When it comes to preparation within Modern Workplace Management, whether you are already fully in Intune or in the midst of moving over from an on-premises/co-management solution to Intune, one of the key things in this transition is the process you currently use to prepare and build your endpoints.
Recently, a lot of us in real-world scenarios have been using UEFI (Unified Extensible Firmware Interface) settings for Secure Boot, as well as for controlling which internal devices are enabled, and much more.
Now, when it comes to these settings within the BIOS (though UEFI is on its way to replacing it), we can automate some of this at the OS level, but most of it has been handled as a manual process or task list, whether as a pre-build or post-build step.
And this is exactly where the DFCI configuration comes in.
So DFCI is the Device Firmware Configuration Interface,
which can be used as a configuration profile to control the following settings:
Currently DFCI is only really available for Surface devices.
The current list is taken from https://docs.microsoft.com/en-us/surface/surface-manage-dfci-guide
To use this profile effectively you will need an Autopilot configuration profile first, and you will also need your enrolment status page.
You will find that if you try to create this profile as a standalone it may not work. As it can be applied immediately through the enrolment status page, as soon as your device is ready to go you can double-check it by restarting and booting into the BIOS.
(Note: for Surface devices this normally works by holding the volume up button whilst rebooting.)
I decided to give this particular setting a section of its own. The reason is that if we were using, let's say, a BIOS password to stop a normal user from accessing the BIOS/UEFI settings, then this setting will simply override it, as it will stop any user from changing any settings if set to None, for example.
You can, however, change the setting to allow users to change any setting that is not configured by this profile, but it is at your discretion whether this is the correct way to proceed.
For those who are still using PXE for task sequence deployment in a co-managed topology, these settings will appeal, as you can use this profile to set the Secure Boot settings for your endpoints.
To configure the configuration profile, please perform the following: