We need to talk about TPM and Windows (and will do, later).https://twitter.com/jonasLyk/status/1424096404654465024 …
Show this thread
but it is super confusing what secure boot is there to protect against, if you have it enabled you cannot enable kernel debug, if kernel debug is enabled when you enable secure boot its removed. Why would it be ok if selected during boot then?
-
-
You can though bcdedit /import settings that enable kernel debug while secure boot is enabled - but then you cannot start the machine... I can though enable flightsigning even when its enabled...
-
So Windows 11 now won't allow you to enable kernel debugging/test signing if secure boot is enforced through the advanced boot menu? But you get it back through some BCD mods? That would be annoying :-)
- Show replies
New conversation -
-
-
It’s not confusing at all
-
SecureBoot is designed (partly) to protect against a post-boot OS component achieving preboot persistence. A user with a physical presence check can obviously debug their system — they can equally go in the BIOS and turn secure boot off. The threat model is very crisp.
- Show replies
New conversation -
-
-
Windows 10 is not a DRM solution. Thank
$deity, you (device owner with physical presence) still control UEFI settings and (as Administrator) can turn off anti-malware/anti-tamper/security settings. TPM settings - please look up "PPI".Thanks. Twitter will use this to make your timeline better. UndoUndo
-
-
-
Thanks. Twitter will use this to make your timeline better. UndoUndo
-
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.