September 22, 2011
If you’re an OEM and you want the coveted Windows 8 logo on your new Windows 8 machines, you’re going to have to do a few things to satisfy Microsoft. No big deal, right? Just a few minimum RAM and CPU requirements, right? Not this time. According to some recently surfaced BUILD slides on Windows 8, machines now must use UEFI with “hardened boot” certificate authentication. And that might mean no alternative OSes can boot …
Brian Proffitt at ITWorld.com has a very lengthy and detailed explanation of what Windows 8 using UEFI and hardened boot means, but we’ll keep it really simple here. UEFI, for the uninitiated, is the Unified Extensible Firmware Interface, and like Apple’s computers (which use the UEFI platform and which boot very quickly), Windows 8 computers also will use the UEFI platform, which does away with the BIOS. The BIOS often bogs things down, since it exists to support a swath of legacy hardware and chipset needs. Since Windows 8 aims to push Windows beyond its current status, Microsoft believes the past must stay in the past, especially to achieve super-fast (and instant-on) boot times.
But what do super-fast boot times have to do with “hardened boot” and authentication on power-up? According to Microsoft’s BUILD slides from Arie van der Hoeven, the principal lead program manager for Microsoft, Windows 8 client computers are required to have this technology for their own protection. Straight from Hoeven’s slides:
Current issues with boot:
- Growing class of malware targets the boot path
- Often the only fix is to reinstall the operating system
UEFI and secure boot harden the boot process
- All firmware and software in the boot process must be signed by a trusted Certificate Authority (CA)
- Required for Windows 8 client
- Does not require a Trusted Platform Module (TPM)
- Reduces the likelihood of bootkits, rootkits and ransomware
It’s nice to know that Microsoft is combating security issues, but this certificate signing means that the version of Windows 8 you install on your Windows 8 machine can only come from the OEM from whom you purchased your computer. It also means installing any other operating system on that computer is basically impossible without (hypothetically) fudging the certification keys. In plain English, Microsoft has devised a way to ensure that once a Windows 8 computer is purchased, Windows 8 will be the only OS to ever run on it.
What does this mean for VARs and partners of computer manufacturing companies such as Dell and Lenovo? It means that customers will not be able to install anything other than the OEM version of Windows 8 on their machines, if you, the partner, are selling them a “certified” Windows 8 computer. It also means licensing will be much more tightly controlled, thanks to the certificate authority authentication. If customers are looking for flexibility, they may want to buy “older” Windows 7 machines and manually upgrade to Windows 8 to ensure old PCs can continue to be repurposed after they’ve outlived Windows 8. Conversely, VARs can always just build a fleet of their own computers and install and update them as needed.
There is one other way: Proffitt discusses how Red Hat’s Matthew Garrett uncovered the majority of these Windows 8 issues, but Garrett believes OEMs can include an option to disable full certification and authentication to allow users more freedom with what they install on their machines. That could mean users can boot Linux, but not Windows 8. To boot back into Windows 8, the user would likely have to flip on their security switch. Windows 8-certified machines are still about a year off, and it will be interesting to see how OEM vendors work with partners to ensure customers are happy and comfortable with their purchases.
Here’s my spin on this: Other than blocking out alternative operating systems, Microsoft and OEM vendors stand to gain some substantial cash from this lockdown — sort of. Many PCs are often cheaper than Apple alternatives for a multitude of reasons, one of which is bundled third-party “bloatware.” With the Windows 8-certified machine locked down to reinstall only the OEM-certified version of Windows 8 that shipped with the machine, the bloatware essentially always will be packaged. This eliminates those people who buy super-cheap PCs, wipe them clean and install Linux or their own version of Windows, and it extends the “value proposition” of a third party bundling its software with an OEM.
But don’t let all the fear, uncertainty and doubt get to you. Let’s hope for the best, prepare for the lockdown, and see where OEMs and Microsoft take the world with Windows 8. At the very least, it’ll be interesting.