UEFI and Secure Boot

Windows 8 introduces a new requirement for PC manufacturers (OEMs) that may require modifications to your OS deployment infrastructure. That requirement ensures that all Windows 8 systems ship with their BIOS in UEFI Mode and with Secure Boot enabled.

Note: For a background on UEFI read this whitepaper.
Note: For specific information on deploying UEFI systems with Configuration Manager 2012 SP1, read the "Imaging the Latitude 10 with Windows 8 using Configuration Manager 2012" whitepaper by Chris Minaugh from Dell IT.


This is a good thing, as UEFI mode removes hardware limitations that were present with Legacy Mode and adds greater functionality, while Secure Boot ensures that the boot loader is verified and has not been tampered with by malware or rootkits. Please read the Building Windows 8 blog post, which gives the full background for Secure Boot and specifies the OEM requirement.

Most customers are using Legacy mode on their client systems even if UEFI mode is available, so here are some steps to prepare for UEFI and Secure Boot enabled Windows 8 systems.

1. Evaluate - The following areas of your infrastructure could be impacted by UEFI/Secure Boot enabled Windows 8 systems. Review your current environment and evaluate whether UEFI/Secure Boot enabled systems will require a change to your:

  • BIOS configuration
    • CCTK and OMCI can configure both UEFI and Legacy modes, but you should test against a UEFI/Secure Boot enabled system to validate your current BIOS configuration.
  • HDD configuration
    • UEFI Mode requires GPT partitions, which are different from Legacy Mode/MBR partitions.
  • Security tools
    • Review your HDD encryption and other security tools for compatibility.
  • OS Deployment Tools
    • KACE, MDT, and ConfigMgr will support Windows 8 but may require you to install the latest version (ConfigMgr 2012 SP1 for example) to be able to deploy Windows 8 on a UEFI/Secure Boot enabled system.
  • Boot methods
    • WinPE 4.0 (available in the ADK) is required to deploy to UEFI enabled systems. The latest Mass Storage controller drivers may be required.
    • UEFI PXE is also required and is different from Legacy PXE.

2. Plan - After identifying areas of your infrastructure that require changes to support UEFI/Secure Boot enabled systems, create a plan to make those modifications and identify steps to continue with your current environment until those modifications are made.

3. Test and Implement - Test the required modifications in your lab environment to ensure that they meet your requirements before deploying into production. Once your infrastructure is ready to deploy Windows 8 on UEFI/Secure Boot enabled systems, you will be ready to take delivery of OEM-delivered Windows 8 systems.
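
For the Evaluate and Test steps above, the following added example (not part of the original article and not Dell-supplied code) reports a machine's Secure Boot state and whether its boot disk is GPT or MBR. It assumes an elevated PowerShell session on Windows 8 / Server 2012 or later; the function names `Get-SecureBootState` and `Get-UefiReadiness` are illustrative.

```powershell
# Added example (not Dell's code). Run in an elevated PowerShell session on
# Windows 8 / Server 2012 or later. Function names are illustrative.

function Get-SecureBootState {
    # Confirm-SecureBootUEFI returns $true/$false on UEFI firmware and raises
    # PlatformNotSupportedException on Legacy BIOS or firmware without Secure Boot.
    try {
        if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'Enabled' } else { 'Disabled' }
    }
    catch {
        if ($_.Exception -is [System.PlatformNotSupportedException]) { 'NotSupported' }
        elseif ($_.Exception -is [System.UnauthorizedAccessException]) { 'NeedsElevation' }
        else { throw }
    }
}

function Get-UefiReadiness {
    $secureBoot = Get-SecureBootState

    Get-Disk | ForEach-Object {
        # Judge only the disk Windows boots from; data disks may use either style.
        $finding = if (-not ($_.IsBoot -or $_.IsSystem)) {
            'Data disk: partition style does not affect boot mode'
        }
        elseif ($secureBoot -eq 'NeedsElevation') {
            'Re-run elevated to read the Secure Boot state'
        }
        elseif ($_.PartitionStyle -ne 'GPT') {
            'Boot disk is not GPT: repartition as GPT before deploying in UEFI mode'
        }
        elseif ($secureBoot -eq 'Enabled') {
            'UEFI + GPT with Secure Boot on: validate encryption and deployment tools here'
        }
        else {
            'GPT boot disk, Secure Boot not active: check BIOS configuration'
        }

        [pscustomobject]@{
            Computer       = $env:COMPUTERNAME
            SecureBoot     = $secureBoot
            Disk           = $_.Number
            Model          = $_.FriendlyName
            PartitionStyle = $_.PartitionStyle
            Finding        = $finding
        }
    }
}

Get-UefiReadiness | Format-Table -AutoSize -Wrap
```

Running it on a current Legacy-mode client and on a UEFI/Secure Boot lab system gives a side-by-side baseline for the BIOS and HDD configuration items listed in step 1.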

NOTE: Please bookmark this page as we will be adding additional information as it becomes available.



Article ID: SLN310069

Last Date Modified: 08/10/2018 04:17 PM

