Device Firmware Configuration Interface (DFCI) is a new UEFI feature available that gives the ability to easily and effectively automate the configuration of UEFI devices. This UEFI configuration would traditionally be performed as part of the device configuration or as a manual activity. DEFI allows UEFI settings to be managed remotely via Microsoft Intune.
DFCI overrides the on-device UEFI settings. Even in a scenario where a user has the device UEFI firmware password they would be unable to change the DFCI managed settings. The following settings are available via DFSI granting to configure or secure the following UEFI settings.
- UEFI setting changes
- External boot media
- on-board network and WiFi devices
- CPU virtualization
- audio and cameras
The current DFCI version is 1.0 and it is logical to assume that with this framework that additional UEFI firmware security settings could be enabled with future version releases. There are a number of requirements to make use of this feature.
- The device UEFI firmware must include the DFCI feature.
- The device must be managed via Intune.
- The device must be registered for Windows Autopilot by the OEM or the Microsoft Cloud Solution Provider partner.
- Windows 10 1809 or later
The Autopilot deployment profile should include the Enrollment Status Page to ensure that all the settings are applied before the device is unlocked. This feature is currently limited to some Microsoft Surface Windows 10 devices however other OEMs should quickly follow suit.
One important consideration with DFCI is around the device recovery process. If a device needs to be re-imaged or a fresh OS installation needs to be applied and where the device removable or network media boot is disabled via DFCI; the user may not be able to enable boot media. It is necessary to ensure that the UEFI password does not block local access and the device is unenrolled from Intune and thus freeing up the managed UEFI settings.