Is secure boot necessary for a business?

sthcm

Nov 13, 2017
We've had some problems with some new Dell PCs at work.

They boot fine the first time and allow you to set up your account and whatnot. However, after letting Windows run updates, which is pretty much a necessity these days, the PCs will not boot correctly with 'Secure Boot' enabled.

If, however, I turn Secure Boot off, then the machines all work fine. It happens on all the machines and only after the first updates have been installed. Secure Boot was enabled initially, which makes me think that if Microsoft suggests it should be used, then it should.

Is it a necessity for a business to use Secure Boot? I have wasted hours with Dell's online and phone support with them offering no solution apart from to disable Secure Boot.

Thanks for any help
 
Secure boot is more for consumers, as it works with pre-installed OS images by the OEMs like Dell, to protect against malware infections.

Businesses normally switch it off and put the PCs into legacy mode, so they can use their own pre-built custom images.

Saying that, there is nothing to stop a consumer or a business that doesn't use images from switching to legacy mode and simply reinstalling the OS, using the OEM version of Home/Pro/Enterprise that you can download from Microsoft using the media creation tool.

The benefit of this: you get the latest version of the OS, you get to install the latest version of drivers direct from the website, even the BIOS image, you reduce the amount of bloatware pre-installed, and if you wanted to, you can remove the recovery partition off the HDD to get space back. Of course, it is wise to ensure you have an optional backup of this image on DVD/USB if you ever want to put it back.

My personal choice, backup OEM recovery partition and zap the disk with a clean install. 😀
 
Honestly, at work when we get new Dell systems in, lately I've just kept a copy of the most recent Windows 10 installer on USB, then when I pull the system out of the box, I plug things in and just nuke and pave. That way I get a clean install and most updates are already done except for just a few, which are fairly quick, then continue from that point.
 
As stated, secure boot is not necessary. Although if they have Windows 10 Pro, I would consider turning on BitLocker to encrypt your storage. In case your computers are stolen, no one will have access to the files stored on the computer. Without encryption, user passwords are worthless at protecting files.



You don't need legacy mode to perform a clean install with a vanilla ISO from MS. UEFI and Secure Boot are separate BIOS settings. At least in every computer I've ever worked on.

You just need to use a tool like Rufus to make a UEFI bootable installer flash drive from the MS ISO. DVD installation should be UEFI bootable without the need for Rufus. Legacy mode is only needed for OS or installation media which don't support UEFI and still need BIOS support.

While I haven't tried it for deploying system images, the articles I've read indicate you can deploy system images just fine using UEFI. You just want to disable Secure Boot.
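
The distinction drawn in the post above (UEFI mode and Secure Boot are separate settings) and the BitLocker suggestion earlier in the thread can be checked per machine. The following is an added example, not code from any poster in this thread; it assumes an elevated PowerShell 5.1 session on Windows 10, and the function name `Get-BootSecurityState` is hypothetical.

```powershell
# Added example: report firmware mode, Secure Boot state and BitLocker status
# for the local machine. Run from an elevated PowerShell 5.1+ session.
function Get-BootSecurityState {
    # UEFI vs. legacy BIOS is reported separately from the Secure Boot state.
    $firmware = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType

    # Confirm-SecureBootUEFI returns $true/$false on UEFI systems and throws
    # when the machine boots in legacy BIOS mode or the session is not elevated.
    try {
        if (Confirm-SecureBootUEFI -ErrorAction Stop) {
            $secureBoot = 'Enabled'
        } else {
            $secureBoot = 'Disabled'
        }
    } catch [System.PlatformNotSupportedException] {
        $secureBoot = 'NotSupported (legacy BIOS mode or no Secure Boot)'
    } catch {
        $secureBoot = "Unknown: $($_.Exception.Message)"
    }

    # BitLocker status of the OS volume. The cmdlet is missing on editions
    # that do not ship the BitLocker module, so test for it first.
    $bitlocker = 'Unavailable (BitLocker cmdlets not present)'
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        try {
            $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
            $bitlocker = "$($vol.ProtectionStatus) ($($vol.VolumeStatus))"
        } catch {
            $bitlocker = "Unknown: $($_.Exception.Message)"
        }
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        FirmwareType = $firmware      # Uefi or Bios
        SecureBoot   = $secureBoot
        BitLockerOS  = $bitlocker     # e.g. "On (FullyEncrypted)"
    }
}

Get-BootSecurityState | Format-List
```

Running it before and after the first round of Windows updates on one of the affected machines records whether the firmware mode or Secure Boot state changed between the working and failing boots.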
 


I think we have a couple of USBs for Win 7 Pro which I'm leaning towards anyway as 10 just seems so unfinished. When doing this for 10, how is this affected by Secure Boot?
 


We are only a small business so our setup is probably somewhat similar to that of a consumer, compared with a larger enterprise. Unfortunately I don't know what legacy mode is but I'm fairly certain we have never used it.

I just don't get why Dell would design their computers around Win 10 OS for it to not work with something the manufacturer of the OS suggests to keep enabled.
 


So will this work with Secure Boot enabled? If so then great, but if not it would be a lot easier to just disable Secure Boot. I'm still unsure whether this poses a security risk to our machines as they're all linked to our server where all work is stored.
 
Telling you right now you might as well stop bothering with Windows 7 unless there is some specific application that will not run on 10. Windows 7 support ends sometime in 2020, so could be a lot of deployments. Not only that, but a lot of the newer chips and chipsets don't properly support Windows 7, at least not without some persuading.

You'd be better off to just go with 10. It's been out there a couple of years and will be what is used going forward for a good while it appears. Going back to Windows 7 or even 8 is creating more headaches for yourself unless some specialized app will absolutely not run on 10.

Plus, when you realize you can use the Windows 10 media creation tool directly from Microsoft and create a USB using that with the latest version, it makes it very easy. I can usually have a system up and patched completely in an hour or 2 now. Whereas Windows 7 could take hours just to run updates. Seems like much of the time the systems for the most part do pretty good about picking up the drivers on their own too.
 
Solution