Centrally controlling UEFI security - an alternative to DFCI
Screenshot. Source: https://endpoint.microsoft.com/ As of: 01.03.2021 Intune version 2101

A little warning beforehand: I try not to make my posts too technical, but I won't succeed this time! This post is related to my work @Dell, but it is my own opinion. #Iwork4Dell

In some market segments, the topic "Device Firmware Configuration Interface" (DFCI) is suddenly becoming very popular. That's why I would like to pick the topic up here for everyone who is interested.

Together with Windows 10 1809, Microsoft introduced a UEFI-based interface for administration via Intune. I am often asked whether our devices also support the Device Firmware Configuration Interface (DFCI), and if not, when they will. But before I go into these points, I would like to explain DFCI first.

What is DFCI?

DFCI is an interface that allows Intune to change certain settings in a compatible UEFI. For this, a whole chain of requirements must be met, which is not always easy. Here are the current requirements:

What are the requirements for DFCI?

  • Windows 10 (1809 or later) Professional or Enterprise
  • UEFI firmware must be DFCI enabled
  • Device must be managed with Intune
  • Device must have been registered by the OEM or a CSP.
  • OEM must support DFCI and be supported by Microsoft in Intune for DFCI

Currently only Microsoft Surface devices are supported:

Figure 1 Screenshot, source: Scenarios - Project Mu (microsoft.github.io) As of: 01.03.2021

What can be controlled with DFCI?

The list of settings is short. Only the following settings can be set in Intune (version 2101):

  • Allow local user to change UEFI settings: "None", "Only not configured".
  • CPU and I/O virtualization: "Not configured", "Enabled".

Hardware control

  • Cameras: "Not configured", "Enabled", "Disabled".
  • Microphones and loudspeakers: "Not configured", "Enabled", "Disabled".
  • Transmitters (Bluetooth, WLAN, NFC, etc.): "Not configured", "Enabled", "Disabled".

Startup options

  • Start from external media (USB, SD): "Not configured", "Enabled", "Disabled".
  • Start from network adapters: "Not configured", "Enabled", "Disabled".

Figure 2 Screenshot. Source: https://endpoint.microsoft.com/ As of: 01.03.2021 Intune version 2101

What bothers me about DFCI?

Personally, I am not a fan of DFCI. The idea is good, but it is not yet thought through to the end. For one thing, the interface is not granular enough for me. What if I only want to turn off Bluetooth, for example, but not the Wi-Fi? Or just the microphone?

DFCI offers no way to do that. And I'm not even talking about the lack of any OEM support apart from Microsoft.

Another point is that a factory reset (including a wipe) is required to remove DFCI. This can be seen as a security function, but for testing it is rather a disadvantage. Another problem is existing devices: if DFCI was not considered when ordering, it could be difficult to activate it on them later.

Don't get me wrong, I am a friend of UEFI security and central management: I would just do it differently!

What solutions for UEFI management does Dell Technologies offer?

At Dell Technologies, we have offered several solutions to control UEFI for quite some time. The oldest, the Dell Client Configuration Toolkit (CCTK) or Dell Command Configure as it is now called, has been around for more than 10 years. For those curious, here's the version 1.0 manual from December 2009.

But there are also more modern solutions, such as a PowerShell module or the possibility to use WMI. Of course, the exact feature set depends on the hardware model and BIOS revision.

Let's have a look at the tools and the possibilities in detail.

Dell Command Configure

Dell Command Configure is a command line program that is very well suited to scripting. It also supports UEFI passwords. So let's use it to map the same settings as DFCI:

  • Allow local user to change UEFI settings: Unfortunately, we do not have a direct equivalent, but we can prevent all changes with an admin password: cctk.exe --setuppwd=%CCTKSetupPwd%
  • CPU and I/O virtualization: "Not configured", "Enabled", "Disabled" - Like DFCI plus disable: cctk.exe --sriov=enabled/disabled

Hardware control

  • Cameras: "Not configured", "Enabled", "Disabled" - Same as DFCI: cctk.exe --camera=disabled/enabled
  • Microphones and speakers: "Not configured", "Enabled", "Disabled" - Same as DFCI or granular: cctk.exe --IntegratedAudio=disabled/enabled | cctk.exe --InternalSpeaker=disabled/enabled | cctk.exe --Microphone=disabled/enabled
  • Transmitters (Bluetooth, WLAN, NFC, etc.): "Not configured", "Enabled", "Disabled" - Not as a whole, only individually controllable: cctk.exe --WirelessLan=disabled | cctk.exe --WirelessWwan=disabled | cctk.exe --BluetoothDevice=disabled

Boot option

  • Start from external media (USB, SD): "Not configured", "Enabled", "Disabled" - More granular than DFCI: cctk.exe BootOrder --DisableDevice=cdrom,floppy,usbdev
  • Start from network adapters: "Not configured", "Enabled", "Disabled" - Comparable to DFCI: cctk.exe --UefiNwStack= (UEFI PXE boot)

You can check the individual switches and options on a corresponding device. Here you can also see directly which options this device provides.


Figure 3 Screenshot Command: cctk.exe -h --InternalSpeaker

We have now made the comparison with DFCI. Apart from the only partial equivalent for restricting local UEFI changes, CCTK is more fine-grained than DFCI. A note: I could not check disabling NFC, as my test device does not support NFC.
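To show how the mapping above becomes a repeatable deployment step, here is an added example of my own that is not part of the original post: it applies a DFCI-equivalent baseline with cctk.exe, expects the setup password to already be in place, and reads every option back so unsupported options (like NFC on my test device) show up in the report instead of being silently skipped. Assumptions: the default install path below, an elevated session, a placeholder password to be replaced from a secret store, and the --valsetuppwd option, which comes from the CCTK manual rather than from this post.

```powershell
# Added example, not from the original post. Applies the DFCI-equivalent
# baseline with Dell Command | Configure and verifies each option afterwards.
# Assumptions: default install path, elevated session, setup password already
# set on the device and available in $SetupPwd (placeholder below).
$Cctk     = 'C:\Program Files (x86)\Dell\Command Configure\X86_64\cctk.exe'
$SetupPwd = 'ReplaceMe-FromSecretStore'   # placeholder, never hard-code for real

# Desired state, mirroring the DFCI settings mapped above (option -> value).
$Baseline = [ordered]@{
    'Camera'          = 'Disabled'
    'Microphone'      = 'Disabled'
    'BluetoothDevice' = 'Disabled'
    'WirelessLan'     = 'Enabled'    # granular: keep Wi-Fi, drop Bluetooth
    'UefiNwStack'     = 'Disabled'   # no UEFI PXE boot
    'SecureBoot'      = 'Enabled'
}

function Invoke-Cctk {
    # Runs cctk.exe and returns the exit code plus the combined output.
    param([string[]]$Arguments)
    $out = & $Cctk @Arguments 2>&1
    [pscustomobject]@{ ExitCode = $LASTEXITCODE; Output = ($out -join ' ') }
}

function Set-BiosBaseline {
    param([System.Collections.IDictionary]$Want)
    foreach ($opt in $Want.Keys) {
        # A change needs the existing setup password (--valsetuppwd, per the manual).
        $set = Invoke-Cctk @("--$opt=$($Want[$opt])", "--valsetuppwd=$SetupPwd")
        # Calling an option without a value prints "option=value"; use it to verify.
        $get = Invoke-Cctk @("--$opt")
        $cur = if ($get.ExitCode -eq 0 -and $get.Output -match "$opt=(\w+)") {
                   $Matches[1] } else { 'not available on this model' }
        [pscustomobject]@{
            Option    = $opt
            Wanted    = $Want[$opt]
            Current   = $cur
            Compliant = ($cur -ieq $Want[$opt])
            SetExit   = $set.ExitCode   # non-zero: unsupported option or wrong password
        }
    }
}

$report = Set-BiosBaseline $Baseline
$report | Format-Table -AutoSize
# Fail the deployment step if anything is left non-compliant.
if ($report | Where-Object { -not $_.Compliant }) { exit 1 }
```

The non-zero exit at the end is what lets a deployment or client management tool mark the device as failed instead of assuming the baseline applied.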

What else can Dell Command Configure do?

Dell Command Configure can be used to configure almost anything on supported devices that I can set in the BIOS. Here are a few sample commands that are often used in projects:

  • cctk.exe --LegacyOrom=Disabled (deactivated if possible when SecureBoot is set)
  • cctk.exe --SecureBoot=Enabled
  • cctk.exe --SmmSecurityMitigation=Enabled
  • cctk.exe --Fastboot=Thorough - Detection of hardware changes during boot, e.g. docking station
  • cctk.exe --BlockSleep=Disabled - For Connected Standby
  • cctk.exe --ThermalManagement=Optimized
  • cctk.exe --FanSpeed=Auto
  • cctk.exe --CapsuleFirmwareUpdate=Disabled
  • cctk.exe --FnLock=Enabled
  • cctk.exe --MacAddrPassThru=SystemUnique
  • cctk.exe --ThunderboltBoot=Enabled

Download Dell Command Configure

Dell Command Configure is currently available free of charge in version 4.4 for Windows, Ubuntu and RedHat Enterprise Linux. Since it runs on the client, it can be included as a script in any deployment or client management solution without the requirements of DFCI.

You can download it from our Dell Command website, Dell.com/command, under "Simplify BIOS configuration". A note: it is best to use the English site for the download, as translations may delay the update.


Figure 4 Screenshot website dell.com/command

Dell PowerShell Provider

I like to work with PowerShell and so I would also like to introduce you to the appropriate Dell PowerShell Provider. The download can be done like Dell Command Configure via the Dell Command page. The link can be found under "Simplify BIOS Configuration" and then "Explore options for PowerShell users". Alternatively, the module can also be installed via the Microsoft Gallery with the command "Install-Module DellBIOSProvider".

But now let's take a look at how we can map the same settings here as with DFCI:

  • Allow local user to change UEFI settings: Unfortunately, we do not have a direct equivalent, but we can prevent all changes with an admin password: Set-Item -Path DellSmbios:\Security\AdminPassword "$AdminPwd"
  • CPU and I/O virtualization: Since my test device lacks this hardware feature, I still owe you the command.

Hardware control

  • Cameras: "Not configured", "Enabled", "Disabled" - Same as DFCI: Set-Item -Path DellSmbios:\MiscellaneousDevices\Camera Disabled
  • Microphones and speakers: "Not configured", "Enabled", "Disabled" - Same as DFCI or granular: Set-Item -Path DellSmbios:\SystemConfiguration\IntegratedAudio Disabled | Set-Item -Path DellSmbios:\SystemConfiguration\InternalSpeaker Disabled | Set-Item -Path DellSmbios:\SystemConfiguration\Microphone Disabled
  • Transmitters (Bluetooth, WLAN, NFC, etc.): "Not configured", "Enabled", "Disabled" - Not as a whole, only individually controllable: Set-Item -Path DellSmbios:\Wireless\WirelessLan Disabled | Set-Item -Path DellSmbios:\Wireless\WirelessWwan Disabled | Set-Item -Path DellSmbios:\Wireless\BluetoothDevice Disabled

Boot options

  • Start from external media (USB, SD): "Not configured", "Enabled", "Disabled" - More granular than DFCI: Set-Item -Path DellSmbios:\MiscellaneousDevices\SdCardBoot Disabled
  • Start from network adapters: "Not configured", "Enabled", "Disabled" - Comparable to DFCI: Set-Item -Path DellSmbios:\BootSequence\BootSequence

What else can the PowerShell Provider do?

A good overview of the current UEFI settings and the possible options is provided by the command: "Get-DellBiosSettings":


Figure 5 Screenshot PowerShell: Get-DellBiosSettings on a Latitude7390 2-in-1

Other useful commands are:

  • Perform a PXE boot at the next reboot: Set-Item -Path DellSmbios:\SystemConfiguration\ForcePxeNextBoot Enabled
  • Disable ThunderboltBoot (also disables network boot on a TB dock!): Set-Item -Path DellSmbios:\USBConfiguration\ThunderboltBoot Disable
  • Set Intel SoftwareGuard to SoftControlled: Set-Item -Path DellSmbios:\IntelSoftwareGuardExtensions\SoftGuardEn SoftControlled
  • Disable FN Lock: Set-Item -Path DellSmbios:\POSTBehavior\FnLock Disable
  • Set Fastboot to "Thorough": Set-Item -Path DellSmbios:\POSTBehavior\Fastboot Thorough
  • Don't want your employees using the Dell laptop as a power bank? Turn off USB Power Share: Set-Item -Path DellSmbios:\SystemConfiguration\UsbPowerShare Disable
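The DFCI mapping and the extra commands above are single Set-Item calls; what a practitioner usually wants on top is to know whether devices have drifted from the baseline. Here is an added example of my own, not from the original post or the provider's documentation, that audits the provider paths used above and only remediates when told to. Assumptions: the DellBIOSProvider module is installed, the session is elevated, the admin password is a placeholder to be taken from a secret store, Get-Item on a DellSmbios path exposes CurrentValue, and Set-Item accepts -Password once an admin password is set (both taken from the provider's behaviour as I know it, not from this post).

```powershell
# Added example, not from the original post. Audits the DFCI-equivalent
# settings with the Dell PowerShell Provider and remediates drift on demand.
# Assumptions: DellBIOSProvider installed (Install-Module DellBIOSProvider),
# elevated session, BIOS admin password in $AdminPwd (placeholder), and that
# Get-Item on a DellSmbios path exposes CurrentValue and Set-Item takes -Password.
Import-Module DellBIOSProvider -ErrorAction Stop
$AdminPwd  = 'ReplaceMe-FromSecretStore'   # placeholder, take from a secret store
$Remediate = $false                        # $true: fix drift, $false: report only

# Desired state using the provider paths from the post above.
$Desired = [ordered]@{
    'DellSmbios:\MiscellaneousDevices\Camera'       = 'Disabled'
    'DellSmbios:\SystemConfiguration\Microphone'    = 'Disabled'
    'DellSmbios:\Wireless\BluetoothDevice'          = 'Disabled'
    'DellSmbios:\MiscellaneousDevices\SdCardBoot'   = 'Disabled'
    'DellSmbios:\USBConfiguration\ThunderboltBoot'  = 'Disabled'
    'DellSmbios:\SystemConfiguration\UsbPowerShare' = 'Disabled'
}

function Get-BiosDrift {
    # Compares each desired attribute with the live UEFI value.
    param([System.Collections.IDictionary]$Want)
    foreach ($path in $Want.Keys) {
        $item = Get-Item -Path $path -ErrorAction SilentlyContinue
        $cur  = if ($item) { $item.CurrentValue } else { 'not available on this model' }
        [pscustomobject]@{
            Path      = $path
            Wanted    = $Want[$path]
            Current   = $cur
            Available = [bool]$item
            Compliant = ($item -and $cur -ieq $Want[$path])
        }
    }
}

$drift = Get-BiosDrift $Desired | Where-Object { $_.Available -and -not $_.Compliant }
if (-not $drift) { Write-Output 'UEFI baseline compliant'; exit 0 }
$drift | Format-Table Path, Wanted, Current -AutoSize

if ($Remediate) {
    foreach ($d in $drift) {
        # The admin password is required once it has been set (see AdminPassword above).
        Set-Item -Path $d.Path -Value $d.Wanted -Password $AdminPwd
    }
    # Re-audit so the log shows the post-change state, not just the intent.
    Get-BiosDrift $Desired | Format-Table Path, Wanted, Current, Compliant -AutoSize
} else {
    exit 1   # report-only mode: non-zero lets Intune or SCCM flag the device
}
```

Attributes the model does not offer are reported as unavailable rather than treated as drift, which keeps a mixed fleet from producing false alarms.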

Bios configuration via WMI

This method has a big advantage over the previous ones: nothing has to be installed. But it also has a downside, and if you know WMI you can probably already guess what I'm getting at. Configuration with WMI is somewhat more complex and can sometimes lead to despair, at least if you are not used to WMI.

If you still want to look into it, here is a corresponding Whitepaper: Dell Client Agentless Manageability

Dell Configuration Services

If you don't want to reconfigure your UEFI regularly, but only want to have it configured correctly once, we have a solution for that too! Completely without scripts, PowerShell or WMI queries, we set up the UEFI the way you want it. We offer this as a Configuration Service together with some other services. Just ask your Dell contact person.


Figure 6 Screenshot Dell Configuration Services

Conclusion

DFCI may be a hype topic in some segments, and we currently do not support it. But we do have a good alternative available! Our solutions do not require Intune or any other cloud solution, so they are usable for all customer segments.

If you have any questions, talk to your sales contact.

They can also help you if you want to book a colleague or me for a workshop at your company on all deployment-related topics.

Reference

This article was first published on 4 March 2021 by Fabian Niesen on the German Dell Technologies Blog under the title: "UEFI Sicherheit zentral steuern - eine Alternative zu DFCI".

Hi Fabian, great explanation of UEFI management specific for Microsoft devices and especially for the Dell systems. Customers who want to get a demo on the Dell tools described above as standalone or in combination with SCCM or Intune, please contact me and one of my engineers is happy to help you. He can demo all the free tools we have, free of charge!

James Seddon

System Administrator at Dojo

3 years ago

As a note, the powershell method can easily be deployed via Intune Scripts. So can cctk but this takes a little more effort as the exe needs to be deployed to the machine or available to it.

Christian Schlotterer

Modern Workplace Architect | Dell Technologies #iwork4dell

3 years ago

I liked both!

Mihai G.

Modern Workplace Expert | Enabler for Digital Transformation | MEMCM | MEM | Windows

3 years ago

Very useful

Great article Fabien. thank you!
