Why does Windows 11 need secure boot

Try3 · Nov 28, 2021

spapakons said:
I am not trying to push anyone to upgrade. I just help anyone already decided to do so.

I invariably find your posts well-informed & useful.

And many of the retorts seem to be arguing against suggestions you have not made. All rather baffling.

Yours in puzzlement,
Denis

spapakons · Nov 28, 2021

I bet our friend has already given a fortune for a new computer with Windows 11 preinstalled, and now he hates to discover he could have used his old one.
It's not my fault if he didn't do some research first and just rushed to replace his computer.

markw51 · Dec 10, 2021

mcp111 said:
So why wasn't secure boot required for windows 10? Windows 10 was a smooth upgrade. Didn't have to fiddle with bios settings

Because Windows 11 is not Windows 10 and the requirements have changed, not that hard to understand really.

spapakons · Dec 10, 2021

markw51 said:
Because Windows 11 is not Windows 10 and the requirements have changed, not that hard to understand really.

No, this level of security is overkill and therefore useless for the average home or work computer. This level of security is only needed in army computers and large enterprises with sensitive data. Anyone else simply disables all this stuff to make the computer faster. So Microsoft wants to force users upgrade their systems or replace them. They don't give a damn about our security. This is not too hard to understand, unless you have already invested a fortune on a new system and you just don't want to admit that all this was not absolutely necessary. That you were tricked. Sorry for the bad news, but that's the truth.

tomdsr · Dec 12, 2021

spapakons said:
No, this level of security is overkill and therefore useless for the average home or work computer. This level of security is only needed in army computers and large enterprises with sensitive data. Anyone else simply disables all this stuff to make the computer faster. So Microsoft wants to force users upgrade their systems or replace them. They don't give a damn about our security. This is not too hard to understand, unless you have already invested a fortune on a new system and you just don't want to admit that all this was not absolutely necessary. That you were tricked. Sorry for the bad news, but that's the truth.

Before you say it, no, i did not "rush out and invest a fortune on a new system". My less than 2 year old computer more than meets win11 requirements.

Sensitive data is not an entitlement of only large government entities or multinational conglomerates.

My banking info, my stocks, my business contacts, my customer contacts, my supplier and vendor contacts, my own notes for my cancer treatment, and quite a bit of other info on my system is quite sensitive to me and worth protecting.

Your attitude and posture with it sounds more like conspiracy theories and wanting people to rush out and buy tinfoil hats maybe?

It is not your place to determine what is necessary for me, jim on the corner, or anyone else besides yourself.

Yes, you are entitled to your opinion, but in my "opinion" you sound like you are only playing with half the deck.

spapakons · Dec 12, 2021

It's not your business to tell anyone else to avoid upgrading their old computer and buy a new "safer" instead. No computer is 100% safe as long as it is connected to the internet and the user is not careful enough. Sorry if anyone felt like I was trying to force them into doing something they don't like. I just want to let you know that there are alternatives besides buying new computer to install Windows 11 on.

cereberus · Dec 12, 2021

spapakons said:
I bet our friend has already given a fortune for a new computer with Windows 11 preinstalled, and now he hates to discover he could have used his old one.
It's not my fault if he didn't do some research first and just rushed to replace his computer.

This is a weak argument. We are already seeing instances of upgrades not meeting the W11 requirements having upgrade issues. MS have categorically stated they do not actively supprt unofficial upgrades bypassing their security contstraints.

In the end, it is blooming simple:-

If you bypass the specs needed for W11, you are taking a risk and have no one to blame except yourself if things go pearshaped.

The-Hive · Dec 12, 2021

Security is the answer IMO you can turn it off and tweak your way around it but I have always said if you don't meet win 11 specs, stay on 10 they are there for a reason whether you agree with the idea or not

BunnyJ · Dec 12, 2021

Installing 11 on a noncompatible device doesn't mean you'll have the security features available on it. That's one of the reasons MS changed the hardware requirements.

BunnyJ · Dec 12, 2021

spapakons said:
It's not your business to tell anyone else to avoid upgrading their old computer and buy a new "safer" instead. No computer is 100% safe as long as it is connected to the internet and the user is not careful enough. Sorry if anyone felt like I was trying to force them into doing something they don't like. I just want to let you know that there are alternatives besides buying new computer to install Windows 11 on.

Huh? What most of us are doing is simply making life as easy for users as possible that happen to come here. If their hardware isn't compliant for 11 there's nothing wrong with them staying on 10. The procedures that are needed to install 11 on a non compliant device isn't as easy as you're making it out to be and should only be tried by a more experience user.

I for one just wants to solve problems and not create more for a member here.

zbook · Dec 12, 2021

These links may be useful:

Update on Windows 11 minimum system requirements and the PC Health Check app

Today’s blog post provides two updates. First, an update on Windows 11 minimum system requirements based, in part, on feedback from the Windows Insider community. Second, information on the updated PC Health Check app that is now available to Windo

blogs.windows.com

Security:
Windows 11 raises the baseline of Windows security by improving the security default configuration
to combat increasing cyber-attacks. These requirements were informed based on trillions of signals
from Microsoft’s threat intelligence as well as input from leading security experts like the NSA,
UK National Cyber Security Center and Canadian Centre for Cyber Security.

Security:
Windows 11 has raised the security baseline to make it the most secure version of Windows ever.
We have used the more than 8.2 trillion signals from Microsoft’s threat intelligence, reverse engineering
on attacks as well as input from leading experts like the NSA, UK National Cyber Security Center and
Canadian Centre for Cyber Security to design a security baseline in Windows 11 that addresses increasing
threats that software alone cannot tackle. We have carefully designed the hardware requirements and
default security features based on an analysis of the most effective defenses. This analysis was based on the
Microsoft data set of blocked attacks in 2020 which included 30 billion email threats, six billion threats to
endpoint devices and 30 billion authentications. In addition to benefitting from these intelligence sources,
Windows 11 enables proven security controls based on industry wide recommendations from global experts
like the NSA and NCSC.

The UEFI Secure Boot requirement ensures that a system boots with only code signed by either the
device builder, the silicon vendor, or Microsoft. It does this by ensuring all code is signed by specific entities
and by recording cryptographic hashes in hardware that can also be sent to the cloud to verify integrity.
If a system can be compromised prior to the operating system boot, then all kernel, user and endpoint security
tools can be completely undermined. The “NotPetya” attack, which cost hundreds of millions in damages,
leveraged legacy bios to inject ransomware code before boot, which can now be mitigated by Secure Boot.
The value and best practices of Secure Boot have also been validated by the U.S. National Security Agency.
We have been requiring OEMs to ship using UEFI Secure Boot enabled since June 26, 2013 and want all
Windows 11 devices to be able to provide that customer benefit.

tomdsr · Dec 12, 2021

spapakons said:
It's not your business to tell anyone else to avoid upgrading their old computer and buy a new "safer" instead. No computer is 100% safe as long as it is connected to the internet and the user is not careful enough. Sorry if anyone felt like I was trying to force them into doing something they don't like. I just want to let you know that there are alternatives besides buying new computer to install Windows 11 on.

Please link or point me to where i have told anyone to avoid upgrading?

Isn't that what you are trying to do? You know, when you said:

spapakons said:
No, this level of security is overkill and therefore useless for the average home or work computer. This level of security is only needed in army computers and large enterprises with sensitive data. Anyone else simply disables all this stuff to make the computer faster. So Microsoft wants to force users upgrade their systems or replace them. They don't give a damn about our security. This is not too hard to understand, unless you have already invested a fortune on a new system and you just don't want to admit that all this was not absolutely necessary. That you were tricked. Sorry for the bad news, but that's the truth.

BunnyJ · Dec 12, 2021

Better security is never overkill. I don't know why anyone would make that claim. IMO, more is better and the more we can get the better off we are. I suspect there's an other issue here and it's not about security. More like people going out and buying new hardware.

spapakons · Dec 12, 2021

The OP asked why secure boot is necessary. If you want full security at the cost of compatibility, then "The UEFI Secure Boot requirement ensures that a system boots with only code signed by either the device builder, the silicon vendor, or Microsoft. It does this by ensuring all code is signed by specific entities and by recording cryptographic hashes in hardware that can also be sent to the cloud to verify integrity. If a system can be compromised prior to the operating system boot, then all kernel, user and endpoint security tools can be completely undermined."

If on the other side you prefer full compatibility and you are using the internet carefully, then I just say Secure Boot is not absolutely necessary.

The final choice is yours. If you don't mind spending money on something you might not really need, who am I to judge you. Your money, your decision. I have made mine. I have already upgraded my main PC to Windows 11 (see 2nd PC specs) and so far I had no issues.

cereberus · Dec 12, 2021

spapakons said:
The OP asked why secure boot is necessary. If you want full security at the cost of compatibility, then "The UEFI Secure Boot requirement ensures that a system boots with only code signed by either the device builder, the silicon vendor, or Microsoft. It does this by ensuring all code is signed by specific entities and by recording cryptographic hashes in hardware that can also be sent to the cloud to verify integrity. If a system can be compromised prior to the operating system boot, then all kernel, user and endpoint security tools can be completely undermined."

If on the other side you prefer full compatibility and you are using the internet carefully, then I just say Secure Boot is not absolutely necessary.

The final choice is yours. If you don't mind spending money on something you might not really need, who am I to judge you. Your money, your decision. I have made mine. I have already upgraded my main PC to Windows 11 (see 2nd PC specs) and so far I had no issues.

Security is all about layers of protection. The more layers, the better you are protected. This is well shown philisophically by the Swiss Cheese Model.

Each layer represents some security aspect e.g. layer 1 could be AV, Layer 2 could be Secure Boot, Layer 3 - Firewall, Layer 4 - Common Sense.

Each layer will have some weaknesses (the holes), and if really unlucky, all the holes line up and the "spear" gets through if aimed just right.

In the above, most "spears" will not get through.

The critical point is if you reduce the layers, you increase the chances of a "well aimed spear" particularly with the common sense layer as that will have more holes than other layers as "human error" is much more likely than a virus getting through an AV package.

Ok, maybe "secure boot is not absolutely necessary" but I contend that anything that reduces security is to be avoided.

The problem is many go one stage further e.g. turning off Defender as well (2 layers switched off).

Ok, I know this is all obvious to you and most users here, but when I explain it like the above to my relations and friends it just makes them think about what they are doing.

Equally, one should not become complacent - some believe the "marketing hype" that package XYZ is the best and then they stop thinking and completely destroy the "common sense layer".

In real life, the holes might be bigger than you think, e.g. an AV package may be susceptible to the latest viruses.

In the end, it is all about risk mitigation.

Incidentally, I do a lot of Risk Analysis in the Offshore Industry and we use a lot of techniques (LOPA - Layers of Protection Analysis, SIL - Safety Integrity Levels, HAZID - Hazard Identification etc) but they all boil down to one common theme - minimise overall risk by minimising ALL individual risk elements that you can think of where possible.

In the end, the same principle apply here as in many other aspects of life, driving, eating (except perhaps in marriage which defies all logic known to humankind LOL)

spapakons · Dec 13, 2021

Unfortunately the common sense layer is usually compromised when people think they are safe. It's like wearing a seatbelt and drive dangerously. Windows 11 doesn't make your computer totally secure. Never forget common sense. If you prefer an analogy, Windows 11 on unsupported machine (no TMP, no Secure Boot) is like an old car with seatbelt and ABS, but not airbags, collision detection etc. Windows 11 on a supported machine is like a new car with any safety measure you can think of. I rather drive carefully the old car than go like crazy in the new car. That is provided you never click on anything unless you read it and always make sure to close suspicious windows and never accept any unknown offer. This way Windows 11 safe on any machine or even safer.

BunnyJ · Dec 13, 2021

spapakons said:
Unfortunately the common sense layer is usually compromised when people think they are safe. It's like wearing a seatbelt and drive dangerously. Windows 11 doesn't make your computer totally secure. Never forget common sense. If you prefer an analogy, Windows 11 on unsupported machine (no TMP, no Secure Boot) is like an old car with seatbelt and ABS, but not airbags, collision detection etc. Windows 11 on a supported machine is like a new car with any safety measure you can think of. I rather drive carefully the old car than go like crazy in the new car. That is provided you never click on anything unless you read it and always make sure to close suspicious windows and never accept any unknown offer. This way Windows 11 is as safe as using Windows 10 or even safer.

Huh?? Yes.. users have to use a tad bit of common sense to make security secure it's still better to have the OS add more layers to the security.

Windows 11 can only make a device more secure if the hardware features are present.. otherwise there's no additional security present. When a user installs 11 on a non compliant device all they get is half of the benefits of 11.. the looks and cosmetic changes, oh and some of the under the hood things. But that's it. Don't forget the downside that MS may cut off support for 11 on non complaint devices.

While I like 11 I would only use it on a device that is compliant to the new specs or I would have to understand that I may have to go back to 10 at a moments notice. As I have mentioned before the only individuals who should set up 11 on a non compliant device are experienced users who are testing it out. Other than that there no need to use 11.

spapakons · Dec 13, 2021

Yes, Windows 11 is not necessary, but the point of Elevenforum is to help users who either want to switch to 11 or install it temporarily for testing. That's what I am trying to do here. Help unsuspicious Windows 11 users (or want-to-be users) realize they don't need a new computer to experience Windows 11, they can use their existing PC without some of the advanced security features. I don't know about others, but I install Windows 11 for the new visuals and the compatibility with new standards that eventually they won't be available in 10. Security is the least of my concerns, as I am always careful online. Yes, it is welcome, as long as it doesn't demand to change my system just to install Windows 11. If I could not run 11 at all, I might consider upgrading in the future. But I don't like all that compatibility checks that try to block us only because we don't meet the specs of higher security. It could be a disclaimer that we proceed at our own risk, not block us.

It's like removing the audio system from a car to avoid distraction of the driver. would you buy the car? Of course not. I would rather buy a car with audio system and use it at my own risk. The same goes installing Windows 11 on an unsupported system without all the new security features. I prefer to take the risk.

BunnyJ · Dec 13, 2021

The point, IMO., is to advice people if they should or shouldn't install 11then if they opt to install it tell them how. But with that.. I'm done here.

tinmar49 · Dec 30, 2021

I almost feel sorry for Microsoft, they got slated for not providing enough security, and now for trying to protect users.
One problem is the total lack of standardisation of BIOS settings between manufacturers, I have set up W11 on Asrock, MSI and Gigabyte motherboards and there is a new learning curve each time. I remember when all motherboards were similar to setup, there only being 2 different makes of BIOS.