The problem is not that they exist or that Windows 11 supports them. It's that Microsoft pretends they are required, when they are not.
I think that's what "artificial limitations" mean. Microsoft pretending they are required when they are not.
If you want to add better security to a computer make it opt-in and not expect people to use it who don't need it.
But it's kind of MSFT's choice whether TPM and secure boot are requirements for their software. If their software makes security assumptions that the OS has access to trusted hardware then it's a requirement. One could argue that they should create secure and less secure versions of Windows, but I don't think anyone is really going to take that seriously beyond rhetoric.
There are a lot of advantages to assuming the hardware is mildly trustworthy. The downside is you may not want Microsoft to be controlling what counts as trusted on your machine. If so, then you probably don't want MSFT to have root in your machine either and you're better off with a different OS.
They can also often be used as a (slow) source of hardware randomness.
Most modern Intel (series 8 onwards) and AMD Zen onwards have fTPM too. Often these can be enabled in the BIOS during upgrade then disabled again.
Personally I upgraded to Win11 the moment it became available, but that's because I want to continue my run of free MS windows forever and I only ever boot into it to play games, with even that becoming less common.
Win11 is a hard no, I’m keeping a laptop with Win10 for the small amount of games I play. I will likely even try WINE for them soon but just haven’t got around to it.
I have a bog standard AMD graphics card that does not work in Linux. I've tried multiple distributions and versions in those distributions and both the Linux and AMD drivers. It just randomly flashes. Where do I go to get help? Who knows?
I hear you though, I still have printing problems with my Epson WF printer.
AMD's kernel developers are incredibly responsive there, I've worked with them to fix a bunch of bugs I've run into.
Use-case is:
* Dual-boot where I choose in BIOS/UEFI to go to either the existing Win10 drive or new Linux drive.
* I don't need unattended boot at all, I'd rather enter a passphrase every time.
* Resistance to evil-maid attacks is nice but not top-priority compared to theft.
* I want to be able to take my drive out of a dead computer and access it elsewhere if something goes wrong, as opposed to needing to reformat and reload from backups.
* If I install a distro with secure-boot off, can I turn it on later for benefits, or vice-versa?
So for it to be effective against the evil maid, you really need to bind the LUKS key to it. But you can do that _and_ set a strong PIN for your LUKS key.
You can set HDD/SSD password via the BIOS/UEFI or (my preferred method) using hdparm --security commands.
Then if you take the drive out you can unlock it from another computer, as long as you plug it in directly and the UEFI supports HDD/SSD unlocking during POST; if not, you can install a Pre-Boot Authentication on the drive that runs Linux to unlock the drive, and once it is unlocked with the PBA it reboots and works as a normal unencrypted drive.
Look into hdparm and the OPAL standard for full disk encryption.
Other than that, FDE and Secure Boot are unrelated.
The board's UEFI will boot the EFI binary that is either your kernel + initramfs (UKI binary), or a bootloader of your choice that then boots your kernel + initramfs. Depending on your distro, you may have a bootloader like grub or systemd-boot that is already signed by the MS third-party CA and your board may already allow the third-party CA, in which case you don't need to generate and sign with your own keys. Otherwise generate your own keys, set up Secure Boot with them, and then figure out how to sign your UKI binary / bootloader binary with those keys.
This initramfs will then be responsible for locating and mounting your root etc. partitions. For a systemd distro using the UAPI Discoverable Partitions spec (here, using a specific type ID for the root partition), systemd has a builtin cryptsetup target that will prompt you on tty to enter the LUKS password for that partition. Otherwise investigate your distro's initramfs options for doing that.
>* Dual-boot where I choose in BIOS/UEFI to go to either the existing Win10 drive or new Linux drive.
grub and systemd-boot both show menus to select one of the available EFI binaries to chain to.
>* I want to be able to take my drive out of a dead computer and access it elsewhere if something goes wrong, as opposed to needing to reformat and reload from backups.
Any other PC can mount and decrypt the drive with cryptsetup just like your original PC could, as long as you specify the same password.
>* If I install a distro with secure-boot off, can I turn it on later for benefits, or vice-versa?
Yes. You will launch the board's UEFI, set the SB status to "Setup mode", boot your OS, then generate and enroll new keys which will set the SB to "User mode" and start enforcing signatures on next boot. And if it breaks you can set it back to "Setup mode" in the board's UEFI, boot the OS and troubleshoot / re-enroll keys. The OS wouldn't care that you had previously enabled SB but are now booting with SB disabled.
Note that Secure Boot != Measured Boot. With a standard Measured Boot setup the disk encryption key is protected by a secure element on the board (e.g. TPM) measuring the boot chain, so your disk will automatically decrypt when the boot chain matches the previous measurement and automatically fail to decrypt when it doesn't match. Your concerns about failing to decrypt the disk apply to this setup, not to SB. But also LUKS-encrypted partitions can have multiple keys to unlock them, so you can have both a Measured Boot-guarded encryption key and an emergency fallback password to unlock the disk manually.
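The Measured Boot unlocking described above, together with the earlier remark about binding the LUKS key to the TPM and also setting a strong PIN, as an added Python simulation that is not from any commenter: `pcr_extend`, `tpm_kek`, `wrap` and the boot-chain strings are constructed stand-ins for the TPM, its sealing policy and LUKS keyslots, and no real TPM or cryptsetup calls are made.

```python
"""Toy model of Measured Boot unlocking plus a fallback passphrase keyslot.

Added example, not from the thread: only the logic is modelled. All names,
secrets and boot-chain strings are constructed here for illustration.
"""
import hashlib
import hmac
import os

PCR_INIT = bytes(32)  # a fresh SHA-256 PCR bank starts at all zeros


def pcr_extend(pcr: bytes, event: bytes) -> bytes:
    """TPM 2.0 extend rule: new = H(old || H(event)). One-way and order-sensitive,
    so no later stage can 'un-measure' an earlier one."""
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()


def measure_boot_chain(stages) -> bytes:
    """Fold every boot stage (firmware, shim/bootloader, kernel, initramfs) into one PCR."""
    pcr = PCR_INIT
    for stage in stages:
        pcr = pcr_extend(pcr, stage)
    return pcr


def wrap(kek: bytes, volume_key: bytes) -> bytes:
    """Toy keyslot: XOR with a kek-derived stream, then a MAC so a wrong kek is
    detected instead of yielding garbage. Real LUKS2 derives keks with PBKDF2/Argon2
    and uses anti-forensic splitting, but the shape is the same: several
    independently wrapped copies of a single volume key."""
    stream = hashlib.sha256(b"wrap" + kek).digest()
    ct = bytes(a ^ b for a, b in zip(volume_key, stream))
    return ct + hmac.new(kek, ct, hashlib.sha256).digest()


def unwrap(kek: bytes, slot: bytes):
    ct, tag = slot[:32], slot[32:]
    if not hmac.compare_digest(hmac.new(kek, ct, hashlib.sha256).digest(), tag):
        return None  # wrong kek: wrong PCR state, wrong PIN or wrong passphrase
    stream = hashlib.sha256(b"wrap" + kek).digest()
    return bytes(a ^ b for a, b in zip(ct, stream))


def tpm_kek(tpm_secret: bytes, pcr: bytes, pin: bytes) -> bytes:
    """Stand-in for a TPM sealing policy: this kek is only reproducible inside a
    TPM whose PCR equals `pcr` and which was handed the right PIN."""
    return hmac.new(tpm_secret, b"seal" + pcr + pin, hashlib.sha256).digest()


def passphrase_kek(passphrase: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)


def demo():
    volume_key = os.urandom(32)   # constructed; plays the LUKS volume key
    tpm_secret = os.urandom(32)   # constructed; plays the TPM's internal seed
    salt = os.urandom(16)
    chain = [b"firmware 1.0", b"shim (signed)", b"grub (signed)", b"vmlinuz-6.x", b"initramfs"]
    good_pcr = measure_boot_chain(chain)

    # Two keyslots wrap the same volume key: one PCR+PIN bound, one passphrase.
    slot_tpm = wrap(tpm_kek(tpm_secret, good_pcr, b"1234"), volume_key)
    slot_pw = wrap(passphrase_kek("correct horse battery", salt), volume_key)

    # 1. Unmodified chain and correct PIN: the disk unlocks automatically.
    ok = unwrap(tpm_kek(tpm_secret, measure_boot_chain(chain), b"1234"), slot_tpm)
    # 2. A swapped bootloader changes the PCR, so the sealed slot refuses.
    evil = chain[:2] + [b"grub (modified)"] + chain[3:]
    tampered = unwrap(tpm_kek(tpm_secret, measure_boot_chain(evil), b"1234"), slot_tpm)
    # 3. Correct chain but wrong PIN: the TPM-bound slot alone is not enough.
    wrong_pin = unwrap(tpm_kek(tpm_secret, good_pcr, b"0000"), slot_tpm)
    # 4. A legitimate kernel update also changes the PCR; the passphrase slot is
    #    the fallback the comment describes and it ignores PCR state entirely.
    fallback = unwrap(passphrase_kek("correct horse battery", salt), slot_pw)
    return {
        "auto_unlock": ok == volume_key,
        "tampered_refused": tampered is None,
        "wrong_pin_refused": wrong_pin is None,
        "fallback_works": fallback == volume_key,
    }


if __name__ == "__main__":
    print(demo())
```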
Your drive does need to support OPAL though, check out sedcli for managing SEDs.
Try to identify the problems the customers have. If privacy isn't one of their concerns, convincing them to switch PC OS is not a great fit on that basis.
I feel like there needs to be some way to explain the changes to Windows 11 as hostile from a longevity perspective with the ads and the lock-in. With OneDrive being activated and moving customer data to the cloud without consent, the LLM that gets in the way of the user experience, Recall, etc. It would still be their choice but at least they would know what they were getting into.
I feel like I'd be doing some justice by letting customers who qualify (who don't have use-cases that Linux cannot handle) know that it's a better experience because Microsoft is creating friction in the desktop experience now.
Normies desperately want privacy, but think it is too hard to do, they're too dumb to figure it out, even if they figure it out it still won't really work, and that they won't be able to use stuff that they don't want to live without. They are often right, because they are smarter than they think and the industry is working against them full-time. A lot of people's incomes (on this very site) depend on keeping normies ignorant.
Bit of a bait and switch from that to the actual article title…
> Retiring Windows 10 and Microsoft's move towards a surveillance state
If nothing else adhering to HN’s guideline on titles would have saved me having to suffer through reading “recomming.”
https://cdimage.debian.org/debian-cd/current/amd64/iso-dvd/d...
There are several options for desktop environment, and you can select which ones to install when you boot that installer image (and also add/subtract more later, and change your preference at login time).
One of the nicest-looking ones that should be self-explanatory to use (for anyone who's used any version of Microsoft Windows since 95) is Cinnamon. Most of the other desktop environments default to similar, except for the current default Gnome one, which is a bit more creative in a way that's not intuitive.
The Cinnamon desktop will use a lot of that Gnome stuff, but things like a start menu and task bar will be more familiar than the corresponding elements of the default Gnome desktop.
Things that intrigue me:
- For photos, darktable is surprisingly good. I think this was my biggest single surprise, being a Lightroom user.
- GIMP was always great and now it's even better.
- LibreOffice is good enough that I can live on it just fine. I do miss Keynote, but it's not a showstopper.
- Dia is good enough for diagrams, though I miss OmniGraffle.
- Notice how there aren't any Windows apps I miss. There are Mac apps I miss (Keynote and OmniGraffle).
- Anything involving the web just works.
- Suspend/resume on my Linux laptop works better than suspend/resume on Windows, but not as good as what you get on Apple M hardware.
- Battery life on my Linux laptop is better than on Windows, almost entirely because Windows wakes the laptop up while it's suspended, so if you close the Windows laptop and carry it around unplugged, you'll find that the battery is totally drained after some number of hours. Linux doesn't have this problem.
- Development workflow is amazing. I'd rather program on Linux than anything else.
- The lack of crapware and nagware is so amazing.
- Similarly for Photoshop users, Photopea might suit them better than GIMP. And there's also Photoshop Express/Online if they really want to stay in the Adobe ecosystem.
I like OmniGraffle but personally I didn't think it was worth it when draw.io was free anyway. Like I don't feel it was $150-$250 better than draw.io, especially since it's not cross platform.
We'll have a few macs and 2 win11 machines, but the rest are getting migrated.
We're in the Google ecosystem for email, docs, and drive so I'll just deploy Chrome instead of a Libre chromium. I'd rather not troubleshoot user profile issues, and they have access to all our data anyway. Honestly, I fully expect I'll have more than a few users that don't even notice the OS change.
After evaluating a lot of options, PyQt + Nuitka gave a reliable cross-platform result (can target distros based on Debian and Enterprise Linux easily.) And we are still able to target Windows for the customers that remain there.
I would say that specifically with Secure Boot, Microsoft actually promoted user choice: A Windows Logo compliant PC needs to have Microsoft's root of trust installed by default. Microsoft could have stopped there, but they didn't. A Windows Logo compliant PC _also_ needs a way for users to install their own root of trust. Microsoft didn't need to add that requirement. Sure, there are large corporate and government buyers that would insist on that, but they could convince (without loss of generality) Dell to offer it to them. Instead, Microsoft said all PCs need it, and as a result, anybody who wants to take advantage of secure boot can do so if they go through the bother of installing their own root of trust and signing their boot image.
There's no issue booting a boot rootkit with the standard Windows bootloader unless you manually seal the image with command line or group policy, and even then it's possible to bypass by installing a fresh bootloader because the images are identical and will boot after a wipe.
This was not the case with the initial rollout of Secure Boot; it was combined with locked BIOS to lock PCs so that they could only boot Windows 8 on some devices. This was the case on Windows RT ARM machines from that era.
All that has to be done today for machines to be locked down again is to flip a bit or blow an e-fuse. It's already the case on phones and tablets.
There is also a real potential for abusing TPMs or cryptographic co-processors to enforce remote attestation.
I say this as someone who agrees with your first paragraph and uses Secure Boot + TPMs on all of my machines.
People here REALLY need to start understanding this issue. Remote Attestation is the kind of tech that if abused will end free computing over night.
Being able to install another OS isn't much good if critical applications and websites refuse to run on it.
The battle has already been lost on this. Just look at all the companies that are app-only and don't offer a web version.
This was my local gym which sacked their front desk staff and moved to app access only, and with an app infested with trackers at that. Needless to say I don't go to that gym anymore.
That said, for home use FreeCAD has gotten a lot better after the Ondsel changes were merged. I was using the free licence of Fusion 360 for personal projects, and moved over to FreeCAD 6 months ago. I'd originally tried it 7 or 8 years ago, and it was just absolutely awful to use, but modern versions are really very good. There wasn't a huge learning curve, and I haven't run into anything that the program can't do. For hobby CAD, I'm using it for 3D printing, a CNC mill, and making prints for manual machining. Honestly, I've been less frustrated with FreeCAD than Fusion 360; it does a better job of getting out of my way and letting me design things. That said, I'm a software dev and IT guy, I don't know if it would work for commercial use. I certainly didn't push for the engineers to change, but their workstations are already running Win11 that I had to debloat.
I'm using Ubuntu as my daily driver for the first time since ~2010, and I'm solidly not hating it.
Thinking about other desktop environments and what not, but this was easy and familiar. Everything literally just worked... Which is the first for me with Linux.
One issue I've always had is when updating applications you use every day, one bad library could make the application unusable. Most are dependency nightmares and there just aren't enough people paid to work on Linux apps to offer good support.
When I was young and poor, I had all the time in the world to tinker with my Linux machine to figure out how to get everything working again. I just want an operating system to work. If not Windows, I would recommend a Mac.
That's not really a problem anymore with immutable/atomic distros. Your entire system is upgraded in one go as a single image, any dependency issues are handled on the server (basically the image won't get built if there are issues). And most of your user apps will be installed via Flatpak or other means (homebrew/Nix etc) so you won't ever have to suffer from dependency issues unlike regular distros.
So if you want to get a distro that "just works", get an immutable+atomic distro (e.g. Aurora, Bazzite etc). Assuming of course, you've got compatible hardware.
Those who chose Linux were happy with the choice. But they were only a minority.
Now, Windows 11 requirements make a lot of PCs obsolete unless they install Linux on them.
20 years ago Ubuntu was the go-to for baby's first Linux. Is that still the case?
Unless you want to be the perpetual IT support for your parents, I would recommend getting a user-friendly immutable/atomic distro, like Aurora[1]. Aurora uses KDE, which most Windows users would find familiar. It is immutable, which makes it very hard to break, and it uses atomic updates (basically updates either apply or don't: there's no partial state which can break the system). And in the rare event that something does break, you can boot directly to the previous version right from the boot menu, no need to run any manual rollback commands. My 70-year-old mother also uses Aurora and has zero issues.
This is why I recommend immutable/atomic distros for newbies, especially if the person installing it doesn't want to be a 24x7 tech support for that user.
Luckily OnlyOffice is a pretty decent alternative with excellent compatibility with MSO formats. And there are also the web versions of Office, which are now a decent alternative (unless you're a power user who needs macros/VBA etc).
Linux users can install the free software suite LibreOffice, which not only replaces Office but reads and writes the same file formats. Many similar choices exist, this is just one.
Gamers can install the free Steam game compatibility layer on Linux, then play many of the same games they play on Windows.
Meanwhile, Redmond's recent requirement that everyone sign up for a Microsoft account, and its pushing the Recall eavesdropping-to-cloud feature with no user opt-out provisions, clearly signals Microsoft's belief that their customers shouldn't be allowed to choose.
Here is a list of current Windows traits that should be options, but are out of an end-user's control:
* Required Microsoft account.
* User tracking and telemetry without knowledge or consent.
* OneDrive, which is cloud storage and tracking, requires technical skill to disable.
* Desktop-recall images to the cloud, essentially Microsoft mass surveillance.
* Edge browser, cannot disable or remove.
* Unintuitive user interface, out of user's control.
* Advertising everywhere.
All these frequently heard complaints are addressed by Linux, and Linux is free.
I've been a Linux user for 30 years. I maintain one Windows dual-boot system, partly to help friends deal with Windows issues, partly to entertain myself with what most people believe constitutes a normal end-user computer experience.
A bit of context -- my first computer was an Apple II in 1977, so my definition of personal computing might seem out of touch with modern times (https://www.atariarchives.org/deli/cottage_computer_programm...).
Can you fix?
There's no 'Recall'. Co-pilot isn't all over in your face so removing it isn't really a priority. Edge isn't forced on you, it's just part of the bundled software just like a bunch of other items as in every Windows for decades. Not saying it doesn't get hairy if you're going out of your way to remove them or not be in the ecosystem, but consumers don't care, and for the most part stuff isn't being forced in front of them.
If you’re measuring “Windows isn’t annoying” from the corporate perch, that’s not a fair comparison to what consumers and home users put up with.
Not to mention the forced upgrade and reboots that can’t easily be disabled for same.
Maybe because it's Windows Pro, not Home? Maybe because I have 2 profiles. The one I used to install it which required a microsoft account, and a separate, local only account which is the one I use always. I can't remember the last time I had to use the other account. Maybe when I upgraded to Windows 11. I don't remember.
I'm not trying to excuse Microsoft. I had to go into settings and turn off everything I could find. I had to futz around to get it to stop trying to get me to install Exchange every time I pressed Win-E (or was it Win-W) which I press often because I use the same keyboard on Mac and Win-W is Cmd-W (open new Window) (A: PowerToys). So yea, I cursed that. But, I found a solution.
Other than that, so far, it stays mostly out of my way and just works. I'm hard pressed to notice too many differences. Is it because I'm on Pro? Is it because it's a local account? Is it just luck? I don't know. It only suggests that it's at least possible, so far, to use it.
Windows 10 eventually breached my capacity due to the number of defaults I had to change post installation, and then often, again, post-patch/update. This was very soon after Windows 10 was released, and I already didn't like Windows 8's hybrid monstrosity following on from the sublime Windows 7, which I consider to be peak Windows.
I moved to Pop! OS and have been enjoying it on both desktop and laptop for over 5 years.
My mom got an automatic update to Windows 11, and it bricked her computer. It wouldn't boot; it would spin and then say it needed to go into repair mode, and then doing repair mode didn't do anything.
My initial thought was that the disk was hosed, but of course my parents had a bunch of priceless documents that were never backed up anywhere else, so I talked my dad through flashing a USB of Ubuntu so I could boot into it [1], mounted the NTFS partition, and ran smartctl and the disk wasn't reporting any errors. I found and ran a few other commands and again, no errors. I was able to rsync the files to my home server, so nothing was lost. My initial assumption is that the Windows Update team didn't properly check to see if the CPU was compatible, and that maybe they were calling a newer instruction that wasn't on my mom's relatively old laptop.
After unsuccessfully trying to convince my parents to move to Linux, I talked them through flashing a USB drive with Windows 11 with an official image from Microsoft and using Microsoft's official disk flashing software, and we were able to install Windows 11, and as far as we can tell, it worked completely fine.
My hypothesis now is that whoever built Windows Update fucked up some kind of boot key and it was failing as a result. That or they just decided my mom should buy a new computer.
I was actually more annoyed after Windows 11 worked perfectly fine, not just because that means my parents aren't going to move to Linux, but also because that means that there's no technical reason that the computer should have been bricked, it was just the utter incompetence of Windows Update. Just to reiterate, this wasn't some hacked version of Windows 11, this was directly downloaded from Microsoft, flashed with their tools, with no adulteration on our end, meaning regular Windows 11 works fine. I highly doubt that my mom is the only person who has gone through or will go through this, and a lot of the people that will go through this won't have kids who are software engineers and probably be forced to buy a new computer.
Genuinely, how much e-waste is going to be generated by this forced update?
[1] Why the hell isn't there any kind of "Live USB" version of Windows? I mean officially, not some hacked thing? Why is the best way to fix Windows to use Linux?
I say this as someone who uses Linux daily. It's simply not ready for mass exposure. The second a layman wants to do anything remotely custom with it, they are going to struggle.
trinsic2•2h ago
So I have to decided to promote Linux over Windows for computers I build for customers. If you have any suggestions on how I can make this promotion, better let me know.
rolph•2h ago
If you promote, facilitate, provide resources for installation free of charge, that's probably fine. Providing a system for sale, with Linux pre-installed, may require, at least some attribution.
gerdesj•1h ago
Linux - the kernel is GPL 2 - that means you can use it to your heart's content. If you make changes, it would be nice if you shared them, please do.
A Linux distro will generally have a similar license. Again the idea is that positive changes that you make are made available to everyone.
That is the idea of the GNU Public License: If you take our freely available stuff and add to it, you should make your changes public too.
Seems fair!
rolph•1h ago
The idea that positive changes are made available to everyone is not yet broadly salient. At least now, poster is probably aware of that condition.
You seem to be up on GPL2, what happens when someone packages distros on disk or stick, and sells them for profit? That's something to be aware of as well.
Loughla•2h ago
Ever.
Forever.
gerdesj•1h ago
A device can be woken up at silly o'clock and "apt update && apt upgrade && apt autoremove && shutdown -r now" can be run via cron.
apt as deployed by Debian itself has options for automatic updates (via cron), which is the better option. Have a look under /etc/apt/apt.conf.d/
d3Xt3r•1h ago
[1] https://getaurora.dev/
PostOnce•2h ago
The business customers might want to know that databases are a lot cheaper on Linux, especially for small business.
Literally spoke to an automation company the other week that told me "we have to delete a bunch of stuff every time the database gets near 10GB or we'll have to pay Microsoft".
Plus there's no license cost for linux itself either.
This stuff might not be viable for hundreds of employees in a business where MS is already entrenched, but for a small business it absolutely is a better deal.
gerdesj•2h ago
It's time for change. VMware have tossed themselves off into limbo and MS seem hell bent on alienating a vast swathe of humanity with W11's requirements - weirdest A/B test ever.
I'm working on some bigger clients ...
zrobotics•1h ago
I run Firefox+UBO+Privacy Badger on my machines, and the only sites I've had to disable my privacy extensions for in the last few years were work related, B2B SaaS apps. A few years ago I pushed UBO to user machines (Chrome on Win10) at work, and had a ton of user issues. I finally had to disable it, it wasn't a net benefit to us. It's not just a 'turn it on and leave it alone' thing, and people don't always think or remember to try toggling it off and reloading the page when they encounter issues.
That said, it's insane to me to be paying MS for a database with a 10GB limit, but I've seen their price lists. I've also worked with small businesses that don't have in-house IT, and they just end up overpaying for crappy service for many of those things.
I hope this Win11 migration causes more MSPs and consultants to move small businesses over to Linux though, MS has been predatory on pricing for business customers for far too long and with as much work as has migrated to a browser there will be way fewer issues switching than there were years ago.
zrobotics•42m ago
It's really easy to just say it's the LUsers' fault and make PEBKAC jokes, and I definitely enjoy BOFH style humor, but honestly not everyone will remember the 30 seconds of training to go into this menu and toggle off an extension if NetSuite throws a cryptic error or won't behave properly. I find it's better to have some empathy for other people, not everyone thinks like a computer and connecting 'I have this error message full of gibberish about API calls' and 'the IT guy mentioned 2 months ago that if a site isn't loading, I need to turn off this thing'.
Aurornis•1h ago
Probably an unpopular thing to say here, but in my experience pushing non-tech people to use libreoffice as part of a Linux transition is a fast track to getting them to hate Linux.
Using Google Docs has been much more welcoming in my experience. Something about libreoffice doesn’t resonate with a lot of non-tech people.
heavyset_go•1h ago
IMO, if they need Office, they should just use Windows.
AlotOfReading•1h ago
As an example, I recently submitted a manuscript following standard format [0] with libreoffice. Nothing difficult, just basic professional functionality.
The only way to do it involved editing global default page styles (because custom page styles can't be used for title pages?) and other advanced features. Fair enough, at least it was possible. It's a shame the export process didn't preserve the formatting and screwed up page numbering.
I had to fix the manuscript in gdocs instead, where it was easy.
[0] https://www.shunn.net/format/story/1/
skopje•1h ago
Examples: [1] I selected a range of cells recently, by clicking and dragging, and when I let go of the mouse button, all of the selected cells shifted up and to the right by one cell, and CTRL-Z didn't undo it! [2] I have a workbook and when I duplicate a sheet with a chart, the chart is blank, so I have to delete it and re-insert a new one. [3] Sometimes the left-hand X-axis is cut in half, and I have no idea why, but if I create a new doc it goes away. I really, really want to promote LO, but it is very buggy. I can deal with it but I don't think others would.
heavyset_go•2h ago
IMO, if a user's needs can be met with a Chromebook, Linux + a browser + email + Zoom/or whatever would suit them well.
I think you're going to have a hard sell if they rely on Office or other Windows-only software, and although well meaning, it might be doing them a disservice if they can't run the software they're accustomed to.
weq•25m ago
Why wait for mass surveillance and remote attestation when u can have it today!!! :D