>For more information, search for the System.Fundamentals.Firmware.UEFISecureBoot system requirements in PDF download of the Windows Hardware Compatibility Program Specifications and Policies.
>Windows 11 >Download Specifications and Policies, version 21H2
This is a .zip file containing multiple PDFs. From "Systems.pdf":
>System.Fundamentals.Firmware.UEFISecureBoot (page 99 of 184)
>15. No in-line mechanism is provided whereby a user can bypass Secure Boot failures and boot anyway. Signature verification override during boot when Secure Boot is enabled is not allowed. A physically present user override is not permitted for UEFI images that fail signature verification during boot. If a user wants to boot an image that does not pass signature verification, they must explicitly disable Secure Boot on the target system.
So if you want to boot an OS that doesn't work with Secure Boot, you're allowed to disable it. You just won't be able to boot Windows 11.
>20. (Optional for systems intended to be locked down) Enable/Disable Secure Boot. A physically present user must be allowed to disable Secure Boot via firmware setup without possession of PKpriv. A Windows Server may also disable Secure Boot remotely using a strongly authenticated (preferably public-key based) out-of-band management connection, such as to a baseboard management controller or service processor. Programmatic disabling of Secure Boot either during Boot Services or after exiting EFI Boot Services MUST NOT be possible.
So they don't disallow the OEM from allowing Secure Boot to be disabled.
It does seem weird to see "must be allowed to disable" in a point marked "Optional", but maybe there's a strict definition of "systems intended to be locked down" that OEMs can't apply willy-nilly to any arbitrary consumer device. At the very least, they're not requiring the OEM to disallow Secure Boot from being disabled.
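An added example, not part of the comment above or of Microsoft's documentation: a small reader for the UEFI `SecureBoot` and `SetupMode` variables as Linux exposes them through efivarfs, so an administrator can verify on a running system whether the firmware is actually enforcing signature checks. It assumes the efivarfs layout (a 4-byte little-endian attribute word followed by the variable data) and the EFI global variable GUID from the UEFI specification; the byte strings in the block are constructed samples. The attribute word is included because, per the UEFI spec, `SecureBoot` is a volatile, boot-service/runtime-readable, read-only variable: the OS can report the state but cannot flip it, which is the property requirement 20 describes.

```python
"""Report UEFI Secure Boot state from the SecureBoot / SetupMode variables (Linux efivarfs)."""
import struct
from pathlib import Path
from typing import Optional

# EFI_GLOBAL_VARIABLE GUID as defined in the UEFI specification
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS_DIR = Path("/sys/firmware/efi/efivars")  # assumed efivarfs mount point

# Variable attribute bits from the UEFI SetVariable() definition
EFI_VARIABLE_NON_VOLATILE = 0x1
EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x2
EFI_VARIABLE_RUNTIME_ACCESS = 0x4


def parse_efivar(raw: bytes):
    """Split an efivarfs file into (attributes, data).

    efivarfs prefixes every variable with a 4-byte little-endian attribute word.
    """
    if len(raw) < 5:
        raise ValueError("efivar payload too short: need 4 attribute bytes plus data")
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]


def secure_boot_state(secureboot_raw: bytes, setupmode_raw: bytes) -> dict:
    """Interpret the two variables the way a boot loader or OS would.

    SecureBoot == 1 means the firmware is verifying images; SetupMode == 1 means
    the platform has no PK enrolled, so verification is not enforced even if the
    SecureBoot byte reads 1 on some firmware. Both are reported so the caller
    can see which case applies.
    """
    attrs, data = parse_efivar(secureboot_raw)
    _, setup_data = parse_efivar(setupmode_raw)
    enabled = data[0] == 1
    setup_mode = setup_data[0] == 1
    return {
        "secure_boot_enabled": enabled and not setup_mode,
        "setup_mode": setup_mode,
        # Per the UEFI spec SecureBoot is BS+RT only (volatile); a set NV bit
        # would be unexpected and worth flagging during a firmware review.
        "non_volatile": bool(attrs & EFI_VARIABLE_NON_VOLATILE),
        "runtime_readable": bool(attrs & EFI_VARIABLE_RUNTIME_ACCESS),
    }


def read_live_state() -> Optional[dict]:
    """Read the real variables if this host booted under UEFI with efivarfs mounted."""
    sb = EFIVARS_DIR / f"SecureBoot-{EFI_GLOBAL_VARIABLE_GUID}"
    sm = EFIVARS_DIR / f"SetupMode-{EFI_GLOBAL_VARIABLE_GUID}"
    if not (sb.exists() and sm.exists()):
        return None
    return secure_boot_state(sb.read_bytes(), sm.read_bytes())


# Constructed sample payloads (not captured from a real machine):
# attributes 0x06 = BOOTSERVICE_ACCESS | RUNTIME_ACCESS, followed by one data byte.
SAMPLE_SECUREBOOT_ON = b"\x06\x00\x00\x00\x01"
SAMPLE_SECUREBOOT_OFF = b"\x06\x00\x00\x00\x00"
SAMPLE_SETUPMODE_USER = b"\x06\x00\x00\x00\x00"   # PK enrolled, user mode
SAMPLE_SETUPMODE_SETUP = b"\x06\x00\x00\x00\x01"  # no PK, setup mode

if __name__ == "__main__":
    live = read_live_state()
    print("live:", live if live is not None else "no efivarfs (not UEFI, or not Linux)")
    print("sample on/user:", secure_boot_state(SAMPLE_SECUREBOOT_ON, SAMPLE_SETUPMODE_USER))
    print("sample on/setup:", secure_boot_state(SAMPLE_SECUREBOOT_ON, SAMPLE_SETUPMODE_SETUP))
```

Run it on a UEFI Linux host to see the live values; on any other machine the constructed samples still exercise the parser. The "enabled and not setup mode" combination is the only one in which the firmware will refuse an unsigned image, which is the state the comment's quoted requirement 15 describes.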