
The Surface Pro 3 you could. Just had to disable Secure Boot for setup, boot from a USB stick, and after installation you could re-enable it (assuming you had a Linux distribution that supports Secure Boot signing).

Obviously nobody outside of Microsoft will know if that remains true with the Surface Pro 4.




Secure Boot is always disable-able on x86. This has been true since Surface Pro 1.


The Windows 10 hardware certification permits the OEM to make Secure Boot not disablable. But the way the major distros work, they get a pre-bootloader signed with the Microsoft key through Microsoft's signing service, and that pre-bootloader contains a key permitting the chaining of the real bootloader, the kernel, signed with the distro key. So it's not a big problem.


Up till W8.1, the spec (https://msdn.microsoft.com/en-us/library/windows/hardware/jj...) explicitly requires the ability to disable Secure Boot:

    On non-ARM systems, the platform MUST implement the ability for a physically present user to select between two Secure Boot modes in firmware setup: "Custom" and "Standard". Custom Mode allows for more flexibility as specified in the following:
    ...
    B. If the user ends up deleting the PK then, upon exiting the Custom Mode firmware setup, the system is operating in Setup Mode with SecureBoot turned off.
    ...
    Enable/Disable Secure Boot. On non-ARM systems, it is required to implement the ability to disable Secure Boot via firmware setup. A physically present user must be allowed to disable Secure Boot via firmware setup without possession of PKpriv.

I can't find the doc for W10. Has the language changed? Can you link it?

The closest thing I found is https://msdn.microsoft.com/en-us/library/windows/hardware/dn... which isn't really a spec, but does say:

    For most PCs, you can disable Secure Boot through the PC’s firmware (BIOS) menus. For logo-certified Windows RT 8.1 and Windows RT PCs, Secure Boot is required to be configured so that it cannot be disabled.

which seems to imply that it is no longer a hard requirement for x86 unlike before.


I'm not finding an actual Windows 10 hardware certification requirement document. Yet Windows 10 is out and shipping pre-installed on hardware, so how can there not be a document somewhere?

"The precise final specs are not available yet, so all this is somewhat subject to change, but right now, Microsoft says that the switch to allow Secure Boot to be turned off is now optional. Hardware can be Designed for Windows 10 and can offer no way to opt out of the Secure Boot lock down." http://arstechnica.com/information-technology/2015/03/window...



