Can't see a thread about this, and I found this a rather interesting news, so here it is:
https://rol.im/securegoldenkeyboot/ (an example why noScripts can be good... music, design, yeah, not great)
https://www.phoronix.com/scan.php?page=news_item&px=Secure-Boot-Golden-Key
http://www.theregister.co.uk/2016/08/10/microsoft_secure_boot_ms16_100/

Essentially what this means, as far as I understand it, is that the Secure Boot system is busted -- ironically by Microsoft themselves. That of course, means that you can install other operating systems on locked down systems, such as Microsoft phones and tablets. Most likely good news for criminals and hackers too. Industry espionage and stuff like that.

And, as the researchers mention in the first link, it *should* be an excellent example to FBI, NSA and politicians hollowing out privacy laws, that such golden keys (and whatever they choose to call them, essentially backdoors), is a Really Bad Idea.

Secure boot is not "busted", one of the key used by Ms is leaked, it just mean they will have to change it and provide the new one to manufacturer to include in their next Bios upgrade.

For PC it doesn't really change anything, it's just for older, WinRT based, devices that it can be interesting as it could allow to install any OS on them.

From what I've been reading, it doesn't work quite like that. It's more like a "the cat is out of the bag and we can't put it back in" kind of situation. They've already put out two patches trying to sort it out, without success, and a third is on the way.

The short end of what I'm reading, is a debug code was added in a release which includes policies that don't check for signed code in the boot manager, which then lets you bypass secureboot. The debug code was intended for testing devices and probably accidentally got compiled in.

On one hand this is good and on one hand this is bad. The good being you can forcibly unlock and reinstall a new OS on devices that MS has obviously stopped supporting, and are otherwise unable to be changed/updated. The bad, well if you actually wanted secureboot (which is probably unlikely) then it doesn't work.

Secureboot is primarily used on handheld and mobile devices, microsoft phone and tablets and the like, while the PC has the capability it's probably turned off.

Accidentally.

Right.......

Reminds me... has the nagware MS put into Windows 7/8 updates been taken care of yet?

It's "hard" for device where it's not easy or even possible to update the bios.

In the end it's like if one of the root certificates from a trusted SA used for SSL was compromised, you have to revoke it, create a new one, then recreate a new certificate for all certificates created using it, etc... it's doable, it's made for that, but it's not something you want to do everyday.