During WinHEC (Windows Hardware Engineering Conference), Microsoft announced that PCs with Windows 10 and UEFI must ship with Secure Boot enabled by default. Secure Boot is a feature to protect PCs from malware which can infect the OS boot loader to load itself at the earliest stage of booting. What Secure Boot does it allows only a Microsoft-verified / signed boot loader to be used. So boot loaders that are not signed can no longer boot other operating systems like Linux. With Windows 8, Microsoft had not mandated that Secure Boot be enabled by default. With Windows 10, now hardware manufacturers (OEMs) must enable it by default if they want Windows logo certification, and it is up to the OEM to decide whether they even want to give you the ability to disable Secure Boot. This is an extremely alarming situation as you can potentially be locked out of using other operating systems thanks to Microsoft. Here is what you should do to avoid this.
Now that OEMs no longer have to provide the ability to disable Secure Boot for PCs with Windows 10, if you end up accidentally buying a new Windows 10 PC without the ability to disable Secure Boot, you might not be able to install Linux!
In case of Windows 8.x, OEMs were not required to sell Windows 8 logo certified PCs with Secure Boot enabled. They were free to disable all boot security restrictions.
Users who want to install an alternative OS on a Windows 10 Secure Boot-enabled computer will have to use a special UEFI bootloader, signed by Microsoft. Alternatively, developers of the "alternative" bootloader need to contact the hardware vendor directly to ask them to include a special digital key to allow their bootloader to be loaded properly.
If at any point in time, Microsoft changes their mind and discontinues their boot loader certification program, you are screwed. Also, this gives Microsoft full authority over which OSes you can install on your hardware.
Being a Linux user, I am certainly not happy with these changes as these go against the spirit of freedom that free software offers. At this moment, ALL my PCs are running Linux. Workstations and laptops run Arch Linux (which is the best Linux distro, IMHO) and servers are running Debian. There is only one PC which has Windows 8.1 in a dual boot configuration, which I use to develop my freeware for you in order to make your Windows experience better.
What is the solution?
I see no solution to this other than to be careful while purchasing a new PC. Choose your laptop or desktop OEM carefully - choose one that allows you to disable Secure Boot. If you assemble your own desktop PC, make sure your motherboard OEM allows disabling Secure Boot.
In the worst case, I believe that all hardware can eventually be locked to run only Windows 10 and we will lose the ability to install Linux. I am looking forward to projects like CoreBoot (which is an alternative UEFI BIOS firmware) and CubieTruck (open hardware). However, they will always lag behind the mainstream UEFI BIOS firmwares in terms of hardware compatibility. CubieTruck is in fact an ARM-based SoC. While it can be used for lightweight tasks like writing this article for Winaero, it will not run virtual machines and is very limited in performance. Welcome to a brave new world.
Winaero greatly relies on your support. You can help the site keep bringing you interesting and useful content and software by using these options:
If you like this article, please share it using the buttons below. It won't take a lot from you, but it will help us grow. Thanks for your support!