Microsoft wants 2025 to be the "year of the Windows 11 PC refresh." They want up to 400 million perfectly good computers running Windows 10 to become e-waste. Why? So Microsoft can have their cake ($140-$200 for a Windows 11 license) and eat it (your data) too.

It's time to switch sides, and break away from this cycle of endless upgrades. Our new guide walks you through installing a Linux-based operating system, keeping your computer secure long after Microsoft walks away.

https://www.ifixit.com/Guide/How+to+Install+Linux+on+a+Windows+PC/196722

@iFixit You didn't need to write "a Linux-based operating system"

You could have just written "a based operating system"

@Jonas @iFixit But what if somebody accidentally installs Plan 9?
@iFixit I'm going to make myself unpopular because even though I don't *like* Windows 11, the reason you need a new PC is that your 'perfectly good' computer doesn't have enough hardware security features to keep you safe. Perhaps throw a little shade on PC makers who haven't been putting in the basic security hardware to run new features.
@marypcbuk @iFixit If that were really the case, why would they be able to continue working with Linux operating systems, if I might ask? I have a Desktop from 2013. It used to be a gaming desktop, but now I'm pretty sure that it can fulfill some basic consumer or office needs. It cannot upgrade to Windows 11, obviously, but a Linux operating system will work on it. I'd imagine that's what a lot of people are after.
@Xarizzar Hell, I've got stuff older than that running on Linux, with no problems. Some of it's a bit slow, but not because of any security issues.
@Xarizzar @iFixit why aren't Linux distros making the same decisions for their users that Microsoft is making to protect consumers who buy PCs? I think you'd have to ask the Linux distros that, because their users are going to face the same threats although they probably don't get nearly as much information back about ongoing attacks that Microsoft does from telemetry (or from seeing all the attacks on their consumer services)

@marypcbuk @iFixit You did not answer my question, I don't think.

"Why aren't Linux OSs making the same decisions?"

I'd think it's because they don't need to. Microsoft, in my eyes, decided to arbitrarily stop supporting certain old hardware that still works just fine. Why does having an old processor (that still works, mind you) have to mean that my system is unprotected?

For context, my old Desktop's processor was the Intel Core i7 4770, released in June 2013 (?), if I recall.

@Xarizzar @iFixit

it's not arbitrary and 'works just fine' is only one way to describe 'will be vulnerable to attacks newer hardware is protected against' or 'won't run fast enough when protected for anyone to be happy with'. maybe Linux distros don't think they need to protect their users as much; Windows *does*.

I wrote about this a lot when Windows 11 was first coming out, so these pieces don't even include newer features announced since then that rely on hardware security.

- here's the security features that are on by default in 11 but available in 10, so don't push the hardware spec
https://www.techrepublic.com/article/how-to-get-the-windows-11-security-protections-on-your-windows-10-pc/

- here's what 11 adds (the features that are missing in Windows 10) and why it needs new hardware to make all that security usable (if I can use the word of an OS with such a bad UI as 11)
https://www.techrepublic.com/article/windows-11-understanding-the-system-requirements-and-the-security-benefits/

- here are the new security things going into 11 that need the new hardware that started as features for enterprise but consumer apps will be able to use as well
https://www.techrepublic.com/article/why-windows-11s-security-is-such-a-big-deal/


@marypcbuk @iFixit How much of this is relevant to the average user though?

For example. My newer Desktop had Win 11 from the start, but things like Memory Integrity (which is something that is mentioned in the articles you posted), are turned off, and I had zero security issues, to my knowledge.

So I ask again, how is this relevant to an average user? Why must I buy new hardware every 6 years? I feel like common sense protects against a lot of these issues, and if not, someone's targeting you

@marypcbuk > the reason you need a new PC is that your 'perfectly good' computer doesn't have enough hardware security features to keep you safe

Incorrect. All these PCs more than likely have the hardware for Win 11s requirements. The problem/issue is/was that lot of them aren't turned on for one reason or another.

You can see this in action with bonEsAw asking for TPM and SecureBoot being on for BF6's beta and retail release and MS-ATVI doing the same with CoD. People complained endlessly -

@marypcbuk -but those PCs/hardware had them and they had to turn them on in UEFI/BIOS.
@nohhue some PCs have a TPM 2 that hasn't been configured and then you can turn it on and upgrade to Windows 11 and you don't have to replace the PC. Some of them only have TPM 1.2 and then you've only got SHA-1 and that isn't going to cut it.
@nohhue the TPM isn't the only security hardware issue BTW; older CPUs don't have the instructions that make some software security processes efficient and without them, you slow the system down so much by turning on the security protections that are *already in Windows* that users find their computer unusable. Windows 10 let you turn off those protections for performance, Windows 11 doesn't.
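The three things argued over in the posts above (is there a TPM and which spec version, is Secure Boot actually on, and is memory integrity/HVCI running) can be read from an existing Windows 10 or 11 PC before deciding anything about new hardware. The script below is an added example, not code from the thread or from any poster; it only reads state and changes nothing, because TPM and Secure Boot are switched on in UEFI firmware setup, not from inside Windows. It assumes the built-in `Win32_Tpm` and `Win32_DeviceGuard` WMI classes and the `Confirm-SecureBootUEFI` cmdlet, and should be run from an elevated PowerShell prompt.

```powershell
# Added example: read-only check of the hardware security state discussed in the thread.
# Run from an elevated PowerShell prompt on Windows 10/11. Assumes the Win32_Tpm and
# Win32_DeviceGuard classes are present (they are on stock installs).

function Get-TpmSummary {
    # SpecVersion is a string such as "2.0, 0, 1.38" or "1.2, 2, 3"; the first field is
    # the TPM spec version. A 1.2 part only has a SHA-1 PCR bank; 2.0 adds SHA-256.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName 'Win32_Tpm' -ErrorAction SilentlyContinue
    if (-not $tpm) {
        return [pscustomobject]@{ Present = $false; SpecVersion = $null; Enabled = $false }
    }
    [pscustomobject]@{
        Present     = $true
        SpecVersion = ($tpm.SpecVersion -split ',')[0].Trim()
        Enabled     = [bool]$tpm.IsEnabled_InitialValue   # $false: present but off in firmware
    }
}

function Get-SecureBootState {
    # Confirm-SecureBootUEFI throws when the machine booted in legacy BIOS/CSM mode.
    try {
        if (Confirm-SecureBootUEFI) { 'On' } else { 'Off (enable in UEFI setup)' }
    } catch {
        'Unavailable (legacy BIOS boot, or platform not supported)'
    }
}

function Get-VbsState {
    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running.
    # SecurityServicesRunning contains 2 when HVCI ("memory integrity") is running, 1 for Credential Guard.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        VbsRunning  = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        HvciRunning = (@($dg.SecurityServicesRunning) -contains 2)
    }
}

$tpm = Get-TpmSummary
$vbs = Get-VbsState

[pscustomobject]@{
    TpmPresent       = $tpm.Present
    TpmSpecVersion   = $tpm.SpecVersion
    TpmEnabled       = $tpm.Enabled
    SecureBoot       = Get-SecureBootState
    VbsRunning       = $vbs.VbsRunning
    MemoryIntegrity  = $vbs.HvciRunning
} | Format-List
```

A TPM that reports `Present = True` but `Enabled = False` is the case the thread describes: the part is on the board but switched off in firmware, and no new PC is needed. `SpecVersion = 1.2` is the other case, where the part only offers a SHA-1 PCR bank. `MemoryIntegrity = False` on a machine that otherwise qualifies usually means it was turned off for performance or a driver, which is what the Windows 11 defaults push back on.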
@marypcbuk @iFixit Frankly I'm dubious that a TPM is an absolutely necessary form of security on a consumer end-user's machine, but even if I agree to that I'm even less likely to subscribe to the idea that only PCs with a TPM 2.0 module are viable and everything beneath that bar is effectively e-waste.

@ceremus @marypcbuk @iFixit And some laptops do support TPM 2.0 but fail an arbitrary CPU check like this ThinkPad T25 from 2017.

Works just fine despite the dual core Intel 7th gen CPU, at least on Arch Linux for basic tasks.

@cameron_bosch @ceremus @iFixit a lot of OEMs have done a TERRIBLE job of supporting technology that's what, 12 years old at this point and almost certainly built in to the firmware of the motherboard that they should have configured for the user to keep them secure
@ceremus @iFixit you're dubious that consumers need to have their cryptographic keys stored securely in hardware where they can't be tampered with? and you don't think that they need SHA256 and ECC but should stick with the utterly inadequate SHA1, don't need their TPM to be upgradeable (the tradeoff with firmware TPM is that it uses the TEE rather than its own hardware for storage but it's way easier to add new functionality to)? honestly, it would be irresponsible of Microsoft NOT to be pushing users onto secure hardware that has a chance of protecting them from getting thoroughly owned - because running those protections with SHA-1 is barely better than not running them at all.

@marypcbuk @iFixit TPM 2.0 and Secure Boot are not enough threat mitigation to warrant potentially the biggest addition to the e-waste bin ever. TPM 2.0 has multiple well documented exploits, depending on the vendor, that can render it largely useless. Secure Boot is good in theory, but boot sector malware isn't a particularly common attack vector in modern times and the downsides to running Secure Boot can be massive. Users already struggle to install Linux so throwing up another barrier by requiring them to add and manage their own secure boot keys is pretty unreasonable. You then end up with a system where larger distros are the only ones that work out of the box because motherboard manufacturers include Microsoft keys by default, so Ubuntu and Fedora have Microsoft-provided shims that allow them to boot that other distros simply cannot provide by default. That's if your system even allows you to modify your secure boot keys, which is not a Microsoft requirement for Windows 11 on x86 systems and has never been a requirement on ARM systems (hence why so many of them have a locked bootloader using Secure Boot as the mechanism for doing so).

People have different threat models and for some people, sure, preventing boot sector malware is important. That said, it's neither a common attack vector nor are TPM and Secure Boot the security panacea that Microsoft wants you to think they are, and they come with real downsides. Security uses the Swiss cheese model, and I find it impossible to believe that throwing down this particular slice is at all worth the cost in doing so.

@Rusty @iFixit Windows 11 consumers shouldn't get better security protections because it makes life harder for people who use a different operating system isn't an *enormously* compelling argument for leaving Windows 11 users less protected than they could be when organised crime has moved in so completely on attacking computer users. I'm sorry it makes life harder for small distros but as I said, I'm happy to make myself unpopular by arguing about this one!
@marypcbuk @iFixit You literally disregarded my entire argument by only responding to one point I made. People on the Internet are allowed to defend their poorly reasoned opinions though, so have at it.  I'm sure Microsoft needs apologists just like every other billion dollar corporation. If there weren't a ton of consumers who are effectively slugs for salt, we wouldn't have app store walled gardens, hardware features that are locked behind subscriptions, devices lacking any kind of repairability, etc, so you're doing an important service to capitalism.
@Rusty @iFixit I think the rest of your argument was that you don't know the role of secure boot in the Windows ecosytem and that you don't think TPM 2 is secure enough for Microsoft to bother adding protections for their users but I see we're on to the FUD and shills stage of the argument, so you have a nice day!
@marypcbuk @iFixit I literally explained the role but okay, have a good one. 
@marypcbuk @iFixit If security was really the motivation, they would have had literally decades to, for instance, make BitLocker available on all Windows versions. It still isn't on Windows 11, so your stolen Windows Home laptop still means the thief has all your data.
@menos @marypcbuk @iFixit Home supports disk enc, just without any configurability

@menos @iFixit you get 'BitLocker' on all versions of Windows and have done for years; it's just not called 'BitLocker' because that carries with it expectations of the kind of management that enterprises can do which consumers are not set up to do - few consumers would understand the configuration options and they certainly don't have their own secure location to back keys up to.

I spent *years* hounding Microsoft to add device encryption to Windows; in the beginning they were honestly surprised even enterprises were ready to adopt it, they were extremely cautious about putting tools that could block devices from booting on consumer systems and they did a pretty good job of rolling it out in a way that gives protection without screwing systems up. It's just that most people are still stuck on the name of the feature and miss that the protections are RIGHT THERE in Windows Home.
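Because the Home-edition feature is called "Device encryption" rather than BitLocker, the quickest way to settle whether a given laptop's system drive is actually protected is to ask the built-in `manage-bde.exe` tool, which ships on all editions and reports on device encryption too. The script below is an added example, not code from the thread or any poster; it parses the tool's text output (assumed to be English-language Windows) and lists the key protectors so you can see whether a recovery password exists. Run it from an elevated prompt.

```powershell
# Added example: is the system drive protected by BitLocker / Device encryption, and
# what protectors exist? Read-only. Assumes manage-bde.exe (present on Home too) and
# English-language output; the regexes match its "Field:   value" lines.

function Get-DeviceEncryptionState {
    param([string]$Drive = $env:SystemDrive)

    $status = (& manage-bde.exe -status $Drive 2>&1 | Out-String)

    # Pull a single "Label: value" field out of manage-bde's report.
    $field = {
        param($label)
        $m = [regex]::Match($status, "$label\s*:\s*(.+)")
        if ($m.Success) { $m.Groups[1].Value.Trim() } else { 'unknown' }
    }

    [pscustomobject]@{
        Drive            = $Drive
        ConversionStatus = & $field 'Conversion Status'   # e.g. "Fully Encrypted", "Fully Decrypted"
        ProtectionStatus = & $field 'Protection Status'   # "Protection On" is what you want to see
        EncryptionMethod = & $field 'Encryption Method'   # e.g. "XTS-AES 128"
        LockStatus       = & $field 'Lock Status'
    }
}

function Get-KeyProtectorTypes {
    param([string]$Drive = $env:SystemDrive)

    # Lists protector types only (TPM, Numerical Password, ...), never the recovery password itself.
    $out = (& manage-bde.exe -protectors -get $Drive 2>&1 | Out-String)
    [regex]::Matches($out, '(?m)^\s*(TPM|Numerical Password|Password|External Key|TPM And PIN|TPM And Startup Key):') |
        ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique
}

$state = Get-DeviceEncryptionState
$state | Format-List
"Key protectors on $($state.Drive): $((Get-KeyProtectorTypes) -join ', ')"

if ($state.ProtectionStatus -notlike 'Protection On*') {
    'System drive is NOT protected at rest; on Home this is enabled under Settings > Privacy & security > Device encryption.'
}
```

"Fully Encrypted" with "Protection Off" is the state worth noticing: the volume is encrypted but the key is exposed as a clear key, which is what a stolen laptop's thief would find. On Home the recovery password behind the "Numerical Password" protector is backed up to the Microsoft account the device was signed in with, which is the "secure location" consumers otherwise would not have.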

@marypcbuk @iFixit Attacks on unattended devices are rare, esp. on desktop systems
@CarbonCarrot @iFixit desktops are pretty rare among consumers; it's gamers and enterprises that keep the desktop market alive, consumers buy laptops even if they only carry them as far as the sofa.
@marypcbuk @iFixit Okay that's a good point - but if LUKS works on an old potato - albeit slowly, so perhaps you should only encrypt the home and configure your immutable distro to use dm-verity. Also, what do you mean by missing security features? Any computer with any form of bios protection can be highly secure using password-based disk encryption, apart from BIOS vulnerabilities, which are only helpful in highly targeted attacks, which isn't the average person's problem, at rest. -> habit

@CarbonCarrot @iFixit there is a really wide range of attacks that people need protection against that disk encryption does nothing to protect you from; attackers are way beyond just trying to get into your encrypted at rest files. Windows 11 adds new security.

I wrote about this a lot when Windows 11 was first coming out, so these pieces don't even include newer features announced since then that rely on hardware security.

- here's the security features that are on by default in 11 but available in 10, so don't push the hardware spec
https://www.techrepublic.com/article/how-to-get-the-windows-11-security-protections-on-your-windows-10-pc/

- here's what 11 adds (the features that are missing in Windows 10) and why it needs new hardware to make all that security usable (if I can use the word of an OS with such a bad UI as 11)
https://www.techrepublic.com/article/windows-11-understanding-the-system-requirements-and-the-security-benefits/

- here are the new security things going into 11 that need the new hardware that started as features for enterprise but consumer apps will be able to use as well
https://www.techrepublic.com/article/why-windows-11s-security-is-such-a-big-deal/

@marypcbuk @iFixit I can only talk about the first two articles, as I was sick and tired of SEO & Marketing Talk by the third one, but you have a point, there's no magic fix for virtualization. But - long pause - as a Linux user, I'd like to mention that LXC is pretty lightweight and isolates sufficiently for most things, so I think as long as security issues are fixed rapidly on a distro kernel, it's nearly as good as full VMs. As long as data is only ever decrypted in RAM w/ a user secret…🧵
@marypcbuk @iFixit 🧵…a TPM can probably be avoided, at a mild cost to security in the sense of your DRAM being hijacked. But that's very obvious tamper.
Back at virtualizing, AppArmor is default on many distros, and should contain vulnerabilities in eg. browsers enough by itself.
@marypcbuk @iFixit I'd of course be open to discussion on more issues if you can find or compose a list of issues not buried deep in div soup

@iFixit

Yes! 👏

As Windows becomes more user-hostile with every release, Linux is more user-friendly.

@iFixit Let's call this #DefenestrationDay. Or maybe Reverse Defenestration Day. Instead of throwing things out windows, we're throwing out Windows.
Throwing windows out the window?
@grimacing @mnorby
It's Microsoft, so it doesn't hurt if it falls on your head.
@iFixit It is way past time for this to become a political issue. Tech companies, and appliance makers, should have to bank money as the product is sold to cover long term support. They should also have to escrow source code and design files. No escrow, no copyright.

If the company decides to abandon the product, then the money and the data become available to third parties to provide support.
Zorin OS 18 Has Arrived

We’re excited to launch Zorin OS 18 today. This major new release reimagines your PC experience with a fresh design, powerful new features, and …

@iFixit
I refused to upgrade my two laptops to Trash Spyware data collector windows 11. One migrated to Ubuntu. Next soon
@iFixit I thought the Windows 11 thing was part of the "Microsoft Loves Linux" marketing strategy...
@iFixit I would've switched to Ubuntu long time ago if I knew it could play all my Steam and GOG games.

@numb_comfortably @iFixit I agree that it isn't all, but most at this point

You can just install steam like always and run the games

And for gog, epic and Amazon just install Heroic Game Launcher. It even supports cloud sync on gog, if the game supports it, but it has to be enabled manually, and for epic you need to know the folder

The best way to know if your games will run are those two websites

https://www.protondb.com/

https://areweanticheatyet.com/


@numb_comfortably just in case you are not familiar, https://www.protondb.com gives a good indication of what will run.

@iFixit TPM 2 gives your PC the equivalent of a phone's IMEI, a unique number for your PC. With that number, OneDrive, and Co-Pilot, Microsoft can see everything you do on your PC. NO THANKS.
@BoloMKXXVIII @iFixit
A question rolling around in my head for some time now: are there any mainboards without tpm, or is it mandatory? Also, how is this (and imei) even legal?
@ManniCalavera @iFixit It can be turned off in BIOS (for now), but Windows won't install. Same with Secure Boot.
@BoloMKXXVIII @iFixit
oh thanks, I will have a look at that. I am using linux anyway.

@BoloMKXXVIII @iFixit

As far as I understand, tpm2 is less of a unique identifier, and more like securing your local crypto keys. If you wipe it and reinstall the os, you'll get a completely new key

So... It's the same as your existing tpm1x. But harder to crack

Sounds like you should be more worried about the serial number instead... It's directly readable for the os, and usually tied to the (first) buyer by the vendor

Microsoft Windows 11 Pro | Entrepreneur

Microsoft-Verified Partner! Upgrade Your Windows OS and Enjoy Enhanced UI, Better Multitasking, and Improved Security

Entrepreneur
@bpollen @iFixit So what do I do with that license if Microsoft denies setup on a system that's perfectly capable of running Win 11?
How to fix or bypass "This PC Can't run Windows 11" from bootable USB disk | Microsoft Community Hub

Hi community folks, I am new to Windows and want to test out Windows 11 on my spare PC before making a real switch to it.   I made a Windows 11...

TECHCOMMUNITY.MICROSOFT.COM

@bpollen @iFixit Which basically boils down to: use an undocumented method to install an operating system on hardware the manufacturer explicitly excludes.

Why would one do that?

@a_lex_ander @iFixit Fairly obviously it would be so you can use Win11. If you want to wait for Microsoft to decide your hardware is compatible, feel free to wait. I just provided a workaround. That's what I thought you were asking for. Feel free to do without, or wait on the largesse of MS.
@bpollen @a_lex_ander @iFixit but then you only have security updates till the end of 2026, as support for 24h2 will end by then and you won't receive the update option to 25h2 or any future update
@FynnND @a_lex_ander @iFixit 25h2 is supposed to be a free upgrade. You can download the OEM version of 25h2 now.
@bpollen @a_lex_ander @iFixit the problem is when you just bypass minimum requirements that 25h2 won't show up in the update center and you will be stuck on the Windows version you use at the moment. Maybe there are some workarounds so you don't need to do a fresh install, but at that point you do stuff way more complex than you should

@a_lex_ander Manufacturers -- the folks who make the physical computer -- don't 'explicitly exclude' ANY OS; literally any OS that will run on the hardware is acceptable. That's like saying a road-maker might exclude certain brands of cars; they don't.

Mfrs commonly work with MS, to optimize configuration, but they don't work FOR MS, and MS does not own or control the hardware. As the hardware owner, you're free to run any OS you want on it.

@wesdym @wesdym I don't think you understood my reply referring to Microsoft not supporting hardware without TPM2 capabilities, which is in line with the original toot about Microsoft making millions of good devices obsolete.

But thank you for explaining operating systems to a software developer who's been using Linux for two decades now to earn a living.