Access UEFI firmware variables from a Universal Windows App

[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]

This topic describes how to access Unified Extensible Firmware Interface (UEFI) firmware variables from a Universal Windows app.

Starting with Windows 10, version 1803, Universal Windows apps can use GetFirmwareEnvironmentVariable and SetFirmwareEnvironmentVariable (and their 'ex' variants) to access UEFI firmware variables by doing the following:

  • Declare the Microsoft.firmwareRead_cw5n1h2txyewy custom capability in the manifest to read a firmware variable, and/or the Microsoft.firmwareWrite_cw5n1h2txyewy capability to write a firmware variable.

  • Also declare the protectedApp restricted capability in the app manifest.

  • For example, the following app manifest additions allow the Universal Windows app to read firmware variables. The uap4 and rescap prefixes must be declared as XML namespaces on the Package element:

      <Package ... IgnorableNamespaces="uap mp uap4 rescap">
        <Capabilities>
          <rescap:Capability Name="protectedApp"/>
          <uap4:CustomCapability Name="microsoft.firmwareRead_cw5n1h2txyewy" />
        </Capabilities>
      </Package>

  • Set the linker option /INTEGRITYCHECK, for all project configurations, before submitting the app to the Microsoft Store. This ensures that the app will be launched as a protected app. See /INTEGRITYCHECK (Require Signature Check) for details.

  • Obtain a Signed Custom Capability Descriptor (SCCD) file from Microsoft. See Creating a custom capability to pair a driver with a Hardware Support App (HSA) and Using a custom capability to pair a Hardware Support App (HSA) with a driver for information about how to obtain a signed SCCD file from Microsoft, how to package it with your app, and how to enable developer mode. Here is an example SCCD file from the CustomCapability sample:

    <?xml version="1.0" encoding="utf-8"?>
    <CustomCapabilityDescriptor xmlns="http://schemas.microsoft.com/appx/2016/sccd" xmlns:s="http://schemas.microsoft.com/appx/2016/sccd">
      <CustomCapabilities>
        <CustomCapability Name="microsoft.hsaTestCustomCapability_q536wpkpf5cy2"></CustomCapability>
        <CustomCapability Name="microsoft.firmwareRead_cw5n1h2txyewy"></CustomCapability>
      </CustomCapabilities>
      <AuthorizedEntities>
        <AuthorizedEntity AppPackageFamilyName="Microsoft.SDKSamples.CustomCapability.CPP_8wekyb3d8bbwe" CertificateSignatureHash="ca9fc964db7e0c2938778f4559946833e7a8cfde0f3eaa07650766d4764e86c4"></AuthorizedEntity>
        <AuthorizedEntity AppPackageFamilyName="Microsoft.SDKSamples.CustomCapability.CPP_8wekyb3d8bbwe" CertificateSignatureHash="279cd652c4e252bfbe5217ac722205d7729ba409148cfa9e6d9e5b1cb94eaff1"></AuthorizedEntity>
      </AuthorizedEntities>
      <!-- A signed SCCD also carries a Catalog element holding the signature; it is not reproduced here. -->
    </CustomCapabilityDescriptor>

  • Submit the app to the Microsoft Store to get it signed. For development purposes, you can skip signing by enabling test-signing in the boot configuration database (BCD). See The TESTSIGNING Boot Configuration Option for details.
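
The following Python sketch is an added example, not code from this page or from the CustomCapability sample. It checks before submission that an app manifest and its SCCD agree on the steps above: a firmware custom capability and protectedApp are declared, every declared custom capability is listed in the SCCD, and the package family name is an authorized entity. The function names, the trimmed sample XML and the placeholder hash are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace URIs for the manifest capability elements and the SCCD file.
RESCAP = "http://schemas.microsoft.com/appx/manifest/foundation/windows10/restrictedcapabilities"
UAP4 = "http://schemas.microsoft.com/appx/manifest/uap/windows10/4"
SCCD = "http://schemas.microsoft.com/appx/2016/sccd"

# Constructed sample inputs, modelled on the fragments shown on this page.
SAMPLE_MANIFEST = f"""<Package xmlns:uap4="{UAP4}" xmlns:rescap="{RESCAP}">
  <Capabilities>
    <rescap:Capability Name="protectedApp"/>
    <uap4:CustomCapability Name="microsoft.firmwareRead_cw5n1h2txyewy"/>
  </Capabilities>
</Package>"""
SAMPLE_SCCD = f"""<CustomCapabilityDescriptor xmlns="{SCCD}">
  <CustomCapabilities>
    <CustomCapability Name="microsoft.firmwareRead_cw5n1h2txyewy"/>
  </CustomCapabilities>
  <AuthorizedEntities>
    <AuthorizedEntity AppPackageFamilyName="Microsoft.SDKSamples.CustomCapability.CPP_8wekyb3d8bbwe"
                      CertificateSignatureHash="PLACEHOLDER"/>
  </AuthorizedEntities>
</CustomCapabilityDescriptor>"""


def names(xml_text, ns, tag, attr="Name"):
    """Collect one attribute from every {ns}tag element in the document."""
    found = ET.fromstring(xml_text).iter(f"{{{ns}}}{tag}")
    return {e.get(attr) for e in found if e.get(attr)}


def check_firmware_access(manifest_xml, sccd_xml, family_name):
    """Return a list of problems; an empty list means the inputs are consistent."""
    custom = names(manifest_xml, UAP4, "CustomCapability")
    problems = []
    if not any(c.lower().startswith("microsoft.firmware") for c in custom):
        problems.append("no firmwareRead/firmwareWrite custom capability declared")
    if "protectedApp" not in names(manifest_xml, RESCAP, "Capability"):
        problems.append("protectedApp restricted capability missing")
    # Exact-match comparison is a conservative choice made by this sketch.
    for cap in sorted(custom - names(sccd_xml, SCCD, "CustomCapability")):
        problems.append(f"{cap} is not granted by the SCCD")
    if family_name not in names(sccd_xml, SCCD, "AuthorizedEntity", "AppPackageFamilyName"):
        problems.append(f"{family_name} is not an AuthorizedEntity in the SCCD")
    return problems


if __name__ == "__main__":
    family = "Microsoft.SDKSamples.CustomCapability.CPP_8wekyb3d8bbwe"
    for line in check_firmware_access(SAMPLE_MANIFEST, SAMPLE_SCCD, family) or ["consistent"]:
        print(line)
```

The check covers declaration consistency only; it does not validate Microsoft's signature on the SCCD or the /INTEGRITYCHECK linker setting.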
