Funny thing here is that the feature OP stumbled upon, Device Guard, does prevent quite a few different malware preinstallation methods. Including the infamous Lenovo one.
This is ridiculous. Lenovo controls all the preinstalled software as well as the drivers that are shipped with the device. Any of them could install a Superfish-like thing at any point.
They may control those parts, but Device Guard won't let you install most rootkits. Starting from Secure Boot and Virtualization Based Security and ending with Trusted Boot, the system should be capable of rejecting unsigned privileged components and remaining secure. Then an AV is probably capable of detecting and removing actual malware.
Superfish was not a kernel rootkit by any measure of the word. You just have to install a new CA and then an NDIS filter; neither of these is a rare or even a blocked operation, since they are required for preinstalled software such as drivers or even an AV. There would be absolutely no difference whether or not you used Secure Boot.
But worst of all: Superfish was actually _signed_ itself. MS has improved the level of vetting they do now, especially for kernel drivers, but how can anyone still claim with a straight face that a signature requirement from one CA specifically improves security against malware _from that CA_ (or its associates)?
> Superfish was not a kernel rootkit by any measure of the word.
I didn't say it was; you kind of ignored the context. The person I replied to was asking how they can trust that their Windows is genuine, and I replied to them that the feature causing a stir here does protect against some types of malware.
It's a fair assumption that the next thing akin to Superfish would try to implant itself deeper if given the chance; Device Guard does eliminate some of those ways.
> for preinstalled software such as drivers
If that driver is actually malicious, then Early-Launch Antimalware, alongside the kernel being protected, can get rid of it.
> There would be absolutely no difference on whether you used Secure Boot or not.
I wasn't talking exclusively about Secure Boot.
> But worst of all: Superfish was actually _signed_ itself.
Sure, now there's a toggle that won't trust some signatures that aren't as heavily vetted (amongst many other things). How is that "ridiculous" or "won't make a difference"? Are you just looking for a reason to argue?
> [Device Guard] does prevent quite a few different malware preinstallation methods. Including the infamous Lenovo one.
Which is the infamous Lenovo malware "preinstallation method"?
How would a signature system have prevented malware that was literally signed by Lenovo _and_ MS from being preinstalled on a Lenovo OEM image shipped with Lenovo hardware?
Yes, and I didn't call it a "kernel rootkit" as you said I did.
> How would a signature system have prevented malware that was literally signed by Lenovo _and_ MS from being preinstalled on a Lenovo OEM image?
Because AFAIK Device Guard sets limits on what WPBT can do. Not to mention it's likely that additional kernel and boot integrity helps against all types of malware.
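Since the whole back-and-forth above hinges on whether these protections are actually on, here is a way to check from an elevated PowerShell prompt. This is an added example, not code from the thread or from Microsoft: it reads the Win32_DeviceGuard CIM class and Confirm-SecureBootUEFI (both real, documented interfaces) and decodes the numeric status codes as Microsoft documents them. The WPBT check at the end uses the DisableWpbtExecution registry value from Microsoft's WPBT specification; the wpbbin.exe path is the location Windows uses for a firmware-supplied binary.

```powershell
# Added example: report Secure Boot, VBS/HVCI and code-integrity policy state
# on the local machine. Run from an elevated PowerShell prompt.

# Confirm-SecureBootUEFI returns $true/$false on UEFI firmware and throws on
# legacy BIOS boot, so treat the exception as "not applicable".
try {
    $secureBoot = Confirm-SecureBootUEFI
} catch {
    $secureBoot = 'N/A (legacy BIOS or not supported)'
}

# Device Guard / VBS state is exposed through the Win32_DeviceGuard CIM class.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard

# Codes documented by Microsoft for SecurityServicesConfigured/Running.
$serviceNames = @{
    0 = 'None'
    1 = 'Credential Guard'
    2 = 'Hypervisor-enforced Code Integrity (HVCI)'
    3 = 'System Guard Secure Launch'
    4 = 'SMM Firmware Measurement'
}
# VirtualizationBasedSecurityStatus codes.
$vbsStatus = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Running' }
# Code-integrity policy enforcement codes (same meaning for kernel and user mode).
$ciStatus  = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }

# WPBT: firmware can hand Windows a binary to run at boot. A vendor can block it
# with the documented DisableWpbtExecution value; wpbbin.exe is where a
# delivered binary ends up if one was executed.
$smKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$wpbtDisabled = (Get-ItemProperty -Path $smKey -ErrorAction SilentlyContinue).DisableWpbtExecution -eq 1
$wpbtBinarySeen = Test-Path (Join-Path $env:SystemRoot 'System32\wpbbin.exe')

[pscustomobject]@{
    SecureBoot                  = $secureBoot
    VirtualizationBasedSecurity = $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
    ServicesConfigured          = (@($dg.SecurityServicesConfigured) | ForEach-Object { $serviceNames[[int]$_] }) -join ', '
    ServicesRunning             = (@($dg.SecurityServicesRunning)    | ForEach-Object { $serviceNames[[int]$_] }) -join ', '
    KernelModeCIPolicy          = $ciStatus[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
    UserModeCIPolicy            = $ciStatus[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
    WpbtExecutionDisabled       = $wpbtDisabled
    WpbtBinaryPresent           = $wpbtBinarySeen
}
```

The interesting line for the argument above is ServicesRunning: a machine can have Secure Boot on and VBS "Enabled but not running" with no HVCI, in which case an unsigned or loosely-signed kernel driver is still loadable at runtime. A Secure Boot of $true by itself only says the firmware validated the boot chain up to the Windows loader.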
I do want to use Secure Boot and TPM2 (I do, currently). Just not with Windows. Why should Secure Boot be a Windows-exclusive feature? Until now, it wasn't.
> device guard and secure boot are different things, related, but different.
The problem is that it can have a potentially catastrophic impact. If the user enabled BitLocker and didn't save the recovery key (it will happen for mainstream users), he can lose his Windows drive when he tries Linux.
As I wrote above, another extra hop for those who would like to go off the beaten Windows path.
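The failure mode described above (BitLocker sealed to the TPM, boot path changed by a Linux install, no recovery key at hand) is avoidable with a few lines run from an elevated PowerShell prompt before touching the firmware or the EFI partition. This is an added example, not code from the thread; it uses the real BitLocker cmdlets (Get-BitLockerVolume, Add-BitLockerKeyProtector, Suspend-BitLocker). The drive letter C: and the D:\ backup path are assumptions to adjust.

```powershell
# Added example: back up the BitLocker recovery password for the Windows volume
# and suspend TPM protection for one reboot before changing the boot setup.
# Run from an elevated PowerShell prompt. $mount and $backupPath are assumptions.
$mount      = 'C:'
$backupPath = 'D:\bitlocker-recovery.txt'   # must NOT be on the encrypted volume

$vol = Get-BitLockerVolume -MountPoint $mount
if ($vol.ProtectionStatus -ne 'On') {
    Write-Output "BitLocker is not protecting $mount; nothing to do."
    return
}

# The TPM (or TPM+PIN) protector is what stops unlocking after a boot-path
# change. The RecoveryPassword protector is the 48-digit key that gets you in.
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) {
    # Many OEM setups only have a TPM protector plus a key escrowed to a
    # Microsoft account the user never looked at. Add a local one explicitly.
    $vol      = Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector
    $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

foreach ($p in $recovery) {
    Write-Output ("Protector {0}: {1}" -f $p.KeyProtectorId, $p.RecoveryPassword)
}
$recovery | Select-Object KeyProtectorId, RecoveryPassword | Out-File -FilePath $backupPath
Write-Output "Recovery password(s) written to $backupPath"

# Suspend protection for exactly one reboot so the firmware / boot-order change
# itself does not land in recovery. BitLocker re-arms automatically afterwards.
Suspend-BitLocker -MountPoint $mount -RebootCount 1
```

The suspension only covers the single reboot into the firmware setup or installer. Once a Linux bootloader is on the EFI partition the measured boot chain is permanently different, so the first Windows boot afterwards may still ask for the recovery password; that is exactly why the backup has to exist before, not after, the install.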
So they steal a different certificate from the same subject instead? (Both CAs are Microsoft's, and only Microsoft is signing.)
The default for years was to boot from external storage when the internal one is not bootable. To change it, you would have to change the boot priorities or manually use the built-in boot selector.
That's a message from the Windows installer. Normally you would have to remove the optical disc after the files are copied or change the boot order/devices when the first stage of the installation ends and the computer is rebooted. With this trick, you don't have to do anything.
It is legacy boot, not UEFI. And I vaguely remember that this message came from the boot loader on the CD, of all places. It was a convenience for the user, who forgot the CD in the drive.
A former work computer of mine (a Lenovo, too!) wouldn't boot one day. After some time trying to figure out the issue I discovered I'd left a (non-bootable) USB drive attached to the machine. Removed the drive and it booted fine.
Having said all that, this comment is all anecdotal, much like yours.
And you need that for recovery purposes, at least.