Microsoft’s Windows 10 operating system is launching later this year, and – as any computer technician will only be too happy to tell you – this usually is accompanied by a lot of reading, many headaches and some retreading back on what you’ve learned in the preceding years. This time, though, not only does Windows 10 change a few things about itself (YAY, GPT partitions, I’m totally not looking forward to fixing hard drive faults in the future), Microsoft is also urging their partners to make a few changes to their systems that will be shipping either with Windows 10 pre-installed on them, or with an official certification to say that it is Windows 10-Ready.
Most of the changes that Microsoft usually institutes have been easily worked around. Prior to the launch of Windows 8, Microsoft told their partners that all machines moving forward should support the UEFI-based Secure Boot system, but they did also require that there be a switch to turn this off if the user wanted to install another operating system. This was a god-send for Linux and Hackintosh systems, because neither of these were completely ready for Secure Boot and a lot of Linux distributions weren’t compatible with it. As far back as 2012 there were also still businesses buying new hardware and installing Windows XP on it, so that was also something that the industry needed to move away from.
This time around, things get a little trickier. While the system requirements for the actual Windows 10 operating system remain the same as Windows 8/8.1, and even though you can install it on much older hardware, newer systems are a bit different.
For the Windows 10 launch, devices shipping with it must have Secure Boot enabled by default – in this regard, nothing has changed since the Windows 8 launch. However, we now have something interesting for mobile devices – Microsoft now says that devices that will ship with their latest OS must not allow Secure Boot to be turned off, while it is now an optional requirement to have the user able to turn it off on desktop devices. If that sounds a bit heavy-handed, well… it kind of is. What follows also sort-of applies to pre-built desktops and motherboards, but the OEM vendors must decide if they want you to have the option to turn it off.
“Must not allow secure boot to be turned off on retail device”
When Microsoft says “retail device”, what they mean to say is a device that should be sold as-is with a support warranty, pre-assembled for the user, which applies to laptops, tablets and hybrid devices. Working around the Secure Boot option for reinstalling Windows 10 on these devices should be straightforward so long as you’re starting the install from the Windows desktop, but doing a fresh install, or repairing an install, could be tricky. I have a UEFI-enabled netbook that I had to reformat this weekend with Windows 8.1. Even though I had downloaded the installation files from Microsoft, and even though I had used their own tools to make my flash drive bootable, it wasn’t recognised under the UEFI boot options.
In fact, once I had completed the OS setup, it still wasn’t bootable without configuring the netbook to use Legacy BIOS instead of UEFI Secure Boot. There are several ways, some of them hugely complicated, to make any Legacy BIOS Windows 8/8.1 install turn into one compatible with Secure Boot, but it is a pain in the ass. So, I usually just don’t bother with it.
So this means that for a lot of you out there, reinstalling Windows 10 on a new notebook that has had its hard drive removed or upgraded might be tricky, because stuff like your flash drive might not be UEFI-bootable (a lot of the older ones that I have don’t work properly with UEFI). Its more difficult for Linux users, because there are quite a few distributions out there that don’t function at all with Secure Boot, because they need to have a signed key handed out by Microsoft to allow the OS to boot into the installer. Hell, this makes it doubly difficult for anyone who boots off a Linux install on a USB for troubleshooting. Unless you can turn Secure Boot off, you simply aren’t going to be running that copy of Hiren’s Boot Disc, or a Linux Live CD, if it doesn’t have these keys to allow it.
That’s right folks – that awesome Offline NT Password Recovery Tool simply won’t boot on these new machines if they don’t let you turn off Secure Boot. I don’t usually need to use tools like these, but when I do its usually to fix a relatively new copy of Windows on a recently-released machine, not an old one on older hardware.
Still, while the internet panics about this slightly, there is a silver lining to it – the companies that create some of the popular Linux distributions, like the Debian Group, Canonical and Red Hat, have all been working with Microsoft to get their distributions signed with the correct keys to enable Secure Boot. This won’t mean that all Linux distros will do it as well, but at least there is some form of a back-up available in case you get a new machine one day and it throws hissy fits while you install Arch Linux on to it.
Two steps forward, one step back, as the saying goes. If you’re a computer techie by trade, or just have to fix these blasted things for your family, let me know in the comments below if you’ve run into any of the many mind-numbing issues that have been the fault of Microsoft since the launch of Windows 8. Supporting, fixing and refreshing Windows 7 devices used to be dead easy, didn’t it?
Source: Ars Technica