Windows 10 Build 14342
-
@nadnerB said in Windows 10 Build 14342:
Righto, here it is: http://www.theregister.co.uk/2016/05/06/microsoft_update_asus_windows_7/
Well, this article doesn't really go far enough to say who made the mistake here. Did Asus, by creating their own special personal version of a Secure Boot-like environment that supported Windows 7? So this is really Asus's fault? But MS changed the way some part of BitLocker reporting works - so is MS to blame?
-
@Dashrender said in Windows 10 Build 14342:
@nadnerB said in Windows 10 Build 14342:
Righto, here it is: http://www.theregister.co.uk/2016/05/06/microsoft_update_asus_windows_7/
Well, this article doesn't really go far enough to say who made the mistake here. Did Asus, by creating their own special personal version of a Secure Boot-like environment that supported Windows 7? So this is really Asus's fault? But MS changed the way some part of BitLocker reporting works - so is MS to blame?
Welcome to unsecure boot. Just hearing the devs talk about that cluster made me wonder what was going on with it. It's larger and more complicated than an entire OS, all available right in our BIOS code. Nothing bad could happen with that, right?
-
Actually I really like the idea of Secure Boot - kill off rootkits.
-
@Dashrender said in Windows 10 Build 14342:
Actually I really like the idea of Secure Boot - kill off rootkits.
Yeah, the idea is great. Looking at the actual implementation made me go, wtf?
-
@travisdh1 said in Windows 10 Build 14342:
@Dashrender said in Windows 10 Build 14342:
Actually I really like the idea of Secure Boot - kill off rootkits.
Yeah, the idea is great. Looking at the actual implementation made me go, wtf?
I guess I'm not sure why you say that?
-
@Dashrender said in Windows 10 Build 14342:
@travisdh1 said in Windows 10 Build 14342:
@Dashrender said in Windows 10 Build 14342:
Actually I really like the idea of Secure Boot - kill off rootkits.
Yeah, the idea is great. Looking at the actual implementation made me go, wtf?
I guess I'm not sure why you say that?
Just talk to someone that's dealt with the code some time. The stated goal was more secure systems. What they actually did was create a complex beast that only Microsoft could (theoretically) actually comply with. At least that's what I got from the talk the devs from Red Hat gave about Secure Boot. Turns out not even Microsoft can get it right. Wish I could say I'm surprised.
-
Huh - granted I've barely brushed against it.
It's my understanding that you have to put the public certificate into the UEFI so that it will recognize the OS as secure, but beyond that I haven't heard of any issues.
Of course MS has provided the certificate to all the manufacturers, so it's included in all PCs made today - are RH and everyone else doing the same? I'm guessing not, so of course this means more work on the side of the device owner to install the cert into UEFI first before installing a Linux variant and using Secure Boot.
But I suppose there could be more issues than just that involved here that I just haven't heard of.
-
@Dashrender said in Windows 10 Build 14342:
Actually I really like the idea of Secure Boot - kill off rootkits.
I have always had to disable Secure Boot to be able to boot from USB. Thoughts?
-
@BBigford said in Windows 10 Build 14342:
@Dashrender said in Windows 10 Build 14342:
Actually I really like the idea of Secure Boot - kill off rootkits.
I have always had to disable Secure Boot to be able to boot from USB. Thoughts?
What OS is on the USB? I'm not surprised by this at all - in fact I expect it. Why? For starters, probably the OS isn't signed, and even if it is, the public cert isn't in the UEFI.
These are easy things to fix, and in a corporate setup I would highly suggest looking at possible solutions for this, but that might really not be needed. If you - IT - need to boot from USB that's not signed, that's fine because you know the UEFI password: you log into it, disable Secure Boot, do your job, re-enable it, done.
-
@Dashrender said in Windows 10 Build 14342:
@BBigford said in Windows 10 Build 14342:
@Dashrender said in Windows 10 Build 14342:
Actually I really like the idea of Secure Boot - kill off rootkits.
I have always had to disable Secure Boot to be able to boot from USB. Thoughts?
What OS is on the USB? I'm not surprised by this at all - in fact I expect it. Why? For starters, probably the OS isn't signed, and even if it is, the public cert isn't in the UEFI.
These are easy things to fix, and in a corporate setup I would highly suggest looking at possible solutions for this, but that might really not be needed. If you - IT - need to boot from USB that's not signed, that's fine because you know the UEFI password: you log into it, disable Secure Boot, do your job, re-enable it, done.
I use a variety of boot tools to check hardware (mostly all found on HBCD). Definitely not going to sign them on every incoming PC. I usually just disable SB.
-
@BBigford said in Windows 10 Build 14342:
I use a variety of boot tools to check hardware (mostly all found on HBCD). Definitely not going to sign them on every incoming PC. I usually just disable SB.
This is a personal choice - how secure do you want your environment to be? Hiren could definitely sign his CDs and make them compliant with Secure Boot, I'm guessing he just doesn't have people requesting it, and doesn't see the value to cost as worthwhile.
-
@Dashrender said in Windows 10 Build 14342:
@BBigford said in Windows 10 Build 14342:
I use a variety of boot tools to check hardware (mostly all found on HBCD). Definitely not going to sign them on every incoming PC. I usually just disable SB.
This is a personal choice - how secure do you want your environment to be? Hiren could definitely sign his CDs and make them compliant with Secure Boot, I'm guessing he just doesn't have people requesting it, and doesn't see the value to cost as worthwhile.
Just start here.
Then read about how pointless it really is.
I mean, it can't be that bad, right? You can't need a different signing key for every kernel and kernel module! Try again.
Yeah, with the latest Asus no-more-boot thanks to a Windows Update bug, not even Microsoft can stay compliant with their own system.
I could go on and on with reference pages.