There's a difference between "stick in a USB key" and "fiddle with the BIOS in a vendor-specific way and then stick a USB key in". It's an extra hurdle.
If your instructions read: "turn off secure boot", MS has already won. Some users will, most won't, and many company IT departments would not allow you to on principle (because it's company hardware and they want it secured because it is their problem if it isn't).
This is an extremely weird argument. So-called Live CDs come from an era where CD drives were ubiquitous and even back then installing an OS (provided you did not want to install two OSes at the same time) was as simple as installing any other piece of software. If anything, with all these secure boot shenanigans it requires more skill to install an OS than when a smartphone was not even a thing. This argument advocates for walled-garden IT. This argument, used in support of restrictions, under the hood argues for IT stuff to be hard in principle.
Yes, the removal of CD/DVD-drives is as much of an obstacle to installing Linux as having to toggle a setting on a Windows-preinstalled machine that someone bought. You are also free to buy a SKU that doesn't come with a Windows license and Windows preinstallation.
Also please keep in mind that it's not Secure Boot you have to disable, it's a CA you have to re-enable on machines that came with Device Guard pre-enabled.
You miss the entirety of the point. Today you have a USB drive; nothing stops SOHO routers from starting a PXE server by default with the latest distros, which would be even easier to use. This is an artificial obstacle.
You keep arguing all over the place that this is an insignificant obstacle, but do not address the very core of the debate: whether only MS keys being installed by default is for security purposes in the first place and whether it does actually increase security. We are not arguing how many hoops to install Linux (or whatever) is too much. We are arguing whether certain OSes should be easier to install at all.
Don't bring it up as an obstacle if it's not an obstacle, that you're instead concerned about Microsoft's keys.
In that case though, it's not "only MS keys" really, it's not enabling one CA. In the end if there's a strong need, Canonical, Red Hat or the likes could start building their own CA and negotiate it to be included, would be very fair and probably wouldn't be affected by this toggle. But they do not seem interested however in the much easier MS UEFI CA-signed Secure Boot, Ubuntu does it fine, but Fedora can't sign DKMS modules and the rest are even worse.
So the thing is, the problem of "trust" is very complex and putting in the work is very expensive. Microsoft has chosen to do this to improve their customers' security, they offer others the opportunity to participate and few are actually willing. That's not their fault really.
In the end they'd get slapped so hard by antitrust if they ever truly removed that toggle and the option to run other software. (Unlike Apple or other mobile vendors, who can do whatever they wish, with no such uproar over what is way worse than the toggle discussed here.)
> Hurdle that doesn't matter at all. If you have the skillset to install an OS, changing a setting in UEFI is nothing.
That assertion is a bit too absolute; I am comfortable installing an OS using the USB installer because I have done it many times. I haven't had to change UEFI settings yet and I'm worried that doing something wrong will lock me out (in case of a botched OS install, I can just start over).