Let's install Windows 11 on incompatible hardware


Of course we all want to upgrade our computers to keep them current, regardless of whether we use Secure Boot or not. Last time I checked, Secure Boot wasn't available in my Asus P8H61 motherboard (Intel socket 1155). However, I have CSM enabled because I run Windows 11 in Legacy BIOS mode. This was an intentional choice because my first SSD back in 2021 was just 120GB, too small to waste about 1GB for the extra system partitions required by GPT. So I decided to use MBR and bypass the compatibility check in order to do a Legacy BIOS installation instead. My computer (2nd system specs) is unsupported anyway. So I guess I am not affected by the change in certificates. Besides, even if I had a UEFI mode installation and Secure Boot on, I doubt my old motherboard would be able to upgrade the certificate, so I would have to turn Secure Boot off.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 23H2 (5699), 25H2 (8457)
    Computer type
    Laptop
    Manufacturer/Model
    Acer Extensa 5630EZ
    CPU
    Mobile DualCore Intel Core 2 Duo T7250, 2000 MHz
    Motherboard
    Acer Extensa 5630
    Memory
    4GB
    Graphics Card(s)
    Mobile Intel(R) GMA 4500M (Mobile 4 series)
    Sound Card
    Realtek ALC268 @ Intel 82801IB ICH9 - High Definition Audio Controller
    Monitor(s) Displays
    1
    Screen Resolution
    1280x800
    Hard Drives
    Samsung SSD 850 EVO 250GB SATA Device (250 GB, SATA-III)
    Internet Speed
    VDSL 50 Mbps
    Browser
    MICROSOFT EDGE
    Antivirus
    WINDOWS DEFENDER
    Other Info
    Legacy MBR installation, no TPM, no Secure Boot, no WDDM 2.0 graphics drivers, no SSE4.2, cannot get more unsupported ;) This is only my test laptop. I had installed Windows 11 here before upgrading my main PC. For my main PC I use everyday see my 2nd system specs.
  • Operating System
    Windows 11 Pro v25H2 (build 26200.8457)
    Computer type
    PC/Desktop
    Manufacturer/Model
    Custom-built PC
    CPU
    Intel Core-i7 3770 3.40GHz s1155 (3rd generation)
    Motherboard
    Asus P8H61 s1155 ATX
    Memory
    2x Kingston Hyper-X Blu 8GB DDR3-1600
    Graphics card(s)
    GIGABYTE GeForce RTX 3050 WINDFORCE OC V2 6GB (GV-N3050WF2OCV2-6GD)
    Sound Card
    Realtek HD audio (ALC887)
    Monitor(s) Displays
    Sony Bravia KDL-19L4000 19" LCD TV via VGA
    Screen Resolution
    1440x900 32-bit 60Hz
    Hard Drives
    WD Blue SA510 2.5 1000GB SSD as system disk, Western Digital Caviar Purple 4TB SATA III (WD40PURZ) as second
    PSU
    Thermaltake Litepower RGB 550W Full Wired
    Case
    SUPERCASE MIDI-TOWER
    Cooling
    Deepcool Gamma Archer CPU cooler, 1x 8cm fan at the back
    Keyboard
    Mitsumi 101-key PS/2
    Mouse
    Sunnyline OptiEye PS/2
    Internet Speed
    100Mbps
    Browser
    Microsoft Edge, Mozilla Firefox
    Antivirus
    Microsoft Windows Defender
    Other Info
    Legacy BIOS (MBR) installation, no TPM, no Secure Boot, WDDM 3.0 graphics drivers, WEI score 7.4
From an old Microsoft engineer: "Secure boot only keeps operating system from boot into any other or from any other operating system, if you do not pay much attention to security; don’t have good anti virus and malware software, and visit potentially dangerous sites, then secure boot may not offer really help as all it protects is the boot process. It will not offer protection against many of the attacks that hit the operating system but are nothing to do with the boot process."

What I do know is that Secure Boot is really useful if you are a white-collar worker in a corporation or government, OR if you play Valorant, because their anti-cheat system can't reach out boot status etc.

What I say is that if you are a simple home user, Secure Boot won't give you much advantage... on the contrary, many home users are reporting they are unable to boot their system because of the certificate migration. I have read that even companies' IT departments mass-disable Secure Boot on workers' laptops.
Secure Boot is just one component in a multi-layered cyber-security defense system. The way it works in conjunction with the TPM and BitLocker, though, makes it a very important component for someone with a need to secure access to locally stored data. In short, while it may not stop attacks against the OS, it prevents the TPM from unsealing BitLocker keys, thereby giving access to BL-protected drives, if anything in the boot chain has been altered. This goes a long way to understanding why MS is so hot to trot for TPM 2.0, UEFI/Secure Boot and BitLocker protection.

I'm no expert in this but there is one thing I do know: the best component in a layered defense starts and ends with the user. I admit, I'm not particularly careful so I've chosen to keep the other layers shored up. And maintain backups for that time it fails anyway and I have to clean-install, with a back-up strategy that goes back several months to evade "time bomb" threats.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro
    Computer type
    PC/Desktop
    Manufacturer/Model
    DIY
    CPU
    Ryzen 7 5800X
    Motherboard
    Gigabyte B550M Aorus Pro
    Memory
    GSkill 3200, 2x8GB
    Graphics Card(s)
    MSI RX 6800 XT Gaming Z
    Sound Card
    on-board Realtek
    Monitor(s) Displays
    MSI 180hz
    Screen Resolution
    1440p
    Hard Drives
    Samsung 980 Pro, Samsung 870 Evo, generic PCIe NVME, WD 1TB 2.5" laptop spinner
    PSU
    Corsair RM 650
    Case
    mATX
    Cooling
    BeQuiet 240mm AIO and a bunch of case fans
    Keyboard
    one that clacks softly
    Mouse
    logitech
    Internet Speed
    bunches of bps
    Browser
    Firefox
    Antivirus
    Windows' own
  • Operating System
    Win11 Pro
    Computer type
    PC/Desktop
    Manufacturer/Model
    DIY
    CPU
    Ryzen 7 1700
    Motherboard
    GA-AB350M G-3
    Memory
    16GB DDR4
    Graphics card(s)
    RX-480
    Sound Card
    In-Built Realtek
    Monitor(s) Displays
    Samsung
    Screen Resolution
    1440p
    Hard Drives
    NVME/SSD's
    PSU
    Thermaltake BX1 550W
    Case
    Some junky thing
    Cooling
    ThermalTake Assassin(?)
    Browser
    FF/Edge
    Antivirus
    Whatever Windows does
    Other Info
    Secure Boot enabled updated to 2023 CA keys, TPM2.0 enabled with system drive Bitlocker'd.
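
The TPM unsealing behaviour described in the post above, as an added example that is not part of the original thread: a simplified Python model of PCR extension and PCR-bound sealing. `ToyTpm` is a hypothetical class, not a real TPM API, and the PCR indices (4 for boot code, 7 for Secure Boot state) and all measured strings are constructed assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


@dataclass(frozen=True)
class SealedBlob:
    indices: tuple      # PCRs the secret is bound to
    policy: bytes       # digest of those PCRs at seal time
    ciphertext: bytes   # secret, protected by a key that never leaves the TPM


class ToyTpm:
    """Minimal model of TPM PCRs and PCR-bound sealing (hypothetical, not a real API)."""

    def __init__(self):
        self._seed = os.urandom(32)  # stands in for the TPM's internal storage key
        self.reset()

    def reset(self) -> None:
        # PCRs return to all zeroes only on a platform reset.
        self.pcrs = {i: bytes(32) for i in range(24)}

    def extend(self, index: int, event: bytes) -> None:
        # A PCR cannot be written, only extended: new = H(old || H(event)).
        self.pcrs[index] = _h(self.pcrs[index] + _h(event))

    def _policy(self, indices) -> bytes:
        return _h(b"".join(self.pcrs[i] for i in sorted(indices)))

    def _keystream(self, policy: bytes) -> bytes:
        return hmac.new(self._seed, policy, hashlib.sha256).digest()

    def seal(self, secret: bytes, indices) -> SealedBlob:
        if len(secret) != 32:
            raise ValueError("this model seals exactly 32 bytes")
        policy = self._policy(indices)
        ct = bytes(a ^ b for a, b in zip(secret, self._keystream(policy)))
        return SealedBlob(tuple(sorted(indices)), policy, ct)

    def unseal(self, blob: SealedBlob) -> bytes:
        current = self._policy(blob.indices)
        if not hmac.compare_digest(current, blob.policy):
            raise PermissionError("PCR values differ from seal-time policy")
        return bytes(a ^ b for a, b in zip(blob.ciphertext, self._keystream(current)))


def boot(tpm: ToyTpm, secure_boot_vars: bytes, boot_chain: list) -> None:
    """Measure one boot: Secure Boot state into PCR 7, each boot image into PCR 4."""
    tpm.reset()
    tpm.extend(7, secure_boot_vars)
    for image in boot_chain:
        tpm.extend(4, image)


def can_unseal(tpm: ToyTpm, blob: SealedBlob, expected: bytes) -> bool:
    try:
        return tpm.unseal(blob) == expected
    except PermissionError:
        return False


def run_scenarios() -> dict:
    tpm = ToyTpm()
    volume_key = _h(b"constructed volume key")            # constructed 32-byte secret
    sb_on = b"SecureBoot=1|db=constructed-2011-ca"         # constructed measurement
    chain = [b"boot manager (constructed)", b"OS loader (constructed)"]

    boot(tpm, sb_on, chain)
    blob = tpm.seal(volume_key, (4, 7))                    # bind key to this boot state

    cases = {
        "unchanged boot chain": (sb_on, chain),
        "boot manager altered": (sb_on, [b"boot manager (modified)", chain[1]]),
        "secure boot disabled": (b"SecureBoot=0|db=constructed-2011-ca", chain),
        "db certificate list updated": (
            b"SecureBoot=1|db=constructed-2011-ca,constructed-2023-ca", chain),
    }
    results = {}
    for name, (sb_vars, images) in cases.items():
        boot(tpm, sb_vars, images)                         # reboot with this configuration
        results[name] = can_unseal(tpm, blob, volume_key)
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:30s} -> {'key released' if ok else 'unseal refused'}")
```

In this model the last case is refused as well: a legitimate change to a measured value alters the PCR just as tampering does, so the key has to be sealed again against the new state.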
The weakest security point is the human factor. Even if you give a locked and "protected" gun to a fool (s)he will manage to hurt himself/herself. Likewise no matter how "secure" you think you make Windows, a careless user will manage to get infected.
 

From an old Microsoft engineer: "Secure boot only keeps operating system from boot into any other or from any other operating system, if you do not pay much attention to security; don’t have good anti virus and malware software, and visit potentially dangerous sites, then secure boot may not offer really help as all it protects is the boot process. It will not offer protection against many of the attacks that hit the operating system but are nothing to do with the boot process."
There are many old MS engineers, including a number that no longer work for MS. Or actually worked in the Windows groups responsible for security features. I would take that story with a giant grain of salt unless they identified which teams they worked for.

Secure Boot helps protect against rootkits, which embed themselves into the boot process. And your "attacks that hit the operating system" may have just written one to your Windows or BIOS. A number of security features exist because things have been already exploited in the real world.
 

My Computer

System One

  • OS
    Windows 7
There are many old MS engineers, including a number that no longer work for MS. Or actually worked in the Windows groups responsible for security features. I would take that story with a giant grain of salt unless they identified which teams they worked for.

Secure Boot helps protect against rootkits, which embed themselves into the boot process. And your "attacks that hit the operating system" may have just written one to your Windows or BIOS. A number of security features exist because things have been already exploited in the real world.
Even then, hackers will most likely target corporation, bank or other computers with sensitive data. They rarely target a regular home computer, unless of course you visit illegal sites to do illegal downloads or you trade illegal applications/games in USB flash drives, formerly floppies. So a legitimate user that takes care what disks he uses in his PC, avoids suspicious sites and watches where he clicks has much fewer probabilities to get infected.
 

They rarely target a regular home computer
A British consumer group set up a heavily-monitored home network then sat back & watched.
They saw infiltration attempts every five minutes.

[report published - Which magazine dated August 2021]


Denis
 

My Computer

System One

  • OS
    Windows 11 Home x64 Version 25H2 Build 26200.8037
Even then, hackers will most likely target corporation, bank or other computers with sensitive data. They rarely target a regular home computer, unless of course you visit illegal sites to do illegal downloads or you trade illegal applications/games in USB flash drives, formerly floppies. So a legitimate user that takes care what disks he uses in his PC, avoids suspicious sites and watches where he clicks has much fewer probabilities to get infected.
This is like thinking, "I live in a really nice neighborhood. I don't need to lock the doors, or protect myself because crime is rare where I live."
 

They rarely target a regular home computer
I'm not so sure about that...

I think it would be very much in the interests of nation states to plant as many monitoring applications in as many devices as possible in the population of their opponent state(s). A modern twist on the old methods of collecting "dirt" on your opponents to use for turning them into your agent.
 
This is like thinking, "I live in a really nice neighborhood. I don't need to lock the doors, or protect myself because crime is rare where I live."
Of course I will lock my doors and even put an electronic alarm ringing police when there is a breach in security, but hiring a private guard and putting him outside my door 24/7 is too much. Also if you invite the thief in, by mistake, the private guard won't stop the attack. This is the equivalent of a careless user in your house analogy.
 

Besides all these, one little point that should be highlighted is that this whole Secure Boot thingy from Microsoft also prevents an average user from installing Linux on their comp using a USB stick :D Distros would not be able to boot on a SB enabled.

MOREOVER, in the beginning when Microsoft started implementing SB to industry they also wanted manufacturers to NOT allow user keys.
 

My Computers

System One System Two

  • OS
    windows 11 home 23H2 22631.6199
    Computer type
    Laptop
    Manufacturer/Model
    HP
    CPU
    Intel core i7 (2nd gen) Turbo 3.10 ghz
    Memory
    6gb
    Graphics Card(s)
    Amd Radeon HD 7400m 1GB & Intel hd graphics
    Sound Card
    BeatsAudio
    Hard Drives
    128gb SSD
  • Operating System
    macOS Sequoia
    Computer type
    PC/Desktop
    Manufacturer/Model
    iMac 24"
    CPU
    M1 3.2 ghz
    Memory
    8gb onboard
    Graphics card(s)
    igpu
    Monitor(s) Displays
    Retina 4.5K
    Screen Resolution
    4480x2520
    Hard Drives
    512gb SSD
Microsoft tries to discourage us adopting Linux.
 

Besides all these, one little point that should be highlighted is that this whole Secure Boot thingy from Microsoft also prevents an average user from installing Linux on their comp using a USB stick :D Distros would not be able to boot on a SB enabled.

MOREOVER, in the beginning when Microsoft started implementing SB to industry they also wanted manufacturers to NOT allow user keys.
I'm confident there are ways to work with Secure Boot and Linux and dual booting: I think that's the purpose of the Microsoft CA 2023 third party certificate. Probably getting into higher levels of technical difficulty, but anyone wanting to dive into Linux is looking for just this sort of challenge. Or better be.

I haven't come across anything concerning Microsoft's position on allowing third party keys, but I suppose the pitiful UEFI implementations in many of the big manufacturers (HP, Lenovo, Dell) might be explained by that. I thought it was just "Dell being Dell (and the others too)": they're simply hostile to allowing user access to BIOS internals.
 

Secure boot is just a fancy way of them selling services and product... It's a pure win win situation for both manufacturers and MS. I am not denying the facts that it makes your computer much more secure yes, BUT again mostly it covers physical access vulnerabilities.

With or without SB, users will keep getting all Windows Update security patches and will be protected against 99% of potential risks.
 

The MS 3rd-party certificate was provided so Linux and other OSes can Secure Boot. Linux distros always had the option to install THEIR OWN Secure Boot certs, instead of piggybacking off the MS official certs. And some distros provide you the instructions.

It's just Linux distros can't convince the PC makers to pre-load their certs in the factory UEFI firmware.
 

It's just Linux distros can't convince the PC makers to pre-load their certs in the factory UEFI firmware.
Hence the rise of tools like MOSBY I suppose?
 

Mosby builds upon the fact that such Linux tools already exist. The problem is you need to be a hard-core Linux user to know about them. But there's been a number of Linux guides going back years on how to create your own personal PK and self-sign the Linux boot files. Most users' eyes just glaze over and skip the entire process.

UEFI and Secure Boot are not MS standards, it's an industry working group. MS has an outsized influence based on the sheer number of Windows-based PC's being sold, but it has to pretend to play nice with its peers.
 

According to the Arch Wiki warning:
"Replacing the platform keys with your own can end up bricking hardware on some machines, including laptops, making it impossible to get into the firmware settings to rectify the situation. This is due to the fact that some device (e.g GPU) firmware (OpROMs), that get executed during boot, are signed using Microsoft 3rd Party UEFI CA certificate or vendor certificates."

We are talking about home users btw, who have no idea about Microsoft giving kernel-level permission for the system to work properly. What I see is MS really trying to be the central authority.
 

What about latest Rufus version? I have read that it allows you to select certificates when creating a USB flash drive. Is that only true for Windows 11 ISO, or it also works for other ISOs including Linux? If it does, then that's a way to create a 2023 certificate bootable USB flash drive for Linux.
 

@spapakons
I don't know but watch this. I am super annoyed. Even a tech guy like him got locked out from his own system... I really want to get rid of this "Secure Boot CA/keys need to be updated" kernel error in the event log every four hours. This started after an update, any idea how to bypass device check?

 

Probably someone else has better Registry knowledge than me, but an obvious workaround is to temporarily disable Secure Boot. I haven't checked latest Winaero Tweaker, it might have a tweak to do what you want.
 
