
Replacing BIOS with a UEFI Deployment
Alfred Ojukwu, MCS
Frank Pinto, MCS

WCA-B337

Session Agenda
• What is UEFI
  • Understand UEFI and what it brings
  • Demo
• UEFI Refresh Scenario
  • Windows XP, Windows 7 or Windows 8
  • Demo
• MDT 2012 Update 1
  • Demo
• 2012 Configuration Manager SP1
  • Demo
• Additional UEFI Information
  • Boot times, Secure Boot and ELAM

What is UEFI?

Designed to address BIOS limitations
• Needed for the larger server platforms (Intel-HP Itanium)
• First called Intel Boot Initiative, then renamed to EFI
• Specification and source code encouraged the UEFI Forum

Unified Extensible Firmware Interface (UEFI)

Provides support for newer hardware
• Addresses the need to support x64-bit systems
• Streamlines the boot process into the OS
• Simplifies the integration with 3rd party components

The UEFI Forum

Divided by working groups
• USWFG
• UTWG
• PIWG
• ICWG

UEFI encourages industry participation
• 11 Promoters
• 20+ Contributors
• 70+ Adopters

UEFI Advantages
• Enables Innovation
• Support for Large Disks
• CPU-Independent Architecture
• Flexible pre-OS Environment
• Modular Design

Why UEFI?

Current Support for UEFI

Scenario | Min Server version | Min WinPE version | Min Boot program version | Notes
X64 UEFI | 2008 | 2008 | 2008 | X64 feature UEFI support introduced in 2008
X64 UEFI 2.3.1 | 2008 | 2012 | 2012 | 2.3.1 support added in 2012
X86 UEFI | 2012 | 2012 | 2012 | Support for x86 UEFI added in 2012
UEFI PXE IPv6 | 2012 | 2012 | 2012 | Support for IPv6 added in 2012

The version of the Windows PE boot files must match the computer architecture. An x64-based UEFI computer can boot by using only Windows PE x64 boot files. An x86-based computer can boot by using only Windows PE x86 boot files.


Classes of UEFI (figure): Class 0, Class 1, Class 2, Class 3. UEFI Version 2.3.1 or newer.

UEFI firmware evolution (figure, timeline Pre-1998 / 1998 / ~Today):
Legacy BIOS (BIOS mode): BIOS OS loader on top of the ACPI BIOS, ACPI registers and ACPI tables, with a Compatibility Support Module (CSM) for BIOS mode.
UEFI mode: Platform Specific UEFI Firmware on the system hardware, UEFI Runtime Services, UEFI OS Loader, ACPI driver and Win32/NT APIs up to the Windows OS.

UEFI: Making the Connection (figure): the layers are Application Software, Operating System Software, Firmware (Drivers, ROM) and Hardware (PC, Hard Disk). Boot steps shown:
1. Performs CPU and chipset init and sets up DXE
2. Loads UEFI drivers, loads the boot application
3. Reads the BCD from the ESP to find the OS loader, loads the selected OS loader
4. Builds page tables for all runtime memory, loads the Windows OS, calls UEFI ExitBootServices()

The UEFI Boot Process (figure, source: Intel Corporation). Timeline: Power on -> Platform initialization -> Operating system (OS) boot -> Shutdown. Phases:
• Security (SEC): Pre Verifier, which verifies the PEI Core
• Pre-EFI Initialization (PEI): PEI Core; CPU Init, Chipset Init, Board Init
• Driver Execution Environment (DXE): EFI Driver Dispatcher, Architectural Protocols, Device, Bus or Service Drivers, UEFI Interfaces
• Boot Dev Select (BDS): Boot Manager
• Transient System Load (TSL): Transient OS Boot Loader, OS-Absent App, UEFI Shell
• Run Time (RT): Final OS Boot Loader, Final OS Environment, OS-Present Application

The GUID Partition Table Layout (figure): LBA 0 holds the Protective MBR with a single GPT Protective Partition entry, followed by the Primary GPT, the UEFI System Partition (Fat32) and the remaining partitions, with the Backup GPT at the last sector, LBA z.

UEFI Refresh Scenarios

UEFI with CSM Implementation (Sample)
If a computer is in “Legacy” or “Mixed” mode it is NOT in native UEFI mode

Configuring UEFI partitions
When deploying Windows to a UEFI-based computer:
• Partitions must be formatted as GPT disks
• Best Practice Configuration:
  Default UEFI/GPT drive partitions (Disk 0): Windows RE tools | System | MSR | Windows

Configuring UEFI partitions
When deploying Windows to a UEFI-based computer:
• Partitions must be formatted as GPT disks
• Configuration with Recovery Image:
  Recommended UEFI/GPT drive partitions (Disk 0): Windows RE tools | System | MSR | Windows | Recovery Image

Creating a Bootable USB Drive
• Option #1: Utilize Split Images to create a *.swm file
• Option #2: Create Multiple Partitions on a WTG USB Drive
• Option #3: Create your image using two USB sticks
• Option #4: Boot straight from the Windows OS USB

Sample DiskPart Script: Recommended Configuration

rem == CreatePartitions-UEFI.txt ==
rem == These commands are used with DiskPart to
rem create five partitions
rem for a UEFI/GPT-based computer.
rem Adjust the partition sizes to fill the drive
rem as necessary. ==
rem == Select and wipe the target disk (adjust the disk number) ==
select disk 0
clean
convert gpt
rem == 1. Windows RE tools partition ===============
create partition primary size=300
format quick fs=ntfs label="Windows RE tools"
assign letter="T"
set id="de94bba4-06d1-4d40-a16a-bfd50179d6ac"
gpt attributes=0x8000000000000001
rem == 2. System partition =========================
create partition efi size=100
rem ** NOTE: For Advanced Format 4Kn drives,
rem change this value to size = 260 **
format quick fs=fat32 label="System"
assign letter="S"
rem == 3. Microsoft Reserved (MSR) partition =======
create partition msr size=128
rem == 4. Windows partition ========================
rem == a. Create the Windows partition ==========
create partition primary
rem == b. Create space for the recovery image ===
shrink minimum=15000
rem ** NOTE: Update this size to match the size
rem of the recovery image **
rem == c. Prepare the Windows partition =========
format quick fs=ntfs label="Windows"
assign letter="W"
rem === 5. Recovery image partition ================
create partition primary
format quick fs=ntfs label="Recovery image"
assign letter="R"
set id="de94bba4-06d1-4d40-a16a-bfd50179d6ac"
gpt attributes=0x8000000000000001
list volume
exit
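To connect the GPT layout slide with the DiskPart script above, here is an added example (not from the deck) that builds and validates a GPT header the way firmware does, falling back to the backup copy at LBA z when the primary is damaged. The disk geometry, the partition entries and the disk GUIDs are constructed for this example; the WinRE type GUID and attribute value are the ones the script sets.

```python
import struct
import uuid
import zlib

# On-disk GPT layouts from the UEFI spec: 92-byte header and 128-byte partition entry.
HDR_FMT = "<8sIIIIQQQQ16sQIII"
ENT_FMT = "<16s16sQQQ72s"
# Type GUID and attributes the DiskPart script above uses for its WinRE and recovery partitions.
WINRE_TYPE = uuid.UUID("de94bba4-06d1-4d40-a16a-bfd50179d6ac")
WINRE_ATTRS = 0x8000000000000001  # bit 0 = platform required, bit 63 = no drive letter

def build_entries(partitions):
    """Pack (type_guid, first_lba, last_lba, name) tuples into the 128 x 128-byte entry array."""
    blob = bytearray(128 * 128)
    for i, (ptype, first, last, name) in enumerate(partitions):
        unique = uuid.UUID(int=i + 1).bytes_le  # constructed, fixed so the sample is deterministic
        blob[i * 128:(i + 1) * 128] = struct.pack(
            ENT_FMT, ptype.bytes_le, unique, first, last, WINRE_ATTRS, name.encode("utf-16-le"))
    return bytes(blob)

def build_header(current_lba, backup_lba, entries_lba, entries):
    """Primary header sits at LBA 1, the backup at LBA z; both describe the same entry array."""
    fields = [b"EFI PART", 0x00010000, 92, 0, 0, current_lba, backup_lba, 34, 2014,
              uuid.UUID(int=99).bytes_le, entries_lba, 128, 128, zlib.crc32(entries)]
    fields[3] = zlib.crc32(struct.pack(HDR_FMT, *fields))  # CRC is computed with its own field zeroed
    return struct.pack(HDR_FMT, *fields)

def validate_header(raw, entries):
    """The checks firmware makes before trusting a header; an empty list means it is usable."""
    f = list(struct.unpack(HDR_FMT, raw[:92]))
    saved, f[3] = f[3], 0
    problems = []
    if f[0] != b"EFI PART":
        problems.append("bad signature")
    if zlib.crc32(struct.pack(HDR_FMT, *f)) != saved:
        problems.append("header CRC mismatch")
    if zlib.crc32(entries[:f[11] * f[12]]) != f[13]:
        problems.append("entry array CRC mismatch")
    return problems

def choose_header(primary, backup, entries):
    """Why the layout keeps two copies: use the primary GPT, else fall back to the backup at LBA z."""
    for name, raw in (("primary", primary), ("backup", backup)):
        if not validate_header(raw, entries):
            return name
    return None

# Constructed 2048-LBA disk: one WinRE partition; entry copies at LBA 2-33 and 2015-2046.
SAMPLE_ENTRIES = build_entries([(WINRE_TYPE, 34, 648, "Windows RE tools")])
PRIMARY_HDR, BACKUP_HDR = build_header(1, 2047, 2, SAMPLE_ENTRIES), build_header(2047, 1, 2015, SAMPLE_ENTRIES)
```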

What you will see….

MDT 2012 Update 1

MDT 2012 Update 1 with UEFI

• MDT Media and ISOs
• Detect UEFI Native
• GPT Boot Disk
• Partition Creation
• Computer Refresh

Demo

Configuring the MDT 2012 Update 1 for UEFI Deployments

2012 Configuration Manager SP1

System Center 2012 Configuration Manager SP1 with UEFI

• MDT Media and ISOs
• Detect UEFI Native
• GPT Boot Disk
• Partition Creation
• Computer Refresh

Now we’re talking…

Demo: Deploying Windows 8 using System Center 2012 Configuration Manager SP1

Additional UEFI Information

UEFI and Windows 8: A faster way to on
• Looks and feels like a regular shutdown / boot
• Leverages Hibernate technology to cache the core system
• Enabled by default
• Delivers considerable improvements:
  • Boots more than twice as fast on SSD-based netbooks, including POST
  • Need partners to continue work to reduce POST times

Boot timeline comparison (figure):
Windows 7: POST -> OS initialization -> Service & app initialization -> Explorer ready
Windows 8: POST -> Hiberfile read -> Device initialization -> Service & app init -> Explorer ready

Can you really tell the difference?
From USB to MDT Wizard
• Legacy boot: 50 seconds (to initial MDT wizard)
• Native boot: 40 seconds (to initial MDT wizard)
From OS Install to Summary Wizard Completion
• Legacy boot: 50 seconds (to initial MDT wizard)
• Native boot: 40 seconds (to initial MDT wizard)
Cold Boot
• Legacy boot: 30 seconds
• Native Boot: 27 seconds
From Hibernate:
• Legacy boot: 30 seconds
• Native Boot: 27 seconds

Secure Boot Process

• Only executes signed UEFI binary images

• Includes Option ROMs, pre-boot utilities and OS loaders.

• Benefit: Helps prevent malicious code before the OS loads

• Benefit: Provides Time-authenticated variables

• Benefit: Allows stronger keys for encryption

Secure boot is a UEFI specification, not a Microsoft product!

Secure Boot Commandlets
• Confirm-SecureBootUEFI
• Format-SecureBootUEFI
• Get-SecureBootPolicy
• Get-SecureBootUEFI
• Set-SecureBootUEFI

Sample: Get-SecureBootUEFI -Name PK | Format-List
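As an added example (not part of the deck), a Python parser for the byte array that Get-SecureBootUEFI -Name db (or dbx) returns in its Bytes property, which is a chain of EFI_SIGNATURE_LIST structures. The SignatureType GUIDs are from the UEFI specification; the owner GUID, the certificate bytes and the image bytes are constructed placeholders.

```python
import hashlib
import struct
import uuid

# SignatureType GUIDs from the UEFI specification (EFI_CERT_X509_GUID, EFI_CERT_SHA256_GUID).
EFI_CERT_X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
TYPE_NAMES = {EFI_CERT_X509: "x509", EFI_CERT_SHA256: "sha256"}

def build_siglist(sig_type, owner, items):
    """Pack one EFI_SIGNATURE_LIST; used here only to construct sample db/dbx contents."""
    sig_size = 16 + len(items[0])                      # SignatureOwner GUID + SignatureData
    body = b"".join(owner.bytes_le + data for data in items)
    return struct.pack("<16sIII", sig_type.bytes_le, 28 + len(body), 0, sig_size) + body

def parse_siglists(blob):
    """Walk a db/dbx value (a sequence of EFI_SIGNATURE_LISTs) into (type, owner, data) tuples."""
    entries, off = [], 0
    while off + 28 <= len(blob):
        raw_type, list_size, hdr_size, sig_size = struct.unpack_from("<16sIII", blob, off)
        if list_size < 28 + hdr_size or off + list_size > len(blob) or sig_size < 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        sig_type = TYPE_NAMES.get(uuid.UUID(bytes_le=raw_type), "unknown")
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            owner = str(uuid.UUID(bytes_le=blob[pos:pos + 16]))
            entries.append((sig_type, owner, blob[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries

def is_revoked(dbx_blob, image_digest):
    """True if the given digest is listed as a SHA-256 entry in dbx (the forbidden list)."""
    return any(t == "sha256" and data == image_digest for t, _, data in parse_siglists(dbx_blob))

# Constructed sample variable contents (not real Microsoft or OEM values): db carries one
# placeholder certificate, dbx carries the digests of two blocked images.
OWNER = uuid.UUID(int=0x1234)
SAMPLE_DB = build_siglist(EFI_CERT_X509, OWNER, [b"\x30\x82 placeholder DER certificate"])
BLOCKED_DIGEST = hashlib.sha256(b"constructed bytes of a revoked boot image").digest()
SAMPLE_DBX = build_siglist(EFI_CERT_SHA256, OWNER,
                           [BLOCKED_DIGEST, hashlib.sha256(b"another blocked image").digest()])
```

Real dbx entries for PE images hold the Authenticode hash of the image rather than a plain file hash, so is_revoked here only demonstrates the lookup.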

Secure Boot
• UEFI with Secure Boot enabled will launch a verified OS loader such as Windows 8

Measured Boot (figure): Firmware -> Boot Loader -> Kernel -> Early Drivers. Each stage records the hash of the next item(s) into the TPM and the Boot Log; the attestation record carries [PCR Data] [AIK pub] [Signature].

Early Launch Anti-Malware (ELAM) (figure comparing boot order):
Windows 7, BIOS: OS Loader (Malware) -> 3rd Party Drivers (Malware) -> Anti-Malware Software Start
Windows 8, Native UEFI: Windows 8 OS Loader -> Anti-Malware Software Start -> 3rd Party Drivers
• Malware is able to start before Windows and Anti-malware
• Trusted Boot starts Anti-Malware early in the boot process
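An added example, not from the deck, that simulates the chain in the Measured Boot diagram: each stage measures the next item into a PCR, the boot log records the digests, and the TPM quotes the PCR so a verifier can replay the log and compare it with known-good values. The component images and the HMAC stand-in for the AIK signature are constructed for this example.

```python
import hashlib
import hmac

# Stand-in for the TPM's Attestation Identity Key (AIK): an HMAC with a constructed secret
# replaces the AIK signature over the PCR data; the verification logic is otherwise the same.
AIK_SECRET = b"constructed-aik-secret-for-this-example"

def extend(pcr, component):
    """TPM-style extend: the running stage hashes the next item and folds it into the PCR."""
    digest = hashlib.sha256(component).digest()
    return hashlib.sha256(pcr + digest).digest(), digest

def boot(components):
    """Firmware -> boot loader -> kernel -> early drivers: measure each, log it, quote the PCR."""
    pcr, log = b"\0" * 32, []
    for name, image in components:
        pcr, digest = extend(pcr, image)
        log.append((name, digest.hex()))
    quote = hmac.new(AIK_SECRET, pcr, "sha256").hexdigest()  # [PCR Data][Signature]
    return {"pcr": pcr.hex(), "log": log, "quote": quote}

def replay(log):
    """The verifier recomputes the PCR from the boot log alone."""
    pcr = b"\0" * 32
    for _, digest_hex in log:
        pcr = hashlib.sha256(pcr + bytes.fromhex(digest_hex)).digest()
    return pcr.hex()

def attest(report, known_good):
    """Return [] for a clean boot, the names of components whose measurement is not in
    known_good, or 'quote mismatch' / 'log mismatch' if the report is internally inconsistent."""
    expected = hmac.new(AIK_SECRET, bytes.fromhex(report["pcr"]), "sha256").hexdigest()
    if not hmac.compare_digest(expected, report["quote"]):
        return ["quote mismatch"]          # PCR value not vouched for by the TPM
    if replay(report["log"]) != report["pcr"]:
        return ["log mismatch"]            # boot log does not explain the quoted PCR
    return [name for name, d in report["log"] if known_good.get(name) != d]

# Constructed component images: GOOD is the approved build chain, TAMPERED swaps in a
# modified boot loader, which is what the slide's "OS Loader (Malware)" looks like to a verifier.
GOOD = [("boot_loader", b"bootmgfw build 1"), ("kernel", b"ntoskrnl build 1"),
        ("early_drivers", b"elam + boot-start drivers build 1")]
KNOWN_GOOD = {name: hashlib.sha256(image).hexdigest() for name, image in GOOD}
TAMPERED = [("boot_loader", b"bootmgfw build 1 (modified)")] + GOOD[1:]
```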

Windows Support for UEFI
Current Windows-Specific UEFI Highlights
• Multicast Deployment
• Fast boot and resume from hibernation
Future UEFI Capabilities
• Rootkit prevention
• Network Authentication
(Figure: Deployment Server)

Key Objectives Covered
• Introduced and discussed changes in the Firmware Platform
• Demonstrated the use of UEFI during a Windows 8 Deployment
• Reviewed Enhanced Features introduced with UEFI

• QUESTIONS?

Windows Track Resources
Windows Enterprise: windows.com/enterprise
Windows Springboard: windows.com/ITpro
Microsoft Desktop Optimization Package (MDOP): microsoft.com/mdop
Desktop Virtualization (DV): microsoft.com/dv
Windows To Go: microsoft.com/windows/wtg
Outlook.com: tryoutlook.com

Resources
msdn, Resources for Developers: http://microsoft.com/msdn
Learning, Microsoft Certification & Training Resources: www.microsoft.com/learning
TechNet, Resources for IT Professionals: http://microsoft.com/technet
Sessions on Demand: http://channel9.msdn.com/Events/TechEd

System Center 2012 Configuration Manager: http://technet.microsoft.com/en-us/evalcenter/hh667640.aspx?wt.mc_id=TEC_105_1_33
Windows Intune: http://www.microsoft.com/en-us/windows/windowsintune/try-and-buy
Windows Server 2012: http://www.microsoft.com/en-us/server-cloud/windows-server
Windows Server 2012 VDI and Remote Desktop Services: http://technet.microsoft.com/en-us/evalcenter/hh670538.aspx?ocid=&wt.mc_id=TEC_108_1_33 and http://www.microsoft.com/en-us/server-cloud/windows-server/virtual-desktop-infrastructure.aspx
More Resources: microsoft.com/workstyle, microsoft.com/server-cloud/user-device-management


© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.