or update this setting. By default, the OS might enable the built-in NFC radios.
  • Enabled: All built-in NFC radios that UEFI (BIOS) directly manages are enabled. Peripherals, like USB devices, aren't affected.
  • Disabled: All built-in NFC radios that UEFI (BIOS) directly manages are disabled. Peripherals, like USB devices, aren't affected.

• Wi-Fi: This setting manages the built-in Wi-Fi radios that UEFI (BIOS) manages. It doesn't manage attached peripherals.

  Your options:

  • Not configured: Intune doesn't change or update this setting. By default, the OS might enable the built-in Wi-Fi radios.
  • Enabled: All built-in Wi-Fi radios that UEFI (BIOS) directly manages are enabled. Peripherals, like USB devices, aren't affected.
  • Disabled: All built-in Wi-Fi radios that UEFI (BIOS) directly manages are disabled. Peripherals, like USB devices, aren't affected.

Boot Options

Warning

Disabling all external boot options or all external ports significantly complicates OS recovery. To recover a device that can no longer boot Windows, you might have to physically open the device and replace the hardware storage.

• Boot from external media (USB, SD): Your options:

  • Not configured: Intune doesn't change or update this setting. By default, the OS might allow booting from external media.

  • Enabled: UEFI (BIOS) allows booting from non-hard drive storage.

  • Disabled: UEFI (BIOS) prevents booting from non-hard drive storage, which also disables booting from network adapters.

    When set to Disabled, don't set the Boot from network adapters setting to Enabled. It causes the Boot from external media (USB, SD) setting or Boot from network adapters setting to become noncompliant.

• Boot from network adapters: Your options:

  • Not configured: Intune doesn't change or update this setting. By default, the OS might allow booting from built-in network adapters.
  • Enabled: UEFI (BIOS) allows booting from built-in network interfaces.
  • Disabled: UEFI (BIOS) prevents booting from built-in network interfaces.

Ports

Warning

Disabling all external boot options or all external ports significantly complicates OS recovery. To recover a device that can no longer boot Windows, you might have to physically open the device and replace the hardware storage.

• USB type A: This setting manages the built-in USB type A ports that UEFI (BIOS) manages. It doesn't manage attached peripherals.

  Your options:

  • Not configured: Intune doesn't change or update this setting. By default, the OS might enable the built-in USB type A ports.
  • Enabled: All built-in USB type A ports that UEFI (BIOS) directly manages are enabled. Peripherals, like USB devices, aren't affected.
  • Disabled: All built-in USB type A ports that UEFI (BIOS) directly manages are disabled. Peripherals, like USB devices, aren't affected.

• SD card: This setting manages the built-in SD card ports that UEFI (BIOS) manages. It doesn't manage attached peripherals.

  Your options:

  • Not configured: Intune doesn't change or update this setting. By default, the OS might enable the built-in SD card ports.
  • Enabled: All built-in SD card ports that UEFI (BIOS) directly manages are enabled. Peripherals, like USB devices, aren't affected.
  • Disabled: All built-in SD card ports that UEFI (BIOS) directly manages are disabled. Peripherals, like USB devices, aren't affected.

Wake settings

• Wake on LAN: Wake on LAN allows a network administrator to remotely wake a device in sleep mode using the LAN.

  Your options:

  • Not configured: Intune doesn't change or update this setting. By default, the OS might prevent waking a device by using the LAN.
  • Enabled: UEFI (BIOS) allows waking a device by using the LAN.
  • Disabled: UEFI (BIOS) prevents waking a device by using the LAN.

• Wake on power: When you connect the device to a power source, this setting manages if eligible devices can automatically start from hibernation or powered-off states. Your options:

  • Not configured: Intune doesn't change or update this setting. By default, the OS might prevent waking a device when it's connected to a power source.
  • Enabled: UEFI (BIOS) allows waking a device when it's connected to a power source.
  • Disabled: UEFI (BIOS) prevents waking a device when it's connected to a power source.

Related articles

• For other technical details on each setting and what editions of Windows are supported, see Windows Policy CSP Reference.

• Use DFCI profiles on Windows devices in Microsoft Intune.

• Assign the profile, and monitor its status.