Unified Extensible Firmware Interface (UEFI)

Unified Extensible Firmware Interface

For many years BIOS has been the industry standard for booting a PC. BIOS has served us well, but it is time to replace it with something better. UEFI is the replacement for BIOS, so it is important to understand the differences between BIOS and UEFI. In this section, you learn the major differences between the two and how they affect operating system deployment.

Introduction to UEFI

BIOS has been in use for approximately 30 years. Even though it clearly has proven to work, it has some limitations, including:

  • 16-bit code
  • 1 MB address space
  • Poor performance on ROM initialization
  • MBR maximum bootable disk size of 2.2 TB

As the replacement for BIOS, UEFI has many features that Windows can and will use.

With UEFI, you can benefit from:

  • Support for large disks. UEFI requires a GUID Partition Table (GPT) based disk, which means a limitation of roughly 16.8 million TB in disk size and more than 100 primary disks.
  • Faster boot time. UEFI does not use INT 13, and that improves boot time, especially when it comes to resuming from hibernate.
  • Multicast deployment. UEFI firmware can use multicast directly when it boots up. In WDS, MDT, and Configuration Manager scenarios, you need to first boot up a normal Windows PE in unicast and then switch into multicast. With UEFI, you can run multicast from the start.
  • Compatibility with earlier BIOS. Most of the UEFI implementations include a compatibility support module (CSM) that emulates BIOS.
  • CPU-independent architecture. Even if BIOS can run both 32- and 64-bit versions of firmware, all firmware device drivers on BIOS systems must also be 16-bit, and this affects performance. One of the reasons is the limitation in addressable memory, which is only 64 KB with BIOS.
  • CPU-independent drivers. On BIOS systems, PCI add-on cards must include a ROM that contains a separate driver for all supported CPU architectures. That is not needed for UEFI because UEFI has the ability to use EFI Byte Code (EBC) images, which allow for a processor-independent device driver environment.
  • Flexible pre-operating system environment. UEFI can perform many functions for you. You just need a UEFI application, and you can perform diagnostics and automatic repairs, and call home to report errors.
  • Secure boot. Windows 8 and later can use the UEFI firmware validation process, called secure boot, which is defined in UEFI 2.3.1. Using this process, you can ensure that UEFI launches only a verified operating system loader and that malware cannot switch the boot loader.


UEFI Version 2.3.1B is the version required for Windows 8 and later logo compliance. Later versions have been released to address issues; a small number of machines may need to upgrade their firmware to fully support the UEFI implementation in Windows 8 and later.

Hardware support for UEFI

In regard to UEFI, hardware is divided into four device classes:

  • Class 0 devices. This is the UEFI definition for a BIOS, or non-UEFI, device.
  • Class 1 devices. These devices behave like a standard BIOS machine, but they run EFI internally. They should be treated as normal BIOS-based machines. Class 1 devices use a CSM to emulate BIOS. These older devices are no longer manufactured.
  • Class 2 devices. These devices have the capability to behave as a BIOS- or a UEFI-based machine, and the boot process or the configuration in the firmware/BIOS determines the mode. Class 2 devices use a CSM to emulate BIOS. These are the most common type of devices currently available.
  • Class 3 devices. These are UEFI-only devices, which means you must run an operating system that supports only UEFI. Those operating systems include Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2. Windows 7 is not supported on these class 3 devices. Class 3 devices do not have a CSM to emulate BIOS.

Windows support for UEFI

Microsoft started with support for EFI 1.10 on servers and then added support for UEFI on both clients and servers.

With UEFI 2.3.1, there are both x86 and x64 versions of UEFI. Windows 10 supports both. However, UEFI does not support cross-platform boot. This means that a computer that has UEFI x64 can run only a 64-bit operating system, and a computer that has UEFI x86 can run only a 32-bit operating system.

How UEFI is changing operating system deployment

There are many things that affect operating system deployment as soon as you run on UEFI/EFI-based hardware. Here are considerations to keep in mind when working with UEFI devices:

  • Switching from BIOS to UEFI in the hardware is easy, but you also need to reinstall the operating system because you need to switch from MBR/NTFS to GPT/FAT32 and NTFS.
  • When you deploy to a Class 2 device, make sure the boot option you select matches the setting you want to have. It is common for old machines to have several boot options for BIOS but only a few for UEFI, or vice versa.
  • When deploying from media, remember the media has to be FAT32 for UEFI, and FAT32 has a file-size limitation of 4GB.
  • UEFI does not support cross-platform booting; therefore, you need to have the correct boot media (32- or 64-bit).

Remove dependency for msvcr120.dll/msvcp120.dll in release versions

I know that there are some questions about how to include msvcr120.dll/msvcp120.dll in your project.

You can drop that dependency instead if you compile the program in the release configuration in Visual Studio 2013/2015, do not depend on any VS-specific commands (#pragma etc.) or precompiled headers, and want to ship one single release .exe to the user WITHOUT requiring the end user to install the VC++ Redistributable for VS.

You can statically link the runtime to your project by setting the /MT flag. You can find this option in Visual Studio 2013/2015 under Project > [ProjectName] Properties… > Configuration Properties > C/C++ > Code Generation > Runtime Library. Make sure to only set it for the Release configuration.


SUSDB Maintenance

So, you might be stuck with SUSDB maintenance issues – the maintenance jobs probably won't finish without running into timeouts? Something like this, maybe?

Msg 1205, Level 13, State 54, Procedure spUpdateChangeTrackingNumber, Line 11

Transaction (Process ID 110) was deadlocked on lock resources with another process and has been chosen as the deadlock victim. Rerun the transaction.

Here is a script that will help you – you might have to run it multiple times.

  1. Execute the following query against the SUSDB database: exec spGetObsoleteUpdatesToCleanup
  2. Write down the number of rows given by the output.
  3. You can find the SQL script that executes the same stored procedures as the WSUS GUI, but directly against the database. We just need to change the parameter in SELECT TOP (XXXX) to the number of rows detected in the previous step, or higher. Script download (the script can also be found at http://www.thomasmarcussen.com in the archive folder SUSDBClean.zip). (Note: The process should be considerably faster than the regular cleanup in the GUI, but it can run into a deadlock condition due to other operations on the WSUS server. In this case, just re-run the script.)
  4. Once the script has finished successfully, try the cleanup from the WSUS GUI again. Now it should finish very fast.
  5. Finally, to keep the SUSDB healthy, it is recommended to run the maintenance script again so that the database is left reindexed.

WSUS clients may fail during synchronization and log the following errors: 0x8024400D

Issue: WSUS clients may fail during synchronization and log the following errors: 0x8024400D

Cause: Too much rubbish in the WSUS database, e.g. lots and lots of expired and superseded updates. No cleanup or maintenance has been done for a long time.


Execute a maintenance cleanup on the WSUS server. Most 0x8024400D errors are due to a high quantity of updates on the server, even declined, expired, or superseded ones. As a result, the client WU engine cannot finish processing all the information and cannot move on to the evaluation phase of the update process.


Run Decline-SupersededUpdates.ps1 (can also be found at www.thomasmarcussen.com – in the Archive folder). If the base operating system is Windows 2008 R2 or later, there should not be any problem running it on PowerShell 2.0.


Open a PowerShell window as Administrator.

Execute the following cmdlet in order to be able to execute non-signed scripts: Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass

Execute the script using the following syntax: .\Decline-SupersededUpdates.ps1 -UpdateServer FQDNoftheWSUSserver -Port xx -SkipDecline

Example: .\Decline-SupersededUpdates.ps1 -UpdateServer wsus.domain.local -Port 8530 -SkipDecline


After the process finishes we need to run the WSUS Cleanup:

From WSUS Console, go to Options, and open WSUS Cleanup Wizard

– Select only the 4th and 5th option: Expired Updates and Superseded Updates

– After the process finishes, run the Wizard again, just selecting the 1st Option: Unused updates and update revisions.

You might have to run this multiple times, until it stops giving timeout errors. In case you have A LOT of expired and superseded updates, I've put up a script to perform this task instead – see this post: http://blog.thomasmarcussen.com/susdb-maintenance/
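
The two wizard passes above can also be driven from PowerShell and retried automatically when they time out. This is an added example, not the author's script or the one linked above; it assumes the WSUS administration console is installed on the machine it runs on, and the names Invoke-CleanupPass, MaxAttempts and RetryDelaySec are illustrative.

```powershell
# Added example (not the author's script). Repeats each WSUS cleanup pass
# until it completes or the attempt limit is reached.
param(
    [string]$UpdateServer = 'wsus.domain.local',  # sample name from the example above
    [int]$Port = 8530,
    [int]$MaxAttempts = 10,    # assumption: stop after this many failed attempts
    [int]$RetryDelaySec = 60   # assumption: pause between attempts
)

[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus    = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($UpdateServer, $false, $Port)
$manager = $wsus.GetCleanupManager()

# The six switches that correspond to the Cleanup Wizard check boxes.
$allOptions = 'CleanupObsoleteComputers', 'CleanupObsoleteUpdates',
              'CleanupUnneededContentFiles', 'CompressUpdates',
              'DeclineExpiredUpdates', 'DeclineSupersededUpdates'

function Invoke-CleanupPass {
    param([string]$Name, [string[]]$Enable)

    # Set every switch explicitly so only the requested options run.
    $scope = New-Object Microsoft.UpdateServices.Administration.CleanupScope
    foreach ($opt in $allOptions) { $scope.$opt = ($Enable -contains $opt) }

    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        try {
            $result = $manager.PerformCleanup($scope)
            Write-Host "$Name finished on attempt $attempt"
            return $result
        } catch {
            # Timeouts and deadlocks surface here as exceptions; wait and retry.
            Write-Warning "$Name attempt $attempt failed: $($_.Exception.Message)"
            Start-Sleep -Seconds $RetryDelaySec
        }
    }
    throw "$Name still failing after $MaxAttempts attempts"
}

# Pass 1: wizard options 4 and 5 (expired and superseded updates).
Invoke-CleanupPass -Name 'Expired/superseded' -Enable 'DeclineExpiredUpdates', 'DeclineSupersededUpdates'

# Pass 2: wizard option 1 (unused updates and update revisions).
Invoke-CleanupPass -Name 'Unused updates/revisions' -Enable 'CleanupObsoleteUpdates', 'CompressUpdates'
```

Each pass returns the server's cleanup result object, so the counts of declined and deleted updates can be logged after a successful run.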

  • Check if the affected clients are running Windows 7 – 32 bit version.

In this case, we will need to ensure that they have at least the WU Agent revision from June 2015. (You can download it from here: https://support.microsoft.com/en-us/kb/3050265 )

  • Clean the bloated update cache on the affected clients:

From a CMD as Administrator execute:

Net stop AppIDSvc

net stop wuauserv

net stop cryptsvc

ren %windir%\SoftwareDistribution SoftwareDistribution.old

ren %systemroot%\system32\catroot2 oldcatroot2

Delete, in the registry: the PingID, SUSClientID and the AccountDomainSID values from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate

Then execute:

net start AppIDSvc

net start wuauserv

net start cryptsvc

wuauclt /resetauthorization /detectnow

Looking for funny (and creative) fake names?

Getting tired of the John and Jane Doe testing account names?
Here are some funny and creative ones. Let me know if you have some to add 🙂

General Lectric
Private Keepout
Nosmo King
Patty O’furniture
Owa Tegyu Siam
Minny Tonka
Tennis “E”
Ida Ho
Itza Bird
Itzu Perman
Chick Innees
Chuck U Farley
Robin Steele
Yuda Mann
Solomon I. Lands
Burr Palishus
Loo King Good
Florida Keyes
Hey Zeus
Hung Low
Sum Dum Chum
So Soo Mee
Bill Payre
Kisme U. Fool
E Bonnicks
Woz Upp
Auntie Upp
Wazzapp Nindood
Jail Enno
Tillit Hertz
Harry Palms
L Bowgrees
Lee Deway
Shirley Ujest
Phil D Basket
Memm Brzonly
Wysso Glumm
Ock Kewpannt
Rezzi Dent

Office365 Recipient address rejected: Access denied

Funny thing happened…

For some reason new email accounts (older than 24 hours) and email aliases were not working properly within Office365.

External contacts were reporting:

tried to deliver your message, but it was rejected by the server for the recipient domain mydomain by mydomain.mail.protection.outlook.com

550 5.4.1 [<username>@<mydomain>]: Recipient address rejected: Access denied


  • Accounts are getting propagated within an accepted time frame (24 hours).
  • The affected accounts are unable to receive email from external contacts – emails are not getting delivered.
  • We changed the accepted domain to Internal relay to resolve the issue.
  • As a precaution we enabled Conditional Sender ID and NDR backscatter to avoid spam attacks.

Articles on Mail Flow for reference:

  • Exchange Online Protection Limits
  • How Office 365 does SPF checks for customer-to-customer mail
  • Manage Transport Rules
  • Transport rules
  • Configure your spam filter policies
  • Submitting spam and non-spam messages to Microsoft for analysis
  • Advanced spam filtering options
  • Spam email and Office 365 environment


Should you install Office 2016 32-bit or 64-bit?

There seems to be some doubt about when to install the 64-bit version of Office 2016 vs. the 32-bit version.

Limitations of the 64-bit version of Office

The 64-bit version of Office may perform better in some cases, but there are limitations:

  • Solutions using ActiveX controls library, ComCtl controls won’t work.
  • Third-party ActiveX controls and add-ins won’t work.
  • Visual Basic for Applications (VBA) that contain Declare statements won’t work in the 64-bit version of Office without being updated.
  • Compiled Access databases, like .MDE and .ACCDE files, won’t work unless they’re specifically written for the 64-bit version of Office.
  • In SharePoint, the list view won’t be available.

If you have specific add-ins that you use in the 32-bit version of Office, they may not work in 64-bit Office, and vice versa. If you’re concerned, check your current version of Office before installing the new one. Consider testing the add-in with 64-bit Office, or finding out if a 64-bit version of the add-in is available from the developer.

The 64-bit version of Office has some limitations, but is the right choice when:

  • You work with extremely large data sets, like enterprise-scale Excel workbooks with complex calculations, many PivotTables, connections to external databases, PowerPivot, PowerMap, or PowerView. The 64-bit version of Office may perform better for you.
  • You work with extremely large pictures, videos, or animations in PowerPoint. The 64-bit version of Office may be better suited to handle these complex slide decks.
  • You work with extremely large Word documents. The 64-bit version of Office may be better suited to handle Word documents with large tables, graphics, or other objects.
  • You’re working with files over 2GB in Project, especially if the project has many subprojects.
  • You want to keep the 64-bit version of Office that you’re already using. The 32-bit and 64-bit versions of Office programs aren’t compatible, so you can’t install both on the same computer.
  • You’re developing in-house Office solutions, like add-ins or document-level customizations.
  • Your organization requires Hardware Data Execution Prevention (DEP) be enforced for Office applications. DEP is a set of hardware and software technologies that some organizations use to enhance security.


Synology NAS Recovery password (telnet)

Synology’s “secret” telnet password….

If you have ever had to recover a Synology NAS box in recovery mode, before DiskStation installation or after a failed DiskStation install, then you would need the “secret” telnet password for admin (or in some cases root).

In case you don’t want to contact Synology, here is how it’s generated:

  • 1st character = month in hexadecimal, lower case (1=Jan, … , a=Oct, b=Nov, c=Dec)
  • 2-3 = month in decimal, zero padded and starting in 1 (01, 02, 03, …, 11, 12)
  • 4 = dash
  • 5-6 = day of the month in hex (01, 02 .., 0A, .., 1F)
  • 7-8 = greatest common divisor between month and day, zero padded. This is always a number between 01 and 12.

So, let’s say today is October 15, the password would be: a10-0f05 (a = month in hex, 10 = month in dec, 0f = day in hex, 05 = greatest common divisor between 10 and 15).

In some cases the clock is also set to factory default… then try the password: 101-0101

Based on the original correct_password.c source, here is a short snippet to generate the daily password.


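#include <stdlib.h>
#include <stdio.h>
#include <time.h>
#include <sys/time.h>   /* gettimeofday() */

/* Greatest common divisor (Euclid's algorithm). */
int gcd(int a, int b)
{
    return (b ? gcd(b, a % b) : a);
}

int main(void)
{
    struct timeval tvTime;
    struct tm tmOutput;

    /* Read the current local date. */
    gettimeofday(&tvTime, 0);
    localtime_r(&(tvTime.tv_sec), &tmOutput);

    tmOutput.tm_mon += 1;   /* tm_mon is 0-based; make it 1..12 */

    /* month (hex), month (dec), dash, day (hex), gcd(month, day) */
    printf("password for today is: %x%02d-%02x%02d\n\n",
        tmOutput.tm_mon, tmOutput.tm_mon, tmOutput.tm_mday,
        gcd(tmOutput.tm_mon, tmOutput.tm_mday));

    return 0;
}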


Using a Third-Party IM Client with Office 365 or Lync?

Of course!

I’ve been using Pidgin for ages…

In Pidgin I’m able to run the following protocols

  • XMPP (Facebook)
  • Office Communicator (for Lync and O365)
  • Skype
  • Skype for Business
  • ICQ
  • … and lots more; see the full list at Pidgin Thirdparty plugins

You should try it if, like me, you prefer to keep your conversation histories together and sorted.

One thing I’ve noticed: for some reason Office 365 (Lync, or now Skype for Business) requires me to use a specific user agent(!). So, having problems getting it to work? Maybe you see:

Connection refused with error message
“You are currently not using the recommended version of the client”
“You have been rejected by the server: https://portal.microsoftonline.com/download/lync.aspx”

Cry no more!

Here is a list of user agents and versions you can emulate, and it works great! Just modify your connection profile and, under Advanced, type one of the following user agent values.

Version / Product, followed by User Agent values (as seen in the wild):

  • Lync 2013 and Office 365
      UCCAPI/15.0.4481.1000 OC/15.0.4481.1000 (Microsoft Lync)
      UCCAPI/15.0.4420.1017 OC/15.0.4420.1017 (Microsoft Lync)
  • Lync 2010 and Office 365
      UCCAPI/4.0.7577.314 OC/4.0.7577.314 (Microsoft Lync 2010)
      UCCAPI/4.0.7577.256 OC/4.0.7577.280 (Microsoft Lync 2010)
  • Office Communicator 2007 R2
      UCCAPI/3.5.6907.206 OC/3.5.6907.206 (Microsoft Office Communicator 2007 R2)
      UCCAPI/3.5.6907.0 OC/3.5.6907.0 (Microsoft Office Communicator 2007 R2)
  • Office Communicator 2007
      UCCP/2.0.6362.111 OC/2.0.6362.111 (Microsoft Office Communicator)
      UCCP/2.0.6362.97 OC/2.0.6362.97 (Microsoft Office Communicator)
  • Office Communicator 2005
      LCC/1.3.5371 (Microsoft Office Communicator 2005 1.0.559.0)
      LCC/1.3.5371 (Microsoft Office Communicator 2005 1.0.559.232)

Join Mac OS X to Active Directory

Simple script to join a Mac to domain






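#!/bin/sh
# Assumes HOST, DOMAIN, ADUSERNAME and ADPASS are set before this point
# (the variable definitions are not shown here). Run as root.

# Enable SSH
echo "Enabling SSH"
systemsetup -setremotelogin on
launchctl load -w /System/Library/LaunchDaemons/ssh.plist

# Add computer to Active Directory
# Note: -p puts the password on the command line, where it is visible in
# the process list while dsconfigad runs.
echo "Adding computer to Active Directory"
dsconfigad -preferred "$HOST" -domain "$DOMAIN" -u "$ADUSERNAME" -p "$ADPASS"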