Firmware update

Windows supports a platform for delivering system and device firmware updates wrapped in driver packages that are delivered using Microsoft Windows Update (WU) and then handed off to and processed in the UEFI UpdateCapsule function. This platform provides a consistent, reliable firmware update experience, and it improves the ability to deliver important system firmware updates for end-users.

This ability is available starting in Windows 8.1. However, some recent changes require that firmware providers combine Computer Hardware ID (CHID) targeting with a model-unique EFI System Resource Table (ESRT) UEFI_RES\{UNIQUE ID} to more accurately target specific systems or a range of systems.

A unique ID {UNIQUE ID} in the ESRT is critical. The purpose of the UNIQUE ID+CHID combination is to let the firmware provider create a firmware update package/BIOS that is deployed via Windows Update (WU) to all the systems that match the UNIQUE ID+CHID. Microsoft doesn't have a mechanism to validate the firmware package, and is dependent on the firmware provider (creator of the package) to verify that the payload hasn't been tampered with. The payload should be cryptographically verified; checksums and other CRCs aren't validation. If the payload fails validation, the update should fail and the status should be recorded in the ESRT as described in the ESRT table definition.
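As an added illustration of the requirement above (not code from Microsoft or any firmware vendor), this Python model shows a recomputed CRC passing on a modified payload while an RSA signature check rejects it and records the failure in a simplified ESRT entry. The demo key, the EsrtEntry class and all function names are assumptions made for the example; the two LastAttemptStatus values are the ones the UEFI specification defines for the ESRT.

```python
import hashlib, zlib

# Constructed demo RSA key from two known Mersenne primes. NOT secure: it only lets
# the example run offline. D stands in for the provider's private signing key.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

# LastAttemptStatus values from the UEFI ESRT definition.
LAST_ATTEMPT_STATUS_SUCCESS = 0x0
LAST_ATTEMPT_STATUS_ERROR_AUTH_ERROR = 0x5

class EsrtEntry:  # hypothetical, simplified model of one ESRT entry
    def __init__(self, fw_version):
        self.fw_version = fw_version
        self.last_attempt_version = 0
        self.last_attempt_status = LAST_ATTEMPT_STATUS_SUCCESS

def _encode(payload):  # EMSA-PKCS1-v1_5 encoding of SHA-256(payload), as an integer
    t = SHA256_DIGESTINFO + hashlib.sha256(payload).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t, "big")

def sign(payload):  # provider side, at package build time
    return pow(_encode(payload), D, N)

def crc_ok(payload, crc_field):  # integrity check only: no key is involved
    return zlib.crc32(payload) == crc_field

def process_capsule(entry, version, payload, sig):
    """Firmware side: verify before flashing, record the outcome in the ESRT."""
    entry.last_attempt_version = version
    if not 0 < sig < N or pow(sig, E, N) != _encode(payload):
        entry.last_attempt_status = LAST_ATTEMPT_STATUS_ERROR_AUTH_ERROR
        return False  # fw_version unchanged: nothing was flashed
    entry.fw_version = version
    entry.last_attempt_status = LAST_ATTEMPT_STATUS_SUCCESS
    return True

def demo():
    good = b"constructed firmware image v2"
    sig = sign(good)
    tampered = good + b" + modified bytes"
    crc_field = zlib.crc32(tampered)  # recomputed by whoever changed the bytes
    entry = EsrtEntry(fw_version=1)
    accepted = process_capsule(entry, 2, tampered, sig)
    return crc_ok(tampered, crc_field), accepted, entry
```
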

If the OEM, ODM, or persons tasked with populating the ESRT {UNIQUE ID} discover that the ESRT was prepopulated with a {UNIQUE ID}, don't assume that this ID is unique. Populate the ESRT with your own {UNIQUE ID} and record it for later use. Microsoft has guidance on how to create a UNIQUE ID for these scenarios. The guidance is in the downloadable document for Driver Publishing Workflow for Windows 10.

In this section

Build and submit a firmware package to Windows Update (WU)

Target a system using CHID

Firmware user experience (UX) best practices

Firmware update validation testing