Merge pull request #7508 from MicrosoftDocs/main

Publish 05/02/2022 3:30 PM PT

Author: Angela Fleischmann

memdocs/configmgr/core/servers/deploy/install/setup-wizard-central-primary.md

@@ -2,7 +2,7 @@
 title: Install a CAS or primary site
 titleSuffix: Configuration Manager
 description: Use the Configuration Manager setup wizard to install a new central administration site (CAS) or primary site.
-ms.date: 04/08/2022
+ms.date: 05/02/2022
 ms.prod: configuration-manager
 ms.technology: configmgr-core
 ms.topic: how-to
@@ -241,6 +241,8 @@ To expand the site, use the [process to install a CAS or primary site](#process-
 
 - On the **Site Installation** page, select the option to expand the stand-alone primary site.
 
+- If you enable Endpoint Analytics for devices uploaded to Microsoft Endpoint Manager, in version 2107 or later, re-enable this option. <!--13772757,  10362047-->
+
 ## Next steps
 
 [Use the setup wizard to install a secondary site](setup-wizard-secondary.md)

memdocs/intune/apps/app-configuration-policies-use-android.md

@@ -76,7 +76,7 @@ Android Enterprise has several enrollment methods. The enrollment type depends o
     <img alt="Screenshot of configuration policy - Settings" src="./media/app-configuration-policies-use-ios/app-config-policy01a.png" width="700">
 
     > [!NOTE]
-    > This setting only works for corporate-owned work profile devices.
+    > This setting only works for personally-owned work profile and corporate-owned work profile devices.
     > 
     > Changing the **Connected apps** setting to **Not Configured** will not remove the configuration policy from the device. To remove the **Connected apps** functionality from a device, you must unassign the related configuration policy.
 

memdocs/intune/configuration/device-firmware-configuration-interface-windows-settings.md

@@ -0,0 +1,115 @@
+---
+# required metadata
+
+title: Device firmware configuration interface settings for Windows 10/11 in Microsoft Intune
+description: See a list of all the DFCI profile settings and their descriptions on Windows 10/11 client devices. Use these settings in a configuration profile to control UEFI firmware layer features using Microsoft Intune policy. You can manage the CPU, built-in hardware, and boot options on Windows 10/11 client devices using Microsoft Intune.
+keywords:
+author: MandiOhlinger
+ms.author: mandia
+manager: dougeby
+ms.date: 05/02/2022
+ms.topic: conceptual
+ms.service: microsoft-intune
+ms.subservice: configuration
+ms.localizationpriority: medium
+ms.technology:
+
+# optional metadata
+
+#ROBOTS:
+#audience:
+
+ms.reviewer: madakeva
+ms.suite: ems
+search.appverid: MET150
+#ms.tgt_pltfrm:
+ms.custom: intune-azure; 
+ms.collection:
+  - M365-identity-device-management
+  - highpri
+---
+
+# Device Firmware Configuration Interface (DFCI) profile settings in Microsoft Intune
+
+> [!NOTE]
+> [!INCLUDE [not-all-settings-are-documented](../includes/not-all-settings-are-documented.md)]
+
+This article lists and describes the DFCI profile settings you can control on Windows client devices. As part of your mobile device management (MDM) solution, use these settings to control security features, the built-in hardware, and the boot options in the UEFI layer on Windows.
+
+These settings apply to:
+
+- Windows 11 on supported UEFI
+- Windows 10 RS5 (1809) and later on supported UEFI
+
+These settings are added to a device configuration profile in Intune, and then assigned or deployed to your Windows client devices.
+
+## Before you begin
+
+- [Create the Windows 10/11 DFCI profile](device-firmware-configuration-interface-windows.md). There are more requirements to creating DFCI profiles. For more specific information, go to [Use DFCI profiles on Windows devices in Microsoft Intune](device-firmware-configuration-interface-windows.md).
+- These settings use the [UEFI CSP](/windows/client-management/mdm/uefi-csp).
+
+## Security features
+
+- **Allow local user to change UEFI settings**: Your options:
+  - **Only not configured settings**: The local user can change any setting *except* those settings explicitly set to **Enable** or **Disable** by Intune.
+  - **None**: The local user may not change any UEFI (BIOS) settings, including settings not shown in the DFCI profile.
+
+- **CPU and IO virtualization**: Your options:
+  - **Not configured**: Intune doesn't change or update this setting.
+  - **Enabled**: The BIOS enables the platform's CPU and IO virtualization capabilities for use by the OS. It turns on Windows Virtualization Based Security and Device Guard technologies.
+
+- **Windows Platform Binary Table** (WPBT): The WPBT allows vendors and OEMs to run an `.exe` program in the UEFI layer. Every time Windows boots, it looks at the UEFI, and runs the `.exe`. It's used to run programs that aren't included with the Windows media.
+
+  Your options:
+  - **Not configured**: Intune doesn't change or update this setting. By default, the OS might allow vendors and OEMs to run programs using the WPBT.
+  - **Enabled**: Enables the WPBT and allows `.exe` programs in the UEFI layer to run.
+  - **Disabled**: Disables the WPBT and prevents `.exe` programs in the UEFI layer from running.
+
+- **Simultaneous multithreading** (SMT): Also known as hyper-threading. Your options:
+  - **Not configured**: Intune doesn't change or update this setting.
+  - **Enabled**: Enables SMT in the UEFI layer.
+  - **Disabled**: Disables SMT in the UEFI layer.
+
+## Built-in Hardware
+
+These settings manage the hardware components built into the devices. They don't manage attached peripherals, such as USB webcams.
+
+- **Cameras**: Your options:
+  - **Not configured**: Intune doesn't change or update this setting.
+  - **Enabled**: All built-in cameras directly managed by UEFI (BIOS) are enabled. Peripherals, like USB cameras, aren't affected.
+  - **Disabled**: All built-in camera directly managed by UEFI (BIOS) are disabled. Peripherals, like USB cameras, aren't affected.
+
+- **Microphones and speakers**:  Your options:
+  - **Not configured**: Intune doesn't change or update this setting.
+  - **Enabled**: All built-in microphones and speakers directly managed by UEFI (BIOS) are enabled. Peripherals, like USB devices, aren't affected.
+  - **Disabled**: All built-in microphones and speakers directly managed by UEFI (BIOS) are disabled. Peripherals, like USB devices, aren't affected.
+
+- **Radios (Bluetooth, Wi-Fi, NFC, etc.)**: Your options:
+  - **Not configured**: Intune doesn't change or update this setting.
+  - **Enabled**: All built-in radios directly managed by UEFI (BIOS) are enabled. Peripherals, like USB devices, aren't affected.
+  - **Disabled**: All built-in radios directly managed by UEFI (BIOS) are disabled. Peripherals, like USB devices, aren't affected.
+
+    > [!WARNING]
+    > If you disable the **Radios** setting, the device requires a wired network connection. Otherwise, the device may be unmanageable.
+
+## Boot Options
+
+- **Boot from external media (USB, SD)**: Your options:
+- **Not configured**: Intune doesn't change or update this setting.
+- **Enabled**: UEFI (BIOS) allows booting from non-hard drive storage.
+- **Disabled**: UEFI (BIOS) doesn't allow booting from non-hard drive storage, which also disables booting from network adapters. 
+
+  When set to **Disabled**, don't set the **Boot from network adapters** setting to **Enabled**. It causes the **Boot from external media (USB, SD)** setting or **Boot from network adapters** setting to become not compliant.
+
+- **Boot from network adapters**: Your options:
+  - **Not configured**: Intune doesn't change or update this setting.
+  - **Enabled**: UEFI (BIOS) allows booting from built-in network interfaces.
+  - **Disabled**: UEFI (BIOS) doesn't allow booting built-in network interfaces.
+
+## Next steps
+
+For other technical details on each setting and what editions of Windows are supported, see [Windows 10/11 Policy CSP Reference](/windows/client-management/mdm/policy-configuration-service-provider).
+
+[Use DFCI profiles on Windows devices in Microsoft Intune](device-firmware-configuration-interface-windows.md).
+
+[Assign the profile](device-profile-assign.md), and [monitor its status](device-profile-monitor.md).

memdocs/intune/configuration/device-firmware-configuration-interface-windows.md

@@ -2,12 +2,12 @@
 # required metadata
 
 title: Update Windows BIOS features using MDM policies in Microsoft Intune
-description: Add a Device Firmware Configuration Interface (DFCI) profile to manage UEFI settings, such as the CPU, built-in hardware, and boot options on Windows 10/11 client devices in Microsoft Intune.
+description: Learn more about the Device Firmware Configuration Interface (DFCI) profile to manage UEFI settings in Microsoft Intune. To use DFCI profiles, create Azure AD security groups, the Windows Autopilot deployment profile, and the Enrollment State Page profile.
 keywords:
 author: MandiOhlinger
 ms.author: mandia
 manager: dougeby
-ms.date: 04/04/2022
+ms.date: 05/02/2022
 ms.topic: how-to
 ms.service: microsoft-intune
 ms.subservice: configuration
@@ -19,7 +19,7 @@ ms.technology:
 #ROBOTS:
 #audience:
 
-ms.reviewer: mikedano
+ms.reviewer: madakeva
 ms.suite: ems
 search.appverid: MET150
 #ms.tgt_pltfrm:
@@ -31,7 +31,7 @@ ms.collection: M365-identity-device-management
 
 When you use Intune to manage Autopilot devices, you can manage UEFI (BIOS) settings after they're enrolled, using the Device Firmware Configuration Interface (DFCI). For an overview of benefits, scenarios, and prerequisites, see [Overview of DFCI](https://microsoft.github.io/mu/dyn/mu_plus/DfciPkg/Docs/Dfci_Feature/).
 
-DFCI [enables Windows](/windows/client-management/mdm/uefi-csp) to pass management commands from Intune to UEFI (Unified Extensible Firmware Interface).
+DFCI enables Windows to pass management commands from Intune to UEFI (Unified Extensible Firmware Interface).
 
 In Intune, use this feature to control BIOS settings. Typically, firmware is more resilient to malicious attacks. It limits end users control over the BIOS, which is good in a compromised situation.
 
@@ -61,7 +61,8 @@ When you reinstall an older Windows version, install a separate OS, or format th
 Autopilot deployment profiles are assigned to Azure AD security groups. Be sure to create groups that include your DFCI-supported devices. For DFCI devices, most organization may create device groups, instead of user groups. Consider the following scenarios:
 
 - Human Resources (HR) has different Windows devices. For security reasons, you don't want anyone in this group to use the camera on the devices. In this scenario, you can create an HR security users group so the policy applies to users in the HR group, whatever the device type.
-- On the manufacturing floor, you have ten devices. On all devices, you want to prevent booting the devices from a USB device. In this scenario, you can create a security devices group, and add these ten devices to the group.
+
+- On the manufacturing floor, you have 10 devices. On all devices, you want to prevent booting the devices from a USB device. In this scenario, you can create a security devices group, and add these 10 devices to the group.
 
 For more information on creating groups in Intune, see [Add groups to organize users and devices](../fundamentals/groups-add.md).
 
@@ -85,64 +86,23 @@ This profile includes the DFCI settings you configure.
 2. Select **Devices** > **Configuration profiles** > **Create profile**.
 3. Enter the following properties:
 
-    - **Platform**: Choose **Windows 10 and later**.
-    - **Profile**: Select **Templates** > **Device Firmware Configuration Interface**.
+   - **Platform**: Choose **Windows 10 and later**.
+   - **Profile**: Select **Templates** > **Device Firmware Configuration Interface**.
 
 4. Select **Create**.
 5. In **Basics**, enter the following properties:
 
     - **Name**: Enter a descriptive name for the profile. Name your policies so you can easily identify them later. For example, a good profile name is **Windows: Configure DFCI settings on Windows devices**.
     - **Description**: Enter a description for the profile. This setting is optional, but recommended.
 
-6. Select **Next**.
-7. In **Configuration settings**, configure the following settings:
-
-    - **Allow local user to change UEFI (BIOS) settings**: Your options:
-      - **Only not configured settings**: The local user may change any setting *except* those settings explicitly set to **Enable** or **Disable** by Intune.
-      - **None**: The local user may not change any UEFI (BIOS) settings, including settings not shown in the DFCI profile.
-
-    - **CPU and IO virtualization**: Your options:
-        - **Not configured**: Intune doesn't change or update this setting.
-        - **Enabled**: The BIOS enables the platform's CPU and IO virtualization capabilities for use by the OS. It turns on Windows Virtualization Based Security and Device Guard technologies.
-    - **Cameras**: Your options:
-        - **Not configured**: Intune doesn't change or update this setting.
-        - **Enabled**: All built-in cameras directly managed by UEFI (BIOS) are enabled. Peripherals, like USB cameras, aren't affected.
-        - **Disabled**: All built-in camera directly managed by UEFI (BIOS) are disabled. Peripherals, like USB cameras, aren't affected.
-    - **Microphones and speakers**:  Your options:
-        - **Not configured**: Intune doesn't change or update this setting.
-        - **Enabled**: All built-in microphones and speakers directly managed by UEFI (BIOS) are enabled. Peripherals, like USB devices, aren't affected.
-        - **Disabled**: All built-in microphones and speakers directly managed by UEFI (BIOS) are disabled. Peripherals, like USB devices, aren't affected.
-    - **Radios (Bluetooth, Wi-Fi, NFC, etc.)**: Your options:
-        - **Not configured**: Intune doesn't change or update this setting.
-        - **Enabled**: All built-in radios directly managed by UEFI (BIOS) are enabled. Peripherals, like USB devices, aren't affected.
-        - **Disabled**: All built-in radios directly managed by UEFI (BIOS) are disabled. Peripherals, like USB devices, aren't affected.
-
-        > [!WARNING]
-        > If you disable the **Radios** setting, the device requires a wired network connection. Otherwise, the device may be unmanageable.
-
-    - **Boot from external media (USB, SD)**: Your options:
-        - **Not configured**: Intune doesn't change or update this setting.
-        - **Enabled**: UEFI (BIOS) allows booting from non-hard drive storage.
-        - **Disabled**: UEFI (BIOS) doesn't allow booting from non-hard drive storage, which also disables booting from network adapters. 
-
-          When set to **Disabled**, don't set the **Boot from network adapters** setting to **Enabled**. It causes the **Boot from external media (USB, SD)** setting or **Boot from network adapters** setting to become not compliant.
-
-    - **Boot from network adapters**: Your options:
-        - **Not configured**: Intune doesn't change or update this setting.
-        - **Enabled**: UEFI (BIOS) allows booting from built-in network interfaces.
-        - **Disabled**: UEFI (BIOS) doesn't allow booting built-in network interfaces.
-
-8. Select **Next**.
-
-9. In **Scope tags** (optional), assign a tag to filter the profile to specific IT groups, such as `US-NC IT Team` or `JohnGlenn_ITDepartment`. For more information about scope tags, see [Use RBAC and scope tags for distributed IT](../fundamentals/scope-tags.md).
-
-    Select **Next**.
-
-10. In **Assignments**, select the users or user group that will receive your profile. For more information on assigning profiles, see [Assign user and device profiles](device-profile-assign.md).
-
-    Select **Next**.
-
-11. In **Review + create**, review your settings. When you select **Create**, your changes are saved, and the profile is assigned. The policy is also shown in the profiles list.
+   Select **Next**.
+6. In **Configuration settings**, configure the settings you want to control in the UEFI firmware layer. For a list of all the settings, and what they do, see [Windows](device-firmware-configuration-interface-windows-settings.md).
+   Select **Next**.
+7. In **Scope tags** (optional), assign a tag to filter the profile to specific IT groups, such as `US-NC IT Team` or `JohnGlenn_ITDepartment`. For more information about scope tags, see [Use RBAC and scope tags for distributed IT](../fundamentals/scope-tags.md).
+   Select **Next**.
+8. In **Assignments**, select the users or user group that will receive your profile. For more information on assigning profiles, see [Assign user and device profiles](device-profile-assign.md).
+   Select **Next**.
+9. In **Review + create**, review your settings and select **Create**. When you select **Create**, your changes are saved, and the profile is assigned. The policy is also shown in the profiles list.
 
 The next time each device checks in, the policy is applied.
 
@@ -161,7 +121,6 @@ The next time the device syncs with Intune, Windows receives the DFCI settings.
 If you want to change existing DFCI settings on devices that are in use, you can. In your existing DFCI profile, change the settings, and save your changes. Since the profile is already assigned, the new DFCI settings take effect when:
 
 1. The device checks in with the Intune service to review profile updates. Check-ins happen at various times. For more information, see [when devices get a policy, profile, or app updates](../configuration/device-profile-troubleshoot.md#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).
-
 2. To enforce the new settings, reboot the device [remotely](../remote-actions/device-restart.md) or locally.
 
 You can also [signal devices to check in](../remote-actions/device-sync.md). After a successful sync, [signal to reboot](../remote-actions/device-restart.md).

memdocs/intune/configuration/toc.yml

@@ -71,7 +71,7 @@ items:
       href: administrative-templates-configure-edge.md
     - name: Restrict USB devices using ADMX
       href: administrative-templates-restrict-usb.md
-  - name: BIOS settings on Windows
+  - name: UEFI BIOS settings on Windows
     href: device-firmware-configuration-interface-windows.md
     displayName: dfci, firmware
   - name: Domain Join on Windows
@@ -223,6 +223,8 @@ items:
         href: custom-settings-windows-10.md
       - name: Delivery optimization
         href: delivery-optimization-settings.md
+      - name: Device Firmware Configuration Interface (DFCI)
+        href: device-firmware-configuration-interface-windows-settings.md
       - name: Device restrictions
         href: device-restrictions-windows-10.md
       - name: Device restrictions (Windows 10 Team)