Welcome to the Surface DFCI interactive guide
Select Start to continue.
Hybrid and remote workforces have created new challenges for access management across devices. Your users need to securely access and connect to critical resources from anywhere. And you want to support them from wherever they work. But you still need to help protect your organization’s data and securely manage access from chip to cloud.
With Microsoft Intune, you can manage user access and simplify endpoint management. Intune helps protect access and data across your organization-owned and personal mobile devices, desktop computers, and virtual endpoints. Intune also helps you adhere to the Zero Trust security model with its compliance and reporting features.
Microsoft Surface devices have a unique Unified Extensible Firmware Interface (UEFI) to help you manage access down to the hardware level. In addition to displaying important information about your Surface, such as the model, serial number and firmware details, the UEFI allows you to configure device hardware, security and boot settings, as well as the date and time.
In this interactive guide, we will start by reviewing the Surface UEFI capabilities in more detail, then proceed to review how Device Firmware Configuration Interface (DFCI) profiles in Microsoft Intune can be used to manage UEFI settings for your Surface devices. Last, you will transition back to the Surface device to verify UEFI settings after the DFCI profile has been applied.
When you are ready, select Continue to get started.
Select Exercise 1 to continue.
You can use the UEFI experience on your Microsoft Surface device to enable or disable built-in devices and components, protect settings from being changed, and adjust the boot settings. In this interactive demo we'll begin on the PC Information screen of the Surface UEFI and focus on how to disable camera functionality.
Note: To access the Surface UEFI on a real device, follow these steps:
- First, shut down your Surface device completely (wait about 10 seconds to ensure it’s completely shut down).
- Press and hold the Volume-up button and the Power button at the same time. Keep doing this until you see either a Microsoft or Surface logo onscreen.
- Hold down the Volume-up button to get the UEFI screen to load. The first screen you’ll see will be the PC Information screen, containing important information about your Surface, including the serial number and firmware version. If you look to the left, you’ll see all the other available settings.
Now it’s time to turn off the cameras. Select Devices, which calls up this list of devices you can toggle on or off.
To disable the cameras, set the toggle to off for Front camera, Rear camera, and IR camera (in that order).
When we exit and save the changes, the cameras will be disabled on this device. Before doing so, let’s review some of the other capabilities in the Surface UEFI.
Select Security in the left navigation.
Note the ability to specify a password for access to UEFI settings, change secure boot configuration, and enable/disable Simultaneous Multithreading (SMT).
When ready, select Boot configuration in the left navigation to continue.
On the Boot configuration page, you can view and edit the boot order, allowed boot options (such as the ability to boot from a USB device), and a variety of other settings.
When you are done reviewing these settings, select Exit.
On the Exit settings and restart your Surface page, select Restart now to apply your changes.
Congratulations on completing exercise 1. Click anywhere on the screen to continue to the next exercise.
Select exercise 2 to continue.
Device Firmware Configuration Interface (DFCI) profiles built into Microsoft Intune can help you extend your modern management stack down to the UEFI level. DFCI brings several valuable capabilities, particularly zero-touch provisioning, with no BIOS passwords needed. You’ll get control over security settings for boot options and built-in peripherals. Plus, DFCI provides a foundation you can build on to address future advanced security scenarios.
With DFCI, you can remotely disable specific hardware components and prevent end users from accessing them. Need to protect sensitive information in highly secure areas? Disable the camera. Want to prevent users from booting from USB drives? You can switch that off too.
You’ll use DFCI together with software-level mobile device management (MDM). In order to use DFCI, the device also needs to be registered for Windows Autopilot by a Microsoft Cloud Solution Provider (CSP). By design, DFCI management requires external attestation of the device's commercial acquisition through an OEM or a Microsoft CSP partner registration to Windows Autopilot.
In this exercise, we will review how to configure and assign a DFCI profile in Microsoft Intune. This demo assumes that you’ve already created an Autopilot deployment profile and an enrollment state page profile.
Begin by signing into your tenant at endpoint.microsoft.com. Click in the address bar to type https://endpoint.microsoft.com and then press Enter.
Sign in using your admin credentials:
- Username: select the field to type admin@contoso.com and then select Next or press Enter.
- Password: select the field to type the password and then select Sign in or press Enter.
In the Intune admin center, select Devices in the left navigation.
On the Devices | Overview page, select Configuration profiles in the left navigation.
On the Devices | Configuration profiles page, select Create profile.
On the Create a profile panel, click to expand the platform menu and then select Windows 10 and later.
Click to expand the Profile type menu, then select Templates.
From the list of templates, select Device firmware configuration interface and then select Create.
In this scenario, we’ll be creating a profile and assigning it to the Engineering group at Contoso. Select the name field to type DFCI Profile for Contoso Engineering.
Select the Description field to type DFCI Profile for UEFI setting management.
Select Next to continue to the Configuration settings tab.
On the Configuration settings tab, select the UEFI access node to expand it.
Most customers don’t want local users to be able to change UEFI settings. This is the case for Contoso, so you’ll want to block local user access.
Under UEFI access, set Allow local user to change UEFI to None.
We will now review some other ways you can manage the device. Start by selecting the Security node.
In Security settings, you can toggle options like simultaneous multithreading (SMT).
Next click to expand the Camera settings.
We want to disable all of the cameras on assigned devices, so click to expand the Cameras menu (set to Not configured by default) and select Disabled.
Next, select Microphones and speakers. Here you can switch on-board audio off for eligible devices.
After reviewing the settings, expand the Radios settings node. These let you manage built-in Bluetooth, Wi-Fi, or 5G wireless functionality for eligible devices.
When done reviewing the Radio settings, select Boot options. The Boot options settings let you control whether eligible devices can boot from external media, a restriction that is common in high-security environments.
Expand the Ports settings. These settings enable you to manage access to ports like USB-A and the SD card slot, if equipped.
Select Wake settings when you are ready to continue.
Wake settings enable you to disable Wake on LAN or Wake on power.
When you are done reviewing the settings, select Next to continue.
Once you’ve configured your settings, you can choose which groups to assign this profile to, as well as specific OS editions or versions, if applicable.
We will be assigning this profile to the Contoso Engineering group, so select Add groups.
On the Select groups to include panel, select the Search field to type Engineering.
Choose the Contoso Engineering group and then click Select.
Select Next at the bottom of the assignments panel to continue.
We will not be specifying any applicability rules in this scenario, so click Next to continue.
Review the settings and then select Create.
Your DFCI profile has been created. Select Refresh to verify that it shows up in the list of profiles.
Congratulations on completing the exercise.
Next we will switch back to the Surface device of a Contoso Engineering user to verify the UEFI settings and hardware experience after your new DFCI profile is applied.
Click anywhere on the screen to continue.
Congratulations on completing exercise 2.
Select exercise 3 to continue.
Now that you’ve created and assigned a DFCI profile, let’s verify the settings that the end user will see on a managed device (this device belongs to a user in the Contoso Engineering group). For this interactive guide, we will assume that the user in question has already restarted the device and reconnected to the Internet.
We’ll start on the PC Information page in the Surface UEFI.
Remember: to access the Surface UEFI, press and hold the Volume-up button on your Surface and, at the same time, press and release the Power button. When you see the logo, release the Volume-up button.
To continue, select Devices in the left navigation.
On the Devices page, you can see that the cameras are disabled and greyed out, indicating that the user is not able to change those settings. Select Security to continue.
On the Security page, as with Devices, you will see the text indicating that some settings are managed by your organization. All options on this page are disabled because you set Allow local user to change UEFI to None in the DFCI profile.
Select Exit and then click Restart Now to continue to the Windows desktop on the Surface, where we’ll review what the end user sees in Windows when they try to access a piece of hardware that’s been disabled, for example the camera.
Once the device has restarted, select the PIN field to simulate typing in the PIN to log in to Windows.
You are now seeing the Windows desktop on the Surface device being managed with DFCI. Recall that we’ve disabled all of the cameras on the device, so let’s review what the end user sees on their device.
To start, select the Windows button in the taskbar and then select Device Manager from the list of recent programs to open it.
Review the list of devices and note that the cameras are not listed at all. Devices are listed in alphabetical order, so Cameras would have appeared between the Bluetooth and Computer nodes.
Now, let’s take a look at how the Camera app experience changes. Click to close Device Manager and return to the desktop.
Select the Windows button in the taskbar and then select the Camera app from the list of recent programs to open it.
Once the Camera app loads, you’ll see that no camera is detected here either.
As you can see, hardware components disabled in UEFI don’t appear as devices within Windows, so they can’t be accessed by users or by the OS. And because we disabled the local user’s ability to modify UEFI settings, they can’t override those policies locally.
Congratulations on completing this exercise. Click anywhere on the screen to continue.
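The Device Manager check above can also be scripted so an administrator can confirm the DFCI camera policy across many Surface devices from the Windows side. This is an added example and not part of the guide or a Microsoft tool; it assumes a Windows 10 or later device with the built-in Get-PnpDevice cmdlet, and it follows the Intune detection-script convention of exit code 0 for compliant and 1 for non-compliant.

```powershell
# Added example (not from the guide): confirm that firmware-disabled cameras are
# invisible to Windows, which is what the Device Manager walkthrough shows.
# Exit code 0 = no camera enumerated (policy in effect), 1 = a camera is visible.

function Test-CameraDisabledByFirmware {
    [CmdletBinding()]
    param()

    # Cameras enumerate under the "Camera" class on current Windows builds and
    # under "Image" on older driver stacks, so both classes are checked.
    # -PresentOnly restricts the result to hardware the OS currently sees; a
    # camera disabled in UEFI never enumerates, so it will not show up here.
    $cameras = Get-PnpDevice -Class Camera, Image -PresentOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.FriendlyName -match 'camera|webcam' }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        CamerasPresent = @($cameras).Count
        CameraNames    = @($cameras | ForEach-Object FriendlyName)
        Compliant      = (@($cameras).Count -eq 0)
    }
}

$result = Test-CameraDisabledByFirmware
$result | Format-List

# Intune detection-script convention: 0 = compliant, 1 = needs attention.
if ($result.Compliant) { exit 0 } else { exit 1 }
```

Run it on the managed Surface after the DFCI profile has applied; on a device where the cameras are still enabled in UEFI, CameraNames lists them and the script exits 1.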
Congratulations on completing the interactive guide.
You can select the Home button to return to the beginning of the guide.