Hi,
After installing Windows, without my approval, secure boot keys are sent to a remote server. They are then accessible from the well-known /myrecoverykey URL.
I find this not only inadvisable, but believe that the PKI involved in the process is anything but secure, and wish to stop it.
In fact, this is one of the reasons why I would have appreciated BD having an option to install its EDR while offline, because as soon as I connect my newly installed machine to the internet, it does a crazy amount of shady stuff, among which:
- sends secure boot keys to Microsoft (??)
- updates Windows apps despite having updates paused or disabled
- blocks you from using Windows until it fetches updates, and the only way to disable it is by modifying the image or doing weird registry hacks
- essentially forces (me) to log into my Microsoft account and validate my 2FA on a newly installed machine which isn't even secured yet
- at first, booting the device into Microsoft Defender Offline Scan immediately prompts for my secure boot key again, as if somehow Microsoft Defender is a product made by people inside Microsoft who have no authorization to install modules that run below user level in the first place, even though it's advertised as being a built-in, strong security product
- many Microsoft Defender flags are disabled on the first boot, before it begins updating, such as memory randomization
Actual question:
Is there a way to install BEST without a connection to the internet? Maybe by passing the installer some flags? How do I exit the interface which asks me to update and sign in after install? (Excuse me for not being an IT system administrator and paying virtuously senseless amounts for products that allow me to do this, but doesn't this sound like common sense, to allow a user to do it without corporate hacks?)
Is there a planned date when such a thing will be available? This way, I can let the EDR do introspection on the shady PKI handshakes after booting from stick.
Do you have any tips for people like me who want to begin securing the Windows installation straight after install, without being forced into some corporate gatekept Ponzi scheme of updates and forced policy?
I hope my expressive language didn't upset anyone 😄
And best regards