Secure boot is a feature supported by the use of special UEFI (Unified Extensible Firmware Interface) firmware. It prevents malware attacks which occur between a computer's initial boot process and the operating system taking control. Support for UEFI has been in Windows for a while.
In Windows 8 Microsoft decided to go a step further, at least with their OEM partners. Computers sold with Windows 8 must have UEFI firmware to pass Windows Certification, and secure boot must be enabled by default. All of that seems fine. Secure boot is good, and turning it on by default makes sense.
What's confusing is why you would forbid the tablet's owner from disabling it. Sometimes you may want to run software, like an operating system installer or antivirus scanner, without secure boot getting in the way. In fact, when Microsoft first announced the secure boot requirement, it caused enough of an uproar for Steven Sinofsky, head of the Windows division, to address it personally:
"There have been some comments about how Microsoft implemented secure boot and unfortunately these seemed to synthesize scenarios that are not the case so we are going to use this post as a chance to further describe how UEFI enables secure boot and the options available to PC manufacturers. The most important thing to understand is that we are introducing capabilities that provide a no-compromise approach to security to customers that seek this out while at the same time full and complete control over the PC continues to be available."
Tony Mangefeste of the Ecosystem team provided more details, and his denial seemed even clearer:
"At the end of the day, the customer is in control of their PC. Microsoft's philosophy is to provide customers with the best experience first, and allow them to make decisions themselves. We work with our OEM ecosystem to provide customers with this flexibility. The security that UEFI has to offer with secure boot means that most customers will have their systems protected against boot loader attacks. For the enthusiast who wants to run older operating systems, the option is there to allow you to make that decision."
There was also a screenshot from the tablet Microsoft gave away to developers at the BUILD conference last year; however, that tablet has an Intel processor. Even under their recently released guidelines that would be allowed. It looks like Mangefeste may have pulled a fast one. He only mentioned PCs, and depending on your definition that may not include ARM-powered tablets, or in fact any tablets at all.
So was this intentional deception? Is it an underhanded tactic to prevent you from installing another operating system? Microsoft isn't saying, but if you step back and look at the big picture, all the way from Windows 8 on a traditional PC to Windows Phone, maybe the answer is more obvious than it looks at first glance.
Comparing Windows Phone to Android last year, Steve Ballmer said, "You don't need to be a computer scientist to use a Windows phone." Initially his reaction to the iPhone wasn't nearly that polite. In fact, he famously laughed at the $500 phone with no keyboard.
Fast forward to last October, during the same interview where he called Android too complicated and the phones too cheap, he said the iPhone was. What changed in those 4 years?
As it turns out, you can trace Ballmer's love for Apple to the development of the Windows Phone Marketplace. In fact, just days before the Windows Phone Marketplace was unveiled at a developer conference, Ballmer shocked the world by paying the iTunes store a major compliment. He told an audience at the University of Washington, "Apple's done a very nice job that allows people to monetize and commercialize their intellectual property."
At the time it seemed like he was trying to get into Steve Jobs' good graces so Bing could replace Google Search on the iPhone. But looking back it seems clear that was a sign of Microsoft's plan to copy the Apple online store ecosystem, even down to using the Zune software for apps, just like Apple does with iTunes.
So what does that have to do with a tablet running Windows 8? The problem with Windows Phone is it's not well suited for tablets. It was cobbled together primarily from code Microsoft already had as a time saving measure. They had already wasted a lot of time trying to develop a competitive smartphone and had almost nothing to show for it. In fact, the underlying OS dates all the way back to 2006.
iOS, on the other hand, is a stripped down version of OS X, so it has much greater capabilities than Windows Phone. Essentially Windows 8 is Microsoft copying Apple's approach, except that the stripped down mobile version and full blown desktop interface can co-exist in a single installation.
But what if the ARM version only had the Metro UI and was only sold directly to tablet manufacturers? In other words, what if the plan was always to make it a stripped down version of Windows 8? It would seem to fit the general pattern of following Apple's lead.
That would seem to answer at least one of those questions. The secure boot requirement probably has nothing to do with installing other operating systems and everything to do with creating an Apple-style walled garden to sell apps and content.
And why would Microsoft be worried about users installing another OS? Windows 8 tablets are likely to be more expensive than normal. At the least you will be paying for a Windows license. And then you would want an OS with support for the extra buttons. Unless you planned to dual boot, it doesn't really make much sense.
As to whether Microsoft had this planned when they said users would be able to turn secure boot off, the answer is probably yes. Why would they ever plan to sell retail copies of the ARM version? You can't use it without a tablet designed for Windows 8, and those will already come with an OEM version installed.
Combine that with the lack of an ARM developer preview and the carefully worded statement above, and it looks like Microsoft has played a lot of people for suckers.