> Microsoft itself has been the _first_ vendor who shipped systems where SecureBoot could neither be disabled nor the whitelist of signatures/keys replaced with your own.
It’s misleading to mention that but not say that you’re referring to Surface RT tablets, which were Microsoft’s equivalent of an iPad ecosystem — only Store apps, OEM OS only, etc. It’s also running a different flavor of Windows on an ARM processor.
Surface Pro devices have always had toggleable & configurable Secure Boot.
Why misleading? It shows exactly what the long-term MS strategy was, what SecureBoot was designed for, and it also shows exactly who shipped the first "shitty" SecureBoot implementation. People had to resort to cracks in order to run plain Win32 apps! Except, of course, Office. That one is the only Win32 app which was allowed. Good ol', classy Microsoft.
> Surface Pro devices have always had toggleable & configurable Secure Boot.
Not at all. While it is true that Secure Boot has been deactivable in the "Pro" family, disabling Secure Boot results in Scary Boot Prompts (TM) (a _permanent_, literal red screen warning during the boot process that would drive most users away). _To this day_, there is no way to install your own Secure Boot keys in the Surface UEFI setup. Again, one of the "shitty" implementations, and comes from Microsoft!
It's actually worse than that. At least the first two Surface Pro iterations didn't even ship with the UEFI CA key, meaning you could not even install MS-signed Linux distros! The only way would be to disable Secure Boot, and thus have to suffer the red Scary Boot Prompts (TM) on every boot prompt. Again, MS leading the way for the other OEMs in terms of shittiness.
Almost two years afterwards, MS started shipping a WMI-based method that would allow you to install the MS UEFI CA. So you had to install Windows and run a Windows program in order to be able to install an OS signed with your own keys. This is _still true_ even in the latest iteration of Surface Pro devices. This is the example that MS sets for other OEMs.
And almost 10 years later, Lenovo starts disabling the UEFI MS CA key by default....
It’s misleading to mention that but not say that you’re referring to Surface RT tablets, which were Microsoft’s equivalent of an iPad ecosystem — only Store apps, OEM OS only, etc. It’s also running a different flavor of Windows on an ARM processor.
Surface Pro devices have always had toggleable & configurable Secure Boot.