Microsoft wants 2025 to be the "year of the Windows 11 PC refresh." They want up to 400 million perfectly good computers running Windows 10 to become e-waste. Why? So Microsoft can have their cake ($140-$200 for a Windows 11 license) and eat it (your data) too.

It's time to switch sides, and break away from this cycle of endless upgrades. Our new guide walks you through installing a Linux-based operating system—keeping your computer secure long after Microsoft walks away.

https://www.ifixit.com/Guide/How+to+Install+Linux+on+a+Windows+PC/196722

@iFixit You didn't need to write "a Linux-based operating system"

You could have just written " a based operating system"

@Jonas @iFixit But what if somebody accidentally installs Plan 9?
@iFixit I'm going to make myself unpopular because even though I don't *like* Windows 11, the reason you need a new PC is that your 'perfectly good' computer doesn't have enough hardware security features to keep you safe. Perhaps throw a little shade on PC makers who haven't been putting in the basic security hardware to run new features.
@marypcbuk @iFixit If that were really the case, why would they be able to continue working with Linux operating systems, if I might ask? I have a Desktop from 2013. It used to be a gaming desktop, but now I'm pretty sure that it can fulfill some basic consumer or office needs. It cannot upgrade to Windows 11, obviously, but a Linux operating system will work on it. I'd imagine that's what a lot of people are after.
@Xarizzar Hell, I've got stuff older than that running on Linux, with no problems. Some of it's a bit slow, but not because of any security issues.
@Xarizzar @iFixit Why aren't Linux distros making the same decisions for their users that Microsoft is making to protect consumers who buy PCs? I think you'd have to ask the Linux distros that, because their users are going to face the same threats, although they probably don't get nearly as much information back about ongoing attacks as Microsoft does from telemetry (or from seeing all the attacks on their consumer services).

@marypcbuk @iFixit You did not answer my question, I don't think.

"Why aren't Linux OSs making the same decisions?"

I'd think it's because they don't need to. Microsoft, in my eyes, decided to arbitrarily stop supporting certain old hardware that still works just fine. Why does having an old processor (that still works, mind you) have to mean that my system is unprotected?

For context, my old Desktop's processor was the Intel Core i7 4770, released in June 2013 (?), if I recall.

@Xarizzar @iFixit

It's not arbitrary, and 'works just fine' is only one way to describe 'will be vulnerable to attacks newer hardware is protected against' or 'won't run fast enough when protected for anyone to be happy with'. Maybe Linux distros don't think they need to protect their users as much; Windows *does*.

I wrote about this a lot when Windows 11 was first coming out, so these pieces don't even include newer features announced since then that rely on hardware security.

- Here are the security features that are on by default in 11 but available in 10, so they don't push the hardware spec:
https://www.techrepublic.com/article/how-to-get-the-windows-11-security-protections-on-your-windows-10-pc/

- Here's what 11 adds (so features that are missing in Windows 10, and why it needs new hardware to make all that security usable (if I can use the word of an OS with such a bad UI as 11)):
https://www.techrepublic.com/article/windows-11-understanding-the-system-requirements-and-the-security-benefits/

- Here are the new security things going into 11 that need the new hardware; they started as features for enterprise, but consumer apps will be able to use them as well:
https://www.techrepublic.com/article/why-windows-11s-security-is-such-a-big-deal/


@marypcbuk @iFixit How much of this is relevant to the average user though?

For example, my newer desktop had Win 11 from the start, but things like Memory Integrity (which is something that is mentioned in the articles you posted) are turned off, and I had zero security issues, to my knowledge.

So I ask again, how is this relevant to an average user? Why must I buy new hardware every 6 years? I feel like common sense protects against a lot of these issues, and if not, someone's targeting you.

@marypcbuk > the reason you need a new PC is that your 'perfectly good' computer doesn't have enough hardware security features to keep you safe

Incorrect. All these PCs more than likely have the hardware for Win 11's requirements. The problem/issue is/was that a lot of them aren't turned on for one reason or another.

You can see this in action with bonEsAw asking for TPM and SecureBoot being on for BF6's beta and retail release and MS-ATVI doing the same with CoD. People complained endlessly -

@marypcbuk -but those PCs/hardware had them and they had to turn them on in UEFI/BIOS.
@nohhue some PCs have a TPM 2 that hasn't been configured and then you can turn it on and upgrade to Windows 11 and you don't have to replace the PC. Some of them only have TPM 1.2 and then you've only got SHA-1 and that isn't going to cut it.
@nohhue The TPM isn't the only security hardware issue BTW; older CPUs don't have the instructions that make some software security processes efficient, and without them, you slow the system down so much by turning on the security protections that are *already in Windows* that users find their computer unusable. Windows 10 let you turn off those protections for performance; Windows 11 doesn't.
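The distinction the last few posts argue over (security hardware absent vs. present but switched off in firmware) can be checked directly. The following is an added example, not code from any poster in this thread: an elevated PowerShell script that reads TPM presence and spec version, Secure Boot state, and whether HVCI (what Windows calls Memory Integrity) is running. Every cmdlet and CIM class used is built in to Windows 10/11; the summary strings at the end are my own wording.

```powershell
# Added example (not from any post in this thread). Run in an elevated
# PowerShell on Windows 10/11 to tell "feature missing" from "feature present
# but disabled in UEFI setup". Only built-in cmdlets and CIM classes are used.

function Get-Win11SecurityReadiness {
    $report = [ordered]@{}

    # TPM presence/ready state (TrustedPlatformModule module); Get-Tpm throws
    # when no TPM is visible to the OS, which is also what a TPM disabled in
    # UEFI setup looks like from inside Windows.
    try {
        $tpm = Get-Tpm
        $report.TpmPresent = $tpm.TpmPresent
        $report.TpmReady   = $tpm.TpmReady
    } catch {
        $report.TpmPresent = $false
        $report.TpmReady   = $false
    }

    # Spec version from Win32_Tpm, a string like "2.0, 0, 1.59" or "1.2, ...".
    # A 1.2 part is the SHA-1-only generation; no firmware setting changes that.
    $tpmCim = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' `
                              -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $report.TpmSpecVersion = if ($tpmCim) { $tpmCim.SpecVersion } else { 'none' }
    $report.TpmIs20 = [bool]($report.TpmSpecVersion -match '^2\.0')

    # Secure Boot: returns $false when booted via UEFI with Secure Boot off
    # (the "just turn it on" case) and throws on legacy BIOS boot.
    try {
        $report.SecureBootOn = Confirm-SecureBootUEFI
    } catch {
        $report.SecureBootOn = 'not UEFI / unsupported'
    }

    # Virtualization-based security and HVCI (Memory Integrity), the features
    # whose performance on older CPUs is being debated above.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    if ($dg) {
        # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled, 2 = running
        $report.VbsStatus      = $dg.VirtualizationBasedSecurityStatus
        # Service id 2 is HVCI; 1 is Credential Guard
        $report.HvciConfigured = $dg.SecurityServicesConfigured -contains 2
        $report.HvciRunning    = $dg.SecurityServicesRunning -contains 2
    }

    [pscustomobject]$report
}

$state = Get-Win11SecurityReadiness
$state | Format-List

# Reduce the raw readings to the question the thread is asking.
if (-not $state.TpmPresent) {
    'No TPM visible to the OS: it is either absent or disabled in UEFI setup.'
} elseif (-not $state.TpmIs20) {
    'TPM present but pre-2.0: this cannot be fixed with a firmware setting.'
} elseif ($state.SecureBootOn -eq $false -or -not $state.TpmReady) {
    'TPM 2.0 present; Secure Boot and/or TPM still need enabling in UEFI setup.'
} else {
    'TPM 2.0 ready and Secure Boot on; remaining gates are the CPU list and HVCI.'
}
```

The script does not change any setting; it only reports, so it is safe to run on a machine you are deciding whether to keep.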
@marypcbuk @iFixit Frankly I'm dubious that a TPM is an absolutely necessary form of security on a consumer end-user's machine, but even if I agree to that I'm even less likely to subscribe to the idea that only PCs with a TPM 2.0 module are viable and everything beneath that bar is effectively e-waste.

@ceremus @marypcbuk @iFixit And some laptops do support TPM 2.0 but fail an arbitrary CPU check like this ThinkPad T25 from 2017.

Works just fine despite the dual core Intel 7th gen CPU, at least on Arch Linux for basic tasks.

@cameron_bosch @ceremus @iFixit A lot of OEMs have done a TERRIBLE job of supporting technology that's what, 12 years old at this point, and almost certainly built in to the firmware of the motherboard, that they should have configured for the user to keep them secure.
@ceremus @iFixit You're dubious that consumers need to have their cryptographic keys stored securely in hardware where they can't be tampered with? And you don't think that they need SHA256 and ECC but should stick with the utterly inadequate SHA1, don't need their TPM to be upgradeable (the tradeoff with firmware TPM is that it uses the TEE rather than its own hardware for storage, but it's way easier to add new functionality to)? Honestly, it would be irresponsible of Microsoft NOT to be pushing users onto secure hardware that has a chance of protecting them from getting thoroughly owned - because running those protections with SHA-1 is barely better than not running them at all.

@marypcbuk @iFixit TPM 2.0 and Secure Boot are not enough threat mitigation to warrant potentially the biggest addition to the e-waste bin ever. TPM 2.0 has multiple well documented exploits, depending on the vendor, that can render it largely useless. Secure Boot is good in theory, but boot sector malware isn't a particularly common attack vector in modern times and the downsides to running Secure Boot can be massive. Users already struggle to install Linux, so throwing up another barrier by requiring them to add and manage their own secure boot keys is pretty unreasonable. You then end up with a system where larger distros are the only ones that work out of the box because motherboard manufacturers include Microsoft keys by default, so Ubuntu and Fedora have Microsoft-provided shims that allow them to boot that other distros simply cannot provide by default. That's assuming your system even allows you to modify your secure boot keys, which is not a Microsoft requirement for Windows 11 on x86 systems and has never been a requirement on ARM systems (hence why so many of them have a locked bootloader using Secure Boot as the mechanism for doing so).

People have different threat models and for some people, sure, preventing boot sector malware is important. That said, it's neither a common attack vector nor are TPM and Secure Boot the security panacea that Microsoft wants you to think they are, and they come with real downsides. Security uses the Swiss cheese model, and I find it impossible to believe that throwing down this particular slice is at all worth the cost in doing so.

@Rusty @iFixit 'Windows 11 consumers shouldn't get better security protections because it makes life harder for people who use a different operating system' isn't an *enormously* compelling argument for leaving Windows 11 users less protected than they could be when organised crime has moved in so completely on attacking computer users. I'm sorry it makes life harder for small distros, but as I said, I'm happy to make myself unpopular by arguing about this one!
@marypcbuk @iFixit You literally disregarded my entire argument by only responding to one point I made. People on the Internet are allowed to defend their poorly reasoned opinions though, so have at it. I'm sure Microsoft needs apologists just like every other billion dollar corporation. If there weren't a ton of consumers who are effectively slugs for salt, we wouldn't have app store walled gardens, hardware features that are locked behind subscriptions, devices lacking any kind of repairability, etc, so you're doing an important service to capitalism.
@Rusty @iFixit I think the rest of your argument was that you don't know the role of secure boot in the Windows ecosystem and that you don't think TPM 2 is secure enough for Microsoft to bother adding protections for their users, but I see we're on to the FUD and shills stage of the argument, so you have a nice day!
@marypcbuk @iFixit I literally explained the role but okay, have a good one.

@marypcbuk @iFixit I have some sympathy for that argument. However whilst Microsoft boots without HyperThreaded cores active and on CPUs with known hardware flaws then it's hard to make the case.

Even now, clearing the TPM won't unrecoverably brick the Windows operating system, which it absolutely should do.

The current behaviour is Microsoft cherry picking the 'uplift hardware for security' argument when it suits their business needs, but not when it does not.

Linux's philosophy is offering the maximum security the hardware offers. Which strikes me as a more reasonable approach.

@glent @iFixit No actual consumer ever wants to 'clear their TPM'; it's like 'oh, I read I'm supposed to turn off services and clean my registry and otherwise screw up my system'. If you want to throw away all the keys, Windows has a nice little tool built in to do that without messing around with TPM commands, at which point your account, files and apps are all blown away as well as the keys. No need to make anything unbootable. Like Linux, Windows has patches to handle the hyperthreading CVEs; the history of modern processor design introduces one side channel attack after another, and every OS is just going to have to deal with that. None of this is cherry-picking; it's just about making an OS that's designed for people who don't want to be computer experts as secure as possible.
@marypcbuk @iFixit If security was really the motivation, they would have had literally decades to, for instance, make BitLocker available on all Windows versions. It still isn't on Windows 11, so your stolen Windows Home laptop still means the thief has all your data.
@menos @marypcbuk @iFixit Home supports disk enc, just without any configurability

@menos @iFixit You get 'BitLocker' on all versions of Windows and have done for years; it's just not called 'BitLocker' because that carries with it expectations of the kind of management that enterprises can do which consumers are not set up to do - few consumers would understand the configuration options, and they certainly don't have their own secure location to back keys up to.

I spent *years* hounding Microsoft to add device encryption to Windows; in the beginning they were honestly surprised even enterprises were ready to adopt it, they were extremely cautious about putting tools that could block devices from booting on consumer systems and they did a pretty good job of rolling it out in a way that gives protection without screwing systems up. It's just that most people are still stuck on the name of the feature and miss that the protections are RIGHT THERE in Windows Home.

@marypcbuk @iFixit Attacks on unattended devices are rare, esp. on desktop systems
@CarbonCarrot @iFixit Desktops are pretty rare among consumers; it's gamers and enterprises that keep the desktop market alive. Consumers buy laptops even if they only carry them as far as the sofa.
@marypcbuk @iFixit Okay that's a good point - but if LUKS works on an old potato - albeit slowly, so perhaps you should only encrypt the home and configure your immutable distro to use dm-verity. Also, what do you mean by missing security features? Any computer with any form of bios protection can be highly secure using password-based disk encryption, apart from BIOS vulnerabilities, which are only helpful in highly targeted attacks, which isn't the average person's problem, at rest. -> habit

@CarbonCarrot @iFixit There is a really wide range of attacks that people need protection against that disk encryption does nothing to protect you from; attackers are way beyond just trying to get into your encrypted-at-rest files. Windows 11 adds new security.

I wrote about this a lot when Windows 11 was first coming out, so these pieces don't even include newer features announced since then that rely on hardware security.

- Here are the security features that are on by default in 11 but available in 10, so they don't push the hardware spec:
https://www.techrepublic.com/article/how-to-get-the-windows-11-security-protections-on-your-windows-10-pc/

- Here's what 11 adds (so features that are missing in Windows 10, and why it needs new hardware to make all that security usable (if I can use the word of an OS with such a bad UI as 11)):
https://www.techrepublic.com/article/windows-11-understanding-the-system-requirements-and-the-security-benefits/

- Here are the new security things going into 11 that need the new hardware; they started as features for enterprise, but consumer apps will be able to use them as well:
https://www.techrepublic.com/article/why-windows-11s-security-is-such-a-big-deal/

@marypcbuk @iFixit I can only talk about the first two articles, as I was sick and tired of SEO & Marketing Talk by the third one, but you have a point, there's no magic fix for virtualization. But - long pause - as a Linux user, I'd like to mention that LXC is pretty lightweight and isolates sufficiently for most things, so I think as long as security issues are fixed rapidly on a distro kernel, it's nearly as good as full VMs. As long as data is only ever decrypted in RAM w/ a user secret…🧵
@marypcbuk @iFixit 🧵…a TPM can probably be avoided, at a mild cost to security in the sense of your DRAM being hijacked. But that's very obvious tamper.
Back at virtualizing, AppArmor is default on many distros, and should contain vulnerabilities in eg. browsers enough by itself.
@marypcbuk @iFixit I'd of course be open to discussion on more issues if you can find or compose a list of issues not buried deep in div soup

@iFixit

Yes! 👏

As Windows becomes more user-hostile with every release, Linux is more user-friendly.

@iFixit Let's call this #DefenestrationDay. Or maybe Reverse Defenestration Day. Instead of throwing things out windows, we're throwing out Windows.
Throwing windows out the window?
@grimacing @mnorby
It's Microsoft, so it doesn't hurt if it falls on your head.
@iFixit It is way past time for this to become a political issue. Tech companies, and appliance makers, should have to bank money as the product is sold to cover long term support. They should also have to escrow source code and design files. No escrow, no copyright.

If the company decides to abandon the product, then the money and the data become available to third parties to provide support.
Zorin OS 18 Has Arrived

We’re excited to launch Zorin OS 18 today. This major new release reimagines your PC experience with a fresh design, powerful new features, and …

@iFixit
I refused to upgrade my two laptops to Trash Spyware data collector windows 11. One migrated to Ubuntu. Next soon
@iFixit I thought the Windows 11 thing was part of the "Microsoft Loves Linux" marketing strategy...
@iFixit I would've switched to Ubuntu a long time ago if I knew it could play all my Steam and GOG games.

@numb_comfortably @iFixit I agree that it isn't all, but most at this point

You can just install steam like always and run the games

And for gog, epic and Amazon just install Heroic Game Launcher. It even supports cloud sync on gog, if the game supports it, but it has to be enabled manually, and for epic you need to know the folder

The best way to know if your games will run is these two websites:

https://www.protondb.com/

https://areweanticheatyet.com/


@numb_comfortably just in case you are not familiar, https://www.protondb.com gives a good indication of what will run.

@iFixit TPM 2 gives your PC the equivalent of a phone's IMEI, a unique number for your PC. With that number, OneDrive, and Co-Pilot, Microsoft can see everything you do on your PC. NO THANKS.
@BoloMKXXVIII @iFixit
A question rolling around in my head for some time now: are there any mainboards without tpm, or is it mandatory? Also, how is this (and imei) even legal?
@ManniCalavera @iFixit It can be turned off in BIOS (for now), but Windows won't install. Same with Secure Boot.
@BoloMKXXVIII @iFixit
Oh thanks, I will have a look at that. I am using Linux anyway.

@BoloMKXXVIII @iFixit

As far as I understand, tpm2 is less of a unique identifier, and more like securing your local crypto keys. If you wipe it and reinstall the os, you'll get a completely new key

So... It's the same as your existing tpm1x. But harder to crack

Sounds like you should be more worried about the serial number instead... It's directly readable for the os, and usually tied to the (first) buyer by the vendor

@iFixit I have been wanting to switch to linux for a while. However, I have been unable to get the docking station that I use to work appropriately with linux installs on my laptop. This is my primary hurdle in leaving windows at the moment. If anyone is willing to help me troubleshoot that issue, I would appreciate it. Feel free to send a DM.

#linux

@rbmath @iFixit Posting here so others may benefit if we figure it out. What's the make and model of your laptop and docking station? What is the exact issue? What Linux distribution are you trying to use?

@chksome @iFixit It's a Dell 16-inch laptop from a couple of years back. I don't have the exact model off the top of my head.

Last time I tried to do a dual boot with PopOS. From what I recall, I couldn't get the laptop to recognize the monitors through the dock while the laptop lid was closed, which is the main way that I currently use that laptop.

@rbmath @iFixit
If your dock is a DisplayLink dock, try https://github.com/AdnanHodzic/displaylink-debian
Microsoft Windows 11 Pro | Entrepreneur

Microsoft-Verified Partner! Upgrade Your Windows OS and Enjoy Enhanced UI, Better Multitasking, and Improved Security
@bpollen @iFixit So what do I do with that license if Microsoft denies setup on a system that's perfectly capable of running Win 11?
How to fix or bypass "This PC Can't run Windows 11" from bootable USB disk | Microsoft Community Hub

Hi community folks, I am new to Windows and want to test out Windows 11 on my spare PC before making a real switch to it. I made a Windows 11...

@bpollen @iFixit Which basically boils down to: use an undocumented method to install an operating system on hardware the manufacturer explicitly excludes.

Why would one do that?