
Secure Boot.. yay or nay?

I just discovered a new thing. Windows "Core Isolation" feature (seemingly can't even turn it off without reg editing) actually prevents VirtualBox and others from running. lol.

Just seems like it's all part of the same MS shenanigans. They just want you to use Hyper-V, I think (that or not dual booting). Which I have, but it's kind of B.S. to do this.

Isn't there a slider in the Windows Security panel to disable it? I don't know if there are more options available, but I have Memory integrity available and disabled...

Memory integrity is the feature that interferes with VMs.
 
Isn't there a slider in the Windows Security panel to disable it? I don't know if there are more options available, but I have Memory integrity available and disabled...

Memory integrity is the feature that interferes with VMs.

It doesn't work. It's greyed out and says only an Administrator can do it...even on my own exclusive machine where I am admin. Even when I specifically unlock a hidden Admin profile and log in manually that way.. it's still greyed out.

That said, it's just one switch (1 to 0) in the registry. If it's so simple this way, the interface must be bugged, I guess.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity
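An added read-only check (my own example, not something any poster in this thread supplied) that reports the state of the two things argued about here: Secure Boot and Memory integrity (HVCI). The post above quotes only the key path; the `Enabled`/`Locked` value names and the `Win32_DeviceGuard` CIM class are taken from Microsoft's documentation, not from the thread. Run it in an elevated PowerShell session on Windows 10/11; it changes nothing.

```powershell
# Added example: report Secure Boot and HVCI (Memory integrity) state. Read-only.

# 1. Secure Boot. Confirm-SecureBootUEFI throws on legacy BIOS/CSM firmware.
try {
    $secureBoot = Confirm-SecureBootUEFI
    Write-Host ("Secure Boot enabled : {0}" -f $secureBoot)
} catch {
    Write-Host "Secure Boot enabled : n/a (CSM/legacy boot or unsupported firmware)"
}

# 2. HVCI as *configured* in the registry key quoted in the post above.
#    'Enabled' = 1 is the slider being on. 'Locked' = 1 means the UEFI lock
#    is set, so flipping 'Enabled' to 0 alone does not clear the setting.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
if (Test-Path $key) {
    $p = Get-ItemProperty -Path $key
    Write-Host ("HVCI configured     : {0}" -f ($p.Enabled -eq 1))
    Write-Host ("HVCI UEFI-locked    : {0}" -f ($p.Locked -eq 1))
} else {
    Write-Host "HVCI configured     : key absent (setting never toggled)"
}

# 3. HVCI as actually *running*. The registry says what is configured; the
#    Device Guard CIM class says what the hypervisor enforces right now.
#    SecurityServicesRunning contains 2 for HVCI and 1 for Credential Guard.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$hvciRunning = @($dg.SecurityServicesRunning) -contains 2
Write-Host ("HVCI running        : {0}" -f $hvciRunning)
if ($hvciRunning) {
    Write-Host "Note: third-party hypervisors such as VirtualBox may refuse to start while HVCI is active."
}
```

"Configured" and "running" can disagree after a registry edit until the next reboot, which is worth checking before concluding the Windows Security slider is bugged.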
 
Secure Boot is useless, and was pushed to avoid people changing the preinstalled OS.
Exactly this. In some cases it can provide a more secure operating environment. However that kind of situation is rarely, if ever, needed in the consumer sector. It is just another way Microsoft(the largest supporter by far) is trying to control everything.
 
What issues have you run into?
Had an interesting issue when 1803 came out, which cost me many hours of headache at work.
If I had EFI+Secure boot enabled, then Windows would get stuck in "S" mode right after online activation (can't install third-party software).
Tried EFI and no SB: all relatively good, but activation may break on rare occasions (a legit key is accepted during installation, but at the end the machine is not activated), and you end up with Windows 10S once again.
CSM: no problems whatsoever.

I guess MS had fixed this issue, cause I haven't encountered it for a few months while using the same 1803 installation media.
 
I'm dabbling around right now with it on. I don't plan on using this machine full time anyway, until Oct update rolls out, I think. We'll see how it goes. I kind of just want to learn more about the innards of Windows, even if I end up avoiding many features (one new cool thing I did find is Windows Application Guard.. which can run Edge in its own virtualized container.. for safer browsing than usual).

The main ability I lose from that SuperO app is the ability to turn off the damn RGB. I can tweak the BIOS in the usual places. And luckily, I don't see the inside of my computer much anyway.
 
I can almost appreciate them wanting their own platform.. like Apple.. but not a damn PC. Go do it to ARM.
They did on their Surface with Windows RT. Damn thing is practically padlocked. Couldn't even compile your own programs in Visual Studio and run it on there. Well you could by doing a lot of hacking but if the machine ever restarts, it reverts to not allow it (application signing). If Microsoft didn't give your program its stamp of approval, it's a PITA to make it work.
 
They did on their Surface with Windows RT. Damn thing is practically padlocked.

Hah.. yes, I have one. In a box.. sitting under my bed. Not much I can do with it... even its version of Windows doesn't offer much.

edit: Wait, I at least can turn off Secure Boot temporarily, launch the Super Micro app.. turn off the RGB.. then turn on Secure boot again. Duh. I should have known that.

Still, when I turn off Secure Boot at first, it booted straight into the EFI shell. I had to redirect to the Windows boot loader again. Any reason why that happens?
 
Secure Boot is useless, and was pushed to avoid people changing the preinstalled OS.
Exactly this. In some cases it can provide a more secure operating environment.
Then it is NOT "exactly this", is it?

Secure boot is not useless and it was pushed to prevent badguys from hijacking systems by, for example, inserting a bootable USB drive. It also is useful in preventing rootkits from replacing the boot loader.

It is only useless if you don't know how to use it.

For most users with modern UEFI hardware who will not be dual-booting, it is an additional and worthwhile extra layer of security. But with a little effort, dual-booters can effectively use it too.

https://www.howtogeek.com/116569/ht...e-boot-feature-works-what-it-means-for-linux/
 
I've never had a rootkit issue, and haven't known anyone who did since like... the early 2000s.

But I suppose it's better to be safe than sorry. I'm not going to knock having more security. I'm just curious of all the ways it might be an inconvenience.
 
I'm just curious of all the ways it might be an inconvenience.
I guess that's my point. When it was first introduced with W8, it caused me minor problems with a new dual-boot build. But those were easy to overcome. I have not encountered any problems with secure boot and current motherboards and W10.
 
It doesn't work. It's greyed out and says only an Administrator can do it...even on my own exclusive machine where I am admin. Even when I specifically unlock a hidden Admin profile and log in manually that way.. it's still greyed out.

That said, it's just one switch (1 to 0) in the registry. If it's so simple this way, the interface must be bugged, I guess.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity
@RejZoR made a tool to do it quick and easy. https://www.techpowerup.com/forums/threads/download-windows-10-th-rs.216164/page-16#post-3835025
 
Then it is NOT "exactly this", is it?

Secure boot is not useless and it was pushed to prevent badguys from hijacking systems by, for example, inserting a bootable USB drive. It also is useful in preventing rootkits from replacing the boot loader.

It is only useless if you don't know how to use it.

For most users with modern UEFI hardware who will not be dual-booting, it is an additional and worthwhile extra layer of security. But with a little effort, dual-booters can effectively use it too.

https://www.howtogeek.com/116569/ht...e-boot-feature-works-what-it-means-for-linux/
If someone has access to the USB ports, he can just take the whole computer as well; you have bigger problems.
Secure boot is using a password at post, there was no need for it.
 
It's not "secure boot" so much as "daddy-has-my-keys boot".

I mean, you can supply your own keys, if you care to do so.

It's designed to protect against "evil maid" attacks primarily, or any kind of bootvector virus/malware.

Secure boot is using a password at post, there was no need for it.

Bill is right here. It's a little more than that.
 
If someone has access to the USB ports, he can just take the whole computer as well; you have bigger problems.
Can and will are two completely different things. You are using a single narrowly focused example to prove an entire point. But there are many other scenarios to make your example invalid.

For example, many bad guys have no interest in the hardware. They want the data! For many people and especially companies, the data is way more valuable than the computer.

Why plant a keylogging device if the bad guy can just steal the computer? Because it is the data he wants, not the computer!

It is often much easier, faster and safer (for the bad guy) to boot to an inserted USB flash drive, do the dirty work, then walk away than it is to disconnect, pick up and attempt to walk out the door carrying a computer without being noticed.
Secure boot is using a password at post, there was no need for it.
Not even! To avoid looking uninformed, please learn about the subject you are talking about before making totally inaccurate comments. Secure boot comes into play long before the OS is touched at boot and long before a user is prompted to enter any password during boot. In fact, booting with Secure Boot does NOT even require a password!
 
I wouldn't be worried about any hardware theft except with a laptop or phone. If someone broke into my house and actually took the time to get the desktop, I have bigger things to worry about.
 
Isn't it when first introduced at win8 you can't even install win8 os if secure boot is disabled? I don't know now on win 10. I just leave it enabled. Don't know if it will cause problems if I disabled it.
 
Isn't it when first introduced at win8 you can't even install win8 os if secure boot is disabled? I don't know now on win 10. I just leave it enabled. Don't know if it will cause problems if I disabled it.

It appears they've fixed this.. and/or half of the Linux distros out there work with secureboot and provide their own keys.

Although, as I linked to in an earlier post here, it seems that Linus himself is not a fan.
 
Isn't it when first introduced at win8 you can't even install win8 os if secure boot is disabled?
First, it is important to note Secure Boot was required ONLY with factory assembled computers and ONLY if those makers wanted to put a "Windows certified" (or some similar verbiage) sticker on the computer (and box). And of course, the motherboard had to have a UEFI BIOS, not a traditional BIOS. Home builders did not have to enable it.

But StrayKAT is right again and MS has fixed and changed a lot about how SB is implemented in W10.

It should also be noted that MS endured years and years of relentless bashing over security (or lack of it). Even 10 years after XP came out, they were still getting bashed when it was the bad guys perpetrating the crimes, not MS. And why didn't Norton, McAfee, TrendMicro and the others stop it? Because they had no financial incentive to rid the world of malware - but that's for another discussion.

MS is stuck between a rock and hard place. If they make Windows too flexible, it exposes security vulnerabilities and gives the bad guys lots of opportunities and ways to get in - and then MS gets bashed for not caring about user security.

If Microsoft locks down Windows and takes away flexibility, even though security is greatly improved, MS gets bashed for not caring about user flexibility.

With XP, a great amount of flexibility (which included legacy hardware and software support) was built in, but security was compromised and Microsoft was relentlessly bashed. So then the pendulum swung the other way and Windows 8, while much more secure, was very inflexible. YOU WILL LIKE the new UI for example. You WILL USE secure boot. And more. And then of course, MS was relentlessly bashed for being too rigid and Windows sales plummeted.

Microsoft, and rightfully so IMO, would much rather be bashed for being inflexible than for allowing the bad guys to run roughshod over their users.

So now with W10, the pendulum has swung back closer to the middle. Microsoft is putting security well ahead of flexibility, but at the same time, allowing users to once again customize and personalize Windows to our own liking. And IMO, they are doing a great job of that.

We (consumers) have to realize one of Windows' greatest assets is it is highly customizable. Users can configure it to look and feel just about any way we want. We can install all sorts of hardware from 1000s of different makers and be confident Windows will support it. Same with software. If we wanted a computer that was so locked down, so controlled with "proprietary" configurations and parts, we all would have bought Macs! Right?

But we must also understand and accept that one of Windows' greatest liabilities is it is highly customizable. And that leaves opportunities for mistakes and vulnerabilities to be accidentally (intentionally?) written into or opened up in the software or driver code - especially if we dink with W10 defaults.
 
Password during post, not boot, that means before the boot device selection. I'm not talking about an account's password.
 
Still not needed unless you set one.
 
There are vendor keys, but it's transparent.

At least for me, since I'm using a noob Standard mode. I don't know a thing about custom keys. Hopefully this is good enough. Isn't it normal to use "Standard mode"? I have to wonder what the Supermicro guy really meant when he said factory defaults shouldn't be used. What the hell is that? Do they really expect random users to generate complex encryption keys? These guys live in their own little world.
 