One recurring topic I am met with when I’m presenting at user groups or conferences is that of UEFI vs BIOS. Or “why should I update my BIOS?” and even “why should I convert from BIOS to UEFI, can’t I worry about that later?”.
This is always a tough topic of discussion, because often IT’s policies around updating BIOS or converting from BIOS to UEFI are driven by decision-makers outside of the department, or worse: decision makers within the department who are oblivious to the security implications of staying on an outdated version of an outdated technology.
Unified Extensible Firmware Interface (UEFI) isn’t a new technology, it has been around for many years. On the other hand, attacks at the BIOS level have not only happened this century, but this decade. Rootkits that try to alter boot process are still in the wild, and anybody on an outdated and legacy technology are at a huge risk.
UEFI (pronounced by saying each letter U-E-F-I) is actually so much more than legacy code stored on a chip on a PC’s motherboard. It is in fact a pseudo operating system. This means that you could technically interact with the filesystem and backup your hard drive. UEFI also has mouse and graphics support.
In a legacy world, a BIOS PC would boot and perform Power On Self Test (POST) or put another way, the PC powers on and the BIOS wakes up all the hardware and makes sure it is running ok. You could interrupt the boot (as you can with UEFI) and enter the settings menu to enable/disable/reconfigure settings. The problem is that in this legacy world, there is little protection available to make sure it’s not the bad guys who are altering settings such as booting from a rootkit, etc. Aside from being outdated and not secure, BIOS has many other limitations. Check out this table of limitations:
UEFI on the other hand, is extremely robust. Aside from the game-changing security features it unlocks in Windows 10, it can do more than legacy BIOS. It isn’t enough to list the limitations of legacy BIOS as an argument to champion the conversion to UEFI in your organization. It is better to understand how the limitations of legacy BIOS relate to the comparison UEFI. Here is a table of some of the many pros of UEFI:
Capabilities of UEFI
UEFI is compatible with modern versions of Windows and enables many robust security features. In fact, to use the following security features within Windows 10, UEFI is required.
- Secure Boot: Protects the Windows 10 pre-startup process against bootkit and rootkit attacks. It ensures no malicious operating system can start before Windows.
- Early Launch Anti-malware (ELAM) driver. Loaded by Secure boot, this driver starts before other non-Microsoft drivers to evaluate them. It is technically possible to use ELAM without UEFI however you will miss other benefits.
- Windows Trusted Boot: Protects the kernel and privileged drivers during early launch. Note: MS15-111 security update released on October 13, 2015 fixes a security issue with this feature.
- Measured Boot: Measures components all the way from firmware up through the boot start drivers, and then stores those measurements in the TPM chip on the machine. This info is stored in a log and can be tested remotely to verify the boot state of the client.
- Device Guard: Uses CPU virtualization and TPM support to support Device Guard with AppLocker, and Device Guard with Credential Guard.
- Credential Guard: Uses CPU virtualization and TPM support, but to protect security info like NTLM hashes etc.
- BitLocker Network Unlock: Automatically unlocks Windows 10 at reboot when connected to a wired corporate network. This bypasses the need to enter a PIN.
- GUID Partition Table (GPT) disk partitioning. Enables larger boot disks to allow Enterprises to use modern hardware.
If you are interested in learning more about the benefits of the GPT disk layout and what it means, you can read our post here. We also have a workflow that you can download to build your own ConfigMgr task sequence in order to automate your conversion from BIOS to UEFI to ensure your organization is staying on the path to endpoint security. Sequences can be customized to meet your specific needs and even include support for converting your disk layout to GPT during an in-place upgrade.
The Secure 10 is a free community solution for automated BIOS->UEFI conversions using ConfigMgr, and requires no third-party software.