

Windows 8.1: Not Using Secure Boot? Don't Worry We'll Let You Know - Tomdarkness
https://tom-pryor.co.uk/blog/2013/10/21/windows-8-dot-1-not-using-secure-boot-dont-worry-well-let-you-know/

======
AaronFriel
The problem isn't that it's displaying an important security setting in a way
that forces users to notice it. Kudos to Microsoft for finally having the
courage to do so. Rather, the problem is that they haven't surfaced a method
for expert users to disable the warning.

I think I found that method.

Run `gpedit.msc`. Navigate to:

    
    
        Computer Policy > Administrative Templates > Windows Components > Bitlocker Drive Encryption > Operating System Drives
    

Set the following two policies to __Disabled __:

    
    
        Allow Secure Boot for integrity validation
    
        Use enhanced Boot Configuration Data validation profile
    

Should disappear the watermark.

~~~
cobookman
I've only got to wonder, how does Microsoft think of these crazy menus. Why
would secure boot settings be under Bitlocker drive encryption?

~~~
AaronFriel
It's all wrapped up in the same technology platform - SecureBoot and BitLocker
work together/are the same thing in some cases during the boot process. There
are differences, but I don't want to be pedantic.

~~~
cobookman
As a non-microsoft employee I'd never know that drive encryption and secure
boot settings would be the same 'technology' or even under 'bitlocker'. As
bitlocker to me is the same as os x filefault or truecrypt.

Why wouldn't you just put bitlocker, anti-virus, secure boot, UAC, ...etc
under one menu called 'Comp. Security'.

~~~
AaronFriel
Because then there'd be hundreds of settings in the same folder. This isn't a
user-visible menu or a wizard for configuring security settings, this is
something for expert users to really modify how their OS is designed.

Your suggestion is akin to putting _every_ RHEL/SLED/Ubuntu security setting
into one flat configuration file. IPSec, Sudo (and gksudo and friends), anti-
virus, cryptfs, apparmor / selinux, ufw / iptables, package signing
requirements (including repositories to use), etc.

Something like that would never happen even if Red Hat did control all of the
pieces of the puzzle. Now contrast Linux versus Windows here: if you want to
configure those things you have to discover the tools or file formats for each
security layer configuration manually, versus going into "gpedit.msc" and
having categorized settings for the whole OS.

~~~
vetinari
Still, it's the same rationale as sticking your network adapters configuration
under http server configuration. The httpd uses the network, right?

Still makes no sense.

------
perlgeek
I've recently got a laptop with secure boot enabled by default (an Asus
Zenbook), and man that was a pain. I wanted to install Linux on a second
partition, and it wouldn't let me boot anything from a removable medium until
I turned off secure boot.

But of course the option to disable secure boot was grayed out, and it took me
some searching on the Internet to find a solution: first you have to go to the
key management window, and delete all the keys there. Then you're allowed to
turn off secure boot.

If they wanted it to be usable, they'd just offer me an option 'boot once
without secure boot' (and ask for the BIOS/EFI administrator password if set).

After this experience, my hypothesis is that the main purpose of "secure boot"
is to discourage the user from installing anything non-default (aka Linux).

~~~
clebio
I routinely wipe all partitions and start fresh when setting up a new laptop.
What you describe seems to indicate I would have to boot into Windows
initially in order to delete those keys. Is there any other way around that?
Can anyone else comment as well?

~~~
Scorponok
I assume he means the key management window in the BIOS - UEFI BIOS interfaces
are pretty wacky and complex these days.

~~~
clebio
Ah, ok, good thought. I don't remember seeing such options in bios, but
they're all different after all. Thanks!

------
wrl
Just a reminder that Microsoft is cool with dual-booting, but only if it's to
increase their own marketshare.

In particular, the bit about wanting to dual-boot WP8 on Android phones:
[https://news.ycombinator.com/item?id=6497126](https://news.ycombinator.com/item?id=6497126)

~~~
Locke1689
Uh... that looks to me like they want to license WP8 to hardware manufacturers
for "Android" marked phones. Where did you get dual-boot from?

~~~
noinsight
They are actually trying it. [http://www.digitaltrends.com/mobile/android-
windows-phone-ch...](http://www.digitaltrends.com/mobile/android-windows-
phone-chestburster-dual-booting/)

(First link I found)

~~~
Locke1689
OK, once again that article seems to just be making stuff up. Its references
don't say anything aside from the fact that MS wants OEMs to put Windows on
Android phones, which probably just means offering all Android-exclusive
devices with an optional Windows version instead.

------
ksk
>I can’t see any reason why this message should be displayed so prominently.

Because an important security feature (in their eyes, DUH) is disabled.

> If a message is needed, at all, then why not display it on the System “View
> Basic Information about your computer” control panel item.

lol.

~~~
AaronFriel
The above user's incredulous response probably warranted some downvote or two,
but _ksk_ is correct in the spirit of his response. What portion of users ever
go to the control panel, let alone desire to view basic information about
their computer?

That's a dark pattern itself, hiding important settings in places where users
can't see it.

~~~
ksk
Well, there was nothing incredulous about my response. I found the article
devoid of any substance. Its one of those articles that shows up on HN just to
spark a few circle-jerks.

------
m_mueller
There'd be a more appropriate place for this: The action center. Recommended
actions can still be disabled can't they?

~~~
Tomdarkness
Actually, I'd agree. This would seem a better place than the "View basic
information about your computer".

------
ChuckMcM
That's interesting. When Intel was developing speech hardware one of the FAEs
was given a Ford Thunderbird with speech enabled to 'try out'. When ever you
were driving faster than 55[1] it would say about once every 10 seconds "Speed
limit exceeded!" The FAE decided that maybe speech wasn't everything it was
cracked up to be :-).

In this case there is a valid use case for not having secure boot enabled, but
I can see where Microsoft might not recognize any of them as the 'general
case.' Another step in the process of appliancizing computers into application
platforms.

[1] At the time federal law stated that no speed limit could be higher than 55
MPH so exceeding 55 was by definition 'speeding' anywhere in the US.

------
nticompass
On my Lenovo laptop, I have Windows 8.1 dual-booting with Arch Linux, and I
don't see this message. Pretty sure I have secure boot (UEFI) disabled in my
BIOS.

------
wmf
"the same method of displaying a watermark is also done if you are not running
a genuine copy of Windows"

Maybe that's because a prominent reason to disable secure boot is to use
Windows Loader to pirate Windows. Of course, there may be an updated version
soon that tricks Windows into thinking it booted securely.

~~~
venomsnake
Except no - the amount of MS Whining about piracy is disproportionate about
the real situation - the majority of laptops that a person can buy already
come with some form of windows license. To the point that it is actually hard
to buy a PC without windows. Sadly the self assembled laptop was never a
thing.

The real pirated software is MS Office.

~~~
rtkwe
In the States maybe, Windows is massively pirated over seas especially in
Asia.

Also there's a reason self assembled laptops aren't a thing, packing all the
components in the size of a laptop is a really hard problem.

------
winfred
I always end up with some watermark on my machines. I don't know, I consider
them honor badges I suppose?

------
api
Microsoft's products have long had broken security models close to their core,
mostly owing to the fact that they pre-date the net and were originally not
multi-user.

Instead of fixing this -- and to maintain backward compatibility -- they've
always applied security models further up the tree, closer to the apps and the
user. As a result MS has more and more complex security controls but is less
secure. This complexity and security bloat results from trying to patch a boat
that's full of holes in its fundamental design.

Secure boot is needed for the same reason lots of other controls are needed--
to make it harder to permanently screw the system once you've gotten malware
onto it. This is so important because it is historically so easy to get
malware onto Windows.

~~~
ksk
I didn't imagine a single person could type this amount of factually incorrect
information in a single post. Hats off to you, sir !

~~~
pritambaral
Why, I agree with most of what he said. Please enlighten us to whatever you
find incorrect!

~~~
ksk
>Why, I agree with most of what he said.

Sorry, then nothing I say will change your mind. It would be a waste of my
time.

~~~
pritambaral
So, you firmly believe that people's minds can't be changed? By logic and
reason, that is, of course.

------
Toshio
This kind of what's-a-good-word-for-it behavior is what makes me wish upon a
star that microsoft would slide into irrelevance already and leave the
software industry alone.

Oh. I know what a good word for it is: douchey.

~~~
pjmlp
As if the alternatives were any better.

~~~
babby
I think the point he is trying to make is that MS falling into irrelevancy
correlates with something else replacing their products, thus, the
alternatives in this scenario are better.

It's a nice thought, and not en entirely pointless one. The more population
that migrates to alternatives, the better those alternatives become. Of course
it's not linear, but right now it's all likely positive gains.

~~~
pjmlp
Sure, I am also for having more choice.

The only point being that all corporations that aspire to Microsoft's market
share are no saints either.

------
icecreampain
The author seems busy trying to put out small fires, instead of focusing on
what's really burning: Windows. There is, for most people, very little reason
to stay on Windows.

In todays world of wonderfully powerful machine, a WindowsXP or Windows7
installation in a seamless Virtualbox machine will solve most Windows-related
problems: proprietary apps at work, a photobook creation Windows app or maybe
an old game or so. For everything else there's at least one Linux distribution
that works.

I install Mint 15 Mate for my retirees and with it they can surf, bank, write
e-mail and word process. After installing it I never hear about viruses,
trojans or weird popups telling them that something is out of date.

Now if only younger people would have the courage to try something other than
Windows for once. Unfortunately you're going to be playin the latest Call of
Duty or Madden 2047, but them's the breaks.

~~~
alan_cx
Have your retirees tried installing something them selves?

I, today, had a very quick look at installing Libre Office on a Fedora VM.
Windows: download exe file, double click, it installs. Now go look up the
instruction for Linux. So absurdly, hilariously complicated. I thought of
Linux fanbois, and began to laugh, then cry. Right there is one reason Linux
has a long, long way to go.

Yeah, fine for geeks and great for running server services, as I have been
doing for decades, but as a general desk top for normal human beings? No way.
Not even slightly. Sure Windows has its issues, but you know what? It works.

But, I'll give your Mint a go. See if that is as easy as Windows. You never
know....

~~~
nobleach
The biggest problem I have is what to do when a newer version of something
comes out. Sure I run 3rd party repos for things like Node.js... but getting
Postgres 9.2 on Ubuntu is an exercise I can't imagine a normal GIS person
undertaking. Sure a developer or sysadmin would dive right in. But on Windows,
it's download exe and run. Mac it's download DMG and double click. For linux
it's "hope they have the release I want to use in their packaging system".

~~~
yebyen
I don't use Postgres, but on their website they tell you that 9.2 is the
default on Ubuntu, and how to downoad other versions. Trolling? Or is there a
real issue here?

[http://www.postgresql.org/download/linux/ubuntu/](http://www.postgresql.org/download/linux/ubuntu/)

It's hard to argue that secure boot, on which your machine comes with keys
installed by Microsoft (I don't trust them) and requires the user to know how
to a: install another set of keys to run Ubuntu (or b: disable the feature
entirely and forsake bootloader signing)... should be blessed

... but that users installing a piece of software as complex as a database
server, on a system where packages are cryptographically signed, can't be
arsed to follow the instructions on this page provided by the vendor, that was
the first search result on Google, to install the vendor key and to download
vendor packages from the vendor's own PPA repos.

