Microsoft half-bricks Asus Windows 7 PCs with UEFI boot glitch

A recent Windows 7 update partially bricks computers that have an Asus motherboard fitted, it emerged this week. Windows 7 machines that have installed Microsoft's KB3133977 update may trigger a "secure boot violation" during startup, preventing the PC from loading the operating system, Asus said. Though the KB3133977 patch …

  1. ADRM

    Secure boot

    Why would you even have secure boot enabled on a Windows 7 system? Three of my machines have ASUS Motherboards and Secure boot is disabled and other OS is selected. Enough of this nonsense Microsoft fecking with Windows 7 user base.

    1. Anonymous Coward
      Anonymous Coward

      @ADRM - Re: Secure boot

      Why would you even have secure boot enabled on a system? There, I've fixed it for you.

    2. diodesign (Written by Reg staff) Silver badge

      Re: Secure boot

      "Why would you even have secure boot enabled on a Windows 7 system?"

      It's supported by default on newer Asus motherboards but Windows 7 doesn't use it. The update makes the firmware think Secure Boot is supported by the operating system, but really the OS cannot/does not ultimately provide the signatures needed, so the boot fails.

      I suspect - and we're waiting for more info from Microsoft - that the updated BitLocker drive encryption code that loads before the OS is run is cocking up the process: the firmware believes it's booting a Secure Boot OS but it's really not. Possibly.

      C.

      1. Anonymous Coward
        Mushroom

        Re: Secure boot

        Hoisted by their own fucking petard. ---->

        Would this be the same "Microsoft" that had the gall to call Linux cancer, perchance?

        http://www.theregister.co.uk/2001/06/02/ballmer_linux_is_a_cancer/

      2. Anonymous Coward
        Anonymous Coward

        Re: Secure boot

        I have an Asus P9X79 Pro motherboard, and I installed on it Windows 7 a couple of years ago with the default secure boot settings (enabled) and it worked fine until I installed the update. Then the message stating the secure boot checks failed appeared.

        I sent The Register a mail about it days ago, before it became an update installed by default. There were already threads about it in Microsoft support forums, thereby Microsoft was well aware of it and I'm "very surprised" it decided to make it installed by default knowing it would have caused not a few PCs not to boot. Unless it was exactly another way to nag users to install Windows 10.

        Moreover, secure boot failure messages are not really very informative and helpful.

        BTW: the way you disable secure boot on Asus boards may depend on the model and UEFI interface.

        1. Mpeler
          Mushroom

          Re: Secure boot - jackboot, that is

          I'm "very surprised" it decided to make it installed by default knowing it would have caused not a few PCs not to boot.

          This is the "New Microsoft". Satan New Delhi doesn't care. Doesn't give a rip. Prepare to be a$$imilated...

    3. Anonymous Coward
      Anonymous Coward

      Re: Secure boot

      and so it begins

      1. Anonymous Coward
        Anonymous Coward

        Re: and so it begins

        Um, I think you'll find people have been posting without reading the article for years.

        This is about a feature that Asus put on old PCs. It is also about the grief MS get for trying to support relatively ancient systems (if you have an Android handset you know how quickly a machine can become outdated). It's not about MS trying to stop you installing Linux.

        1. Roo
          Windows

          Re: and so it begins

          "This is about a feature that Asus put on old PCs. It is also about the grief MS get for trying to support relatively ancient systems (if you have an Android handset you know how quickly a machine can become outdated). It's not about MS trying to stop you installing Linux."

          Fair point, but they clearly didn't do adequate regression testing and the guys doing the work clearly didn't understand the full implications of what they were up to. I would have thought a multibillion dollar multinational that took an active part in developing SecureBoot would be capable of getting this right before release. It's not as if they're short of skilled devs & cash to pay them.

        2. Anonymous Coward
          Anonymous Coward

          @AC - Re: and so it begins

          No, siree! An honest to God and trusted company like Microsoft would never dream of locking the PC hardware and prevent you from installing Linux. They are just trying to prevent you from installing anything but what they want you to have on their PC (I said their PC because with them controlling the boot process the computer is no longer yours).

        3. trapper

          Re: and so it begins

          No it isn't. You don't find a UEFI Bios on older machines. Mine was borked on a one-year-old ASUS mobo, courtesy of M$.

    4. Bob Vistakin
      Facepalm

      Gosh, Microsoft screws up an existing installation they found to be not running Windows 10.

    5. trapper

      Re: Secure boot

      Because the #$&^% board's BIOS sets itself up that way by default when installed. I know all too well - I was one of the ones borked by that stinking update and I had to haul out my laptop and Google furiously to discover what had happened and how to correct it.

      1. trapper

        Re: Secure boot

        Fixing the UEFI BIOS by disabling secure boot (setting it to "Other OS") worked, BUT:

        That still left me with two notices that appeared at boot, both of which I had to click through. One said, <Asus Setup C:\Users\******\AppData\Local\Temp\211540Log.iniis lost> and the other was identical except that it referenced 211241Log.iniis lost>.

        More Googling suggested entering Task Scheduler and deleting or disabling the i-21 entries. I did so and disabled them both; upon reboot both notices were gone and did not return. Whee! Note I went to Control Panel\Administrative Tools\Task Scheduler, not Task Manager.

    6. Lord_Beavis
      Linux

      Re: Secure boot

      Why would you even have Windows installed?

      There. Fixed it.

    7. TheVogon

      Re: Secure boot

      "A recent Windows 7 update partially bricks computers that have an Asus motherboard fitted, it emerged this week."

      Either it bricks them or it doesn't. Reading the article implies it does nothing of the sort. And it's not a Microsoft issue.

      "Microsoft half-bricks Asus Windows 7 PCs with UEFI boot glitch "

      So actually it's more like "Asus Windows 7 PCs fail to boot due to UEFI bios glitch" - but I guess that wouldn't get as many clicks?

    8. Mi Tasol

      Re: Secure boot

      The answer is simple - be like that California woman (see http://www.theregister.co.uk/2016/06/27/woman_microsoft_windows_10_upgrades/) and take them to the small claims tribunal where they are prohibited from sending along a lawyer (but make sure their representative has no legal training because you can be fairly sure that they will try that trick if they think they can get away with it).

      You are then on equal footing with one of their sales droids and in front of a judge who only has to decide on whether the "patch" was fit for purpose.

  2. hplasm
    Gimp

    MS Magic Roundabout...

    Here it comes again! Grit your teeth...

    1. This post has been deleted by its author

    2. Anonymous Coward
      Anonymous Coward

      Re: MS Magic Roundabout...

      Grit your teeth...

      Why? I think the music and flashing lights are rather good.

  3. Anonymous Coward
    Anonymous Coward

    Be very afraid!

    This kind of glitch will become more and more frequent from now. Microsoft said they will just stop the GWX nagging but not that they will stop pushing you to install Windows 10 by any other means.

    1. Geoffrey W

      Re: Be very afraid!

      Aha. So this is a deliberate shove by Slurp? They can't even wait till they turn off GWX and Windows 10 becomes un-free. Windows will have to be paid for then... That makes it blackmail! Those evil bastards!

    2. Anonymous Coward
      Anonymous Coward

      Re: Be very afraid!

      You mean like clean installs of Windows 7 that when you install updates, you end up with a borked Windows Update subsystem that takes major messing around to get working again.

      Seen this exact behaviour on about 20 rebuilds now. It happened around about the same time as windows 10 nagware propaganda started. It's as if they didn't want me trying to fix win7 windows update and install windows 10 instead.

  4. Len Goddard

    One way to get the punters to upgrade!

    title says it all

    1. YARR
      Joke

      Re: One way to get the punters to upgrade!

      It's one small cock up for Microsoft,

      One giant sales boost for the PC industry.

  5. Anonymous Coward
    Anonymous Coward

    and after disabling UEFI...

    ...install Ubuntu.....sorted!

    1. Mikey

      Re: and after disabling UEFI...

      Or... just carry on using Win 7 like before. That's the easiest option, I would say. No formatting, faffing with other software, drivers, patches, troubleshooting when your already present OS works fine.

      Occam's razor, and all that.

      1. Tom 7

        Re: and after disabling UEFI...

        I just got a brand new laptop and the manufacturers advised not to use Linux because the drivers might not be available - stuck the latest Xubuntu on it and everything works like a dream. There are a couple of proprietary drivers on offer but I haven't bothered to find out what they do to see if they're worth installing.

        Only heard of one machine with a driver problem under linux lately and that was where the bios/uefi had a bug so a quick update and sorted.

        1. John Brown (no body) Silver badge

          Re: and after disabling UEFI...

          "I just got a brand new laptop and the manufacturers advised not to use Linux because the drivers might not be available"

          That's just fscking laziness on the part of the manufacturer. What would it cost them to do a test install of a few popular Linux distros and maybe a couple of xBSDs and then advertise that such and such an OS, version x.x was tested and worked ok with all the inbuilt hardware. They don't have to care about updates or new/old drivers. Just that it worked with a specific version. They already do that with Windows and to a far greater extent so they can have the special permission from MS to put a sticker on the case.

          It may or may not generate lots of sales, but I bet it would at least generate enough to more than cover the day or two it would take to run some simple tests.

        2. Law

          Re: and after disabling UEFI...

          "Only heard of one machine with a driver problem under linux lately and that was where the bios/uefi had a bug so a quick update and sorted."

          I've got a recent Asus transformer (t100ha) that won't run Linux.... Yet.

    2. Geoffrey W

      Re: and after disabling UEFI...

      I like Linux but I'm careful who I say that to - I don't want them to think I'm like you or all the other Penguins you find in MS related threads

      1. kryptylomese

        Re: and after disabling UEFI...

        @Geoffrey

        "I like Linux but I'm careful who I say that to - I don't want them to think I'm like you or all the other Penguins you find in MS related threads"

        Too late - you have admitted it now! :)

    3. energystar
      Coffee/keyboard

      Re: and after disabling UEFI...

      You can't. Go get an old motherboard at the bazaar.

    4. Steve Davies 3 Silver badge

      Re: and after disabling UEFI...

      OR

      Install any other totally free OS

      This includes other Linux distros and the likes of FreeBSD.

      There is always an alternative to Windows that is not Ubuntu.

      1. dajames

        Re: and after disabling UEFI...

        There is always an alternative to Windows that is not Ubuntu.

        I thought it was quite refreshing to see something recommended other than Mint!

        1. Geoffrey W

          Re: and after disabling UEFI...

          RE: "I thought it was quite refreshing to see something recommended other than Mint!"

          It's hard to find something more refreshing than a Mint.

          1. davidp231
            Pint

            Re: and after disabling UEFI...

            One of these is shirley just as refreshing?

      2. Fred Goldstein

        Re: and after disabling UEFI...

        > There is always an alternative to Windows that is not Ubuntu.

        What a dumb statement. There's always an alternative to something if you don't need it. Like starving to death is an alternative to eating. But it's not a *good* substitute.

        Likewise, while there are other OSs besides Windows, there are a ton of valuable Windows applications that do not run on other OSs, and don't have compatible substitutes if even any substitutes. Since people who are not hermits and use their computers for work often have to share documents with Windows users, an incompatible "alternative" won't suffice, either.

        What would be nice is a genuine fully-compatible Windows substitute that could run all Windows applications, but Microsoft has gone to great lengths to make that virtually impossible. WINE is a cute toy but doesn't cut it in the real world of business computing.

        1. MrTuK

          Re: and after disabling UEFI...

          What's all with the negativity !

          Look, you are complaining that there is no alternative but you are not going to try any other OS?

          How do you think that MS became so popular, because people used it !

          Now you want a completely compatible OS to windows that can run all your Windows software etc, then use Windows and be damned !

          You state almost like it's factual that there are a ton of Windows applications that do not run on other OS's, well in a Windows VM running under Linux I dispute what you say !

          Also many businesses are capable of using the various Office software's that are available on Linux and there are several: Libre Office, WPS Office and several others. Here's a link for a review on Office software on Linux but you have to remember that it was done in 2013 and Linux has come on leaps and bounds since then. http://www.techradar.com/news/software/applications/best-office-suites-for-linux-5-reviewed-and-rated-1146417/1

      3. Chika
        Linux

        Re: and after disabling UEFI...

        There is always an alternative to Windows that is not Ubuntu.

        Agreed. How many times have I said it in the past...

        Linux is NOT Ubuntu. Nor is it Mint, RedHat, SUSE, Debian, Arch, Gentoo, Puppy, Slackware or any other distro you care to mention. If anything, distro evangelists do more damage than good when it comes to situations like this.

        1. Geoffrey W

          Re: and after disabling UEFI...

          RE: "distro evangelists do more damage"

          Evangelists of any flavour do damage to all around them including their cause. Even if Linux never ever ever becomes as huge as Windows <spit> it doesn't matter - It's still awesome for you in your little ideos cosmos!

  6. John Sanders
    Terminator

    What a nice os...

    What a nice OS you got there... it would be a shame if something happened to it...

  7. Rezillo

    This happened to me with a Z97-A mobo that had been happily working in UEFI mode with Windows 7 for a year. The answer given by Asus seems a bit extreme - to keep UEFI mode but disable secure boot, the Delete PK option deletes the Secure Boot keys - at least, I think that's what I did. The Asus menus didn't have a simple enable or disable secure boot option and it took a bit of digging in key management before I found an option that warned me secure boot would be disabled if I proceeded.

    I don't remember ever setting up a secure boot option when I built the PC but as it's not supported in Windows 7 and it booted, I assumed all was ok!

    1. TRT

      I had the same on my home PC a few weeks back. Hours of hair pulling to figure out what was wrong. Fixed it, then last week two "home-brew" number crunching machines at work (bought in from specialist builders and that moved to our centre with a research group) went the same way. The BIOS screens were vastly different from mobo to mobo though, making it hard to find exactly where to make the tweak - on mine it was under advanced boot settings, on the other two it was under security on one and advanced settings - key management on the other. Anyway my reputation as a miracle worker upheld.

      1. Rol

        Same happened to a friend's PC, however, the problem was blamed on a recently installed game, and hence hours of looking in all the wrong places.

        A quick internet search brought up a youtube video that hadn't got a tenth the way through its explanation, before the secure boot light bulb turned on.

        Never encountered it before, and yes my WIN 7 machine has it enabled too, but it is air-gapped from the net, and hasn't had any updates for years, hence it was a new one on me.

        Pity he saw me cribbing from the net, otherwise my genius status, would have risen a few notches.

        Still, as long as some friends continue to refuse to go down the Linux route, I can always count on getting free beer and snacks every other week, from despairing Microsofties.

  8. TJ1
    FAIL

    Seem to be missing some critical information

    If the mobo has Secure Boot enabled, that infers it'll boot in UEFI mode, which implies either an entry in the firmware's boot menu, or the boot device has a removable media (simple) boot path loader at /EFI/BOOT/BOOTx64.EFI in an EFI System Partition, and that the boot-loader has a signing certificate indicating it was signed by a key trusted by a Certificate Authority embedded in the firmware.

    It sounds as if the Asus firmware is doing something that isn't in the UEFI specification - namely when Secure Boot is enabled it isn't actually enabled so much as *optional* - if the initial boot-loader stub it reads doesn't have a signing certificate attached the firmware will boot with Secure Boot disabled.

    If the MS KB3133977 update contains a boot-loader that is signed that would trigger Secure-Boot mode, but when the next stage is loaded and is found not to be signed it throws the reported error.

    If this is correct then the Asus firmware could very easily mislead a user into believing a Secure Boot happened with an OS that does support Secure Boot when it didn't - any malware or physical intervention could replace the initial EFI stub with an unsigned version and the system would boot without a warning.

    I hope this hypothesis is proved wrong else that's a big security FAIL on Asus' part.

    If you're interested in the attack vectors I recommend reading this Intel & Phoenix "UEFI Secure Boot in Modern Computer Security Solutions" paper [0] and footnote 1 on page 7 and its reference 21 link to the Blackhat USA 2013 paper "A Tale of One Software Bypass of Windows 8 Secure Boot" [1].

    [0] http://www.uefi.org/sites/default/files/resources/UEFI_Secure_Boot_in_Modern_Computer_Security_Solutions_2013.pdf

    [1] http://www.c7zero.info/stuff/Windows8SecureBoot_Bulygin-Furtak-Bazhniuk_BHUSA2013.pdf
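An added example, not part of the comment above or of the article: TJ1's hypothesis turns on whether the boot-loader stub has a signature attached, and that can be checked structurally because an EFI binary is a PE/COFF image whose signatures live in its attribute certificate table. The function name `inspect_efi_image` and the sample image built by `build_sample` are constructed for illustration; the check reports only that a signature is present, not that any firmware key database would accept it.

```python
import struct

EFI_SUBSYSTEMS = {10: "EFI application", 11: "EFI boot service driver",
                  12: "EFI runtime driver"}
SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: attribute certificate table


def inspect_efi_image(data: bytes) -> dict:
    """Report whether a PE/COFF image targets UEFI and has a signature attached.

    Structural check only: the signature is not validated and nothing is said
    about whether a particular firmware would trust it.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)
    opt = pe_off + 24  # optional header follows the 20-byte COFF header
    if opt_size < 2 or opt + opt_size > len(data):
        raise ValueError("truncated optional header")
    (magic,) = struct.unpack_from("<H", data, opt)
    dirs_off = {0x10B: 96, 0x20B: 112}.get(magic)  # PE32 / PE32+
    if dirs_off is None or opt_size < dirs_off:
        raise ValueError("unsupported or truncated optional header")
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    (num_dirs,) = struct.unpack_from("<I", data, opt + dirs_off - 4)
    num_dirs = min(num_dirs, (opt_size - dirs_off) // 8)

    certs = []
    if num_dirs > SECURITY_DIR:
        # Unlike other directories, this entry holds a file offset, not an RVA.
        cert_off, cert_size = struct.unpack_from(
            "<II", data, opt + dirs_off + 8 * SECURITY_DIR)
        end = cert_off + cert_size
        if cert_size and end > len(data):
            raise ValueError("certificate table runs past end of file")
        pos = cert_off
        while cert_size and pos + 8 <= end:
            # WIN_CERTIFICATE: dwLength, wRevision, wCertificateType, payload
            length, revision, ctype = struct.unpack_from("<IHH", data, pos)
            if length < 8 or pos + length > end:
                raise ValueError("malformed WIN_CERTIFICATE entry")
            certs.append({"type": ctype, "revision": revision,
                          "size": length - 8})
            pos += (length + 7) & ~7  # entries are 8-byte aligned
    return {"efi_subsystem": EFI_SUBSYSTEMS.get(subsystem),
            "signed": bool(certs), "certificates": certs}


def build_sample(signed: bool) -> bytes:
    """Constructed minimal PE32+ header for the demo (not a bootable image)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x0022)
    opt = bytearray(240)                                       # 112 + 16 * 8
    struct.pack_into("<H", opt, 0, 0x20B)                      # PE32+ magic
    struct.pack_into("<H", opt, 68, 10)                        # EFI application
    struct.pack_into("<I", opt, 108, 16)                       # NumberOfRvaAndSizes
    blob = b""
    if signed:
        payload = b"PLACEHOLDER-SIG!"                          # not real PKCS#7
        blob = struct.pack("<IHH", 8 + len(payload), 0x0200, 0x0002) + payload
        cert_off = len(dos) + 4 + len(coff) + len(opt)
        struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR, cert_off, len(blob))
    return dos + b"PE\0\0" + coff + bytes(opt) + blob


if __name__ == "__main__":
    for label, flag in (("signed stub", True), ("unsigned stub", False)):
        print(label, inspect_efi_image(build_sample(flag)))
```

Run against the real files on an EFI System Partition (for example the `/EFI/BOOT/BOOTx64.EFI` path named above), it shows which boot stages have a signature attached and which do not.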

    1. energystar
      Boffin

      Re: Seem to be missing some critical information

      ;)

      Won't comment on this apparent 'unannounced audit?' update. So far, so clear that even Microsoft can't have full oversight over BIOS [or UEFI in this case]. Firmware is HISTORY.

    2. Adam 1

      Re: Seem to be missing some critical information

      If your hypothesis is right* then someone at a vulture desk will owe MS an apology for the title of this article. It would in that case be Asus causes some of its motherboards to crash** after faulty UEFI implementation.

      * I have nothing to add on that point.

      ** Brick is the wrong verb here.

  9. Pompous Git Silver badge

    halfbricks

    Sounds like a job for the mighty Fairport Convention

    https://www.youtube.com/watch?v=pAn9aD6U9mY

    1. David 132 Silver badge
      Happy

      Re: halfbricks

      Curses, you beat me to it with an "unhalfbricking" reference.

      Have an upvote as we wallow in smugness at our flawless taste in music.

  10. davidp231

    Windows 7 works fine with UEFI - so long as Secure Boot is turned off. It also refuses to boot the installer if SB is turned on. Saying that, 8.1 and 10 work fine with SB off. My box dual boots Mint 17.3 and Win10 Education (it was free via Dreamspark). Both of which play nice with Secure Boot. However there are two reasons I don't use it - I can't be bothered derping about to get rEFInd signed so Secure Boot doesn't throw a wobbly, and it doesn't like my Radeon 6850 X2, even with the GOP ROM flashed onto it.

  11. a_yank_lurker

    Major Problem

    How many users know how to get to the BIOS/UEFI at start up? This type of screw up makes one trust Slurp even less. I have seen something similar with a dual boot laptop (W8.1/Linux Mint) after a Winbloat update reset the UEFI settings which disabled the dual boot. Easy to fix if one knows how but not something I expect most users to have a clue about. Nor should they need to have a clue in their defence.

    1. Anonymous Coward
      Gates Horns

      Re: Major Problem

      Hmmmm.... nice little OS you've got there... be a shame if it was to suddenly... disappear...

      Oopsie

  12. energystar
    Linux

    Disable Secure Boot...

    Secure Boot is INTENDED as an enforced [Trust Chain]? between UEFI bring-to-life routines completion and Modern Windows own Boot.

    Anything else [Even Win7 at some cases], could become liability.

    By the way, Linux is effectively a missing member of UEFI. And that is inadmissible.

    1. Dr Spork
      Alien

      Re: Disable Secure Boot...

      Has someone rebooted AMFM?

    2. Zakhar

      Re: Disable Secure Boot...

      Agreed, "Secure" was a politically correct way to say "even more lock-in to M$".

      But I discovered, having recently bought an Asus mobo that they did a fine job. On top of being able to switch to good old "Legacy mode" (aka BIOS) and disabling "Secure" boot, apparently you can also import your own set of keys (didn't try, but it looks like you can).

      That was what EFF (or the likes) asked to make "Secure" boot acceptable, and not locked-in. Because the fact that Canonical or Redhat have to ask for a signing key to M$ in order for their OSes to boot is really bad; If you are able to change the keys, you can even compile your own flavour of Linux/FreeBSD, optimised to your hardware, and self-sign it with your own keys.

      If it really works as it looks like, then Asus did a fine work!

      1. Pompous Git Silver badge

        Re: Disable Secure Boot...

        If it really works as it looks like, then Asus did a fine work!

        Most of the machines I have built over the last 20+ years have used ASUS MoBos. ASUS do indeed make (mostly) very fine MoBos. Not to mention my ever so portable Zenbook. Fine work indeed!

      2. This post has been deleted by its author

    3. Tom 7

      Re: Disable Secure Boot...

      There are UEFI signed Linux distributions. But since you can install a UEFI compatible grub and then install any other OS on the system it tends to make you wonder what it's meant to do apart from make things a pain.

  13. Mikel

    Wouldn't it be nice...

    Wouldn't it be nice if Microsoft would just stop messing with people? Breaking their stuff, forcing their updates, taking away features they already paid for?

    But they won't. People tolerate this behaviour. Consumers and businesses are so committed to Windows they will never leave. So Microsoft can do anything they want. And they do.

    1. Anonymous Coward
      Pirate

      Re: Wouldn't it be nice...

      It's the way it's always been.

      I don't think it's commitment so much as mass resignation/ignorance/indifference... for the individual consumer certainly... and I'm quite certain M$ understands this perfectly. M$ knows its OEM lock-in operation is the lifeblood of its racket.... and would sooner strangle the last gasps of life from the PC industry than loosen that grip.

  14. James Loughner

    Secure Boot is Security Theatre

    If malware is in a position to modify the boot stack you are already owned.

    Evil doers check list

    Secure boot on? Yes

    send email pay us $500 or we kill your machine

    Not paid mod boot stack

    Bang you are dead

    1. TheVogon

      Re: Secure Boot is Security Theatre

      "If malware is in a position to modify the boot stack you are already owned."

      Not with secure boot. If the malware tries to modify the boot stack, the PC won't boot, and you can then restore the boot stack to a known state. Malware can't persist.

  15. Anonymous Coward
    Gates Horns

    A deal with the devil

    Sounds like Asus actually tried to fashion a worthwhile product around M$'s anti-Linux clusterfuck!.. and is now being crapped upon by M$ in lieu of a thank you.

    That should learn 'em.

    1. ecofeco Silver badge

      Re: A deal with the devil

      Alright, I give up. Where'd you get that icon?

      1. Anonymous Coward
        Anonymous Coward

        Re: A deal with the devil

        Alright, I give up. Where'd you get that icon?

        If you look at the source it's a Reg icon, but not one that us plebs can see when using the "select an icon" interface. If you were keen enough you could try copying the HTML into a post and see if it works, but my guess is that it won't for you and I. Worth noting that the AC also has an icon, again something blocked for the masses.

        Could it be the Reg staff, using comments to say things or use language they can't in the article....

        1. GrumpenKraut

          Re: A deal with the devil

          > Could it be the Reg staff...

          No, that's some of us commentards (not me).

          1. davidp231

            Re: A deal with the devil

            There was an issue a few weeks ago where AC posts were given the wrong icon I think. Maybe that's reared its ugly head again.

            1. Destroy All Monsters Silver badge
              Happy

              Re: A deal with the devil

              No, it's deliberate.

        2. Anonymous Coward
          Jobs Horns

          Re: A deal with the devil

          >Could it be the Reg staff, using comments to say things or use language they can't in the article....

          If that was the game, I'd hope they'd be less indiscreet about it... (it isn't)

      2. Solmyr ibn Wali Barad

        Re: A deal with the devil

        Icons! Fresh icons! Get yer icons from here!

        forums.theregister.co.uk/forum/containing/2777279

  16. Anonymous Coward
    Anonymous Coward

    If after all this time

    there are people who still believe Secure boot is about security, they are either in denial or plain dumb.

    Secure boot is about controlling your PC. With it Microsoft can prove to content and software vendors that your PC can be trusted (by them of course) and that their DRM can not be subverted.

    1. Anonymous Coward
      Anonymous Coward

      Re: If after all this time

      Maybe not digitally but I'm sure I could get a "good enough" recording by putting a coil of wire next to each speaker and a high-speed high-resolution camera in front of the screen.

  17. tempemeaty
    Big Brother

    Microsoft has been accused of this before...

    ...dumping over bloated patches on the last OS when they release a new OS.

    The "New Microsoft" has now been more aggressive than ever.

    I'm calling this intentional sabotage.

  18. Steve Davies 3 Silver badge

    The next step?

    will be for MS to send out an update that borks ALL systems from booting that don't (or can't) have secure boot enabled.

    Then all those free upgrades will suddenly turn into paid ones as the PC makers see a sudden rise in demand.

    Fantasy?

    Well, I would not put it past MS for at least considering this as a way to turn the W10 revenue stream from a trickle to a veritable torrent.

    1. Anonymous Coward
      Pint

      Re: The next step?

      "a trickle" ??

      I think you are being over-generous.

      "a veritable uTorrent" - there, fixed that for you.

      1. Steve Davies 3 Silver badge

        Re: The next step?

        I was trying to be kind to MS but it seems that the shills are out already (hence the downvote). I was just raising a possible next step in their quest to be the world using METRO/Modern and importantly getting that step up in revenue to report to shareholders.

  19. Anonymous Coward
    Anonymous Coward

    UEFI

    Because computers didn't work properly with BIOS.

  20. TRT
    Gates Horns

    Horns.

    They were in the old El Reg icon set. It's fairly trivial to achieve this!

  21. dajames

    No, but seriously ...

    Because computers didn't work properly with BIOS.

    Computers did, of course, work properly with BIOS.

    Well, if they didn't (and most didn't, at least some of the time) it usually wasn't the BIOS's fault.

    UEFI is veritably the road to hell -- paved with good intentions. The good intentions are many: It's supposed to support booting from hard disks that are larger than a BIOS can handle. It's supposed to provide a mechanism whereby an x86 PC can boot straight into protected mode, so the chip makers can finally stop supporting legacy real mode operations in their precious silicon. It's supposed to enable expansion cards to be made with on-board firmware that can work in a PCI/PCIe slot of any computer regardless of the type of CPU fitted (Intel wanted this so that cards designed for x86 could be used in Itanic^WItanium systems). It's supposed to provide an OS-agnostic pre-boot environment from which system administration functions can be run. It's supposed to provide a level of security that will ensure that a system will only boot from a properly signed and authorised image.

    The big problem is that it was designed by a committee, a committee of interested parties who each wanted to bring their own pet feature to the standard, and who apparently didn't pay too much attention to what else was getting in through the door; a committee that didn't have the budget, the trust, or the authority to take actual responsibility for the monster they created.

    Have you seen the size of the UEFI spec? Have you ever tried to read it? It's a fine example of a document that was put together by people who knew what they were trying to say, but didn't think to say it in a way that would be accessible by anyone else. To say that it was impenetrable would be kind. It's hardly surprising that it's taken several generations of supposedly UEFI-compliant motherboards and their firmware to get to anything that works somewhat consistently between different boards and vendors. The standard is far too ambitious, encompasses far too much, and explains far too little. Someone should have taken it in hand and whittled it down to usable size.

    Secure Boot is actually a very good idea -- it's in the users' interest to be able to have some confidence that the OS on a PC hasn't been suborned by malware. The problem with it is that the UEFI Forum didn't -- wasn't in a position to -- create a master set of vendor-neutral keys and set up a service whereby OS providers could get their OS images signed. This meant that Microsoft, as the biggest commercial provider of OS images, set up the signing infrastructure themselves, and own the main OS verification keys that board manufacturers supply preinstalled on their boards. This means that the boards that are sold accept only Microsoft-signed OS images, at least out of the box, and in order to install another image it is necessary either to get Microsoft to sign that image with their keys (which some Linux distros have done) or to add a new set of keys to the board (which not all boards allow).

    For most users, the main advantage of UEFI is that it supports GUID partitioning, and so enables disks larger than 2TiB to be visible at boot time. Even that's becoming less important than it once was, as many PCs are now fitted with a small (certainly less than 2TiB, at today's prices) SSD and larger spinning rust for storage, but the spinning rust doesn't have to be visible at boot time, so a traditional real-mode BIOS booting a GUID-capable OS will work just fine.

    When SSDs drop in price by another order of magnitude it may again be important to be able to boot from GUID disks, but by then I hope UEFI will have died the death it so richly deserves and been replaced by Coreboot or Open Firmware or something else that does the jobs that actually matter without the bloat of UEFI.

    1. Roo
      Windows

      Re: No, but seriously ...

      "Secure Boot is actually a very good idea -- it's in the users' interest to be able to have some confidence that the OS on a PC hasn't been suborned by malware."

      The thing is it is overkill, a read-only SD card slot that is only used to load the bootstrap would achieve the same thing. When people want to change the bootstrap - (eg: add SecureBoot) they could swap out the SD cards - or with ILO type setups the ILO gear could manage the read-only bootstrap image. It's really not hard - and it doesn't force you into accepting a long chain of trust either. :(

      1. TheVogon

        Re: No, but seriously ...

        "The thing is it is overkill, a read-only SD card slot that is only used to load the bootstrap would achieve the same thing."

        Your SD card could be malware infected when you obtained it. Secure Boot fixes that.

        1. Anonymous Coward
          Holmes

          Re: No, but seriously ...

          "Your SD card could be malware infected when you obtained it. Secure Boot fixes that."

          Quite.

          By eliminating the "could:"

          "Your system will be malware infected when you obtained it. SecureBoot™ secures that."

          PS What did "RICHTO" mean?

          1. TheVogon

            Re: No, but seriously ...

            "PS What did "RICHTO" mean?"

            Nothing - some people assumed it referred to money so I changed it.

    2. Destroy All Monsters Silver badge

      Re: No, but seriously ...

      Intel is very Coreboot-unfriendly.

      Feels bad, man.

    3. Anonymous Coward
      Anonymous Coward

      Re: No, but seriously ...

      ref. replaced by Coreboot or Open Firmware

      what makes you think it's going to be Coreboot / Open Firmware, rather than, say, "super-UEFI" aka UEFI v.2.0 (beta), "designed" by the very same people / businesses behind UEFI?

  22. Unicornpiss
    Meh

    Is the cure worse than the sickness?

    While I agree that on paper UEFI is useful to prevent tampering with the BIOS or OS, if a lousy update or a virus (which is what this is supposed to prevent), can so easily render the machine unbootable, isn't that somewhat worse than a machine you can at least boot?

    I realize in the case of ransomware, that the answer is emphatically "No."

    UEFI/GPT partitions are already a pain to work with compared to MBR. We were forced to change part of our imaging process to deal with UEFI, and it's been a pain in the butt all the way. (Oh, and there's a rather nice bug in MS's "DISM" tool that makes it idiotically use what appears to be PE's ramdrive for the cache when capturing an image if you don't specify a scratch directory)

    We all need to be protected, but with increasing complexity comes more and more woes of a single misstep bricking equipment. Soon will come a day where you'll have to authenticate to your toaster before you can insert bread, I expect.

    1. Anonymous Coward
      Coat

      Re: Is the cure worse than the sickness?

      Soon will come a day where you'll have to authenticate to your toaster before you can insert bread, I expect.

      Yes, and that toaster will have DRM to ensure you only insert bread from approved bakers, to ensure your dough goes into their back pockets and not anyone else's.

      1. Destroy All Monsters Silver badge
        Pirate

        Re: Is the cure worse than the sickness?

        Don't be a Dough Pirate!

        Only buy Monsanto-branded Monsanto Dough!

        And remember: rooting your toaster is a criminal offense!

        1. Anonymous Coward
          Anonymous Coward

          Re: Is the cure worse than the sickness?

          "rooting your toaster" … given what unspeakable things some people have done to other household appliances, the mind boggles!

          1. Anonymous Coward
            Gimp

            Re: Is the cure worse than the sickness?

            Suppose it allows the vacuum cleaner welcome respite...

        2. Anonymous Coward
          Anonymous Coward

          Re: Is the cure worse than the sickness?

          re. rooting your toaster, somehow it looked to me like "rooting your hamster"

          oh well, time to see my eye weasel :(

  23. Anonymous Coward
    Anonymous Coward

    Damned if they do, damned if they don't

    Putting aside the whole Windows 10 upgrade thing.

    Windows had, for a long time, a reputation for having more holes than a sponge.

    So the industry decides to come up with something to make it more difficult for an operating environment to be modified without the user's knowledge.

    Appears that's wrong too.

    So, what exactly is a company expected to do?

    1. Anonymous Coward
      Holmes

      Re: Damned if they do, damned if they don't

      What, precisely, do you pretend SecureBoot™ does to make MS™ Windows™ itself less insecure?

      Hint: Nothing. That's not its purpose and it's simply impossible for it to do any such thing.

      SecureBoot™ secures "your" computer against you. On behalf of the Microsoft Corporation Inc. / RIAA / MPAA. That is ALL.

    2. Anonymous Coward
      Anonymous Coward

      Re: Damned if they do, damned if they don't

      You can do plenty of damage to a computer and its users without modifying its operating system.

      SecureBoot will do nothing to protect against that.

      A good example is ransomware, which can run as the local user without administrative privileges, do its nasty work, drop its files then leave. The only way it would be detected, would be by its activity, and this has to be compared with what is "normal" for that computer to be executing.

      Not an easy task.

      SecureBoot however, is built upon UEFI, which is estimated to have more code than the Linux kernel. If you think that code is going to be bug (exploit) free, then you are living in a dream land.

      1. energystar
        WTF?

        Re: Damned if they do, damned if they don't

        "...is built upon UEFI, which is estimated to have more code than the Linux kernel. If you think that code is going to be bug (exploit) free, then you are living in a dream land."

        F_(k, [idem], [idem]...

        Seriously thinking of collecting all remaining, working BIOS motherboards I could get a grip on.

  24. LoCatus

    I was wondering when they would pull this out their pockets

    BAH ! Secureboot.. Another unneeded MS creation. Seemingly created to attempt to keep people from running OS's other than winblows. Kept folks from running Linux for a short time until MS was forced to cough up the keys.. This is not a glitch. It's a feature now being utilized in an attempt to "encourage" users to migrate to windows 10.

    Microsoft... The McDonalds of the computer industry. Trying to cover so many niches they've forgotten how to make the one thing that made them popular.

    1. Anonymous Coward
      Anonymous Coward

      Re: I was wondering when they would pull this out their pockets

      Actually, some form of secure boot is also used by Apple devices, consoles, and so on. It's all up to ensure the whole stack is trusted. Of course it can also be used to deny installing other OSes, if those controlling the keys don't "trust" them. But whenever you can boot untrusted code you have a big issue lurking around.

      1. Anonymous Coward
        Anonymous Coward

        Re: I was wondering when they would pull this out their pockets

        But whenever you can boot untrusted code you have a big issue lurking around.

        Indeed… now the question is, trusted by whom?

        Articles like this one seem to vindicate my lack of trust in Microsoft.

      2. Anonymous Coward
        Anonymous Coward

        @AC - Re: I was wondering when they would pull this out their pockets

        Exactly, Apple trusts their whole stack will not allow you to install other OSes. That's the whole point of secure boot, didn't you know it ?

  25. sikejsudjek

    First it was the windows 7 telemetry updates that you could hide, but would re-appear. Then the nag ware for windows 10. Then the ultra slow updates making a new windows 7 installation a day long process. Now this. Anyone would think ms didn't want you to stay on windows 7.

    Well I didn't stay on windows 7, I got Linux mint. I only use windows 10 on one machine, and it's crap in comparison.

    1. Anonymous Coward
      Anonymous Coward

      Yep, there's a laptop at work that I managed to get Windows 7 installed onto, but now will have the arduous process of getting up to date.

      I got as far as getting our standard operating environment going on it Friday evening, and left it at that. I'll be tackling it tomorrow morning when I get in. Hopefully it'll be ready by the time its user arrives at work.

      1. Anonymous Coward
        Anonymous Coward

        Since forever (well, actually, since 52k dial-up) I've saved Windows updates to disc. To update more than one machine; or to do a clean install, which pre-XP I did a lot. So, I have all the updates - less the telemetry, GWX etc - for W7 x64. However, where you used to be able to chain about 99% of them in a batch and come back an hour later and a clean install was ~99% updated, that doesn't work any more.

        There came a time when it was quicker to update via WU than with a batch, so I stopped updating offline, so I don't know at what point it stopped being effective. When updating a clean W7 install via WU turned to molasses, I went back to doing it offline. Only you get about half a dozen updates into the batch and it slows to WU clean install speed. Whether the batch will ever complete, I don't know, for most of the time what you have to do is reboot; most of the time on returning to the desktop the batch will continue - for about another half-dozen patches, then go glacial again. Or if you run each patch manually, clicking 'close' rather than 'reboot', after about half a dozen, you'll get 'searching for installed updates' running indefinitely. Again, rebooting will often get past this and that patch will run sometime before the heat death of the Universe. But I for one am not going to run a hundred-odd patches manually, or by batch requiring multiple restarts and me having to sit in front of the computer for a couple of hours watching and waiting for the cues. It takes so long that more-often-than-not WU will finally present the list well before manually updating is even half done.

        It has been said WU is so slow on W7 these days because of the 'checking for installed updates' process. It certainly seems a contender! This doesn't happen on Windows 8.1; on 8.1 updating is like it used to be on 7.

        It seems a no-brainer that Microsoft don't fix it, because it reduces the appeal of Windows 7; rather than that they sabotaged its update process. But that would be so vindictive of them that you couldn't rule out its being a deliberately-introduced 'bug'. Ethically there is little difference between the two behaviours.

        There was a bug in NT4.0 whereby you couldn't chain patches and guarantee newer libraries - for example - would not be overwritten by older ones. They fixed that. Now, in Windows 7, chaining updates is broken more than it was nearly 20 years ago - and they don't give a stuff. But then, updates are no longer for our benefit.

        1. Anonymous Coward
          Anonymous Coward

          It was a relief when 56k came along! Just not much.

  26. Paul 129
    Black Helicopters

    UEFI

    This was all about killing alternate OSes.

    Not Linux, that's not a serious M$ competitor, by installed user base. XP, Vista and were the targets, and with win10 certified motherboards you can't boot them. M$ win!

    They really didn't have to stuff win10 down our throats as they are now, I guess they've become impatient.

    Coreboot was looking so good, then this came along :-(

  27. tempemeaty

    Stabbity stab stabbity stab.....

    I wonder if the PC hardware manufacturers have finally figured out that stabbing sensation in their back is the same MS they thought was covering it.

    1. Anonymous Coward
      Anonymous Coward

      Re: Stabbity stab stabbity stab.....

      Hopefully they will take Wintel with it.

      Could be Microsoft is serving itself the Polonium tea it so richly deserves.

      1. TheVogon

        Re: Stabbity stab stabbity stab.....

        "Hopefully they will take Wintel with it."

        Some Windows versions run on Arm too don't forget...

        1. Anonymous Coward
          Anonymous Coward

          Re: Stabbity stab stabbity stab.....

          "Some Windows versions run on Arm too don't forget..."

          None of any significant relevance though.

  28. MJI Silver badge

    Better check

    Two Win7 ASUS boarded gaming PCs here

    1. Chika
      Happy

      Re: Better check

      That's nice, dear.

  29. alpine

    Not an asus issue, but I dual boot my Dell XPS13 with Win 7 and Win 10 for various reasons. I reformatted the drive to get rid of all the 'secure' boot stuff. It all works, but Microsoft or Intel are certainly still up to sillies because when I choose Win 7, the machine loses the sound drivers on the Win 10 installation and I have to reinstall them each time...

    1. Anonymous Coward
      Terminator

      You should stop messing with our computer. "Telemetry" & OSaaS WindowsX is the one true path. Resistance is futile.

    2. energystar
      Coat

      Realtek...

      Of course.

      1. energystar
        Holmes

        Re: Realtek...

        Maybe a small 'RIAA' bug.

  30. Anonymous Coward
    Anonymous Coward

    And ladies and gentlemen, this is why auto updating is a bad idea for Windows

    You just can't be too sure what the monkeys in Microsoft's patch factory will botch next.

  31. Anonymous Coward
    Anonymous Coward

    For customers experiencing an issue after installing the update, we recommend they contact Asus.

    = F.O.

  32. adam payne

    First the nag screens and now this.

    Microsoft have really got it in for Windows 7.

    1. Anonymous Coward
      WTF?

      > Microsoft have really got it in for Windows 7.

      Yes, it was intentional, the update had been around for weeks before they changed the "optional" flag on it, as a "field test".

      1. Anonymous Coward
        Anonymous Coward

        It's a conspiracy! A conspiracy I tells ya! AAAAAHHHH!

        1. energystar

          bless you!

  33. azaks

    half-bricked?

    Is that like being partially pregnant? Or just being a bit over-zealous in the sensational headline department?

    Go into UEFI setup, disable secure boot, reboot. Unbricked...

  34. Sentar

    Microsoft are trashing legally purchased WIN7 PRO 64bit computers. I OWN the O/S, purchased retail, and should be able to run it on an ASUS Z170M-Plus motherboard, without Microsoft screwing it.
