Microsoft Secure Boot vs live Linux OS

[Bagels]

Like to try out different operating systems? Brief cautionary tale from a novice here:

I had heard about Secure Boot causing problems with dual booting in The Verge, but I’d forgotten. Just wanted to try out a live USB of Puppy Linux (bookworm pup). That all went well except that first I had to disable Secure Boot.
An AI walked me through it and eventually I got the arrow keys working and a cursor eventually appeared on the Bios screen.

Linux loaded and I had a good time testing everything out. I shut down and then restarted the computer, only to find a scary Bitlocker recovery screen.

— it’s a good idea to have your Microsoft password handy. I had it in a password keeper. I’ve never really used it. Haven’t had a windows pc for years until recently.

— I logged into Microsoft and got an obnoxiously long recovery key. it’s clear that they don’t want you messing around with dual booting or even temporarily booting with a usb.

Edit: https://en.wikipedia.org/wiki/UEFI#Secure_Boot_2

— I had to reset my PIN and was warned that “data saved by organizations may be erased.” I suppose they mean passkeys. I was afraid that my computer was going to be compelely factory reset but it was otherwise intact. I’ll probably have to redo the fingerprint reader, which only works until the next Windows update anyway. But, my files were intact.

What I don’t know is if I’m going to have to re-enable that secure boot every single time. Hopefully they turned it back on for me and left it that way. I’m never rebooting again. Don’t want to find out. And, I don’t know that I’d have much of a chance to get to the Bios screen from the Bitlocker screen.

In the meantime, maybe it’s best to try out live USB’s on computers that are too old to have secure boot.

[enad]

Like to try out different operating systems? Brief cautionary tale from a novice here:

I had heard about Secure Boot causing problems with dual booting in The Verge, but I’d forgotten. Just wanted to try out a live USB of Puppy Linux (bookworm pup). That all went well except that first I had to disable Secure Boot.
An AI walked me through it and eventually I got the arrow keys working and a cursor eventually appeared on the Bios screen.

Linux loaded and I had a good time testing everything out. I shut down and then restarted the computer, only to find a scary Bitlocker recovery screen.

— it’s a good idea to have your Microsoft password handy. I had it in a password keeper. I’ve never really used it. Haven’t had a windows pc for years until recently.

— I logged into Microsoft and got an obnoxiously long recovery key. it’s clear that they don’t want you messing around with dual booting or even temporarily booting with a usb.

— I had to reset my PIN and was warned that “data saved by organizations may be erased.” I suppose they mean passkeys. I was afraid that my computer was going to be completely factory reset but it was otherwise intact. I’ll probably have to redo the fingerprint reader, which only works until the next Windows update anyway. But, my files were intact.

What I don’t know is if I’m going to have to re-enable that secure boot every single time. Hopefully they turned it back on for me and left it that way. I’m never rebooting again. Don’t want to find out. And, I don’t know that I’d have much of a chance to get to the Bios screen from the Bitlocker screen.

In the meantime, maybe it’s best to try out live USB’s on computers that are too old to have secure boot.

Is your goal to move away from Windows into Linux, or stay in Windows and play/learn about Linux?

Whichever one you choose to be your primary OS, you can install Oracle's Virtualbox software and create a virtual machine of the other, enable bi-directional drag & drop and create a shared folder.

[bombcar]

I saw some clearance laptops at Walmart for $100 or so. If you want to play with Linux, might as well just get a dedicated machine to fart around on.

[Makefile]

It isn't just a Windows vs. Linux issue but a combination of several factors. Windows 11 aggressively pushes a Microsoft account unless you make modified install media to avoid one, and once you sign up for one, automatically enables BitLocker (encrypting your hard drive) and escrows the key on Microsoft servers. A readily-accessible version of the BitLocker key is stored locally in your TPM so that you don't have to use the recovery key on every boot. The TPM has technology (called a PCR) to sniff out any changes to the running operating system, like a pinball machine's tilt switch, and booting an entirely different OS from removable media is a huge such change, and it wipes itself. If it didn't do this, you could overcome BitLocker just by booting (Windows, even) from USB and then peeking at the C: drive.

Since unfortunate coincidental timing of needing this key while banned from your Microsoft account could in theory result in losing all data off the machine, backups are more important than ever given this "too close to ransomware for comfort" default behavior.

[Bagels]

Is your goal to move away from Windows into Linux, or stay in Windows and play/learn about Linux?

While *my* goal is to keep one PC with Windows in case I need it to help a relative with something over the phone, I have noticed a lot of recommendations for trying out Mint on live USB’s or CD’s and I just thought my fellow novices should know what they’re getting into if they have a fairly new PC.

Unless it was made for Linux in the first place.

Whichever one you choose to be your primary OS, you can install Oracle's Virtualbox software and create a virtual machine of the other, enable bi-directional drag & drop and create a shared folder.

I did use that once upon a time. It seemed limited. Maybe it was something else with the word “box” in it.

[Bagels]

I saw some clearance laptops at Walmart for $100 or so. If you want to play with Linux, might as well just get a dedicated machine to fart around on.

Absolutely. In my case it’s going to be a laptop that’s old and already has Linux on it. I’ll leave the new Windows machine for Win11 and wsl2.

[Bagels]

It isn't just a Windows vs. Linux issue but a combination of several factors. Windows 11 aggressively pushes a Microsoft account unless you make modified install media to avoid one, and once you sign up for one, automatically enables BitLocker (encrypting your hard drive) and escrows the key on Microsoft servers.
…
backups are more important than ever given this "too close to ransomware for comfort" default behavior.

That’s good info, thank you.
Escrow is the perfect word. And yes, it does feel like ransomware!
TPM — for my fellow beginners - https://en.wikipedia.org/wiki/Trusted_Platform_Module

[Makefile]

Escrow is the perfect word. And yes, it does feel like ransomware!

The idea is the "lost laptop" problem is a bigger security issue than the risk that you will need the key while locked out of your Microsoft account.
Highly likely true, but it does seem like an "informed consent" issue.

[SnowBog]

— I logged into Microsoft and got an obnoxiously long recovery key. it’s clear that they don’t want you messing around with dual booting or even temporarily booting with a usb.

FWIW - Secure Boot is a safety/security feature. IMHO telling someone to "use an older - and thus less secure - computer" isn't great advice...

If it helps understand it, think of it this way... Most "security" programs on computers run after the operating system is running. The time between "turning on" the computer and the "security program" running - is in effect - "unprotected."

More specifically, some types of computer malware specifically targeted the "boot process" - to get a foothold before security programs could catch/stop them.

Secure Boot is an attempt to help protect you from these situations. It does so by "comparing" that boot environment, and noticing "differences" that could be a sign of issues.

Unfortunately, there's no way for it to delineate between a potentially OK thing like you choosing to boot into another OS (like Linux) vs. malware. Ultimate both "alter" the boot process - which forces the protection/recovery...

IMHO that's a "good thing" - not a "bad" thing.

[SnowBog]

It isn't just a Windows vs. Linux issue but a combination of several factors. Windows 11 aggressively pushes a Microsoft account unless you make modified install media to avoid one, and once you sign up for one, automatically enables BitLocker (encrypting your hard drive) and escrows the key on Microsoft servers.
…
backups are more important than ever given this "too close to ransomware for comfort" default behavior.

That’s good info, thank you.
Escrow is the perfect word. And yes, it does feel like ransomware!
TPM — for my fellow beginners - https://en.wikipedia.org/wiki/Trusted_Platform_Module

I'd like to think that was sarcasm... "Too close for ransomware", really?

As noted above, Secure Boot is a good thing... BitLocker drive encryption is a good thing... Requiring someone to use a recovery key to validate they have proper access to the data is a good thing... (But yes, a potentially "painful" thing - as few people have done so and might struggle doing so the first time they are required to do so.)

Saving a copy of the recover key associated with your Microsoft account is arguably a good thing (so long as you aren't just generically still paranoid about "all things cloud"). Before they did so - almost no one actually bothered to save their recovery key - which meant they actually did lose their local data on the machine. I've had data recoverable from many machines - expressly because Microsoft saved my butt by saving a copy of that recovery key for me...

And "locking yourself out of your account", people should be setting up more than 1 way to authenticate. Personally, I can use their Authenticator app, a passkey saved on my mobile device, a passkey saved on my laptop(s), a FIDO key, get a code to my cell phone, get a code to a recovery email, etc. If I lock myself out of all of those (or never setup a recovery method) - that's not Microsoft's fault... https://support.microsoft.com/en-us/acc ... _LearnMore

And as for backups - sure they can be useful, can't deny that... But again, "human nature" comes into play. A backup is only as good as someone's process... If you don't do frequent backups, you risk losing more data... If you don't have an "offsite" (or cloud) backup, you risk losing everything in the event of a fire/flood/etc. that destroys your location. Despite my higher-than-average technical skill, my "knowing" that backups were important, my repeated attempts to automate the processes - short of paying for a backup service to do this for me in an automated fashion including "offsite" (cloud) storage - everything else was "theater" (not real protection).

I've since moved anything I care about into OneDrive - so I no longer care if my local machine's data is lost/wiped/etc., no longer need to rely on a 3rd party backup solution (OneDrive is in effect that backup solution - although admittedly not a "true" backup - more resilient storage across all my devices).

IMHO what they do is about the furthest thing away from ransomware I can think of... In fact, those things protect you from ransomware on multiple fronts...

[Bagels]

— I logged into Microsoft and got an obnoxiously long recovery key. it’s clear that they don’t want you messing around with dual booting or even temporarily booting with a usb.

FWIW - Secure Boot is a safety/security feature. IMHO telling someone to "use an older - and thus less secure - computer" isn't great advice...
...

Fair enough. I mean, it's got "Secure" in the name, so it's pretty obvious. But your point is well taken: when speaking explicitly to fellow beginners, I shouldn't be so casual in the context of trying out new operating systems.

- To maintain security on a Windows pc, it may be best to use wsl2 (Windows Subystem for Linux). No need to dual boot or boot from anything external, no need to disable secure boot, and it works well.

- To eliminate the hassle of Secure Boot (yes, it's a "good thing") when trying out whatever flavor of Linux one wants, another option could be a dedicated vendor of hardware built for Linux, something Microsoft hasn't touched.

- Then, for us careless types, there's the old, used machine.

[Makefile]

It's not even Secure Boot that is the issue. You can use Linux with Secure Boot turned on. But you can't just keep booting alternate OSes and not expect the TPM to step in to block the other OS from accessing the BitLocker key.

[techbud]

If your goal is to try out other operating systems, you should look into using virtual machine software such as HyperV, VMware, or VirtualBox. IMHO, there’s little reason to dual boot these days. As you encountered, it’s too easy to corrupt your primary environment when trying to dual boot.

[SnowBog]

- To eliminate the hassle of Secure Boot (yes, it's a "good thing") when trying out whatever flavor of Linux one wants, another option could be a dedicated vendor of hardware built for Linux, something Microsoft hasn't touched.

To my knowledge, there isn't a "dedicated vendor of hardware built for Linux." And by extension, Microsoft isn't really a hardware company, beyond their limited Surface offerings...

Most of the hardware made is from the likes of Dell, Lenovo, HP, etc. I guess I haven't looked if any sell a pre-configured Linux device before... Did find this on a quick search: https://hpdevone.com/linux-laptop

But I think this is more a thing of "if you want to play with something - do it the right way."

Secure Boot is compatible with Linux - but you can't just grab a random distribution and "try it out", at least not without risking what you ran into. https://linuxsecurity.com/news/cryptogr ... ecure-boot

If you want to "experiment", as others have mentioned running a virtual machine "within" your primary environment is probably the simplest. It doesn't require any major changes to your primary environment. If it's more "permanent", then the Linux sub-system might make more sense - but given that requires a bit more "setup", probably not the thing someone just wanting to "try something out" would start with. https://www.geeksforgeeks.org/how-to-ru ... n-windows/

[Bagels]

It's not even Secure Boot that is the issue. You can use Linux with Secure Boot turned on. But you can't just keep booting alternate OSes and not expect the TPM to step in to block the other OS from accessing the BitLocker key.

That would make sense to people who are already well experienced, already know what a TPM is, and already know what a BitLocker key is. People who don’t know what these things are aren’t expecting anything, because they don’t exist yet.

This was just a case of learning by doing.

I really don’t have many files on my Windows machine, which is why I was willing to take the risk. At most, I’d be redownloading some programs into wsl. Tedious, but not too many personal files lost. (but yes, the possibility of starting from scratch did make my heart race just the same).

[SnowBog]

If your goal is to try out other operating systems, you should look into using virtual machine software such as HyperV, VMware, or VirtualBox. IMHO, there’s little reason to dual boot these days. As you encountered, it’s too easy to corrupt your primary environment when trying to dual boot.

For anyone unfamiliar, HyperV is Microsoft's VM platform, which is built-in to Windows, thus "free" to use.

For anyone unfamiliar with a Virtual Machine - think a "machine within a machine." Assuming the primary device runs Windows, you can "start a VM" - which is basically like starting a 2nd computer "within" your existing computer. That lets you try out new things, new OS's (like different Linux distributions, even different Windows versions), etc. Here's a guide on setting up a Linux distro in the "free" HyperV platform. https://documentation.ubuntu.com/server ... index.html

Of note - doing this wouldn't have requiring making a bootable USB drive, would have triggered issues with Secure Boot, wouldn't have required any "recovery" steps. Much cleaner and simpler and faster (for experimenting)...

[Bagels]

- To eliminate the hassle of Secure Boot (yes, it's a "good thing") when trying out whatever flavor of Linux one wants, another option could be a dedicated vendor of hardware built for Linux, something Microsoft hasn't touched.

To my knowledge, there isn't a "dedicated vendor of hardware built for Linux."
..

Oh, there are many, Snowbug. I mean, one could get pedantic and say the components are often produced in a factory in China and can run any OS, but that would be miles from the point.

There are many companies that assemble hardware and sell it to you with your choice of Linux or just with nothng loaded on it. Some have been mentioned on the forum. System76 is one. They even put their own OS on it. (PopOS. It’s got mixed reviews). I think System76 is at least assembled in the U.S.

When I first tried Linux in the mid-aughts there was a hardware conflict with a laptop that’s was born to be a Windows machine, so I tried one of those dedicated vendors. That one is now defunct. But, there are plenty of others.

And by extension, Microsoft isn't really a hardware company, beyond their limited Surface offerings...

Right, but they may as well be. Outside of Mac, vendors by and large put together PCs to run Windows. (I don’t mean servers).
Dell had Linux-friendly machines for a few years but there was a time when you could buy a Windows PC, put linux on it, and find out that it wasn’t too friendly — trying to get the wi-fi to work, even with a dongle, was an uphill battle.

Aside from the Secure Boot unpleasantries, Bookworm Pup was a breeze. There were 5 tools just for wi-fi and the first one I chose just set it up instantly.

[Makefile]

It's not even Secure Boot that is the issue. You can use Linux with Secure Boot turned on. But you can't just keep booting alternate OSes and not expect the TPM to step in to block the other OS from accessing the BitLocker key.

That would make sense to people who are already well experienced, already koew what a TPM was, and already know what a BitLocker key is. People who don’t know what these things are aren’t expecting anything, because they don’t exist yet.

This was just a case of learning by doing.

I really don’t have many files on my Windows machine, which is why I was willing to take the risk. At most, I’d be redownloading some programs into wsl. Tedious, but not too many personal files lost. (but yes, the possibility of starting from scratch did make my heart race just the same).

Yes, every Linux install guide has urged a full backup for decades (due to the potential for a partitioning accident), but even more important nowadays is to double check the Microsoft account situation before beginning due to everything discussed in the thread.

Also, you could have backed up the BitLocker key to USB media before starting, which would've saved you from having to deal with getting into the Microsoft account and hand typing a recovery key. All non-enterprise Windows users should do that, whether experimenting with Linux or not. It's the new emergency boot disk.

[Bagels]

Also, you could have backed up the BitLocker key to USB media before starting

That’s a good idea. I may even have such a usb stick in my strongbox and forgot about it. It was great to find my password in my password keeper, but it would be even better to have a note in said keeper telling me where the usb drive is with that long key on it.

[Bagels]

I should just add that all my important files are on a Mac, backed up on an external drive, and are also in a secure place in the cloud. I doubt that the average person who tries out new operating systems is as scatterbrained as I am, but when it comes to file storage I did do a lot of planning.

I also use antivirus software and am very careful about disk partitioning, even though it’s easier than it used to be.

I just didn’t count on Microsoft locking me out of my computer, even temporarily.

[Makefile]

I should just add that all my important files are on a Mac, backed up on an external drive, and are also in a secure place in the cloud. I doubt that the average person who tries out new operating systems is as scatterbrained as I am, but when it comes to file storage I did do a lot of planning.

I also use antivirus software and am very careful about disk partitioning, even though it’s easier than it used to be.

I just didn’t count on Microsoft locking me out of my computer, even temporarily.

I understand and I agree.
Compromised data off a lost laptop is a real problem. It happens all the time. It's a source of identity theft. That's what BitLocker-by-default is supposed to help. But the computer industry's attitude of "we know what's best" and that computers have to be so oversimplified that the crash screen is reduced to emoticons, rather than explaining to the presumably-intelligent user why it's so important that BitLocker be on and what their responsibilities are before they "accept" the default setting of it being on, and that the user is too stupid to have any control over that, grates on me too.

Thankfully, I don't get asked to work on relative's computer's anymore. But you can imagine:
"My computer won't start and keeps asking for some key."
"Oh. You need to log in to your Microsoft account."
"My what? Is that MozillaFox?"
"Sorry. It's between you and Microsoft now."

[Bagels]

"Oh. You need to log in to your Microsoft account."
"My what? Is that MozillaFox?"
"Sorry. It's between you and Microsoft now."

I have to admit, I didn't miss having a PC because I could truthfully claim ignorance on all Windows matters. Now that my parents are very elderly I'm just going to give it my all, make them comfortable. (If I had the skills I'd give them Linux computers and maintain them. Maybe in the next life).

But, making this thread was well worth it to get your comments, as well as advice and opions from others. I've learned a lot, and did it free from the things I don't like on computer forums.

[enad]

While *my* goal is to keep one PC with Windows in case I need it to help a relative with something over the phone, I have noticed a lot of recommendations for trying out Mint on live USB’s or CD’s and I just thought my fellow novices should know what they’re getting into if they have a fairly new PC. Unless it was made for Linux in the first place.

I did use that once upon a time. It seemed limited. Maybe it was something else with the word “box” in it.

We run Linux Mint on all of our computers/laptops and on many Linux machines run Oracle's Virtualbox software with Windows running in a virtual machine. When running a Windows virtual machine, network access to the internet is disabled by default and we only turn it on around tax time to run the desktop version of Turbotax. Dual booting with windows was much easier in the past but nowadays an update from Microsoft can break dual boot. Office and TurboTax work great in a Windows virtual machine.

Have you tried Teamviewer to help friends or relatives? Once the application is downloaded by the person you're trying to help, they can run it without actually installing it and then you can remote into their machine to help them out (assuming they can boot).

[meebers]

The way I do Windows/linux is to use a separate drive via one of the front panel slide out trays. Take Windows ssd out, put the linux ssd in. Done using Linux, swap the Windows drive in. No interference between systems. Currently running W12 or Mint. I also have an ssd with chrome on it that can be used.

[BolderBoy]

Have you tried Teamviewer to help friends or relatives? Once the application is downloaded by the person you're trying to help, they can run it without actually installing it and then you can remote into their machine to help them out (assuming they can boot).

For those technically inclined, I found Rustdesk https://rustdesk.com/ to be a superior and free alternative to Teamviewer. Just FYI.

[enad]

For those technically inclined, I found Rustdesk https://rustdesk.com/ to be a superior and free alternative to Teamviewer. Just FYI.

rustdesk is very controversial and may not be secure. Those who want to use it should evaluate for themselves if the risk is worth it or not i.e. google what are the risks to using rustdesk, or rustdesk controversy.

[hoofaman]

I wouldn't setup a dual boot Windows/Linux system, Windows like to mess up Linux bootloaders with random Windows updates.

Unless you game why use Windows at all anyway?

[enad]

I wouldn't setup a dual boot Windows/Linux system, Windows like to mess up Linux bootloaders with random Windows updates.

Unless you game why use Windows at all anyway?

I agree that dual booting is Windows/Linux often breaks nowadays.

As to your question, I have been using Microsoft Office for more than 40 years. I have written many macros that just don't work in LibraOffice and for me it's not worth the effort to try and make my spreadsheets work, plus I am getting set in my ways. So for me Windows is still required and having it run in a Virtual machine gives me the best of both world. I can control internet access to the virtual machine. For those that can remember it's sort of like running XP MODE in Windows 7 but without any of the headaches

[Bagels]

Have you tried Teamviewer to help friends or relatives?

Interestingly, you’re the second person to recommend it to me. I may have to give it a shot.
I’d be the second person to remote into Dad’s computer, the first being a scammer from India who claimed to be fixing a problem with Windows.

[Bagels]

The way I do Windows/linux is to use a separate drive via one of the front panel slide out trays. Take Windows ssd out, put the linux ssd in. Done using Linux, swap the Windows drive in. No interference between systems. Currently running W12 or Mint. I also have an ssd with chrome on it that can be used.

Brilliant. But where does the BIOS live? Isn’t it in the guts of the computer, staying there when you swap out the drive?
Or, does it leave you alone because it doesn’t have any Windows OS to talk to when it boots up?

[enad]

Have you tried Teamviewer to help friends or relatives?

Interestingly, you’re the second person to recommend it to me. I may have to give it a shot.
I’d be the second person to remote into Dad’s computer, the first being a scammer from India who claimed to be fixing a problem with Windows.

You'll like Teamviewer. I would get on the phone with friends and remote into their computer and help them out while catching up. Best of luck.

[enad]

The way I do Windows/linux is to use a separate drive via one of the front panel slide out trays. Take Windows ssd out, put the linux ssd in. Done using Linux, swap the Windows drive in. No interference between systems. Currently running W12 or Mint. I also have an ssd with chrome on it that can be used.

Brilliant. But where does the BIOS live? Isn’t it in the guts of the computer, staying there when you swap out the drive?
Or, does it leave you alone because it doesn’t have any Windows OS to talk to when it boots up?

Yes, the BIOS is in the guts of the computer i.e main board where the computer chip and memory reside. Linux can run with Secure Boot enabled and as long as you don't change any BIOS settings swapping out the Windows drive for a Linux drive should not interfere with Windows.

On one of our PC's (which is stand-alone i.e. not connected to the Internet) we use a SATA drive rack with removable trays that have SSD's in them. We can boot Windows XP, 7, 10, 11 or Linux Mint. We have specialized hardware that only works on Windows XP and a retail license of PhotoShop that runs on Windows 7. Windows 10 is rarely used (replaced by Windows 11). We disabled BitLocker on Windows 11 so that's not an issue.

[Bagels]

- To eliminate the hassle of Secure Boot (yes, it's a "good thing") when trying out whatever flavor of Linux one wants, another option could be a dedicated vendor of hardware built for Linux, something Microsoft hasn't touched.

To my knowledge, there isn't a "dedicated vendor of hardware built for Linux."

I had said there are many, but meant to come back and list some that are still operating:

System76 -- I think they're American
Starlab -- UK
TuxedoComputers -- Assembled in Germany

There are a few more that you can find by googling for a list, but I haven't really explored them yet.