Comment by Macha
14 hours ago
This was a constant problem with late Intel Macs where I was working at the time, to the point that people started explicitly shutting down often enough that security complained it was slowing down their patch rollouts.
Had some Slack discussions with security about how their need for a green metric on patch deployment time doesn't entitle them to introduce a fire hazard to my personal residence...
Yeah, the problem is that on Windows 10/11, if you have modern standby enabled and have fast boot enabled, then shutdown puts the system into standby.
Do you have more info on this? It’s not at all the behavior I observe. After I shut down windows, which I do basically every time I use it since I usually use Linux on that machine, it is completely off. Turning the pc on boots Linux (it’s first in the boot order).
It has modern standby and most of its other defaults, which I know because if it goes to sleep it doesn’t: the fan stays on and it never gets cold to the touch despite the blinking power led. The other day it randomly installed the windows update and rebooted because I found it waiting for the LUKS pin.
It's usually referenced as "Hybrid Shutdown" in Microsoft documentation.
https://learn.microsoft.com/en-us/windows/win32/power/system...
> "Note: In Windows, fast startup is the default transition when a system shutdown is requested. A full shutdown (S5) occurs when a system restart is requested or when an application calls a shutdown API."
Technically it's entering a "hybrid" S4 hibernation with S0 standby after all users have been logged out. To bypass it you need to press Shift while clicking Shut down, run the `shutdown /s /t 0` command, or disable Fast Startup. You can tell that you didn't do a true S5 shutdown because the system's uptime will not reset.
But disabling Modern Standby in your BIOS will also disable it, because Windows' power management logic is set during installation. With Modern Standby enabled, Windows tries to be always on and always connected. When you disable Modern Standby, Windows doesn't entirely change its logic so much as it notices it can't send the same power state commands, so it reverts to S5 shutdown.
I chose to disable it in BIOS because Microsoft can't really turn it back on when I do it that way. Because the thing is... I disabled Fast Startup after the second time it happened. But some Microsoft updates re-enable Fast Startup, and it's not hard to find forum posts complaining about that.
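As an added illustration of the checks described in the comment above (this is my own example, not code from the commenter or from Microsoft), here is a PowerShell snippet that reads the Fast Startup flag, reports kernel uptime so you can see whether the last "shutdown" actually reset it, and re-applies the disabled state for use in a scheduled task, since updates are reported to flip it back. The registry path and the `HiberbootEnabled` value are the documented location of the Fast Startup setting; the function names are my own, and changing the value needs an elevated prompt.

```powershell
# Added example, not from the thread. Assumes Windows 10/11; changing the value needs an
# elevated (Administrator) PowerShell. Function names are my own.
$PowerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power'

function Get-FastStartupState {
    # HiberbootEnabled = 1 means "Shut down" performs a hybrid shutdown (the kernel session
    # is hibernated), not a full S5 power-off. A missing value usually means hibernation is off.
    $item = Get-ItemProperty -Path $PowerKey -Name HiberbootEnabled -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'unset' }
    if ($item.HiberbootEnabled -eq 1) { 'enabled' } else { 'disabled' }
}

function Get-KernelUptime {
    # A hybrid shutdown resumes the same kernel session, so LastBootUpTime does not move.
    # If this is days old right after a "shutdown", you did not get an S5 shutdown.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    (Get-Date) - $os.LastBootUpTime
}

function Disable-FastStartup {
    # Either approach works; 'powercfg /h off' disables hibernation entirely
    # (and with it Fast Startup) and removes hiberfil.sys.
    Set-ItemProperty -Path $PowerKey -Name HiberbootEnabled -Value 0 -Type DWord
    # powercfg /h off
}

function Assert-FastStartupDisabled {
    # Suitable as the body of a scheduled task or a config-management check: some updates
    # turn the flag back on, so re-apply and report rather than trusting the setting once.
    if ((Get-FastStartupState) -eq 'enabled') {
        Write-Warning 'Fast Startup was re-enabled; turning it off again.'
        Disable-FastStartup
        return $false
    }
    return $true
}

"Fast Startup: $(Get-FastStartupState)"
"Kernel uptime: $((Get-KernelUptime).ToString('d\.hh\:mm\:ss'))"

# Full (S5) shutdown right now, regardless of the setting:
#   shutdown /s /t 0
# Explicit hybrid shutdown (what the Start menu does when Fast Startup is on):
#   shutdown /s /hybrid /t 0
```

Run it once before and once after a Start-menu "Shut down": if the reported uptime is unchanged, the machine hibernated its kernel session rather than powering off, which is exactly the behaviour the comment describes.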
Look up 'Fast Startup'. It's a thing since Windows 8. It's a curse onto humanity.
> Had some slack discussions with security about how their need for a green metric on patch deployment time doesn't entitle them to introduce a fire hazard to my personal residence...
How did this part go down? I'm just curious because it reeks of entitlement and security theatre on their part.
It reminds me of an incident I had once at an old job, surprise, surprise, security related, where a moronic decision had been made by the combined DevOps and security team (putting aside how a separate DevOps team is a bad idea).
They had decided to use some "dependency security scanner" and if it found ANY, it would immediately disable the CI/CD build pipeline for that repository.
1) This could happen at any point within minutes/hours of some CVE being published. It would frequently block deployments.
2) It could not/would not take into account developer tooling vulnerabilities. Oh, your CSS library has a string DDOS vulnerability, where if someone makes a ginormous CSS file, the library will crash?
3) The CSS library does not reach a user's machine, and is run once, at build time. Either it passes and deploys, or it fails and does not deploy. Therefore, it was probably not even justifiably a CVE to begin with, but more importantly, we now cannot deploy. https://old.reddit.com/r/cybersecurity/comments/1622xia/cve2...
4) The build pipeline would be disabled for ANY type of vulnerability regardless of impact. Even low ratings.
5) Because this security ~~scam~~software did not care about nuance like that, we could not even deploy hotfixes, critical production fixes, bug fixes, or anything.
6) Because it would disable the pipeline within minutes of a CVE, there was never a fix or a newer version to upgrade a dependency to. We had to wait days or sometimes weeks for a new version to be released.
This lasted a couple of months before they were forced to remove all this crap.
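As an added example (mine, not the commenter's, and not tied to any particular scanner product), here is the kind of gate that would have avoided the failure modes listed above: it reads scanner findings and decides per finding based on severity, on whether the dependency actually ships in the artifact or is only used at build time, and on whether an upstream fix even exists yet, and it keeps an attributable break-glass path so hotfixes can still go out. The JSON shape, package names, severities, threshold and the `SECURITY_GATE_BYPASS_TICKET` variable are all constructed for illustration.

```powershell
# Added example, not from the thread. The scanner output shape, package names, severities and
# thresholds are constructed for illustration; map the fields to whatever your scanner emits.
$ScannerOutput = @'
[
  { "package": "css-minify-plugin", "version": "1.2.0", "severity": "medium",   "scope": "build",   "fixedIn": null    },
  { "package": "left-padder",       "version": "0.9.1", "severity": "low",      "scope": "runtime", "fixedIn": "0.9.2" },
  { "package": "http-router",       "version": "4.1.0", "severity": "high",     "scope": "runtime", "fixedIn": "4.1.1" },
  { "package": "yaml-loader",       "version": "2.0.0", "severity": "critical", "scope": "runtime", "fixedIn": null    }
]
'@
$Findings = @($ScannerOutput | ConvertFrom-Json)
$Rank = @{ low = 1; medium = 2; high = 3; critical = 4 }

# The policy the comment describes: any finding at all kills the pipeline.
function Test-GateBlockOnAnything {
    param([object[]]$Findings)
    return $Findings.Count -eq 0
}

# A policy that distinguishes what matters:
#  - only dependencies that ship in the artifact ("runtime") can block; build-time tooling is reported
#  - only findings at or above $Threshold block
#  - findings with no fixed version yet are tracked, not blocking (nothing to upgrade to)
#  - a break-glass variable lets a hotfix through, but only with a ticket reference that gets logged
function Get-BlockingFindings {
    param([object[]]$Findings, [string]$Threshold = 'high')
    $Findings | Where-Object {
        $_.scope -eq 'runtime' -and
        $Rank[$_.severity] -ge $Rank[$Threshold] -and
        $null -ne $_.fixedIn
    }
}

function Test-GateWithPolicy {
    param([object[]]$Findings, [string]$Threshold = 'high')
    $blocking  = @(Get-BlockingFindings -Findings $Findings -Threshold $Threshold)
    $unfixed   = @($Findings | Where-Object {
        $_.scope -eq 'runtime' -and $Rank[$_.severity] -ge $Rank[$Threshold] -and $null -eq $_.fixedIn })
    $buildOnly = @($Findings | Where-Object { $_.scope -ne 'runtime' })

    foreach ($f in $buildOnly) { Write-Host "INFO  build-time only, not blocking: $($f.package) $($f.version) ($($f.severity))" }
    foreach ($f in $unfixed)   { Write-Host "TRACK no upstream fix yet: $($f.package) $($f.version) ($($f.severity)); ticket it, do not block" }
    foreach ($f in $blocking)  { Write-Host "BLOCK $($f.package) $($f.version) ($($f.severity)) -> upgrade to $($f.fixedIn)" }

    if ($blocking.Count -eq 0) { return $true }

    # Break-glass: hotfixes still ship, but the bypass is attributable and audited.
    $ticket = $env:SECURITY_GATE_BYPASS_TICKET
    if ($ticket -and $ticket -match '^[A-Z]+-\d+$') {
        Write-Warning "Gate bypassed under $ticket for: $($blocking.package -join ', ')"
        return $true
    }
    return $false
}

"Block-on-anything policy passes: $(Test-GateBlockOnAnything -Findings $Findings)"
"Scoped policy passes:            $(Test-GateWithPolicy -Findings $Findings)"
```

With the constructed input the block-on-anything gate fails, as it would on every repository with any finding at all. The scoped gate also fails, but for one reason only: `http-router` is a runtime dependency with a high-severity finding and a published fix. The build-only CSS plugin and the unfixed critical finding are reported and tracked rather than holding up deploys, and a hotfix can still be pushed under a logged ticket reference.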
Did this software happen to rhyme with Veracode?
I won’t make the claim that it can’t be set up and configured in a way that’s useful, but I will make the claim that I’ve never run into an instance where it was, and I have wasted more time than I want to remember dealing with similar issues to what you described.