
OEMs Allowed To Lock Secure Boot In Windows 10 Computers

zappian

Microsoft deserves a ton of hate as well since they are the ones mandating that secure boot should be implemented and enabled by default. They are also the ones that changed their requirements from "users must be in control" to "you are free to screw your customers over".

 

Yes, BIOS modding is a thing, but this is a huge inconvenience for people who might want to try out SteamOS or Ubuntu or stick with Windows 7 (or an earlier version of Windows). Having to mod the BIOS will scare most people off from ever trying a different OS.

 

 

You can't crack secure boot just because the Microsoft signature is already in there. That's not how signatures work. Even if you have the signature (which is very easy to find) you can't sign your own things with the same one.

MS changing the Secure Boot policy won't affect anything unless the OEMs start forcing it. And if a lot of people want to try alternative OSs the BIOS modding community will eventually create a simple automated script to disable Secure Boot. And I didn't say anything about the MS Secure Boot signature. Read my post again. I said that if MSDM tables with the Windows product key have been inserted onto UEFIs, it means the UEFI can be modded.

LTT's unofficial Windows activation expert.
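
The point quoted in the post above, that holding a published signature (or the public key that checks it) does not let you sign your own boot loader, as an added example that is not part of the thread: a simplified model of a firmware allow-list check using unpadded toy RSA. The key pairs, image bytes and function names are constructed for illustration; the last case goes beyond the post and shows that only enrolling the owner's public key changes the outcome.

```python
import hashlib

# Constructed toy keys built from Mersenne primes so the example needs no
# third-party library. Real Secure Boot uses X.509 certificates and padded
# RSA signatures (Authenticode); never use primes or unpadded RSA like this.
def make_keypair(p, q, e=65537):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # private exponent, known only to the signer
    return (n, e), (n, d)              # (public key, private key)

VENDOR_PUB, VENDOR_PRIV = make_keypair(2**521 - 1, 2**607 - 1)
OWNER_PUB, OWNER_PRIV = make_keypair(2**1279 - 1, 2**2203 - 1)


def digest(image):
    """SHA-256 of the boot image as an integer."""
    return int.from_bytes(hashlib.sha256(image).digest(), "big")


def sign(image, private_key):
    """Sign the image digest; requires the private exponent."""
    n, d = private_key
    return pow(digest(image), d, n)


def firmware_allows(image, signature, db):
    """Model of the firmware check: accept the image only if the signature
    verifies against one of the public keys enrolled in db."""
    return any(pow(signature, e, n) == digest(image) for n, e in db)


def run_scenarios():
    db = [VENDOR_PUB]  # the firmware ships with the vendor's public key only
    vendor_loader = b"constructed sample: vendor boot loader"
    other_loader = b"constructed sample: another OS boot loader"

    vendor_sig = sign(vendor_loader, VENDOR_PRIV)
    owner_sig = sign(other_loader, OWNER_PRIV)

    return {
        # Image and signature both come from the vendor: accepted.
        "vendor_signed": firmware_allows(vendor_loader, vendor_sig, db),
        # The vendor's signature copied onto a different image: the digest
        # no longer matches what was signed, so it is rejected.
        "copied_signature": firmware_allows(other_loader, vendor_sig, db),
        # Signed with a key the firmware does not know: rejected.
        "self_signed_not_enrolled": firmware_allows(other_loader, owner_sig, db),
        # Same image and signature once the owner's public key is enrolled.
        "self_signed_after_enrolment": firmware_allows(
            other_loader, owner_sig, db + [OWNER_PUB]
        ),
    }


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```
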
 


I agree, Microsoft shoves this up the OEMs' face if they want "certification".

 

Now they say the option to turn it off is "optional"

 

And people ask me why I like Linux more and more.

The funny thing is that if all new motherboards have secure boot locked, I can easily find a LGA1150 mobo and a decent CPU that will do me just fine for several years.

"We also blind small animals with cosmetics.
We do not sell cosmetics. We just blind animals."

 

"Please don't mistake us for Equifax. Those fuckers are evil"

 

This PSA brought to you by Equifacks.
PMSL


The funny thing is that if all new motherboards have secure boot locked, I can easily find a LGA1150 mobo and a decent CPU that will do me just fine for several years.

 

Lol, don't even mention that.

People that build their own computers will be safe.

This is a capitalist market; people who buy motherboards won't stand for this shit.

If motherboard manufacturers want to actually make money they will tell Microsoft to fuck off.

OEMs can't do that, however, because it would mean losing Windows certification.

So the conclusion is:

BUILD YOUR OWN PC OR HAVE SOMEONE ELSE DO IT FOR YOU.

Take it to an NCIX, take it to a computer store, they will build it for a fee.

DON'T BUY PREBUILTS.


Lol, don't even mention that.

People that build their own computers will be safe.

This is a capitalist market; people who buy motherboards won't stand for this shit.

If motherboard manufacturers want to actually make money they will tell Microsoft to fuck off.

OEMs can't do that, however, because it would mean losing Windows certification.

So the conclusion is:

BUILD YOUR OWN PC OR HAVE SOMEONE ELSE DO IT FOR YOU.

Take it to an NCIX, take it to a computer store, they will build it for a fee.

DON'T BUY PREBUILTS.

Windows certification is a joke anyway, if it fits an Intel or AMD x86/64 CPU, it can run Windows.


This will affect custom built PCs as well.

How so?

ON A 7 MONTH BREAK FROM THESE LTT FORUMS. WILL BE BACK ON NOVEMBER 5th.


Advisor in the 'Displays' Sub-forum | Sony Vegas Pro Enthusiast & Advisor


  Tech Tips Christian Fellowship Founder & Coordinator 


A) Laptops are pre-built but are always open to other OSes. I have never seen a laptop locked to a single OS even though it says made for Windows 7/works best with Windows 7. Or maybe that is because of the EU laws? Have any of you Americans (US & Canada) encountered locked laptops?
 

B ) Mobo's won't be locked in custom builds, not in a 100 years and not today. Manufacturers don't want to kill their own sales. If they do, some other manufacturer will leave the board unlocked and have insane amounts of sales. Let's be real for a moment, when non tech people or people with little tech knowledge need any IT related help they come to us (the enthusiasts) for help. And we will know who the assholes are and which brands are reliable and advise so. They don't want to piss us off! :P


A) Laptops are pre-built but are always open to other OSes. I have never seen a laptop locked to a single OS even though it says made for Windows 7/works best with Windows 7. Or maybe that is because of the EU laws? Have any of you Americans (US & Canada) encountered locked laptops?

 

B ) Mobo's won't be locked in custom builds, not in a 100 years and not today. Manufacturers don't want to kill their own sales. If they do, some other manufacturer will leave the board unlocked and have insane amounts of sales. Let's be real for a moment, when non tech people or people with little tech knowledge need any IT related help they come to us (the enthusiasts) for help. And we will know who the assholes are and which brands are reliable and advise so. They don't want to piss us off! :P

I actually encountered a locked laptop here in Australia once, needless to say it wasn't locked to Windows Vista for long.


I actually encountered a locked laptop here in Australia once, needless to say it wasn't locked to Windows Vista for long.

Seriously? How did you unlock it? Flash the BIOS? Was it locked to just Windows or Windows Vista specifically? :)


Seriously? How did you unlock it? Flash the BIOS? Was it locked to just Windows or Windows Vista specifically? :)

Specifically to Vista, and I had to download the latest bios, modify it, then flash it.


MS changing the Secure Boot policy won't affect anything unless the OEMs start forcing it. And if a lot of people want to try alternative OSs the BIOS modding community will eventually create a simple automated script to disable Secure Boot. And I didn't say anything about the MS Secure Boot signature. Read my post again. I said that if MSDM tables with the Windows product key have been inserted onto UEFIs, it means the UEFI can be modded.

Basically, Microsoft is handing out loaded guns and then going "Hey! You are NOT allowed to put the guns down ever, and they have to be loaded at all times, you are free to put the safety on but it will be off when I give them to you". You can't just say "wow Microsoft is innocent! They were allowed to put the safety on if they wanted" if someone ends up being shot.

 

The only way Microsoft would be innocent if an OEM decides to not include an off switch is if Microsoft completely removed the requirement for Secure Boot altogether. As long as they are forcing manufacturers to have Secure Boot and have it enabled to default, they are guilty.

 

Even if someone creates a simple script they would have to do that for each and every motherboard, and there is still the risk of bricking your motherboard when flashing your BIOS. It will be a huge speed bump for people wanting to try it out.

 

It's not necessarily moddable either. The signatures could be stored on a ROM.

 

 

 

 

BUILD YOUR OWN PC OR HAVE SOMEONE ELSE DO IT FOR YOU.

Take it to an NCIX, take it to a computer store, they will build it for a fee.

DON'T BUY PREBUILTS.

How so?

B ) Mobo's won't be locked in custom builds, not in a 100 years and not today. Manufacturers don't want to kill their own sales. If they do, some other manufacturer will leave the board unlocked and have insane amounts of sales. Let's be real for a moment, when non tech people or people with little tech knowledge need any IT related help they come to us (the enthusiasts) for help. And we will know who the assholes are and which brands are reliable and advise so. They don't want to piss us off! :P

Every single motherboard that I know of has been certified for Windows. Just look at your motherboard box. Of course, motherboard manufacturers might just skip the certification program and then they can do whatever they want, but I am not sure if there is any drawback to it (why would they bother with it to begin with if there was no drawback?).


Psh, the BIOS on my grandma's HP won't even recognize a Linux install. Doesn't impact that computer in any way. :(

Main rig on profile

VAULT - File Server

Intel Core i5 11400 w/ Shadow Rock LP, 2x16GB SP GAMING 3200MHz CL16, ASUS PRIME Z590-A, 2x LSI 9211-8i, Fractal Define 7, 256GB Team MP33, 3x 6TB WD Red Pro (general storage), 3x 1TB Seagate Barracuda (dumping ground), 3x 8TB WD White-Label (Plex) (all 3 arrays in their respective Windows Parity storage spaces), Corsair RM750x, Windows 11 Education

Sleeper HP Pavilion A6137C

Intel Core i7 6700K @ 4.4GHz, 4x8GB G.SKILL Ares 1800MHz CL10, ASUS Z170M-E D3, 128GB Team MP33, 1TB Seagate Barracuda, 320GB Samsung Spinpoint (for video capture), MSI GTX 970 100ME, EVGA 650G1, Windows 10 Pro

Mac Mini (Late 2020)

Apple M1, 8GB RAM, 256GB, macOS Sonoma

Consoles: Softmodded 1.4 Xbox w/ 500GB HDD, Xbox 360 Elite 120GB Falcon, XB1X w/2TB MX500, Xbox Series X, PS1 1001, PS2 Slim 70000 w/ FreeMcBoot, PS4 Pro 7015B 1TB (retired), PS5 Digital, Nintendo Switch OLED, Nintendo Wii RVL-001 (black)


Basically, Microsoft is handing out loaded guns and then going "Hey! You are NOT allowed to put the guns down ever, and they have to be loaded at all times, you are free to put the safety on but it will be off when I give them to you". You can't just say "wow Microsoft is innocent! They were allowed to put the safety on if they wanted" if someone ends up being shot.

 

The only way Microsoft would be innocent if an OEM decides to not include an off switch is if Microsoft completely removed the requirement for Secure Boot altogether. As long as they are forcing manufacturers to have Secure Boot and have it enabled to default, they are guilty.

 

Even if someone creates a simple script they would have to do that for each and every motherboard, and there is still the risk of bricking your motherboard when flashing your BIOS. It will be a huge speed bump for people wanting to try it out.

 

It's not necessarily moddable either. The signatures could be stored on a ROM.

 

 

 

 

Every single motherboard that I know of has been certified for Windows. Just look at your motherboard box. Of course, motherboard manufacturers might just skip the certification program and then they can do whatever they want, but I am not sure if there is any drawback to it (why would they bother with it to begin with if there was no drawback?).

The decision is up to the OEM. If an OEM forces Secure Boot, they should be contacted when you want them to disable it, not Microsoft. And once again, I was not talking about Secure Boot signatures. I was talking about Windows product keys stored in the UEFI. Have I made myself clear?

 

And no, they would not have to create a separate script for each motherboard. There are only about 5 BIOS vendors in total, and everything made by a vendor would be compatible with other BIOSs made by the same vendor.

 

And just because a board would say "Windows 10 certified" does not mean it would have Secure Boot forced. Those "Windows 8 Certified" boards do not have it enabled by default. In fact, the factory defaults are made with alternative OSs in mind.


This OP has half the info; @GoodBytes' post goes into much detail about it. The OEM is the one deciding if the user can turn it off for desktop; it is only fully enforced for mobile.

http://www.neowin.net/news/windows-10-to-lock-out-linux-with-non-disableable-secure-boot same source as goodbytes post

this is one of the greatest thing that has happened to me recently, and it happened on this forum, those involved have my eternal gratitude http://linustechtips.com/main/topic/198850-update-alex-got-his-moto-g2-lets-get-a-moto-g-for-alexgoeshigh-unofficial/ :')

i use to have the second best link in the world here, but it died ;_; its a 404 now but it will always be here

 


Basically, Microsoft is handing out loaded guns and then going "Hey! You are NOT allowed to put the guns down ever, and they have to be loaded at all times, you are free to put the safety on but it will be off when I give them to you". You can't just say "wow Microsoft is innocent! They were allowed to put the safety on if they wanted" if someone ends up being shot.

 

The only way Microsoft would be innocent if an OEM decides to not include an off switch is if Microsoft completely removed the requirement for Secure Boot altogether. As long as they are forcing manufacturers to have Secure Boot and have it enabled to default, they are guilty.

 

Even if someone creates a simple script they would have to do that for each and every motherboard, and there is still the risk of bricking your motherboard when flashing your BIOS. It will be a huge speed bump for people wanting to try it out.

 

It's not necessarily moddable either. The signatures could be stored on a ROM.

 

 

 

 

Every single motherboard that I know of has been certified for Windows. Just look at your motherboard box. Of course, motherboard manufacturers might just skip the certification program and then they can do whatever they want, but I am not sure if there is any drawback to it (why would they bother with it to begin with if there was no drawback?).

Bad analogy, since anyone around a firearm should automatically assume it is loaded and treat it as such at all times, even if they know it is not.

 

Just nit picking :P

Ketchup is better than mustard.

GUI is better than Command Line Interface.

Dubs are better than subs


Basically, Microsoft is handing out loaded guns and then going "Hey! You are NOT allowed to put the guns down ever, and they have to be loaded at all times, you are free to put the safety on but it will be off when I give them to you". You can't just say "wow Microsoft is innocent! They were allowed to put the safety on if they wanted" if someone ends up being shot.

 

The only way Microsoft would be innocent if an OEM decides to not include an off switch is if Microsoft completely removed the requirement for Secure Boot altogether. As long as they are forcing manufacturers to have Secure Boot and have it enabled to default, they are guilty.

 

Even if someone creates a simple script they would have to do that for each and every motherboard, and there is still the risk of bricking your motherboard when flashing your BIOS. It will be a huge speed bump for people wanting to try it out.

 

It's not necessarily moddable either. The signatures could be stored on a ROM.

 

 

 

 

Every single motherboard that I know of has been certified for Windows. Just look at your motherboard box. Of course, motherboard manufacturers might just skip the certification program and then they can do whatever they want, but I am not sure if there is any drawback to it (why would they bother with it to begin with if there was no drawback?).

 

They won't lock the motherboard to a single OS.

That would piss off the enthusiasts and hurt their bottom line.

I don't see every mobo manufacturer doing that, not in my lifetime.


The decision is up to the OEM. If an OEM forces Secure Boot, they should be contacted when you want them to disable it, not Microsoft. And once again, I was not talking about Secure Boot signatures. I was talking about Windows product keys stored in the UEFI. Have I made myself clear?

Read:

Basically, Microsoft is handing out loaded guns and then going "Hey! You are NOT allowed to put the guns down ever, and they have to be loaded at all times, you are free to put the safety on but it will be off when I give them to you". You can't just say "wow Microsoft is innocent! They were allowed to put the safety on if they wanted" if someone ends up being shot.

 

The only way Microsoft would be innocent if an OEM decides to not include an off switch is if Microsoft completely removed the requirement for Secure Boot altogether. As long as they are forcing manufacturers to have Secure Boot and have it enabled to default, they are guilty.

Because Microsoft forces OEMs to ship with Secure Boot enabled, they are guilty if an OEM decides to not implement a switch.

Also, check mobile phones. All phones could ship with unlocked bootloaders but manufacturers prefer to limit what customers can do with their products as much as possible.

 

 

If you weren't talking about secure boot signatures then what the hell were you talking about, and why did you bring it up if it's irrelevant to secure boot? No you have not made yourself clear.

 

 

And no, they would not have to create a separate script for each motherboard. There are only about 5 BIOS vendors in total, and everything made by a vendor would be compatible with other BIOSs made by the same vendor.

5 vendors doesn't necessarily mean 5 scripts. For example, adding SLIC is not always straightforward and the same method might not work on two motherboards from the same manufacturer.

 

 

And just because a board would say "Windows 10 certified" does not mean it would have Secure Boot forced. Those "Windows 8 Certified" boards do not have it enabled by default. In fact, the factory defaults are made with alternative OSs in mind.

[Citation Needed], because I was under the impression that they needed to actually meet the requirements to get the certification. The whole thing seems kind of pointless otherwise.


They won't lock the motherboard to a single OS.

That would piss off the enthusiasts and hurt their bottom line.

I don't see every mobo manufacturer doing that, not in my lifetime.

Yep, that idea clearly stopped phone and tablet manufacturers from locking the bootloaders.

Oh wait...


Read:

Because Microsoft forces OEMs to ship with Secure Boot enabled, they are guilty if an OEM decides to not implement a switch.

Also, check mobile phones. All phones could ship with unlocked bootloaders but manufacturers prefer to limit what customers can do with their products as much as possible.

 

 

If you weren't talking about secure boot signatures then what the hell were you talking about, and why did you bring it up if it's irrelevant to secure boot? No you have not made yourself clear.

 

 

5 vendors doesn't necessarily mean 5 scripts. For example, adding SLIC is not always straightforward and the same method might not work on two motherboards from the same manufacturer.

 

 

[Citation Needed], because I was under the impression that they needed to actually meet the requirements to get the certification. The whole thing seems kind of pointless otherwise.

I meant Windows product keys stored in the UEFI. Formerly known as SLIC tables, they are now called MSDM when they're in UEFI on a Windows 8 PC.

 

And, well, very well then. The mobile phone example is pretty good. However, very few of them are not unlockable.

 

Adding SLIC indeed is not the same for all BIOSs made by the same vendors. However, there are usually only 3 different ways to add SLIC. My point is that BIOS modding can be made very simple with automated scripts and GUIs.

 

"Windows 8 Certified" on retail boards is not the same as the "Windows 8 Logo" on OEM systems. I believe "Windows 8 certified" just means that all hardware on that board has drivers for 8.


I meant Windows product keys stored in the UEFI. Formerly known as SLIC tables, they are now called MSDM when they're in UEFI on a Windows 8 PC.

What relevance does that have to Secure Boot? Can you please tell me your argument again because I don't understand how it is relevant at all.

 

 

And, well, very well then. The mobile phone example is pretty good. However, very few of them are not unlockable.

Because of complicated workarounds which have a chance of bricking your phone, and breaking when updating it.

 

 

Adding SLIC indeed is not the same for all BIOSs made by the same vendors. However, there are usually only 3 different ways to add SLIC. My point is that BIOS modding can be made very simple with automated scripts and GUIs.

That remains to be seen.

 

 

"Windows 8 Certified" on retail boards is not the same as the "Windows 8 Logo" on OEM systems. I believe "Windows 8 certified" just means that all hardware on that board has drivers for 8.

Hmm I see. If that's the case then this will "only" be an issue for laptops.


I meant Windows product keys stored in the UEFI. Formerly known as SLIC tables, they are now called MSDM when they're in UEFI on a Windows 8 PC.

 

And, well, very well then. The mobile phone example is pretty good. However, very few of them are not unlockable.

 

Adding SLIC indeed is not the same for all BIOSs made by the same vendors. However, there are usually only 3 different ways to add SLIC. My point is that BIOS modding can be made very simple with automated scripts and GUIs.

 

"Windows 8 Certified" on retail boards is not the same as the "Windows 8 Logo" on OEM systems. I believe "Windows 8 certified" just means that all hardware on that board has drivers for 8.

 

Exactly.

I think the prospect of EVERY motherboard having OS lock is very Orwellian and not in touch with reality at all.

And even if that's the case in the future, people will find ways around it.


What the hell, what's the point of that? Make it configurable like Win 8 prebuilt computers.

 

Indeed. See, this is what bothers me; see if you guys follow me:

 

1) Satya says "You get a free 10 upgrade, and YOU get a free 10 upgrade and YOU get a free 10 upgrade too pirate!"

 

2) A few days later the hype passes and someone reads the small letters: you don't really get windows 10 for free pirate, in fact we don't clarify what happens to not genuine so it might as well be a lame trick to attempt to kill your installation

 

3) A few more days go by and now the real strategy comes out: Yea free upgrades to windows 10....also prebuilt machines, still the majority of the pcs people actually use, those can now be fully locked from other OSes, because fuck SteamOS, that's why.

 

So first it looks like you're tricking pirates into giving up their install and reverting back to non-genuine on their copies (Granted mostly an annoyance I fully expect to be an activator crack within weeks if not days of Windows 10 being out) and now you also go back to the aggressive tactics of just locking you out of other oses (Not just Linux though but looks like old copies of Windows too, if you buy a new computer you might not even be able to revert it to 7 easily) 

 

What they initially made seem like a bold move to be inclusive and get everybody on their ecosystem now seems to be also an aggressive move to lock everybody in without exit.

-------

Current Rig

-------


Hmm I see. If that's the case then this will "only" be an issue for laptops.

Not really, it is "up to the manufacturer" so they could do it on a desktop motherboard. What we don't know and can happen in the background is that Microsoft might give big time discounts on the OS if they do it.


Exactly.

I think the prospect of EVERY motherboard having OS lock is very Orwellian and not in touch with reality at all.

And even if that's the case in the future, people will find ways around it.

One word: smartphones.

 

You can't deny that manufacturers have been pretty aggressive when it comes to restricting the installation of OSes other than what they ship on their smartphones. It's foolish to assume that they won't try the same with desktops if they are given the chance.

Also, Microsoft are going out of their way to make this change. They wouldn't change from "you must allow users to be in control" to "you don't have to do it if you don't want to" for no reason. Either OEMs have asked them to remove the requirement, or Microsoft thinks they will benefit from removing the requirement. In either scenario the customers lose.

 

 

This is not just about installing other OSes either. Some modifications such as skins for Windows will trigger Secure Boot. Glass8 for example, which enables transparency in Windows 8, triggers it because it modifies some system files.


One word: smartphones.

 

You can't deny that manufacturers have been pretty aggressive when it comes to restricting the installation of OSes other than what they ship on their smartphones. It's foolish to assume that they won't try the same with desktops if they are given the chance.

Also, Microsoft are going out of their way to make this change. They wouldn't change from "you must allow users to be in control" to "you don't have to do it if you don't want to" for no reason. Either OEMs have asked them to remove the requirement, or Microsoft thinks they will benefit from removing the requirement. In either scenario the customers lose.

 

 

This is not just about installing other OSes either. Some modifications such as skins for Windows will trigger Secure Boot. Glass8 for example, which enables transparency in Windows 8, triggers it because it modifies some system files.

 

I highly doubt it.

Smartphones aren't desktop PCs.

They are much more restricted, just look at Apple.

Desktop PCs allow you to access much lower levels and have more flexibility.

They can TRY to do that shit but the market will not respond favorably and they will lose money.

Like Nvidia did with the locked voltage on laptops, people were pissed.

The Streisand effect will kick them in the ass and they will regret ever fucking pondering about that.


Not really, it is "up to the manufacturer" so they could do it on a desktop motherboard. What we don't know and can happen in the background is that Microsoft might give big time discounts on the OS if they do it.

I think to get the "Windows 8 Ready" certification on a PC shipped the OEM would have to implement and by default enable secure boot. So I see this as being likely.
