Re: [LUG] ThinkPad Laptops

On 12/07/2021 17:05, fraser kendall wrote:
> I have to set systems up the other way, although dual boot machines
> are pretty uncommon these days at least among my clients so it's not
> something I need to do very often. When I do, I make sure to go
> through the admittedly annoying checklist to make sure that all of
> the important stuff can stay set = ON (you want UEFI and Secure Boot
> enabled for both operating systems) to keep Win10 Pro happy and then
> Linux is predictably much easier to deal with and most sane distros
> won't have any problem installing and running alongside it.

This, I have saved for future reference.  Thanks


Do you want any further advice/instructions on this or are you happy to leave things as they are? It sounds like you don't particularly care about the Windows bit at all which is fair enough - on a laptop with presumably a single 512Gb space limited drive I wouldn't either. In fact I'd go further and trash the Windows install entirely to free up the entire disk for Linux and have a cleaner system without the dual-boot headaches.

Tips from the trenches of IT support:

1: The Win10 Pro image Lenovo dropped on your system is as good as useless to be honest and should be considered unusable. It might not have Superfish on it any more but Lenovo have a terrible and deserved reputation - even more so than most OEMs - of bundling so much crapware and security liabilities that you should consider the default install as rooted*.

2: The only thing you want from that Win10 image is the Pro license key. Because of the way things work in the modern world you almost certainly won't have the actual key accessible to you in any normal form (like on shrink wrapped packaging with the bundled install media for example - those days are gone). So to get the key you'll need to extract it from the Windows install itself, by booting it or accessing it from Linux...

3: ...but it's questionable if that is even worth it. A Win10 Pro license key is available for £10-£15 easily and when I'm faced with this issue it would cost the user considerably more to pay for the hour or two of my time required to do this vs just buying a new key and abandoning the old one. You may feel differently as I'm offering you free advice rather than billing you per hour to fix your stuff! For a home user it's often worth the hassle to DIY, even for just a few quid.

4: However, you don't need to bother: Lenovo embedded the Win10 key into your firmware for you. Specifically, they embedded it into the UEFI which of course you have disabled, making it inaccessible. To make this clearer: if you wiped your internal drive completely or installed a new fresh one, re-enabled the UEFI in firmware (which you really, really should NOT have disabled) and then ran a generic Win10 installer on it, your system will automatically re-register and license itself using the embedded license key. Make sense?

* Here's a super fun fact for everyone: preinstalled Win10 images, even Pro ones like this, are backdoored for you, straight out of the box. This is because the entire secure chain is on by default and BitLocker is already activated and running even from the first boot. Win10 Pro will transmit your BitLocker recovery key to Microsoft for escrow purposes! Needless to say I personally don't have any faith that Lenovo haven't also helped themselves to a copy as well. You can - and should - verify this for yourselves though, don't take my word for it. We sysadmins have a fun job working around this which at scale is managed for bigger organisations with AD infrastructure, sysprep images and so on. For smaller units or individuals there is a simple but extremely annoying and quite time consuming fix that you MUST implement before putting an OEM install into production. Entirely disable all Windows Cloud integration stuff, completely unencrypt and disable the existing BitLocker encryption (the keys are escrowed with other parties behind your back remember) and then carefully re-activate BitLocker and re-encrypt the entire drive again, this time making sure the recovery keys remain in your control. Implications for GDPR are profound otherwise: your "secured" Win10 fleet is using encryption that is easily defeatable by parties with access to the escrowed key and that's going to include Microsoft and your OEM at a minimum.

For this reason primarily - and because OEM bloatware can die in a fire - I nuke all OEM preinstalled images and reinstall a clean default image from scratch. ALWAYS, no exceptions ever. Just grab the key first if you need it or don't want to have to extract it from the firmware.

This is all technically [OT] of course but to be fair dual booting in the specific context of Linux usage was the trigger for this and I know plenty of LUG users do use more than just one operating system on a daily basis so this stuff is good to know. And you did ask :]

After all that I didn't really give you much practical advice though, so here it is:

1: Leave things as they are for now: if you're happy that way don't bother changing anything for the sake of it

2: Wait patiently and prepare for a complete rebuild in a few months when... Win11 & Debian11 both come out

3: When they drop, back up your system fully. Change firmware back, get back into your old Win10 install. Grab the license key anyway while you're there and flash all updated firmware (there will be a lot by then). You'll be needing the updated firmware for proper support.

4: Wipe the entire system. Set up firmware correctly with all the modern stuff ON and leave it that way, this isn't 1995 any more and BIOS, MBR, and non-secure boot are dead. UEFI, GPT, Secure Boot all belong ON.

5: Install Win11 from a clean ISO downloaded direct from Microsoft - it'll automatically register and activate itself using the valid keys in the UEFI. There are some tricks to this at the time to avoid it escrowing keys or forcing you into signing up/into Microsoft cloud nonsense but that's trivial to avoid at the time. Ask then.

6: Debian 11 needs to be installed second: it should have even better support by then for the UEFI/Secure Boot/etc stuff and should get you around the issue you mentioned that drove you to Sid this time as well. Presumably you'll encrypt that as well on disk.

7: Post install if you want you can configure both operating systems to easily access the on-disk contents of the other, encrypted or not.

Apologies to all for another [OT] Wall of Text, they seem to be my speciality for some reason ¯\_(ツ)_/¯

I'm going to weigh in on the other current Lenovo buying discussion as well in a bit which I'm sure you all can't wait for. Predictably I disagree with everyone so far...
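Two of the checks above, as an added PowerShell example that is not part of this thread: reading the firmware-embedded licence key (item 4) and auditing, then re-creating, the BitLocker protectors so the recovery password stays under your own control (footnote *). The function names and the recovery-key file path are my own choices; it assumes an elevated PowerShell session on a Windows Pro install with the BitLocker module present.

```powershell
# Added example, not from the original post. Run elevated on the OEM install.
# Function names and the $KeyFile path below are my own choices.

# Item 4: the OEM key lives in firmware (the ACPI MSDM table), which Windows
# exposes through the SoftwareLicensingService class.
function Get-FirmwareProductKey {
    $svc = Get-CimInstance -ClassName SoftwareLicensingService
    if ([string]::IsNullOrEmpty($svc.OA3xOriginalProductKey)) {
        return $null    # no OA3 key in firmware: not an OEM-licensed machine
    }
    return $svc.OA3xOriginalProductKey
}

# Footnote *: list every key protector on every volume so you can see which
# recovery passwords already exist (i.e. were created before you owned the box).
function Get-BitLockerProtectorReport {
    foreach ($vol in Get-BitLockerVolume) {
        foreach ($kp in $vol.KeyProtector) {
            [pscustomobject]@{
                Volume        = $vol.MountPoint
                Status        = $vol.VolumeStatus
                Protection    = $vol.ProtectionStatus
                ProtectorType = $kp.KeyProtectorType
                ProtectorId   = $kp.KeyProtectorId
            }
        }
    }
}

# The post's fix: fully decrypt, then re-enable with a fresh recovery password
# plus TPM protector. This rewrites the whole volume, so read it before running.
function Reset-BitLockerUnderMyControl {
    param([string]$MountPoint = 'C:', [string]$KeyFile = 'E:\bitlocker-recovery.txt')
    Disable-BitLocker -MountPoint $MountPoint
    while ((Get-BitLockerVolume -MountPoint $MountPoint).VolumeStatus -ne 'FullyDecrypted') {
        Start-Sleep -Seconds 30     # decryption runs in the background
    }
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
        -RecoveryPasswordProtector -SkipHardwareTest
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector
    $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'
    # Keep the new recovery password on media you control, not in a cloud account.
    "$($rp.KeyProtectorId) $($rp.RecoveryPassword)" | Set-Content -Path $KeyFile
}

Get-FirmwareProductKey
Get-BitLockerProtectorReport | Format-Table -AutoSize
```

From Linux the same firmware key can be read from the ACPI MSDM table at /sys/firmware/acpi/tables/MSDM, which is the "accessing it from Linux" route item 2 mentions.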
--
The Mailing List for the Devon & Cornwall LUG
https://mailman.dcglug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq