Intune - Microsoft Surface Device Configuration Firmware Interface Profiles
Control your Surface Device UEFI Settings for Modern Workplace Management
Introduction
When it comes to preparation within Modern Workplace Management whether you are already fully in Intune or in the mist of moving other from an on-premise/co-management solution to Intune, one of the key things around this transition is the current process in which you use to prepare and build your actual endpoints.
As of most recent of times a lot of us in a real case scenario are utilising UEFI (Unified Extensible Firmware Interface) enablement when it comes to secure booting as well as controlling which internal devices are enabled and much more.
Now when it comes to these settings within the BIOS (though UEFI is on its way to replacing this) though we can automate some of this on an OS level, most of this has been incorporated within a manual process or task list whether this is a pre or post build methodology.
And this is exactly where the DCFI Configuration comes in.
What is DCFI
So DCFI is the Device Configuration Firmware Interface
which can be used as a configuration profile to control the following settings;
- Whether the User can control UEFI Settings
- Enable CPU/IO Virtualization
- Set secure booting options
- Enable/Disable internal hardware
Compatibility of DCFI
Currently DCFI is only really made available for Surface Devices.
The current list is of reference to https://docs.microsoft.com/en-us/surface/surface-manage-dfci-guide
- Surface Pro 7+
- Surface Pro 7
- Surface Pro X
- Surface Laptop 3
- Surface Book 3
- Surface Laptop Go
- Surface Laptop 4
Prerequisites
Auto Pilot & Enrollment Status Page
In order to use this profile effectively you will need to use an Auto Pilot configuration profile first and also have your enrolment status page.
You will find if try to create this profile as standalone it may not work, and as this can be applied immediately through the enrolment status page, as soon as your device is ready to go you can double check your device by restarting and booting into the BIOS
( Note:
This normally works by holding the volume up button whilst rebooting for surface devices)
Settings Walk through
Allow local user to change UEFI Settings
So this particular setting I decided to create a section for it on its own. Reason being is because if we were using lets say a BIOS password to lock down a normal user from accessing the BIOS/UEFI Settings then this setting will simply override it as this will stop any user from changing any settings if set to None
for example.
You can however change the setting so that you can allow users to change any setting which is not configured by this profile but it will be your discretion if this is the correct way to proceed.
Boot Options
For those who are still using PXE for task sequence deployment via Co-Managed topology these settings would appeal as you can use this profile to set the secure boot settings for your endpoints.
How to Configure a DCFI ProfileHow to Configure a DCFI Profile
To configure the configuration profile please perform the following;
- Log into your Device Management Console
- Go to Devices
- Select Windows
- Select Configuration Profiles
- Click to Create Profile
- For the platform select " Windows 10 or Later " and select profile type as " Template "
- Find the setting which says "Device Configuration Firmware Interface" then click next.
- Create a name for your profile and relevant description then click next.
- Select the settings which you require then click next.
- Select the group which you will assign the profile to then click next.
- Set the Applicable rules which the profile will run against and finish the profile creation.
