> hey only allow software from Microsoft, not signed by them for third parties.
Not the entire picture here: that option is part of a more holistic set of measures Microsoft calls Device Guard (part of Secured Core).
> it has no real use, except maybe delaying an attacker by a few seconds (and then again, that attacker won't access any data, so…).
It does prevent potential abuse of the signed shim that's not very difficult to get signed by. E.g. nobody can install the signed shim to rootkit a Windows installation.
> It does prevent potential abuse of the signed shim that's not very difficult to get signed by. E.g. nobody can install the signed shim to rootkit a Windows installation.
How would that work if combined with FDE + TPM?
For the average user, FDE is unlikely to be enabled by default. But yes, Secure Boot's measurements with BitLocker would prevent this as well.
Though seeing a recovery screen will not inform you that your bootloader has been tampered with and by entering a recovery key you're basically authorizing the malware to run.
Without FDE, modification of the file system to create autoruns and system services is so easy that you wouldn't need to go through the effort of using a bootloader. Just pop out the storage device or boot a Windows install disk and run some software.
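The reply above says Secure Boot's measurements combined with BitLocker would catch a swapped bootloader. The mechanism is the TPM's PCR extend: each boot stage hashes the next component into a platform configuration register, and the disk key is sealed to the expected register value, so a modified boot manager produces a different PCR and the TPM refuses to release the key (which is why the user lands on the recovery screen). The block below is an added toy model of that chain, not code from this thread or from Microsoft; the boot images, the sealing construction and the function names are constructed for illustration and stand in for a real TPM's policy check.

```python
import hashlib
import hmac
import os

# Constructed stand-ins for what firmware measures before transferring control.
# Hypothetical byte strings, not real boot images or real PCR contents.
FIRMWARE_CONFIG = b"constructed: Secure Boot policy, db/dbx contents"
GOOD_BOOTLOADER = b"constructed: genuine Windows boot manager image"
TAMPERED_BOOTLOADER = b"constructed: boot manager image with one byte changed"

PCR_INITIAL = bytes(32)  # SHA-256 bank PCRs start at all zeros after reset


def pcr_extend(pcr: bytes, event_data: bytes) -> bytes:
    """One TPM 2.0 PCR extend: PCR' = SHA-256(PCR || SHA-256(event_data))."""
    event_digest = hashlib.sha256(event_data).digest()
    return hashlib.sha256(pcr + event_digest).digest()


def measure_boot_chain(events) -> bytes:
    """Replay the boot-time event sequence and return the final PCR value.

    Order matters: the same components measured in a different order
    yield a different register value.
    """
    pcr = PCR_INITIAL
    for event in events:
        pcr = pcr_extend(pcr, event)
    return pcr


def seal_key(volume_key: bytes, expected_pcr: bytes) -> dict:
    """Toy model of TPM sealing (hypothetical construction, not the real TPM
    protocol): wrap the volume key under a value derived from the expected
    PCR and authenticate the wrapped blob with an HMAC."""
    wrap = hashlib.sha256(b"demo-seal|" + expected_pcr).digest()
    wrapped = bytes(a ^ b for a, b in zip(volume_key, wrap))
    tag = hmac.new(wrap, wrapped, "sha256").digest()
    return {"wrapped": wrapped, "tag": tag}


def unseal_key(blob: dict, current_pcr: bytes):
    """Release the volume key only if the current PCR matches the one the
    blob was sealed to; otherwise return None (the recovery-key path)."""
    wrap = hashlib.sha256(b"demo-seal|" + current_pcr).digest()
    expected_tag = hmac.new(wrap, blob["wrapped"], "sha256").digest()
    if not hmac.compare_digest(expected_tag, blob["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(blob["wrapped"], wrap))


def boot_and_unlock(blob: dict, bootloader: bytes) -> bool:
    """Simulate a boot: measure firmware config then the bootloader, then ask
    the (toy) TPM for the disk key. True means the volume unlocked silently."""
    pcr = measure_boot_chain([FIRMWARE_CONFIG, bootloader])
    return unseal_key(blob, pcr) is not None


if __name__ == "__main__":
    volume_key = os.urandom(32)  # constructed 256-bit disk key
    trusted_pcr = measure_boot_chain([FIRMWARE_CONFIG, GOOD_BOOTLOADER])
    sealed = seal_key(volume_key, trusted_pcr)
    print("unmodified bootloader unlocks:", boot_and_unlock(sealed, GOOD_BOOTLOADER))
    print("tampered bootloader unlocks:  ", boot_and_unlock(sealed, TAMPERED_BOOTLOADER))
```

The second print shows the point made in the thread: the tampered image does not get the key, so the only way forward is the recovery key, and typing it in is the user overriding the measurement. A real BitLocker deployment binds to PCR 7 (Secure Boot state) and PCR 11 by default, and the TPM enforces the policy in hardware rather than via the HMAC shortcut used here.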