Hacker News

Do we live in that age? Are there any computers that can't be made to boot an unsigned image? My experience is that Secure Boot is optional.


Windows Hardware Compatibility Program Specification mandates that Secure Boot can be disabled and customized, by a physically present user, on non-ARM platforms, in early versions of the Windows 10 spec.

Disabling Secure Boot must not be possible on ARM systems. - WHCP-Systems-Specification-1511.pdf

However, looking at the -2004 spec, both customization and enable/disable sections are prefaced with (Optional for systems intended to be locked down) so it is no longer mandatory, even on x86_64 systems, to provide a physically present user with the ability to disable or customize UEFI Secure Boot. The same language is used in the -21H2 spec for Windows 11.

https://docs.microsoft.com/en-us/windows-hardware/design/com...


You can't score full marks on Android SafetyNet if you aren't using an unmodified stock ROM.

https://developer.android.com/training/safetynet/attestation

So yes, some apps will refuse to run and in theory some services could refuse to accept requests from devices that aren't running unmodified images.

I can definitely imagine something like Snapchat using this as they have actually been fairly aggressive at trying to prevent "unauthorized clients" that can save images without notification to the user.


Win11 requiring TPM2.0 feels like it's edging ever closer to such an age...

Can the latest iPhones boot unsigned OSs yet? I'm guessing the jailbreakers aren't _that_ fast.



