Configuring Surface firmware settings using DFCI in Microsoft Intune

Posted on November 4, 2019 by ncbrady

Introduction

I’m lucky enough to be attending Microsoft Ignite in Orlando Florida and this morning I had the opportunity to visit the Surface booths. I’d highly recommend you visit them too to see the lovely new hardware like Surface Pro X,  Surface Pro 7 and Surface Laptops. They even have demo’s of the Surface Earbuds so you can check them out for yourself.

One of the things they were demonstrating was the ability to change firmware settings on newer Surface devices using Microsoft Intune. These changes can be applied during Windows AutoPilot to take more control of your devices.

Create a Profile

So let’s see how it works. To start off with create a new Configuration Profile in Intune. Select Configuration Profiles and then create, for platform select Windows 10 and Later, for profile type select Device Firmware Configuration Interface (preview).

Take note of the DFCI settings and requirements, managing these settings requires the following:

  • The device manufacturer supports DFCI.
  • The device has been enrolled to Intune using Windows Autopilot.
  • The device rebooted after the policy is assigned.

And also note that the OS must be Windows 10 version 1809 or later.

A key requirement (apart from having to be DFCI capable) is that the device must be enrolled into AutoPilot via the OEM or via a CSP Partner, however enrolling it yourself via imported CSV’s is not  supported.

  • The device manufacturer must have DFCI added to their UEFI firmware in the manufacturing process, or as a firmware update you install. Work with your device vendors to determine the manufacturers that support DFCI, or the firmware version needed to use DFCI.
  • The device must be registered for Windows Autopilot by a Microsoft Cloud Solution Provider (CSP) partner, or registered directly by the OEM.Devices manually registered for Autopilot, such as imported from a csv file, aren’t allowed to use DFCI. By design, DFCI management requires external attestation of the device’s commercial acquisition through an OEM or a Microsoft CSP partner registration to Windows Autopilot.Once your device is registered, its serial number is shown in the list of Windows Autopilot devices.

Next select the features you want to configure, in this example, I will enable CPU and IO virtualization, disable the Camera, Enable Network Boot, disable booting from USB devices and deny the user from being able to change the UEFI firmware settings after this is applied.

Click OK when done  and optionally create Applicability rules to only apply if the version of Windows 10 is equal to Windows 10 1809 or later (10.0.17763.0)

and then assign this profile to a Group containing one or more DFCI compliant devices.

The next time the device syncs, or the device reboots, the DFCI profile settings are applied. After the policy applies, reboot the device.

Note: Rebooting the device is important otherwise the changes will not be applied, simply applying the DFCI profile to the device will NOT reboot the device, the device must be either manually rebooted by the user or by the Intune admin using a PowerShell script or action such as using Windows AutoPilot to apply the policy.

When the device runs the Windows device setup (in Windows AutoPilot), DFCI may force a reboot during the Enrollment Status Page. Once setup completes, you can confirm the DFCI settings are active by rebooting the device. Then, use the device manufacturer’s instructions to open the UEFI menu.

On a Surface device that would be to: Hold Volume UP and press the power button. That will get you into the UEFI menu. In the screenshot below the device is managed by Intune using DFCI and you can see some DFCI details in the details pane.

The screenshot below shows that it Intune is managing settings in the UEFI firmware and states “Some settings are managed by your organization”.

And in the screenshot below you can see a Surface device that is DFCI capable (Zero-Touch UEFI Management: Ready) and it is not yet managed by Intune for DFCI.

Now that Microsoft have lead the way and shown how this is possible with Surface devices, hopefully we’ll see the same ability coming to other hardware vendors soon. To assist with that adoption Microsoft has released code on Github here.

Related reading

This entry was posted in 1809, DFCI, Intune, Surface Pro X. Bookmark the permalink.

One Response to Configuring Surface firmware settings using DFCI in Microsoft Intune

  1. Pingback: Microsoft Ignite 2019 Day 2 Recap – Ami's Blog

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.