Buying ex-business and ex-government PCs/laptops from auctions and resellers - an interesting problem

It appears that Microsoft has created a real problem with the resale of used PC/laptop equipment because of the hardware requirements of Windows 11. You could end up purchasing a perfectly good PC but with an operating system that cannot be updated and is unsupported. Those that are not technical could end up with a device that’s unusable.

Every 5+ years businesses will refresh their PCs and laptops, and they often end up at resellers and auctions. Some of these PCs are good value for the home; YouTube has many videos on how to turn a recycled office PC into a gaming PC for those that are on a budget. The problem is in licensing.

A business/government PC would have come with an OEM license just like when you buy a PC from a retailer, but these PCs and laptops are under enterprise support contracts. When you buy one of these from a reseller or an auction, if it has a Windows operating system it will not be supported and will not receive any updates, though it will be fully functional. The business will more likely sell the PC or laptop as hardware only because all corporate data including the operating system will be removed.

Buying an ex-business/government PC as hardware only with no operating system creates a real problem. You can’t install Windows 10 because you can’t buy it, and you can’t install Windows 11 because the hardware is old. Some top of the range HP business desktop PCs produced in 2017 will not run Windows 11.

Windows 10 is still available at some PC specialty retailers and there are workarounds for those that are technical, but it’s a real trap for the average person that wants to buy a reasonable PC/laptop for themselves or their children. Maybe it’s a good time to introduce the kiddies to Zorin Linux, an excellent replacement for Microsoft Windows.

2 Likes

This is not limited to used machines. There are millions of perfectly good PCs that are quite adequate for their current purpose with the original owner that are not within the Win 11 spec and (in theory) cannot be upgraded. I suggest these numbers are far greater than second-hand ones. It will be interesting to see if MS relax the requirements and how long it will be before Win 11 is deprecated.

I guess there will be some ways around the MS limits that will allow you to coerce an upgrade in some cases but that isn’t the point is it.

2 Likes

There are a couple of registry alterations that allow some PCs to be upgraded to Win 11 and some are MS approved.

One allows the TPM status to be ignored, another allows earlier CPUs to be accepted.

The warning is given that as Win 11 evolves that the machines that have the registry alterations may no longer be supported.

If a machine is purchased that has been leased by Govt etc., while it may have been wiped, that does not mean it is unable to be activated. The digital key for that machine may in all likelihood still be stored on MS servers and only requires that activation is attempted. As a result, many of these secondhand machines come with Win 10 reinstalled and activated. Windows 10 is fully supported until 2025. To say that because it is Win 10 it is unsupported is incorrect; it isn’t Win 11, but for some that is a preference, and for others it should have no impact until 2025 on their security or updates to their PCs.

The stated reason for the upgraded requirements is that they help create a more secure OS environment to reduce risks from malware. Bypassing the requirements increases security risks; depending on a PC owner’s digital hygiene this may or may not be important.

Another thing to be aware of is that more modern PCs (most PCs manufactured in the last 5 years) with newer UEFI systems often have (AMD) fTPM (firmware or software TPM) or Intel’s PTT that may be enabled through the UEFI settings and avoids the need for a hardware TPM. Each manufacturer will have steps to use to enable the settings and may be under different sections of the UEFI.

6 Likes
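Added example, not from any of the posts above: a PowerShell report of the firmware and hardware items the previous post is talking about (TPM present and version, whether the fTPM/PTT is actually exposed to the OS, UEFI and Secure Boot state, cores, RAM, disk), run from an elevated PowerShell prompt on the existing Windows 10 install. The cmdlets and WMI classes used ship with Windows; the thresholds are Microsoft’s published Windows 11 minimums. It does not check the CPU against Microsoft’s supported-model list (that list is external and changes), so a pass here means "everything except the CPU list".

```powershell
# Added example: Windows 11 readiness report from an elevated Windows 10 prompt.
# Thresholds: TPM 2.0, UEFI, 64-bit CPU with 2+ cores, 4 GB RAM, 64 GB system disk.
# The CPU model list is deliberately NOT checked here.

function Get-Win11Readiness {
    $r = [ordered]@{}

    # TPM. Get-Tpm needs admin. A firmware TPM (AMD fTPM / Intel PTT) that is
    # switched off in the UEFI settings reports TpmPresent = False here, so a
    # False is worth a trip into the firmware setup before buying a module.
    try   { $tpm = Get-Tpm; $r.TpmPresent = $tpm.TpmPresent; $r.TpmReady = $tpm.TpmReady }
    catch { $r.TpmPresent = $false; $r.TpmReady = $false }
    # Win32_Tpm.SpecVersion looks like '2.0, 0, 1.59' or '1.2, 2, 3'.
    $w = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $r.TpmSpecVersion = if ($w) { $w.SpecVersion } else { 'none' }
    $r.Tpm2           = [bool]($w -and $w.SpecVersion -like '2.0*')

    # UEFI and Secure Boot. Confirm-SecureBootUEFI throws when booted via legacy BIOS.
    try   { $r.SecureBootOn = Confirm-SecureBootUEFI; $r.Uefi = $true }
    catch { $r.SecureBootOn = $false;                 $r.Uefi = $false }

    # CPU, memory, system disk.
    $cpu = Get-CimInstance Win32_Processor | Select-Object -First 1
    $r.Cpu      = $cpu.Name.Trim()
    $r.CpuCores = $cpu.NumberOfCores
    $r.Cpu64Bit = ($cpu.AddressWidth -eq 64)
    $r.RamGB    = [math]::Round((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1GB, 1)
    $sys        = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
    $r.SystemDiskGB = [math]::Round($sys.Size / 1GB, 0)

    # "Secure Boot capable" is the requirement, not "Secure Boot on", so only
    # UEFI boot is required for the verdict; SecureBootOn is reported for information.
    $r.PassesExceptCpuList = $r.Tpm2 -and $r.Uefi -and $r.Cpu64Bit -and
                             ($r.CpuCores -ge 2) -and ($r.RamGB -ge 4) -and ($r.SystemDiskGB -ge 64)
    return [pscustomobject]$r
}

Get-Win11Readiness | Format-List
```

If TpmPresent is False but the machine is from the last five years, look for "fTPM", "PTT" or "Security Device Support" in the UEFI setup before concluding there is no TPM; re-run the report afterwards and TpmSpecVersion should then read 2.0.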

I decided which versions of Windows I used over the years. Windows 11 is not even a consideration. It will never be installed on my laptop, as Win10 works well and will be fully supported for a few more years.

But seriously, I have only one Windows specific application, so why even bother persisting with this Microsoft operating system upgrade crap, when the desktop paradigm is pretty much dead (except for hard core gamers).

Get an old laptop or desktop and put Linux on it. I use Ubuntu, and previously RedHat, but Zorin (based on Ubuntu), and many others will provide all the apps you need. And for those Win32 apps, there is always Wine.

1 Like

OT and not applicable to many, but.

Not always the case. Quicken is a US centric financial app. There is nothing quite like it; gnucash is not comparable nor is Mint nor the plethora of published alternatives whether desktop or online that I tried over the years to escape it. Experience suggests to me the code is a ‘pile of [censored]’. Microsoft once had a better product called Money but abandoned it a decade ago because of its comparatively small user base to products like Office and others that were more profitable and probably less trouble. Microsoft released a ‘sunset version’ that still works excepting the reasons for using it, online services, do not.

Truth is I could get similar functionality from 3 web sites and 5 logins rather than a coherent desktop. It has become a masochistic exercise that uniquely does what ‘lazy me’ needs. There could be one more lurking in the shadows to surprise?

4 Likes

Those recipes for getting Win11 onto an unsupported system are alright until a problem occurs. Any problem resolution will probably be outside the capabilities of the average home user that is following the installation steps without understanding what is going on.

The bottom line from Microsoft:
Installing Windows 11 on devices that don’t meet minimum system requirements
Key point : If you proceed with installing Windows 11, your PC will no longer be supported and won’t be entitled to receive updates.

Presumably Win11 checks that its on supported hardware when it attempts any updates.

Unlikely at auctions where ex-business/government desktops are resold, always check. With IT resellers best to inquire what the OS license and type is before any purchase. I’ve seen resellers attempt to sell used server kit as new, but that’s a different story.

  • Redhat is server Linux not suitable for desktops
  • Ubuntu as a desktop is not that suitable for Windows and Mac users that want to try Linux
  • Zorin is commercial Linux specifically targeting Windows and Mac users by making the conversion as painless as possible, then there are users that want to work in a way that is familiar to them. The Zorin business model seems to be based on Fedora/RedHat, i.e. free/paid (US$39); there’s not much difference between them - see YouTube for more info.
1 Like

This is a problem for me. I don’t want to spend hours reading up on how to fix issues nor do I want to change my OS. I want the OS to keep working and stay in the background so that I can run the apps I use. My desktop is only 5 years old and was fairly high spec then, it is perfectly acceptable for what I want to do and should last another few years before hardware problems require replacement.

Some people may like getting into the innards and upgrade regularly, I used to have to do that when I was in the business; now I am not, I don’t want to do it for fun as it ain’t fun. Playing with operating systems is like spending weekends covered in grease taking your car apart and reassembling it. I just want to ride where I need to go safely, at a reasonable speed and without fuss as I have better uses for my time.

As for desktops being old hat, there are a few billion people still using them that disagree. Tiny screens and touch operation may be suitable for portable devices but I find them tedious and slow for many of the jobs I want to do. In some cases, such as image processing, they are like using a line trimmer to mow acreage wearing a clown mask with very small eye-holes.

Before I am told I am a troglodyte, I do realise that equipment does need upgrading and replacement from time to time, the machine I had 20 years ago would not do what I want to do now. But I don’t want to be forced to upgrade by some decision made in Redmond and to have to send perfectly good equipment to the tip.

3 Likes

Well I must have been dreaming when I was running RHEL on my laptop with multiple instances of Windows in virtual machine environments to run Windows apps.
Now it was a work laptop, so what the licencing costs may have been were of no concern. For a home user, looking for free Linux, probably not an option.

1 Like

As it turns out, Quicken is the one Win specific app I use. But really old, and certainly out of support. But still doing what I want. And very much written for the Win32 API which Wine on Linux handles.

There was a product called CA simply money, that I used before Quicken. Tried MS money but it was hopeless.

Short digress OT.

For somebody that has purchased an older PC or laptop that does not have an operating system, the following have the least learning curve and are free or cheap.

  • Zorin Linux free is the closest and the best version for MS Windows users. Zorin paid has desktop for Mac users. Zorin Windows and Mac desktops are not attempts to copy the originals but provide an experience that people are used to. You can flip between desktop style with a single click
  • Mint Linux (free) another excellent one for beginners.
  • Bliss OS could turn an old PC/laptop into a Chromebook experience Android-X86 may do the same, both are free. Bliss is probably the most mature product. Installation not trivial.

Turning old laptops and PCs into Chromebooks is getting more attention with the enthusiasts. I have never attempted a PC conversion into a Chromebook. Android emulation on Windows is completely different rabbit hole.

5 Likes

I think it is now fairly safe to say that Microsoft will not relax the requirements. While you can get around them to install Windows 11, there is a basic need for a Trusted Platform Module (TPM) in modern PCs for security purposes. This need is not going away, so while Microsoft has allowed systems that do not have TPMs to ‘upgrade’ to Windows 11 they do not have all of the operating system’s capabilities and are likely to become ‘unsupported’ sooner rather than later.

Linux developers also had to work out how to deal with TPMs (after screaming loudly about open source when they were first announced).

Of course you can still install Windows 10.

3 Likes

I have a machine that meets the general hardware speed and storage requirements and has TPM 2.0 but the particular CPU is not supported.

The motherboard’s chipset does not support later CPUs that would qualify and I am not going to do a motherboard plus CPU upgrade on a 5 YO machine so I am right out of luck on this one.

If support for win 10 ceases in 2025 it looks like this PC will have to be replaced or I take the risk of going without OS upgrades and so far nobody can explain why.

1 Like

Microsoft, like most other software suppliers, does not want to keep testing, and warranting, their software on a plethora of various hardware combinations.

You can install Win11 on a PC that does not meet the hardware minimums with a registry setting, but say goodbye to regular maintenance updates.

So why bother. Keep to Win10 until 2025 then consider what to do.

If it is only 5 years old and has the TPM then it is very likely only a simple reg change to allow Win 11 to be installed. I have created the reg file content for the MS change if anyone wants to use it. It can be saved by opening up a new txt document in Notepad and copying the lines as is into the new file; when saving, save with a name that makes sense, e.g. WindowsBypassTPMorCPU, and save it with a .reg extension (make sure it does not end up with a .txt extension as this will not work), so it looks like this for the name: WindowsBypassTPMorCPU.reg.

The lines needed are

Windows Registry Editor Version 5.00

; Key path must be in square brackets and the value line must use straight quotes,
; otherwise regedit rejects the file. dword:00000001 = REG_DWORD 1.
[HKEY_LOCAL_MACHINE\SYSTEM\Setup\MoSetup]
"AllowUpgradesWithUnsupportedTPMOrCPU"=dword:00000001

To install once the reg file has been created, double click the file and accept the UAC warning. It will then place the needed info in the registry.

At this point in time there are no restrictions on receiving updates if this has been used; there is just a warning that at some point it may happen.

3 Likes
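Added example, not the poster’s .reg file: the same override applied and then read back from an elevated PowerShell prompt, with an -Undo switch to remove it again. The key path, value name and REG_DWORD type are the ones Microsoft documents for this override; the function names and the admin check are this script’s own. Reading the value back matters because a .reg line typed as "Name"="1" (quotes around the 1) creates a REG_SZ rather than a DWORD, and the read-back below flags that. One caveat from Microsoft’s own page on this key: it is an in-place upgrade override for machines that have at least TPM 1.2 and/or an unlisted CPU; it is not a substitute for a missing TPM.

```powershell
# Added example: apply, verify and undo the Windows 11 upgrade override.
# Requires an elevated PowerShell session (HKLM\SYSTEM is not writable otherwise).

$MoSetupKey = 'HKLM:\SYSTEM\Setup\MoSetup'
$ValueName  = 'AllowUpgradesWithUnsupportedTPMOrCPU'

function Get-Win11UpgradeOverride {
    # Report what is actually in the registry rather than trusting the write.
    $item = Get-ItemProperty -Path $MoSetupKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'not set' }
    $kind = (Get-Item $MoSetupKey).GetValueKind($ValueName)
    if ($kind -ne 'DWord') { return "set but wrong type ($kind); must be REG_DWORD" }
    $v = $item.$ValueName
    if ($v -eq 1) { return 'enabled' } else { return "set to $v; must be 1" }
}

function Set-Win11UpgradeOverride {
    param([switch]$Undo)

    $id      = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin = (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
                   [Security.Principal.WindowsBuiltInRole]::Administrator)
    if (-not $isAdmin) { throw 'Run this from an elevated PowerShell session.' }

    if ($Undo) {
        Remove-ItemProperty -Path $MoSetupKey -Name $ValueName -ErrorAction SilentlyContinue
    } else {
        # MoSetup normally exists once the machine has run a feature update;
        # -Force creates it if it does not and is harmless if it does.
        New-Item -Path $MoSetupKey -Force | Out-Null
        New-ItemProperty -Path $MoSetupKey -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    }
    return Get-Win11UpgradeOverride
}

Set-Win11UpgradeOverride            # prints 'enabled' on success
# Set-Win11UpgradeOverride -Undo    # removes the value; prints 'not set'
```

The .reg file in the post and this script put exactly the same value in the same place; the only thing the script adds is the read-back, which is what you want before starting a 20 GB download of Windows 11 setup.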

Thanks, I will and re-assess nearer the deadline and look at the consequences then.

The immense number of possible combinations of hardware and software that are possible for the platform has been known for some time. I am not suggesting they have to test my system or warrant it for win 11, just keep supporting the OS that works well with it for longer.

MS save money by no longer supporting that version but it costs me money and the environment resources to deal with the consequences. Given that hardware becomes obsolete so quickly it is galling that hardware can be made obsolete before the end of its life by corporate power, not because it is unable to provide good service.

2 Likes

Yes, keep using Win10, but I suggest not leaving it until the last minute to decide what to do when it runs out of support. You have 18+ months - use the time to check out the options, make an informed decision, and (if necessary) learn about how to use whatever you’ve chosen.

Options I know of at present include

  • Update to Windows 11 anyway. As others have pointed out earlier, one can bypass the hardware restrictions and install or update to Win11 on hardware that doesn’t meet the spec. It runs perfectly well on more limited hardware, just doesn’t have the advanced security measures - which are the reasons for the tightened hardware spec. Windows 11 should activate with the machine’s Win10 license, if it had one. If it doesn’t activate automatically, you can give it any valid Win10 or Win11 license key that’s not currently in use (new or from another machine). It does get routine security and bugfix updates - Windows Update doesn’t check that the hardware’s up to spec, except when applying a major update like 22H2 to an earlier version.
    A useful reference: How to install Windows 11 on almost any unsupported PC | XDA Developers
  • Keep using Windows 10 and don’t worry about updates. The system won’t continue to get security patches and bugfixes, but it will continue to work. Pros: you can keep using the interface and apps you’re accustomed to. Cons: security risks aren’t being addressed; the likelihood that future versions of your apps and new apps you want to adopt won’t be compatible with Win10.
  • Switch to Linux on the existing hardware. It takes a little courage and some technical skills (or a helpful techo friend) to install and configure Linux. Pros: Linux itself is free, and older and more limited hardware continue to be supported. Cons: learning your way around a different user interface; Windows apps you want to keep using but won’t run on or don’t have versions for Linux (Wine doesn’t work for every app) - you’ll have to find and adjust to alternatives; there might not be Linux drivers for all of the accessories you were using with Windows.
  • Acquire Windows 11-capable hardware. Pros: all your accessories and Windows apps should continue to work (I haven’t found any that worked with Win10 but not Win11); the interface is not that much different. Cons: Cost! You have to shell out for hardware.
  • Jump ship to Apple OSX. :wink: Pros: a lot of Windows apps come in Mac versions as well, and for paid ones the Mac version might have been included in the price, so there might be fewer app compromises needed than with Linux. Cons: Cost again! You have to buy an Apple device; the user interface is quite different from Windows, so could be a steep learning curve; existing accessories might not slot into the Apple environment.

Hope that helps …

2 Likes

With support there are generally three issues.

  1. Features. New features would cease to be rolled out. Possibly already the case with Win10, as the preferred version is Win11 with the new features.
  2. Bug fixes. These would continue until end of life, and possibly after. But one may have to buy extended support.
  3. Security fixes. These should continue as a matter of practice, as older systems could well affect newer systems and should be fixed for free.

And environmental considerations.

Perfectly good hardware goes to “the tip”. It’s a waste of resources.

Like others, I accept that eventually old hardware becomes unusable. But neither of the two implied issues here (Microsoft licensing; TPM 2.0) makes a compelling argument that the hardware being discussed here is unusable, and should be thrown out.

You can completely ignore the TPM. It can be there and not used. Yes, there is a small loss in functionality in doing that. (There was much more loud screaming about the fact that the BIOS/UEFI implementation doesn’t allow you to boot Linux / doesn’t allow you to boot Linux except when code signed by Microsoft is included in the system - but that is separate from TPM.)

You can also use a discrete TPM, as I do on one of my computers. So whether the computer itself comes with a built-in TPM is neither here nor there. That’s not going to catch on in the Wintel world though because the TPM is already there from Intel and Windows will use it.

As an aside, you can also use an external monitor (and/or keyboard and/or mouse) for when you need to do something like mowing acreage. :wink:

(Being able to connect an external monitor to e.g. a smartphone is relatively new e.g. last 5 years.)

As you say though … choose the type of hardware that works for what you need to do.

That may have been what I was misremembering.

Could that be considered somewhat misinformation?

As I understand it, this is only if Secure Boot is enabled, and if disabled the distro can boot the machine. As for Linux distros that want to use signing, MS almost freely ($99 for as many distros as you want signed) offer the signing service; there are just some non-difficult steps to go through to prove they are official and that it is bug free. If no one likes using MS then they can always fork out the money and time to become a signing authority; Canonical also provide a dual-signed shim that can be run using hardware certs from Canonical CA, and finally you can enrol your own key and use a self-signed shim instead of the MS one.

From SecureBoot - Debian Wiki:

"What is UEFI Secure Boot NOT?

UEFI Secure Boot is not an attempt by Microsoft to lock Linux out of the PC market here; SB is a security measure to protect against malware during early system boot. Microsoft act as a Certification Authority (CA) for SB, and they will sign programs on behalf of other trusted organisations so that their programs will also run. There are certain identification requirements that organisations have to meet here, and code has to be audited for safety. But these are not too difficult to achieve.

SB is also not meant to lock users out of controlling their own systems. Users can enrol extra keys into the system, allowing them to sign programs for their own systems. Many SB-enabled systems also allow users to remove the platform-provided keys altogether, forcing the firmware to only trust user-signed binaries."

"Shim

shim is a simple software package that is designed to work as a first-stage bootloader on UEFI systems.

It was developed by a group of Linux developers from various distros, working together to make SB work using Free Software. It is a common piece of code that is safe, well-understood and audited so that it can be trusted and signed using platform keys. This means that Microsoft (or other potential firmware CA providers) only have to worry about signing shim, and not all of the other programs that distro vendors might want to support.

Shim then becomes the root of trust for all the other distro-provided UEFI programs. It embeds a further distro-specific CA key that is itself used as a trust root for signing further programs (e.g. Linux, GRUB, fwupdate). This allows for a clean delegation of trust - the distros are then responsible for signing the rest of their packages. Shim itself should ideally not need to be updated very often, reducing the workload on the central auditing and CA teams.

For extra trust and safety, from version 15 onwards the shim binary build is 100% reproducible - you can rebuild the Debian shim binary yourself to verify that no unexpected changes have been embedded in this key piece of security software.

MOK - Machine Owner Key

Generalities

A key part of the shim design is to allow users to control their own systems. The distro CA key is built in to the shim binary itself, but there is also an extra database of keys that can be managed by the user, the so-called Machine Owner Key (MOK for short).

Keys can be added and removed in the MOK list by the user, entirely separate from the distro CA key. The mokutil utility can be used to help manage the keys here from Linux userland, but changes to the MOK keys may only be confirmed directly from the console at boot time. This removes the risk of userland malware potentially enrolling new keys and therefore bypassing the entire point of SB."

From a Fedora thread, written by a mod there, AdamW:

"From reading some posts elsewhere, there was commentary that Microsoft is putting constraints on what software Linux can install with Secure Boot active. Is there anyone who can comment on the restrictions.

You can already expect that Secure Boot support for Linux will not take place until after Christmas, as it is not in Microsoft’s interest to move more quickly.

I for one can’t understand the delay, apart from having to accommodate Linux as a competitive product. If MS is concerned about security, the W7 and W8 systems should have been installed with encrypted file systems.

Please… Comments… Thank you.

Summary: no, not really. All PCs bought before Windows 8 was preloaded don’t have to worry about SB at all. All SB-enabled PCs (Windows 8 preloads) should run Fedora 18 and other soon-to-be-released distros out of the box, and should have an option to disable Secure Boot in the firmware config if you want to install F17 (or other older distros) or not have the Secure Boot restrictions in place.

Long explanation:

So Secure Boot is a single optional feature of recent versions of the UEFI firmware specification.

UEFI - UEFI - Wikipedia

UEFI is an industry standard replacement for the BIOS firmware specification which has been under development for several years (maybe a decade at this point, I forget). Fedora has supported UEFI (to a degree, support for specific systems is often bugged) since Fedora 12. Many UEFI-capable systems have been released into the market with no Secure Boot feature, including all Intel Apple systems and many others. I am typing this on one - if you have an Asus P8P67 motherboard, you have one too. Please, please, please do not confuse UEFI with Secure Boot.

Secure Boot is a feature of the UEFI spec since version 2.2. I believe it’s not required by the UEFI spec; the UEFI spec really just describes all the various standardized elements, it doesn’t prescribe which must be implemented (I’m willing to be corrected on this), and you can implement a viable UEFI firmware without it.

What the Secure Boot section of the UEFI spec does is define a mechanism by which the firmware can maintain a store of cryptographic keys for code signing and verification purposes. It defines how code to be executed from the firmware environment - and code executed from the running system with the capability to affect the firmware - can be signed and how a firmware implementation can check that signature against the list of keys it maintains, and refuse to run the code if it is not signed by a key in the list. It defines the ways in which the key database can be changed, and describes a mechanism for enabling or disabling the function.

This is all it does. It does not prescribe any particular way in which this function might be used. It does not prescribe any particular keys which must or must not be on the list, or any system for anyone to determine what keys to put in their list. It just describes a code signing mechanism for the firmware environment.

Secure Boot is not just a Microsoft Evil Plot. Microsoft is one of the industry bodies that supported it, but it has much wider support. There is general agreement among those who spend a lot of time thinking about firmware that signing and verification of the firmware executed boot chain is a Good Thing to have in various circumstances, and that’s really all SB implements. SB does genuinely improve security against certain types of attacks - those that target the boot chain. Such attacks do exist in the wild and though there are not a lot of them, they’re a very dangerous class of attacks, because the booted OS is essentially at the mercy of the boot chain, it has no way to defend against attacks from that vector or verify its integrity. (As mentioned below, one use of this attack vector is actually to bypass some of Windows 7’s anti-piracy mechanisms…)

Now let’s switch focus to Microsoft. Microsoft considers secure boot a valuable mechanism and wishes to ensure it is used on Windows systems. They say this is for the purpose of securing deployments against malware. There are various conspiracy theories to the effect that that’s just a smokescreen and they’re really pushing Secure Boot as a way to inconvenience competing operating systems. My personal opinion is that the conspiracy theories are a load of bullcrap and the real reason is exactly what Microsoft says it is, plus a little anti-piracy (the most common techniques for pirating Windows 7 would be blocked by mandatory Secure Boot, though no doubt others would emerge). Microsoft has been making a genuine and enthusiastic effort to get less terrible at defending against malware in the last decade or so, they’ve done a not-bad job, and their interest in SB is a natural extension of that. They could have pushed SB in a way which would be much more inconvenient for other OSes, but - at least after some negotiation - they are not doing so.

So anyway. What is it that Microsoft is doing exactly? First off, Microsoft is acting as an SB signing authority. That’s nothing unusual - anyone can up and start signing code. mjg59 is working on utilities to let you self-sign your bootchain code with a key you self-enrol in your firmware, if you like to twiddle. Moving on.

Microsoft has these things called ‘hardware certification requirements’. They’re a long laundry list of requirements that, if you are a hardware manufacturer / distributor, you have to meet in order to slap those shiny Windows stickers on your machines and qualify for discount OEM pricing for your Windows preloads. If you don’t meet the requirements, no Microsoft certification, no OEM pricing. Microsoft can’t stop you buying truckloads of copies at retail and preloading those, but you won’t be officially certified, and that will of course be far more expensive. And you won’t get access to Microsoft’s testing programs, which are pretty useful for integrators. So, in practice, virtually everyone who builds and sells PC hardware - consumer or enterprise - follows the certification requirements for the machines they sell with Windows preloaded, which as we all know is ‘most of them’.

In the hardware certification requirements for Windows 8 and Windows RT (the correct name for ‘the ARM version of Windows 8’), Microsoft has included requirements relating to Secure Boot.

For Windows 8 - that’s x86(64) platforms, remember, the requirements can be stated thus:

  • Secure Boot must be enabled by default
  • The Microsoft key must be enrolled by default
  • It must be possible for the user to disable Secure Boot

For Windows RT - that’s only ARM, remember - the requirements can be stated thus:

  • Secure Boot must be enabled by default
  • The Microsoft key must be enrolled by default
  • It must not be possible for the user to disable Secure Boot or enrol their own keys

The Windows 8 requirements contain an obvious concession to non-Windows OSes: the mandated ability to disable SB. I believe this was added as a result of negotiations with other OS vendors, but I’m not a party to those so I can’t tell you for sure. Note also that it does not mandate, for instance, that no other keys be enrolled by default. A theoretical system with Microsoft’s key, a Red Hat key, a Novell key, and a Slackware key all enrolled in the default key list could happily pass Microsoft’s requirements. The way the requirements are worded intentionally left the door open for other SB signing authorities to be created, and for their keys to be enrolled on machines pre-installed with Windows.

The Windows RT requirements are significantly tighter and, in practice, boil down to ‘if you buy a Windows RT certified device, you’re probably only going to be able to run Windows RT on it, unless the hackers figure out how to break the locks’. Bear this in mind if you’re thinking of buying a Windows RT device. I know I’m not going to. It is worth pointing out that Microsoft is no kind of monopolist in the ARM device market - tablets, etc - and that competing devices tend to be similarly locked down (iDevices and most Android tablets come with locked bootloaders). You can certainly buy non-Windows RT ARM devices if that’s what you want.

So, back to our SB-on-Intel story. The ultimately agreed-upon arrangement for SB, as I noted above, intentionally left the door open for parties other than Microsoft to act as public signing authorities for Secure Boot. It’d be perfectly possible in theory for Red Hat or any other Linux vendor, or for a non-profit like the Linux Foundation, to step up and say they’ll be a public SB signing authority, that you can send your code to them for verification and signing, and ask (or try to require) hardware manufacturers to include their key in their firmware implementations - just what Microsoft has done.

In practice this has not happened. Basically, it’s a difficult job for no reward and no-one really wants to do it. By signing other people’s code you are taking on risk you don’t actually need to take on - you’re effectively staking your reputation on an assertion that that code is good code, you’re asserting to others that they can trust the code. Doing this kind of thing is a difficult and rather thankless job that no-one particularly wanted. When you’re doing it for, say, websites, you at least have volume on your side - companies that issue SSL certs for websites (which is a similar kind of job) make money by charging for each cert, and they need volumes in the hundreds of thousands, I guess, to make that worthwhile. There are, oh, let’s say, maybe 100? 500? entities in the world which might possibly be interested in getting the boot chain of their operating system signed by an SB signing authority, and only maybe 5-10 of them could afford to pay a realistic ‘market rate’ for that service. All the others can’t. What I’m saying, in a longwinded way, is there’s no money in being an SB signing authority, but it involves taking on an element of risk. It would have to be done essentially as a public service.

So what happened? Well, guess - no-one actually wants to be a public SB signing authority. Red Hat doesn’t - we really don’t need the organizational overhead, plus it would open us up to charges that we were trying to dominate the Linux world (even more than we already get accused of that anyway) by being the SB gatekeeper for all of Linux. The Linux Foundation thought about it, but demurred. No-one else wants to do it either.

So in reality, the only public SB signing authority is Microsoft. This isn’t something Microsoft cleverly engineered or maneuvered everyone else into, it’s just an upshot of the basic economics of the whole deal. Microsoft didn’t put any roadblocks in the way of RH or the Linux Foundation or anyone else being an SB signing authority. They would’ve let it happen. It just didn’t happen.

Microsoft (in partnership with Verisign, which is actually doing most of the heavy lifting) is acting as a public SB signing service. It’s not going to make any money on this, it will actually lose money, quite a lot of it. It’s charging some nominal fee - like $100, I think - to have your code vetted and signed with the Microsoft key; it’ll cost Microsoft/Verisign far more than $100 per applicant to actually do the work. Microsoft is doing this because it recognizes it kinda has to, for publicity and possible legal reasons. It’s at least arguable that if it doesn’t sign other people’s code, Microsoft is effectively abusing its monopoly position in the OS market - I’m sure Microsoft would disagree and would fight any such allegation, but I’m equally sure it would be much happier for it never to come to that. Even if there wasn’t a legal case, the publicity result of not acting as a signing authority would be pretty terrible - there would be far more and far worse publicity even than there is with the current situation. So Microsoft is taking a nominal fee to sign other vendors’ code with its key, to try and defuse allegations of unfair competition, monopoly abuse etc. It hasn’t actually been legally compelled to do so or anything, it just chose to do so, which was obviously a sensible decision.

Ultimately what is going to happen with Linux and SB is that the next generation of distros - Fedora 18 and so on - will be signed with the Microsoft key so they will run out of the box on Windows 8-certified machines. That’s the bottom line. The exact mechanism that will be used here is somewhat clever - mjg59 came up with most of the design, and SUSE contributed a rather neat refinement, though the Linux Foundation now appears to be rather loudly attempting to claim the credit - but it’s a technical detail, really. That’s all you need to know in a nutshell. Right now, RH, Microsoft, SUSE and Canonical are enriching a bunch of lawyers to hammer out the exact agreement by which Microsoft will sign all of our boot chains, and that ought to be in place for the final release of Fedora 18 (and the next releases of the other distros). We were rather hoping it would be done for Beta, but it isn’t.

If your system doesn’t support Secure Boot - if it’s not a box you bought very recently with Windows 8 on it, it almost certainly doesn’t - you don’t need to worry about any of this at all. If you buy a Windows 8 preloaded system in the near future, you won’t be able to install Fedora 17 or other contemporary distros on it unless you manually disable Secure Boot (which you should be able to do from the firmware config interface), but you ought to be able to install Fedora 18 Final OOTB when it’s released (and similar contemporary distros). You can also simply disable SB from the firmware config if you don’t want to bother with all this stuff at all, as mentioned above, the Microsoft certification requirements mandate that you be allowed to do this (if you buy a Win8 machine and find you can’t disable SB, complain loudly to Microsoft and the vendor, as this is a breach of the requirements). If you boot with SB enabled, certain operations from user space which could affect the boot chain will be restricted - kernel modules have to be signed in order to be loaded, for instance. To remove these restrictions you will have to boot with SB disabled.

Sorry for the essay, but I really hope that finally clears this up, for some people at least."

4 Likes
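Added example, not part of the post or the Debian/Fedora text it quotes: the quoted material says Microsoft’s key is enrolled by default and that shim is signed by Microsoft so distros boot with Secure Boot on. On a second-hand Windows machine you can see which keys the firmware actually trusts before you try a shim-based Linux install, because Windows exposes the UEFI signature databases through Get-SecureBootUEFI. The script below walks the EFI_SIGNATURE_LIST structures in the db variable (layout from the UEFI spec: a 16-byte type GUID, three UINT32 sizes, an optional header, then entries of a 16-byte owner GUID followed by the signature data) and decodes every X.509 entry. The CA that signs shim is the "Microsoft Corporation UEFI CA 2011" (newer firmware may carry the "Microsoft UEFI CA 2023" as well), which is separate from the "Microsoft Windows Production PCA 2011" that signs Windows’ own boot manager; some business machines are shipped with only the Windows CA enrolled. Function names are this script’s own; run it from an elevated PowerShell prompt on a UEFI system.

```powershell
# Added example: list the X.509 certificates in the UEFI Secure Boot 'db' and
# say whether the Microsoft third-party UEFI CA (the one that signs shim) is present.
# Requires admin rights and a UEFI boot; Get-SecureBootUEFI throws otherwise.

$EFI_CERT_X509_GUID = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-UefiSignatureDbCerts {
    param([string]$Name = 'db')    # also works for 'KEK', 'PK' and 'dbx'

    $bytes = (Get-SecureBootUEFI -Name $Name).Bytes
    $certs = @()
    $off   = 0
    # EFI_SIGNATURE_LIST: SignatureType GUID(16) | SignatureListSize u32 |
    #   SignatureHeaderSize u32 | SignatureSize u32 | header | EFI_SIGNATURE_DATA[]
    # EFI_SIGNATURE_DATA: SignatureOwner GUID(16) | SignatureData (SignatureSize-16 bytes)
    while ($off + 28 -le $bytes.Length) {
        $type     = [guid]::new([byte[]]$bytes[$off..($off + 15)])
        $listSize = [BitConverter]::ToUInt32($bytes, $off + 16)
        $hdrSize  = [BitConverter]::ToUInt32($bytes, $off + 20)
        $sigSize  = [BitConverter]::ToUInt32($bytes, $off + 24)
        # Stop on a malformed list rather than reading past the buffer.
        if ($listSize -lt 28 -or $sigSize -le 16 -or $off + $listSize -gt $bytes.Length) { break }

        $pos = $off + 28 + $hdrSize
        $end = $off + $listSize
        while ($pos + $sigSize -le $end) {
            if ($type -eq $EFI_CERT_X509_GUID) {
                $owner = [guid]::new([byte[]]$bytes[$pos..($pos + 15)])
                $der   = [byte[]]$bytes[($pos + 16)..($pos + $sigSize - 1)]
                $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                $certs += [pscustomobject]@{
                    Variable   = $Name
                    Owner      = $owner
                    Subject    = $cert.Subject
                    Issuer     = $cert.Issuer
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
            }
            # Non-X.509 lists (e.g. SHA-256 hashes in dbx) are skipped but still walked.
            $pos += $sigSize
        }
        $off = $end
    }
    return $certs
}

function Test-ThirdPartyUefiCa {
    # True when a Microsoft third-party UEFI CA (2011 or 2023) is enrolled in db.
    $db = Get-UefiSignatureDbCerts -Name 'db'
    return [bool]($db | Where-Object { $_.Subject -like '*Microsoft*UEFI CA*' })
}

try   { $sbOn = Confirm-SecureBootUEFI } catch { $sbOn = $false }
"Secure Boot enabled: $sbOn"
Get-UefiSignatureDbCerts -Name 'db' | Format-Table Subject, NotAfter, Thumbprint -AutoSize
if (Test-ThirdPartyUefiCa) {
    'Third-party UEFI CA present: a Microsoft-signed shim should boot with Secure Boot on.'
} else {
    'Third-party UEFI CA absent: expect shim to be refused; disable Secure Boot or enrol your own key first.'
}
```

If the third-party CA is missing, many business firmwares have a setting along the lines of "Allow Microsoft 3rd Party UEFI CA" that adds it; if there is no such setting, the Debian text above describes the remaining options (disable Secure Boot, or enrol your own key and sign shim yourself).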