268 points tech234a | 13 comments
samiv ◴[] No.43513408[source]
I'm also 100% convinced Microsoft will introduce mandatory code signing at some point and make it so that you can only ever install software from Windows Store.

They are envious of the Google and Apple walled gardens/cash cows and are now determined to turn Windows into one.

Windows is no longer a product for users; the users of Windows are the product for Microsoft to be shoved into the Azure sales funnel.

replies(13): >>43513481 #>>43513509 #>>43513544 #>>43513761 #>>43513801 #>>43513860 #>>43514065 #>>43514218 #>>43514472 #>>43516006 #>>43516046 #>>43529439 #>>43529599 #
1. grishka ◴[] No.43514218[source]
Mandatory code signing is meaningless without secure boot though, which can't be made mandatory on x86 systems.
replies(4): >>43514480 #>>43514556 #>>43515221 #>>43516349 #
2. jychang ◴[] No.43514480[source]
Good thing they’re trying to move off x86, then
3. throwaway48476 ◴[] No.43514556[source]
MS's Pluton is in every new CPU.
replies(1): >>43515053 #
4. grishka ◴[] No.43515053[source]
And? Just, uh, boot without secure boot and patch things until they work again without enforcing code signing? The only way this sort of thing could be possibly partially enforced is by remote attestation for apps that depend on a server to function. So do what iOS jailbreaks did, except you don't need a vulnerability to start because secure boot will always be optional.
replies(1): >>43518779 #
5. theandrewbailey ◴[] No.43515221[source]
I was under the impression that Secure Boot was a lot of the reason behind Windows 11's TPM 2.0 requirement.
replies(1): >>43515592 #
6. grishka ◴[] No.43515592[source]
That requirement isn't technical though. It's purely a marketing one. You can still install Windows 11 on a TPM-less machine and, for all intents and purposes, it'll work just fine.
7. bitwize ◴[] No.43516349[source]
Who decided that secure boot can't be made mandatory on x86 systems?

Microsoft.

They can reverse their decision at any time. Inasmuch as you are able to boot Linux on your PC, it's only because Microsoft deigns to allow it.

replies(1): >>43517449 #
8. charcircuit ◴[] No.43517449[source]
>only because Microsoft deigns to allow it

Other operating systems could still collaborate with manufacturers to have their key be trusted.

replies(1): >>43519341 #
9. throwaway48476 ◴[] No.43518779{3}[source]
Secure boot will not always remain optional for Windows.
replies(1): >>43519155 #
10. grishka ◴[] No.43519155{4}[source]
And how could that possibly be enforced?
replies(1): >>43522235 #
11. bitwize ◴[] No.43519341{3}[source]
But manufacturers won't cooperate. One OEM (Asus?) once cited a price of like $16M to trust one key. The price for Microsoft is nothing because Microsoft can say "trust our keys or lose Windows certification".
12. throwaway48476 ◴[] No.43522235{5}[source]
Same way it works for anti-cheat.
replies(1): >>43523199 #
13. grishka ◴[] No.43523199{6}[source]
The whole point of anti-cheat is to provide some sort of proof to a game server that your client is unmodified. What would be the server in this case?
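
Added example, not part of any comment in the thread: a minimal model of the remote attestation exchange the discussion turns on, showing that the accept/reject decision is made by a server that holds the expected boot measurement. All names and component values are hypothetical and constructed, and HMAC with a shared key stands in for the asymmetric signature a hardware-held attestation key would produce.

```python
import hashlib
import hmac
import secrets

# Constructed values: DEVICE_KEY stands in for a hardware-held attestation key.
DEVICE_KEY = secrets.token_bytes(32)
BOOT_CHAIN = [b"firmware-v1", b"bootloader-v1", b"kernel-v1"]

def extend(register: bytes, component: bytes) -> bytes:
    """PCR-style extend: new = SHA-256(old || SHA-256(component))."""
    return hashlib.sha256(register + hashlib.sha256(component).digest()).digest()

def measure(chain) -> bytes:
    """Fold every boot component, in order, into one 32-byte measurement."""
    register = bytes(32)
    for component in chain:
        register = extend(register, component)
    return register

def quote(key: bytes, chain, nonce: bytes):
    """Client side: report the measurement, authenticated with the server's nonce."""
    measurement = measure(chain)
    tag = hmac.new(key, measurement + nonce, hashlib.sha256).digest()
    return measurement, tag

class Verifier:
    """Server side: issues one-time nonces and checks quotes against a known-good value."""

    def __init__(self, key: bytes, expected: bytes):
        self.key = key
        self.expected = expected
        self.pending = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce)
        return nonce

    def verify(self, nonce: bytes, measurement: bytes, tag: bytes) -> str:
        if nonce not in self.pending:
            return "rejected: unknown or replayed nonce"
        self.pending.discard(nonce)  # each nonce is valid for one quote only
        good = hmac.new(self.key, measurement + nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(good, tag):
            return "rejected: bad quote authentication"
        if not hmac.compare_digest(measurement, self.expected):
            return "rejected: boot chain differs from expected"
        return "accepted"
```

Every check lives in `Verifier.verify`, which runs on the server; without a service the client depends on, nothing in this exchange is in a position to refuse a modified boot chain.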