Manage DFCI settings on Surface devices

The Device Firmware Configuration Interface (DFCI) management on Microsoft Learn outlines the capabilities of DFCI in enabling Windows to relay management commands from Intune to the UEFI for devices deployed using Autopilot. This feature allows IT administrators to restrict end-user control over BIOS settings, which is useful for securing boot options and preventing the booting of unauthorized operating systems that may lack necessary security features.

DFCI is part of the Windows Autopilot Deployment and Intune, allowing the management of UEFI settings post-enrollment. It's designed to be more resilient to malicious attacks by limiting end-user control over BIOS settings, enhancing security in compromised situations.

Additionally, DFCI supports zero-touch remote configuration of UEFI settings, which is a departure from traditional UEFI implementations that require physical configuration. This is facilitated through Microsoft Endpoint Manager and authorized by Windows Autopilot, streamlining the management process for IT administrators.

DFCI settings on surface devices

As a prerequisite to using DFCI policy settings you must be using a system with Windows 11 or Windows 10 version 1809 installed, and your device must be registered with Windows Autopilot either with Microsoft Cloud Solution Provider (CSP) partner or Directly from Surface.

For more information on these methods, see:

• Accelerate your growth as a Cloud Solution Provider.

• Support for business.

• For a full list of Surface devices eligible for DFCI policy settings, see this list.

Steps to configure DFCI settings

1. Sign in to your tenant at endpoint.microsoft.com.

2. In the Microsoft Intune admin center, select Devices > Configuration profiles > Create profile.

3. Under Platform, select Windows 10 and later.

4. Under Profile type, select Templates > Device Firmware Configuration Interface and then select Create.

5. See Use DFCI profiles on Windows devices in Microsoft Intune for complete instructions, including:

   • Create your Microsoft Entra security groups.

   • Create the profiles.

   • Assign the profiles and reboot.

   • Update existing DFCI settings.

   • Reuse, retire, or recover the device.

DFCI policy management

For many customers, the capability to prevent users from altering UEFI settings is of paramount importance and serves as a key incentive for utilizing DFCI. This control is exercised through the setting 'Allow local user to change UEFI settings'. If left unedited or unconfigured, local users retain the ability to modify any UEFI setting that isn't governed by Intune. So, it's advised to configure Allow local user to change UEFI settings to None to ensure that local users can't change UEFI settings independently.

You're also able to remove DFCI policy settings by editing the DFCI profile directly. When you create a DFCI profile, all configured settings remain in effect across all devices within the profile's scope of management. If the original DFCI profile has been deleted, create a new profile and edit the appropriate settings.

To remove DFCI management and return your device to a factory new state, perform the following steps:

1. Navigate to Endpoint Manager at endpoint.microsoft.com, select Devices > All Devices.

2. Choose the device you wish to retire and select Retire/Wipe. For detailed instructions, see the guide on how to remove devices by using wipe, retire, or manual unenrollment.

3. To delete the Autopilot registration from Intune, go to Device enrollment > Windows enrollment > Devices.

4. Under Windows Autopilot devices, select the devices you wish to remove, then choose Delete.

5. Connect the device to a wired internet connection using a Surface-branded ethernet adapter. Restart the device and access the UEFI menu by pressing and holding the volume-up button while also pressing and releasing the power button.

6. Go to Management > Configure > Refresh from Network and select Opt-out.

7. If you intend to manage the device with Intune but without DFCI management, self-register it to Autopilot and enroll it in Intune. Note that DFCI won't be applied to self-registered devices.

These steps ensure that the device is retired from Intune management with DFCI and is prepared for re-enrollment without DFCI application.