Friday 28 July 2017

Pro Tip: Beware of the Aftermarket Video Cards with Secure Boot


If you have some older video cards in your environment, you might not realize until deployment time that some of your systems will fail to display video, or that Windows will simply not use the card at all. The root cause is that older video cards are not Secure Boot compatible. To fix the issue, you have three paths that are all valid, but I believe each has to be evaluated carefully.

The first option is to remove the video card that wasn't supplied by the hardware vendor of the motherboard and use the onboard video. In some cases this might be satisfactory, but depending on your needs you may have to look at another option, such as disabling Secure Boot in the BIOS. Disabling Secure Boot is cheap, but it leaves your system unprotected against malware that infects the boot environment of your machine, so you have to question the value of such an approach in an enterprise environment.

A more expensive approach would be to modernize your hardware. This could be as simple as giving the user a new PC, because at this point, with Windows 10, most enterprise hardware has Secure Boot capability. The other choice is to replace the display card, but before buying that display card, you should evaluate the cost of a new card on hardware with a limited remaining lifespan versus purchasing a new system.

If you need to upgrade many machines, there might be more long-term value in getting these systems out of your fleet rather than accepting a reduced security posture or buying new hardware for a device that may only be in the fleet for another year. To make an informed decision, use tools such as System Center Configuration Manager to determine the affected systems through the hardware inventory data it can capture. To me, Secure Boot is a no-brainer that enterprises should enable by default with Windows 10.
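
A local PowerShell check that gathers the kind of data such an inventory would report, as an added example that is not from the original post. The function name, output columns and CSV path are assumptions; the script does not test whether a card is Secure Boot compatible, it only lists each machine's Secure Boot state next to its video adapters so the rows can be reviewed.

```powershell
# Added example (not from the original post). Run from an elevated prompt.
function Get-SecureBootVideoInventory {
    [CmdletBinding()]
    param()

    # Confirm-SecureBootUEFI returns $true/$false on UEFI systems. It throws on
    # legacy BIOS/CSM boots and when the session is not elevated, so both cases
    # are recorded as a state instead of aborting the inventory.
    $secureBoot = try {
        if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'Enabled' } else { 'Disabled' }
    } catch [System.PlatformNotSupportedException] {
        'NotSupported'
    } catch {
        "Unknown: $($_.Exception.Message)"
    }

    $system = Get-CimInstance -ClassName Win32_ComputerSystem

    # One row per video controller, so onboard and add-in cards both appear.
    Get-CimInstance -ClassName Win32_VideoController | ForEach-Object {
        [pscustomobject]@{
            ComputerName  = $env:COMPUTERNAME
            Manufacturer  = $system.Manufacturer
            Model         = $system.Model
            SecureBoot    = $secureBoot
            VideoAdapter  = $_.Name
            AdapterVendor = $_.AdapterCompatibility
            DriverDate    = $_.DriverDate
            PnpDeviceId   = $_.PNPDeviceID
        }
    }
}

$rows = Get-SecureBootVideoInventory

# Machines where Secure Boot is not enabled are the ones to review against
# the installed adapter before deployment.
$rows | Where-Object { $_.SecureBoot -ne 'Enabled' } |
    Format-Table ComputerName, Model, SecureBoot, VideoAdapter, AdapterVendor

# Hypothetical output path; collect the CSVs centrally to compare the fleet.
$rows | Export-Csv -Path .\secureboot-video-inventory.csv -NoTypeInformation
```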