Tuesday, January 4, 2022

How to use Device Firmware Configuration Interface (DFCI) for Surface Devices with Intune

By Lothar Zeitler – Senior Program Manager | Microsoft Endpoint Manager – Intune

 

The pandemic rapidly evolved the way we work, and as more people work from home, IT administrators need to manage their devices remotely. According to the Microsoft Work Trend Index, in 2021, 46% of the workforce plan to work remotely (source: Work Trend Index: Microsoft's latest research on the ways we work).

 

A central method to increase security on your physical Windows devices is to configure Unified Extensible Firmware Interface (UEFI) settings. This article will guide you through the process of configuring Microsoft Intune to manage UEFI settings for Microsoft Surface Devices. We will use the Microsoft open-source project, Project Mu - Device Firmware Configuration Interface (DFCI).

 

About DFCI

Microsoft leverages DFCI to provide automated UEFI settings with Microsoft Endpoint Manager. While traditional UEFI implementations require physical configuration, DFCI securely enables zero-touch remote configuration of these settings and is built on Intune and authorized by Windows Autopilot. DFCI provides a straightforward way to easily configure hardware settings, such as disabling cameras and microphones, or disabling boot to USB on Surface devices. These settings cannot be bypassed by a physical attacker or from the Operating System-level because the checks happen even before the system boots an OS.

 

DFCI and Windows Autopilot

To use DFCI, the device needs to be registered with Windows Autopilot by an OEM or a Microsoft Cloud Service Provider (CSP) and managed by Intune. Self-registered devices are not trusted for the purpose of DFCI management. See Windows Autopilot registration overview and Configure Autopilot profiles for more information.

 

Supported OEM and devices

Currently, Microsoft Surface devices are the only devices that support DFCI configuration with Intune. Note that older Surface devices do not support DFCI either. For a list of the specific Surface devices that support DFCI, see Manage DFCI on Surface devices.

 

DFCI integration flow

Let's look at the process of DFCI integration.

 

DFCI integration, registration, enrollment, and management flow.DFCI integration, registration, enrollment, and management flow.

 

First, the PC UEFI (BIOS) integrates the DFCI code and includes the Device Management Trust certificate. The second step ensures that the device ownership is registered in Windows Autopilot by an OEM or CSP. Only trusted devices can be configured; this is essential to ensure that no one can take a device hash and perform setting changes. In the third step, the IT Admin creates a DFCI policy in addition to the enrollment profile and additional policies as needed. Fourth, we enroll the device with Autopilot in our corporate environment. The policies will get applied, and the UEFI-related settings will be written to the UEFI mailboxes. The device will reboot and process the packages and report the status back (for example, USB port disabled).

 

More details can be found on: Scenarios – Project Mu (microsoft.github.io).

 

DFCI Settings Removal and Recovery

There are several scenarios that we need to consider in planning when we are thinking about the device lifecycle. While enrollment sets the DFCI policies for the device, we also need to consider reuse, reinstall and retirement of the device.

 

Reuse

If you plan to reuse a device, do not remove the Autopilot record from Intune. After you wipe the device, make sure that the device is a member of the group that is assigned the new DFCI and Autopilot profiles.

 

Retire

When you're ready to retire the device and release it from management, update the DFCI profile to the UEFI (BIOS) settings you want at the exit state. Ensure that the DFCI configuration profiles settings for this specific device are set to Not configured and the policies will be applied before you retire the device. This will unlock the devices’ UEFI (BIOS) menus. Once you wipe the device, you can delete the Autopilot record.

 

Recover
If you wipe a device and delete the Autopilot record before unlocking the UEFI (BIOS) menus, all the device’s UEFI settings will remain locked and Intune can’t send profile updates to unlock it.

 

DFCI recovery when disconnected from Intune.DFCI recovery when disconnected from Intune.

 

To unlock these settings, you need to request the unenroll packages via the web. These packages will allow you to reset the UEFI configuration settings. Recovery unlocks the menus but leaves all UEFI (BIOS) settings set to the values in the previous Intune DFCI profile.

 

Start the machine into the UEFI (BIOS) setup and make sure that you have a supported ethernet adapter available (i.e., Surface Ethernet Adapter). You need to download the unenroll packages over wired internet; Wi-Fi will not work for the UEFI (BIOS) settings. In the Surface UEFI settings, choose Management > Configure > Refresh from network > Opt Out and then restart the device.

 

Screenshot of the Surface UEFI (BIOS) Management screen from a Surface Laptop 3 device.Screenshot of the Surface UEFI (BIOS) Management screen from a Surface Laptop 3 device.

 

For more information, see Update Windows BIOS features using MDM policies in Microsoft Intune and Removing DFCI management.

 

Configuring DFCI settings in Intune

This section explains how to configure DFCI settings for a Surface device in Intune. For this example, I'll use a Surface Laptop 3.

 

Note: Before you can deploy DFCI settings, the device must be registered with Windows Autopilot by a CSP or OEM and enrolled in Intune. Autopilot self-registration is not supported with DFCI configuration.

 

First, I will create a new static group that includes computers that will receive DFCI configurations. In the Microsoft Endpoint Manager admin center, I create a new group.

 

Microsoft Endpoint Manager admin center > All groups blade.Microsoft Endpoint Manager admin center > All groups blade.

 

In the New group dialog, leave the default group type Security and specify a group name. I name my example group "W_Surface_UEFI_Protected" and leave the membership type Assigned. Then I select No Members Selected to manually add devices.

 

Creating a new security group in the Microsoft Endpoint Manager admin center > All groups blade.Creating a new security group in the Microsoft Endpoint Manager admin center > All groups blade.

 

For this example, I select "LOZTECH-1483", which is my Surface Laptop 3 Test device, and then select Create to create the group.

 

Adding a member to the newly created security group in the Microsoft Endpoint Manager admin center.Adding a member to the newly created security group in the Microsoft Endpoint Manager admin center.

 

The group will show up after a minute with the device as a member. Now, we can create the DFCI policy.

 

To create the configuration profile, select Devices > Configuration profiles, and then select Create profile. In the Create a profile section, choose Windows 10 and later as the platform and Templates as the profile type, and select Device Firmware Configuration Interface.

 

Creating a new Windows 10 and later Device Firmware Configuration Interface profile in the Microsoft Endpoint Manager admin center.Creating a new Windows 10 and later Device Firmware Configuration Interface profile in the Microsoft Endpoint Manager admin center.

 

In Create profile, add a name and an optional description, and Select Next. I use "W_Surface_UEFI_Settings" for my example.

 

Creating a new Windows 10 and later Device Firmware Configuration Interface profile with an example name and description added in the Microsoft Endpoint Manager admin center.Creating a new Windows 10 and later Device Firmware Configuration Interface profile with an example name and description added in the Microsoft Endpoint Manager admin center.

 

In Configuration settings, you'll find all the settings that are available in the UEFI configuration.

 

Example Device Firmware Configuration Interface configuration in the Microsoft Endpoint Manager admin center.Example Device Firmware Configuration Interface configuration in the Microsoft Endpoint Manager admin center.

 

In our example configuration, we'll modify only one setting. For our example, we want to allow the user to change unconfigured settings when entering the UEFI settings on the machine. So, we leave Allow local user to change UEFI settings to its default value (Only not configured settings).

 

For our example, we want to disable all built-in cameras. To do this, we change the Cameras setting to Disabled.

 

Example configuration with the Cameras setting set to Disabled.Example configuration with the Cameras setting set to Disabled.

 

Select Next to continue.  In the Assignments section, we add the group we created earlier, "W_Surface_UEFI_Protected".

 

Assigning a group to a Device Firmware Configuration Interface profile within the Microsoft Endpoint Manager admin center.Assigning a group to a Device Firmware Configuration Interface profile within the Microsoft Endpoint Manager admin center.

 

Select Next to continue through Applicability Rules, and then review the group settings and select Create.

 

Let's take a quick look at the local UEFI setting before the policy is assigned.

 

Example of a Surface UEFI > Devices pane before a managed Intune policy is assigned.Example of a Surface UEFI > Devices pane before a managed Intune policy is assigned.

 

When the settings are applied to the device, the user will no longer be able to turn on the device cameras. The UEFI menu also shows the statement “Some settings are managed by your organization.” All other settings, as we specified, can still be configured by the user.

 

Example of a Surface UEFI > Devices pane after a managed Intune policy has been assigned.Example of a Surface UEFI > Devices pane after a managed Intune policy has been assigned.

 

To confirm whether the policy has been correctly applied, you can check on the device and also in Intune.

 

On the Intune side, in the Microsoft Endpoint Manager admin center, go to Devices, select the device, and then select Device Configuration and the DFCI profile we created (for our example, "W_Surface_UEFI_Settings"). If a setting was successfully applied, you will see it in the details.

 

Profile deployment example within the Microsoft Endpoint Manager admin center.Profile deployment example within the Microsoft Endpoint Manager admin center.

 

To remove a setting configuration (the organization will no longer manage that UEFI setting), reset it in the Intune device profile to Not configured. The setting will return to the last value from the profile (in this example, All Cameras returns to Off) and the user can now configure the setting.

 

Example of a Surface UEFI > Devices pane when a managed Intune policy has been set to "Not configured".Example of a Surface UEFI > Devices pane when a managed Intune policy has been set to "Not configured".

 

Now that you have a better understanding of enabling UEFI configuration with Microsoft Surface devices in Intune, you can help your company take advantage of this technology. If you have any questions, reply to this post or reach out to @IntuneSuppTeam on Twitter.

Posted at https://sl.advdat.com/3qHJx5Y