After receiving tremendous feedback from customers during the public preview, Microsoft Endpoint Manager is excited to announce that management of BIOS settings via Device Firmware Configuration Interface (DFCI) is now generally available.
DFCI is an open-source Unified Extensible Firmware Interface (UEFI) framework that allows you to securely manage the UEFI (BIOS) settings of your Windows Autopilot devices remotely via Microsoft Endpoint Manager—all while limiting the end user’s control over firmware configurations.
Unlike traditional UEFI management, DFCI removes the need for managing third-party solutions and provides zero-touch firmware management by leveraging Microsoft Endpoint Manager for cloud management. DFCI also accesses the existing Windows Autopilot device information for authorization.
How to configure DFCI settings in Microsoft Endpoint Manager admin center
Before you use DFCI, make sure your device meets the following requirements:
- The device manufacturer must have DFCI added to their UEFI firmware in the manufacturing process, or as a firmware update that you install. Work with your device vendor or manufacturer to determine if DFCI is supported, as well as the firmware version required.
- The device must be registered for Windows Autopilot by a Microsoft Cloud Solution Provider (CSP) partner, or registered directly by the OEM.
First, create and assign the following profiles:
- Autopilot deployment profile
- Enrollment status page profile
- Device Firmware Configuration Interface profile
Then, reboot the device to update the UEFI configuration.
Figure 1: Device Firmware Configuration Interface screenshot
After assignment, you can track the status of your policy in the report.
After the policy has been delivered to the device and the device has been rebooted, end users will not be able to modify the settings managed by DFCI, even if the UEFI (BIOS) menu is protected by a password. The BIOS settings of the device are now securely managed by the organization through Microsoft Endpoint Manager.
- Device Firmware Configuration Interface (DFCI) Introduction
- Update Windows BIOS features using MDM policies in Microsoft Intune – Azure | Microsoft Docs
- DFCI Management | Microsoft Docs
- List of DFCI enabled Surface devices: Intune management of Surface UEFI settings – Surface | Microsoft Docs
(This blog post is co-authored with Maggie Dakeva, Program Manager, Microsoft Endpoint Manager)