
You can disable the camera at the firmware layer, so it doesn't matter what the end user does. Reinstalling the OS or wiping the computer won't turn the camera back on. In another example, lock down the boot options to prevent users from booting another OS, or an older version of Windows that doesn't have the same security features.

When you reinstall an older Windows version, install a separate OS, or format the hard drive, you can't override DFCI management. This feature can prevent malware from communicating with OS processes, including elevated OS processes. DFCI's trust chain uses public key cryptography, and doesn't depend on local UEFI (BIOS) password security. This layer of security blocks local users from accessing managed settings from the device's UEFI (BIOS) menus.

The device manufacturer must have DFCI added to their UEFI firmware in the manufacturing process, or as a firmware update you install. Work with your device vendors to determine which manufacturers support DFCI, and the firmware version needed to use DFCI.

Devices manually registered for Autopilot, such as devices imported from a CSV file, aren't allowed to use DFCI. The device must be registered for Windows Autopilot by a Microsoft Cloud Solution Provider (CSP) partner, or registered directly by the OEM. By design, DFCI management requires external attestation of the device's commercial acquisition, through an OEM or Microsoft CSP partner registration to Windows Autopilot. Once your device is registered, its serial number is shown in the list of Windows Autopilot devices. For more information on Autopilot, including any requirements, see Windows Autopilot registration overview.

Autopilot deployment profiles are assigned to Azure AD security groups. Be sure to create groups that include your DFCI-supported devices. For DFCI devices, most organizations create device groups instead of user groups.
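The following PowerShell is an added example, not code from the Intune documentation or from Microsoft. It shows the two administrative checks this section implies: confirming that the serial numbers you expect from your OEM or CSP partner actually appear in the Windows Autopilot device list, and creating an Azure AD dynamic device group (rather than a user group) that only Autopilot-registered devices can join, keyed on the Autopilot group tag. The membership-rule syntax (`[OrderID]` and `[ZTDId]` entries in `device.devicePhysicalIds`) is Microsoft's documented convention for Autopilot devices; the serial numbers, the group tag `DFCI`, the group name and the mail nickname are placeholders assumed for this example. It requires the Microsoft.Graph PowerShell SDK.

```powershell
# Added example (not from the Intune documentation): verify Autopilot registration
# for the devices you intend to manage with DFCI, then build an Azure AD dynamic
# device group for them. Requires the Microsoft.Graph PowerShell SDK.
# Assumptions: the serial numbers, the group tag "DFCI", the group display name
# and the mail nickname below are placeholders for this example.

Import-Module Microsoft.Graph.DeviceManagement.Enrollment
Import-Module Microsoft.Graph.Groups

Connect-MgGraph -Scopes "DeviceManagementServiceConfig.Read.All", "Group.ReadWrite.All"

# Constructed sample input: serial numbers from your OEM or CSP partner order.
$expectedSerials = @("0F9C8D7E6B5A", "1A2B3C4D5E6F")

# 1. Confirm each serial number appears in the Autopilot device list.
#    Caveat: the list also contains devices you imported yourself from a CSV,
#    so presence here proves registration but not who registered the device.
#    Only the OEM or CSP partner can confirm that the registration was theirs,
#    and only those devices are allowed to use DFCI.
$autopilotDevices = Get-MgDeviceManagementWindowsAutopilotDeviceIdentity -All
$registered = $autopilotDevices | Select-Object -ExpandProperty SerialNumber
$missing = $expectedSerials | Where-Object { $_ -notin $registered }
if ($missing) {
    Write-Warning ("Not registered for Autopilot (cannot use DFCI): " + ($missing -join ", "))
}

# Also report devices whose group tag doesn't match the tag the partner was
# asked to apply, since the dynamic group below keys on that tag.
$autopilotDevices |
    Where-Object { $_.SerialNumber -in $expectedSerials -and $_.GroupTag -ne "DFCI" } |
    ForEach-Object { Write-Warning ("Unexpected group tag '" + $_.GroupTag + "' on " + $_.SerialNumber) }

# 2. Create a dynamic DEVICE group (not a user group). The rule requires the
#    Autopilot group tag ([OrderID]) set at registration and the [ZTDId] marker,
#    so only Autopilot-registered devices can ever become members.
$rule = '(device.devicePhysicalIds -any (_ -eq "[OrderID]:DFCI")) -and (device.devicePhysicalIds -any (_ -startsWith "[ZTDId]"))'

$group = New-MgGroup -DisplayName "DFCI managed devices" `
    -MailNickname "dfci-managed-devices" `
    -MailEnabled:$false -SecurityEnabled:$true `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule $rule `
    -MembershipRuleProcessingState "On"

"Created group $($group.DisplayName) ($($group.Id)). Assign the Autopilot deployment profile and the DFCI profile to this group."
```

Keying the group on the group tag rather than on a static member list means a device added later by the partner with the same tag joins automatically, and a device that was imported manually (no partner registration) never matches the `[ZTDId]` condition unless it was also Autopilot-registered, which keeps the profile scoped to devices that can actually honor it.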


