This profile makes sure that devices are verified and enabled for DFCI during the Windows setup. Step 2: Create an Enrollment State Page profile The following article lists the steps to create the profile: This profile sets up and pre-configures new devices. Step 1: Create an Autopilot deployment profile To use DFCI, create the following profiles, and assign them to your group. In this scenario, you can create a security devices group, and add these 10 devices to the group. For more information on creating groups in Intune, see Add groups to organize users and devices. On all devices, you want to prevent booting the devices from a USB device. On the manufacturing floor, you have 10 devices. In this scenario, you can create an HR security users group so the policy applies to users in the HR group, whatever the device type. For security reasons, you don't want anyone in this group to use the camera on the devices. Human Resources (HR) has different Windows devices. For DFCI devices, most organizations may create device groups, instead of user groups. Be sure to create groups that include your DFCI-supported devices. Once your device is registered, its serial number is shown in the list of Windows Autopilot devices. For more information on Autopilot, including any requirements, see Windows Autopilot registration overview. Autopilot deployment profiles are assigned to Azure AD security groups. By design, DFCI management requires external attestation of the device's commercial acquisition through an OEM or a Microsoft CSP partner registration to Windows Autopilot. The device must be registered for Windows Autopilot by a Microsoft Cloud Solution Provider (CSP) partner, or registered directly by the OEM. Devices manually registered for Autopilot, such as imported from a CSV file, aren't allowed to use DFCI. Work with your device vendors to determine the manufacturers that support DFCI, or the firmware version needed to use DFCI.
The device manufacturer must have DFCI added to their UEFI firmware in the manufacturing process, or as a firmware update you install. This layer of security blocks local users from accessing managed settings from the device's UEFI (BIOS) menus. DFCI's trust chain uses public key cryptography, and doesn't depend on local UEFI (BIOS) password security. This feature can prevent malware from communicating with OS processes, including elevated OS processes. When you reinstall an older Windows version, install a separate OS, or format the hard drive, you can't override DFCI management. In another example, lock down the boot options to prevent users from booting up another OS, or an older version of Windows that doesn't have the same security features. Reinstalling the OS or wiping the computer won't turn the camera back on. You can disable the camera at the firmware layer, so it doesn't matter what the end user does. Windows 10 RS5 (1809) and later on supported UEFI. For example, you use Windows client devices in a secure environment, and want to disable the camera. It limits end users' control over the BIOS, which is good in a compromised situation. Typically, firmware is more resilient to malicious attacks. In Intune, use this feature to control BIOS settings. For an overview of benefits, scenarios, and prerequisites, see Overview of DFCI. DFCI enables Windows to pass management commands from Intune to UEFI (Unified Extensible Firmware Interface). Also, check out today’s blog post from the System Center Configuration Manager team where they shared their latest plans for managing Windows 10. And if you are attending Ignite this week, don’t forget to check out some of the Intune sessions that we have planned. When you use Intune to manage Autopilot devices, you can manage UEFI (BIOS) settings after they're enrolled using the Device Firmware Configuration Interface (DFCI).
Make sure to stay tuned to this blog over the coming months as we continue to share more details on how you can best manage Windows 10 with Intune. You can also view the complete list of Configuration Service Providers (CSPs) exposed in the Windows 10 Technical Preview builds here. This list of settings will continue to be expanded over time. You can find more information on custom OMA-URI settings for Windows 10 here. As part of our monthly cloud cadence, we also plan to incrementally add native UI support for new Windows 10 features to provide you with best-in-class management for Windows 10 with Intune. All existing Intune features for managing Windows 8.1 and Windows Phone 8.1 will work for Windows 10, including: Additionally, you can now create custom policies using OMA-URI to manage new Windows 10 features with Intune. At the Microsoft Ignite event, Microsoft announced that Microsoft Intune now supports the management of Windows 10.