Archive for February, 2014

Understanding Windows 8x Secure Boot

February 16, 2014

This past week at work, I installed Windows 8.1 Pro on my workstation. While a lot of people don’t like Windows 8, I’ve long since gotten used to it, and I rather like 8.1’s speed and features. Plus, I need to have it to effectively manage Internet Explorer 10 and 11 on our client machines, which is another story.

I wanted to do a full UEFI install of Windows 8.1, as well as enable Secure Boot for security purposes. However, when I enabled Secure Boot and restarted, I had no graphics output at all. I’d forgotten that my computer’s dedicated graphics card doesn’t support UEFI GOP, so I won’t be able to use Secure Boot while I have that graphics card installed.

I’ve had some experience with UEFI’s Secure Boot feature in the past, but the events of installing 8.1 onto my PC helped solidify a lot of concepts for me. In a nutshell, here’s what I’ve picked up:

  • You need an Intel 7 or 8 series chipset motherboard. The X79 series is also supported past a certain firmware range from what I’ve read. Not sure about AMD based motherboards, as I haven’t used an AMD board in years.
  • Intel 6 series chipset boards are not supported, despite having UEFI.
  • Your hard drive has to be formatted in GPT partition style.
  • Your graphics card needs to support UEFI GOP, or your system will not boot. From what little I can find out, Intel HD 2500, HD 4000 and up onboard graphics are supported, as well as the Nvidia GeForce 700 series. The Nvidia GTX 680 had a firmware update released that let it work as well, but I haven’t heard anything about the lower end 600 series cards. Again, not sure about AMD cards.

So just to recap the above list: you need a modern Intel (and presumably AMD) motherboard from the last 18 months, and your graphics card needs to be compatible. If you don’t have the correct combination, your PC will not boot with Secure Boot enabled. You will have no graphics output on your monitors at all.

Now here’s the next part that makes things so complicated and confusing for people. If your hardware combination doesn’t support Secure Boot, you can turn it off and enable the Compatibility Support Module (CSM) of the motherboard. With the CSM enabled, you’ll be able to use your old graphics card just fine. This enables your newer office/school PC with a low end GeForce 210, GeForce 610 and so on to run.

If you do a UEFI install of Windows 8.1, but leave Secure Boot disabled, you’ll get the following watermark on the desktop:

[Image: windows-81-secure-boot-build-9600]

Microsoft have released an update which will make this watermark go away. While Secure Boot isn’t working, at least you won’t have this reminder in the corner every time you log in.

As time goes on, more and more discrete graphics cards will properly support UEFI GOP out of the box, enabling more computers to have Secure Boot enabled and working correctly. While a lot has been written about Secure Boot, it brings a lot of modern security to a system that has been sorely lacking it in the past.
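The prerequisites above (a UEFI boot, a GPT disk, Secure Boot switched on) can be read back from inside Windows. The PowerShell below is an added example, not part of the original post; the function name Get-SecureBootReadiness and its output fields are made up for illustration, and it cannot tell whether the graphics card supports UEFI GOP.

```powershell
# Added example: report the boot configuration that Secure Boot depends on.
# Run from an elevated PowerShell prompt on Windows 8 / Server 2012 or later.
function Get-SecureBootReadiness {
    [CmdletBinding()]
    param()

    # Confirm-SecureBootUEFI returns $true or $false on UEFI firmware and throws
    # PlatformNotSupportedException on a legacy BIOS / CSM boot (or on UEFI
    # firmware that has no Secure Boot support at all).
    $firmware   = 'UEFI'
    $secureBoot = $null
    try {
        $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop
    }
    catch [System.PlatformNotSupportedException] {
        $firmware   = 'Legacy BIOS / CSM (or no Secure Boot support)'
        $secureBoot = $false
    }
    catch {
        # Typically an access-denied error when the prompt is not elevated.
        $firmware = 'Unknown'
        Write-Warning "Could not query Secure Boot state: $($_.Exception.Message)"
    }

    # A UEFI boot needs the disk holding the system (boot loader) partition
    # to use the GPT partition style.
    $systemDisk = Get-Disk | Where-Object { $_.IsSystem } | Select-Object -First 1
    $style = if ($systemDisk) { [string]$systemDisk.PartitionStyle } else { 'Unknown' }

    $assessment = if ($secureBoot) {
        'Secure Boot is enabled.'
    } elseif ($firmware -eq 'UEFI' -and $style -eq 'GPT') {
        'UEFI install on GPT with Secure Boot off; it can be enabled in firmware setup.'
    } elseif ($style -eq 'MBR') {
        'MBR system disk: a legacy/CSM install. Secure Boot needs a UEFI install on GPT.'
    } else {
        'Secure Boot is not available in the current boot configuration.'
    }

    [pscustomobject]@{
        FirmwareMode             = $firmware
        SecureBootEnabled        = $secureBoot
        SystemDiskPartitionStyle = $style
        Assessment               = $assessment
    }
}

Get-SecureBootReadiness | Format-List
```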

Intel network cards rock

February 5, 2014

In the past on this blog, I’ve bitched about Realtek network cards and their sometimes incredibly buggy drivers that lead to many a head scratching problem. That being said, I ran into a case last week that was even more annoying.

We have been replacing the last of our Windows XP computers with new or reshuffled Windows 7 PCs. One of the XP computers I took out was sufficient to run Windows 7 at a useable speed. Said computer consisted of 2GB RAM, 160GB SATA hard drive, GeForce 7100 graphics card, Intel Core 2 Duo E7300 and the Asus P5K SE/EPU motherboard. By no means modern, but enough to last a few more years as a light duty Windows 7 box.

It should be noted that the motherboard isn’t Windows 7 certified, but that’s usually not too much of a major issue. The board was certified to run up to Vista 64 bit, so installing 7 wouldn’t be a stretch. In fact, I have one of these exact same systems at home that runs 7 fine.

As is now the norm, I was preparing to boot over the network to let my custom MDT Deployment task run. Went into the BIOS, made sure the network card boot ROM was enabled. Next step is to boot off the network. This is where my plan came to an abrupt halt. After going through POST, the network card would sit waiting to detect the network for a short while, before failing to PXE boot and moving on to booting off the hard drive. No matter what I did, I was unable to boot off the network. As soon as the PC got into Windows, the card was fully functional and I could use the network. Inside Windows the card is labelled an Atheros L1 Gigabit adapter, but when you are waiting for it to PXE boot, it labels itself an Attansic L1 adapter. No big deal really, since Atheros bought Attansic.

I rebooted again to try some more tricks, when something caught my eye. Up until about halfway through the Windows XP boot screen, the network card has no link light, and the port on the switch also has no link light. It didn’t take long to figure out that the network card was not initialising until it was almost in Windows, after the drivers had been loaded. This meant that this computer would never be able to PXE boot, and no suggestions off the internet helped. Someone spoke of injecting the drivers into the boot image in MDT, but this would do no good since the card does not initialise until Windows is loaded. In short, network booting is broken on this motherboard, and there is no fix for it. There is no updated BIOS to help either.

Now that I think about it, I could have made a boot ISO with MDT and used it to boot the computer, but that would entail burning a DVD which in my mind was a waste. My idea instead was to slot in a replacement dedicated network card and network boot using that. We had an old Intel Pro 100 card lying around. Installed the card, went into the BIOS and immediately had the option of being able to boot using the Intel card’s boot ROM. To cut a long story short, the Intel card just worked, and I was able to finish my task.

This incident just highlighted again why I prefer Intel network cards on my network. They work reliably, have a good set of features, solid drivers, and their network booting has always worked for me without fail.