{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreieh6um6kqbfoykxs62nwfxrbqloijx6bbzdcz5jzai2fbjtrx3eqm",
    "uri": "at://did:plc:haakkg7y3xdghcdmprxeexso/app.bsky.feed.post/3mizbalbvbnd2"
  },
  "path": "/t/microsoft-abruptly-terminates-veracrypt-account-halting-windows-updates/36979#post_13",
  "publishedAt": "2026-04-08T19:55:31.000Z",
  "site": "https://discuss.privacyguides.net",
  "textContent": "> Does this mean that before Windows 11, app developers didn’t need MS’ permission to create apps that run on their platform?\n\nThere is a whole bunch of stuff and it evolved with time, not like Windows 11 made a revolution.\n\nWhen Secure Boot is enabled, UEFI will check whether your operating system bootloader is signed. Aka that it’s a valid bootloader for your system and not a possibly malicious one. It happened that the default certificate in UEFI is Microsoft’s one. The bootloader signing affects both Windows and Linux. I believe that most of the Linux bootloaders now use a small program called “shim” that is signed by Microsoft and passes the UEFI check, then simply redirects the loading process to an actual bootloader (e.g. GRUB2). I also believe that it is possible to install your own certificate into UEFI and use it for a Linux bootloader.\n\nAt some point in history Microsoft started to care about security a bit more. That’s when they started to enforce driver signing. Which makes sense - you don’t want the driver that runs in the kernel to be a malicious app.\n\nThere is app signing. It has a few use cases. It confirms that the app developer is not a nobody and the app deserves a bit of trust. Windows will bother you a bit less with SmartScreen (tho, you’ll still get it for just downloaded apps). The UAC window will be less alarming (light blue rather than yellow, and there will be an actual publisher stated in the window (instead of Unknown)). In my experience, it reduces the number of false positives antiviruses give you on your app (sometimes AV marks trustworthy apps as malicious by mistake - false positive). Signed software has some use for system administration - you can apply Software Restriction Policies to allow or deny running apps signed by a specific signer.\n\nI believe apps in the Microsoft Store shall be signed as well.\n\nI’m not sure how it is nowadays, but I believe that drivers and Windows Store apps are signed by Microsoft, standalone apps are signed by a certificate you purchased from a certificate authority. Bootloaders should be signed by Microsoft (as Microsoft’s certificate is the one stored in UEFI). Standalone apps could be signed by your own certificate. And in this case the user has to install that certificate beforehand, or to live with an “untrusted” app (you can install the app regardless). It’s a rather bad practice to install third-party certificates.\n\nIn Linux, repos are usually signed. App installation packages (like .deb, .rpm) could also be signed with GPG. So signing is not something Windows-specific. It also applies to Android and apps for Apple devices.",
  "title": "Microsoft Abruptly Terminates VeraCrypt Account, Halting Windows Updates"
}