Device Firmware Configuration Interface (DFCI) profile settings in Microsoft Intune

This article lists and describes the DFCI profile settings you can control on Windows client devices. As part of your mobile device management (MDM) solution, use these settings to control security features, the built-in hardware, and the boot options in the UEFI layer on Windows.

These settings apply to:

• Windows 11 on supported UEFI
• Windows 10 RS5 (1809) and later on supported UEFI

These settings are added to a device configuration profile in Intune, and then assigned or deployed to your Windows client devices.

Before you begin

• Create the Windows DFCI profile. There are more requirements to creating DFCI profiles. For more specific information, go to Use DFCI profiles on Windows devices in Microsoft Intune.
• Some settings aren't available for all devices. To confirm if a setting is or isn't available on your device, contact your device manufacturer.
• These settings use the UEFI CSP.

Be careful. Configuring and assigning DFCI profiles can lock the device beyond repair. The DFCI profile settings change the device hardware, and can't be fixed by re-imaging the OS.

UEFI access

• Allow local user to change UEFI settings: Your options:
  • Only not configured settings: The local user can change any setting except those settings explicitly set to Enable or Disable by Intune.
  • None: The local user can't change any UEFI (BIOS) settings, including settings not shown in the DFCI profile.

  Security features

  • CPU and IO virtualization: Your options:
    • Not configured: Intune doesn't change or update this setting.
    • Enabled: The BIOS enables the platform's CPU and IO virtualization capabilities for use by the OS. It turns on Windows Virtualization Based Security and Device Guard technologies.
    • Not configured: Intune doesn't change or update this setting. By default, the OS might allow vendors and OEMs to run programs using the WPBT.
    • Enabled: Enables the WPBT and allows .exe programs in the UEFI layer to run.
    • Disabled: Disables the WPBT and prevents .exe programs in the UEFI layer from running.
    • Not configured: Intune doesn't change or update this setting.
    • Enabled: Enables SMT in the UEFI layer.
    • Disabled: Disables SMT in the UEFI layer.

    Cameras

    • Cameras: This setting manages all the hardware cameras built into the device. It doesn't manage attached peripherals, such as USB webcams. Your options:
      • Not configured: Intune doesn't change or update this setting. By default, the OS might enable the built-in cameras.
      • Enabled: All built-in cameras directly managed by UEFI (BIOS) are enabled. Peripherals, like USB cameras, aren't affected.
      • Disabled: All built-in cameras directly managed by UEFI (BIOS) are disabled. Peripherals, like USB cameras, aren't affected.
      • Not configured: Intune doesn't change or update this setting. By default, the OS might enable the built-in front visible light cameras.
      • Enabled: All built-in front visible light cameras directly managed by UEFI (BIOS) are enabled. Peripherals, like USB cameras, aren't affected.
      • Disabled: All built-in front visible light cameras directly managed by UEFI (BIOS) are disabled. Peripherals, like USB cameras, aren't affected.
      • Not configured: Intune doesn't change or update this setting. By default, the OS might enable the built-in rear cameras.
      • Enabled: All built-in rear visible light cameras directly managed by UEFI (BIOS) are enabled. Peripherals, like USB cameras, aren't affected.
      • Disabled: All built-in rear visible light cameras directly managed by UEFI (BIOS) are disabled. Peripherals, like USB cameras, aren't affected.
      • Not configured: Intune doesn't change or update this setting. By default, the OS might enable the built-in infrared cameras.
      • Enabled: All built-in infrared cameras directly managed by UEFI (BIOS) are enabled. Peripherals, like USB cameras, aren't affected.
      • Disabled: All built-in infrared cameras directly managed by UEFI (BIOS) are disabled. Peripherals, like USB cameras, aren't affected.

      Microphones and speakers

      We recommend you configure the Microphones and speakers category settings or the Microphones granular settings. If you configure all the settings, then these settings can cause a conflict. For more information, go to DFCI profile overview: Conflicts.

      • Microphones and speakers: This setting manages all the microphones and speakers built into the device. It doesn't manage attached peripherals, such as USB devices. Your options:
        • Not configured: Intune doesn't change or update this setting. By default, the OS might enable the built-in microphones and speakers.
        • Enabled: All built-in microphones and speakers directly managed by UEFI (BIOS) are enabled. Peripherals, like USB devices, aren't affected.
        • Disabled: All built-in microphones and speakers directly managed by UEFI (BIOS) are disabled. Peripherals, like USB devices, aren't affected.
        • Not configured: Intune doesn't change or update this setting. By default, the OS might enable the built-in microphones.
        • Enabled: All built-in microphones directly managed by UEFI (BIOS) are enabled. Peripherals, like USB devices, aren't affected.
        • Disabled: All built-in microphones directly managed by UEFI (BIOS) are disabled. Peripherals, like USB devices, aren't affected.

        Radios

        We recommend you configure the Radios (Bluetooth, Wi-Fi, NFC, etc.) category settings or the Bluetooth, Wi-Fi, etc. granular settings. If you configure all the settings, these settings can cause a conflict. For more information, go to DFCI profile overview: Conflicts.

        • Radios (Bluetooth, Wi-Fi, NFC, etc.): This setting manages all the built-in radios managed by UEFI (BIOS). It doesn't manage attached peripherals. Your options:
          • Not configured: Intune doesn't change or update this setting. By default, the OS might enable all built-in radios.
          • Enabled: All built-in radios directly managed by UEFI (BIOS) are enabled. Peripherals, like USB devices, aren't affected.
          • Disabled: All built-in radios directly managed by UEFI (BIOS) are disabled. Peripherals, like USB devices, aren't affected. When set to Disabled, the device requires a wired network connection. Otherwise, the device can be unmanageable.
          • Not configured: Intune doesn't change or update this setting. By default, the OS might enable the built-in Bluetooth radios.
          • Enabled: All built-in Bluetooth radios directly managed by UEFI (BIOS) are enabled. Peripherals, like USB devices, aren't affected.
          • Disabled: All built-in Bluetooth radios directly managed by UEFI (BIOS) are disabled. Peripherals, like USB devices, aren't affected.
          • Not configured: Intune doesn't change or update this setting. By default, the OS might enable the built-in WWAN radios.
          • Enabled: All built-in WWAN radios directly managed by UEFI (BIOS) are enabled. Peripherals, like USB devices, aren't affected.
          • Disabled: All built-in WWAN radios directly managed by UEFI (BIOS) are disabled. Peripherals, like USB devices, aren't affected.
          • Not configured: Intune doesn't change or update this setting. By default, the OS might enable the built-in NFC radios.
          • Enabled: All built-in NFC radios directly managed by UEFI (BIOS) are enabled. Peripherals, like USB devices, aren't affected.
          • Disabled: All built-in NFC radios directly managed by UEFI (BIOS) are disabled. Peripherals, like USB devices, aren't affected.
          • Not configured: Intune doesn't change or update this setting. By default, the OS might enable the built-in Wi-Fi radios.
          • Enabled: All built-in Wi-Fi radios directly managed by UEFI (BIOS) are enabled. Peripherals, like USB devices, aren't affected.
          • Disabled: All built-in Wi-Fi radios directly managed by UEFI (BIOS) are disabled. Peripherals, like USB devices, aren't affected.

          Boot Options

          Disabling all external boot options or all external ports significantly complicates OS recovery. To recover a device that can no longer boot Windows, you might have to physically open the device and replace the hardware storage.

          • Boot from external media (USB, SD): Your options:
            • Not configured: Intune doesn't change or update this setting. By default, the OS might allow booting from external media.
            • Enabled: UEFI (BIOS) allows booting from non-hard drive storage.
            • Disabled: UEFI (BIOS) prevents booting from non-hard drive storage, which also disables booting from network adapters. When set to Disabled, don't set the Boot from network adapters setting to Enabled. It causes the Boot from external media (USB, SD) setting or Boot from network adapters setting to become not compliant.
            • Not configured: Intune doesn't change or update this setting. By default, the OS might allow booting from built-in network adapters.
            • Enabled: UEFI (BIOS) allows booting from built-in network interfaces.
            • Disabled: UEFI (BIOS) prevents booting built-in network interfaces.

            Ports

            Disabling all external boot options or all external ports significantly complicates OS recovery. To recover a device that can no longer boot Windows, you might have to physically open the device and replace the hardware storage.

            • USB type A: This setting manages the built-in USB type A ports managed by UEFI (BIOS). It doesn't manage attached peripherals. Your options:
              • Not configured: Intune doesn't change or update this setting. By default, the OS might enable the built-in USB type A ports.
              • Enabled: All built-in USB type A ports directly managed by UEFI (BIOS) are enabled. Peripherals, like USB devices, aren't affected.
              • Disabled: All built-in USB type A ports directly managed by UEFI (BIOS) are disabled. Peripherals, like USB devices, aren't affected.
              • Not configured: Intune doesn't change or update this setting. By default, the OS might enable the built-in SD card ports.
              • Enabled: All built-in SD card ports directly managed by UEFI (BIOS) are enabled. Peripherals, like USB devices, aren't affected.
              • Disabled: All built-in SD card ports directly managed by UEFI (BIOS) are disabled. Peripherals, like USB devices, aren't affected.

              Wake settings

              • Wake on LAN: Wake on LAN allows a network administrator to remotely wake a device in sleep mode using the LAN. Your options:
                • Not configured: Intune doesn't change or update this setting. By default, the OS might prevent waking a device using the LAN.
                • Enabled: UEFI (BIOS) allows waking a device using the LAN.
                • Disabled: UEFI (BIOS) prevents waking a device using the LAN.
                • Not configured: Intune doesn't change or update this setting. By default, the OS might prevent waking a device when it's connected to a power source.
                • Enabled: UEFI (BIOS) allows waking a device when it's connected to a power source.
                • Disabled: UEFI (BIOS) prevents waking a device when it's connected to a power source.

                Related articles

                • For other technical details on each setting and what editions of Windows are supported, go to Windows 10/11 Policy CSP Reference.
                • Use DFCI profiles on Windows devices in Microsoft Intune.
                • Assign the profile, and monitor its status.