Windows 10 Build 14342

BRRABill

@Dashrender said

Actually, this case applies to Open source too. Anyone who wants to write software to accomplish this same goal is free to, and distribute it anyway they want. It will probably have a lot more options, but the reality is that very few people want this so no one will probably bother to create it.

I'm not saying I support open source. I'm just waiting for the banter.

Dashrender

@Breffni-Potter said in Windows 10 Build 14342:

@Dashrender said

A service we paid for? Are you kidding me?

Where's my ability to remove the store from Windows 10 pro via GPO?
Where is X
Where is Y
Where is Z

That's the problem.

@Dashrender said

MS removes things from time to time.. they are no where near as bad as Google - Google kills things all the time.

But with this model, they can actually kill features. When has that ever happened on locally installed MS software? between say Exchange 07 and 10? Sure but installing an update which cripples feature X in the same version? Oh dear.

Well, they just did that to Windows 7 so I heard - Windows 7 Secure Boot is no longer supported apparently. MS changed a patch from suggested to Important, and since most users have have Important updates install automatically, when the patch was installed, suddenly anyone who use using Secure Boot in the BIOS was no longer able to boot into Windows.

Deleted74295

@Dashrender said

Well, they just did that to Windows 7 so I heard

My point exactly, they've changed direction.

Dashrender

@Breffni-Potter said in Windows 10 Build 14342:

@Dashrender said

Well, they just did that to Windows 7 so I heard

My point exactly, they've changed direction.

Agreed - MS, at least with the Secure Boot, is changing direction. I use so little of the built in option, I can't recall if they have removed things in the past or not.

nadnerB

@Dashrender that patch only effected some Asus boards. It's due to how Asus implemented secure boot... which was outside their arrangement with Microsoft... According to a press release/the register's interpretation of it.

If I can find a link when I get into the office, I'll post it.

nadnerB

Righto, here it is: http://www.theregister.co.uk/2016/05/06/microsoft_update_asus_windows_7/

bbigford

@scottalanmiller said in Windows 10 Build 14342:

Sadly it wasn't because "it was the right thing to do" but only because it cost too much to make a feature everyone was ignoring.

Definitely. The right thing to do, was to never put it in the build in the first place.

Dashrender

@nadnerB said in Windows 10 Build 14342:

Righto, here it is: http://www.theregister.co.uk/2016/05/06/microsoft_update_asus_windows_7/

Well, this article doesn't really go far enough to say who made the mistake here. Did Asus, by creating their own special personal version of Secure Boot-Like environment that supported Windows 7? So this is really Asus's fault? But MS changed the way some part of Bit locker reporting - so is MS to blame?

travisdh1

@Dashrender said in Windows 10 Build 14342:

@nadnerB said in Windows 10 Build 14342:

Righto, here it is: http://www.theregister.co.uk/2016/05/06/microsoft_update_asus_windows_7/

Well, this article doesn't really go far enough to say who made the mistake here. Did Asus, by creating their own special personal version of Secure Boot-Like environment that supported Windows 7? So this is really Asus's fault? But MS changed the way some part of Bit locker reporting - so is MS to blame?

Welcome to unsecure boot. Just hearing the devs talk about that cluster made me wonder what was going on with it. It's larger and more complicated than an entire OS, all available right in our BIOS code. Nothing bad could happen with that, right?

Dashrender

Actually I really like the idea of Secure Boot - kill off Root kits.

travisdh1

@Dashrender said in Windows 10 Build 14342:

Actually I really like the idea of Secure Boot - kill off Root kits.

Yeah, the idea is great. Looking at the actual implementation made me go, wtf?

Dashrender

@travisdh1 said in Windows 10 Build 14342:

@Dashrender said in Windows 10 Build 14342:

Actually I really like the idea of Secure Boot - kill off Root kits.

Yeah, the idea is great. Looking at the actual implementation made me go, wtf?

I guess I'm not sure why you say that?

travisdh1

@Dashrender said in Windows 10 Build 14342:

@travisdh1 said in Windows 10 Build 14342:

@Dashrender said in Windows 10 Build 14342:

Actually I really like the idea of Secure Boot - kill off Root kits.

Yeah, the idea is great. Looking at the actual implementation made me go, wtf?

I guess I'm not sure why you say that?

Just talk to someone that's dealt with the code some time. The stated goal was more secure systems. What they actually did was create a complex beast that only Microsoft could (theoretically) actually comply with the thing. At least that's what I got from the talk the devs from RedHat gave about secureboot. Turns out not even Microsoft can get it right. Wish I could say I'm surprised.

Dashrender

Huh - granted I've barely brushed against it.

It's my understanding that you have to put the public certificate into the UEFI so that it will recognize the OS as secure, but beyond that I haven't heard of any issues.

Of course MS has provided the Certificate to all the manufactures, so it's included in all PCs made today - Is RH and everyone else doing the same? I'm guessing not, so of course this means more work on the side of the device owner to install the cert into UEFI first before installing a Linux variant and using Secure Boot.

But I suppose there could be more issues than just that involved here that I just haven't heard of.

bbigford

@Dashrender said in Windows 10 Build 14342:

Actually I really like the idea of Secure Boot - kill off Root kits.

I have always had to disable Secure Boot to be able to boot from USB. Thoughts?

Dashrender

@BBigford said in Windows 10 Build 14342:

@Dashrender said in Windows 10 Build 14342:

Actually I really like the idea of Secure Boot - kill off Root kits.

I have always had to disable Secure Boot to be able to boot from USB. Thoughts?

What OS is on the USB? I'm not surprised by this at all - in fact I expect it. Why? For starters, probably the OS isn't signed, and even if it is, the public cert isn't in the UEFI.

These are easy things to fix, and in a corporate setup I would highly suggest looking at possible solutions for this, but that might really not be needed, if you - IT - need to boot from USB that's not signed, that's fine because you know the UEFI password, you log into it, disable Secure Boot, do your job, re-enable it, done.

bbigford

@Dashrender said in Windows 10 Build 14342:

@BBigford said in Windows 10 Build 14342:

@Dashrender said in Windows 10 Build 14342:

Actually I really like the idea of Secure Boot - kill off Root kits.

I have always had to disable Secure Boot to be able to boot from USB. Thoughts?

What OS is on the USB? I'm not surprised by this at all - in fact I expect it. Why? For starters, probably the OS isn't signed, and even if it is, the public cert isn't in the UEFI.

These are easy things to fix, and in a corporate setup I would highly suggest looking at possible solutions for this, but that might really not be needed, if you - IT - need to boot from USB that's not signed, that's fine because you know the UEFI password, you log into it, disable Secure Boot, do your job, re-enable it, done.

I use a variety of boot tools to check hardware (mostly all found on HBCD). Definitely not going to sign them on every incoming PC. I usually just disable SB.

Dashrender

@BBigford said in Windows 10 Build 14342:

I use a variety of boot tools to check hardware (mostly all found on HBCD). Definitely not going to sign them on every incoming PC. I usually just disable SB.

This is a personal choice - how secure do you want your environment to be? Hiren could definitely sign his CDs and make them compliant with Secure Boot, I'm guessing he just doesn't have people requesting it, and doesn't see the value to cost as worthwhile.

travisdh1

@Dashrender said in Windows 10 Build 14342:

@BBigford said in Windows 10 Build 14342:

I use a variety of boot tools to check hardware (mostly all found on HBCD). Definitely not going to sign them on every incoming PC. I usually just disable SB.

This is a personal choice - how secure do you want your environment to be? Hiren could definitely sign his CDs and make them compliant with Secure Boot, I'm guessing he just doesn't have people requesting it, and doesn't see the value to cost as worthwhile.

Just start here.

Then read about how pointless it really is.

I mean, it can't be that bad, right? You can't need a different signing key for every kernel and kernel module! Try again.

Yeah, with the latest Asus no-more-boot thanks to a windows update bug, not even Microsoft can stay compliant with their own system.

I could go on and on with reference pages.