> I would say that specifically with Secure Boot, Microsoft actually promoted user choice: A Windows Logo compliant PC needs to have Microsoft's root of trust installed by default. Microsoft could have stopped there, but they didn't.

This was not the case with the initial rollout of Secure Boot, it was combined with locked BIOS to lock PCs so that they could only boot Windows 8 on some devices. This was the case on Windows RT ARM machines from that era.

All that has to be done today for machines to be locked down again is to flip a bit or blow an e-fuse. It's already the case on phones and tablets.

There is also a real potential for abusing TPMs or cryptographic co-processors to enforce remote attestation.

I say this as someone who agrees with your first paragraph and uses Secure Boot + TPMs on all of my machines.

> if you want to store secrets that don't need a user password to unlock and can't be stolen by taking apart the computer, you need a TPM

I had a Win 7 system and just entered a password on boot, this decrypted the disk. It was supported without mods or TPM (maybe some registry tweaks though). On Ubuntu I do the same, no need for TPM. Am I missing something? My disk is encrypted. If they take it apart, they need my password to crack the encryption.

TPM and Secure Boot would be good things if there were no way to prove to third parties that you're using them, or have them configured a certain way (i.e., remote attestation). It's the fact that that is possible that makes them reduce user choice and promote state and corporate surveillance.

On the face of it they're just security features, and I don't deny they are, but the industry as a whole are using those features to implement device verification systems that are being used to lock down their platforms and centralize control over their software ecosystems.

Being able to install another OS isn't much good if critical applications and websites refuse to run on it.

Thing is, because the whole design is closed as well as firmware, the security of it is near zero, even for sealing firmware device images (e.g. option ROM), much less bootloaders. Multiple security holes have been found.

There's no issue booting a boot rootkit with the standard Windows bootloader unless you manually seal the image with command line or group policy, and even then it's possible to bypass by installing a fresh bootloader because the images are identical and will boot after a wipe.

> Microsoft actually promoted user choice

Let’s not give Microsoft too much credit here…

Between 2011 and 2013, multiple Linux / free software organisations raised the issue with the EC. There was an actual antitrust investigation which at the time was seen as what motivated Microsoft to open the solution to third parties by 2013.

So in a way, thank you EU for making it so we have choices at all.

With that said, I think the technology still does more to promote vendor lock-in and as other said, it’s one windows update away from a dystopian hellscape where all your bits have been pre-approved by someone else.

I think it has the potential to create that situation if those features ever change. I should probably update that language, but I still feel from a consumer choice perspective, those solutions seem vendor specific and not governed by an open organization.

https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bo...

> TPM and Secure Boot do not reduce user choice or promote state or corporate surveillance

Now with remote attestation they do.

> installing their own root of trust and signing their boot image

Won't matter. They can tell we did this. They won't trust our keys. Only their own.

You are 100% correct and we can see the situation on phones where you can't boot anything not approved by the vendor.

These are old counterproductive FSF memes that should be retired, but stick around anyway.

Make sure libreoffice is included, and ublock origin. Show them how much faster it is, with fewer ads, and no subscription to Microsoft required just to write a document.

The business customers might want to know that databases are a lot cheaper on Linux, especially for small business.

Literally spoke to an automation company the other week that told me "we have to delete a bunch of stuff every time the database gets near 10GB or we'll have to pay Microsoft".

Plus there's no license cost for linux itself either.

This stuff might not be viable for hundreds of employees in a business where MS is already entrenched, but for a small business it absolutely is a better deal.

If you're going to do this, set them up with something they can get commercial support for.

IMO, if a user's needs can be met with a Chromebook, Linux + a browser + email + Zoom/or whatever would suit them well.

I think you're going to have a hard sell if they rely on Office or other Windows-only software, and although well meaning, it might be doing them a disservice if they can't run the software they're accustomed to.

Choose the right distro and automate updates of possible. Mint is the softest landing for Windows users. But they never ever ever ever update anything on their own.

Ever.

Forever.

I thought I heard that TurboTax is moving to web only, but maybe that's only for personal use and not corporate?

How could they create something that already exists?

you should look into the idea that you are a business, using linux installs in a way that may be subject to license.

if you promote, facillitate, provide resources for installation free of charge, thats probably fine. providing a system for sale, with linux pre-installed, may require, at least some attribution.

Some things that any semi-power user will notice and get angry at:

* Needing internet and a microsoft account to install the OS

* Start menu now requiring two clicks to get to programs list

* Right-click requiring two clicks to get to the options you most likely want to use (e.g. 7z unzip or opening in a specific program)

* Task manager being slow and laggy

* Random ads asking you to install a game pop up in the notification area

* ...

And then there's little bugs everywhere that just grind away at you on a daily basis:

* A tab in explorer will sometimes randomly stop accepting clicks (keyboard select works). So I have to close the tab and re-open

* The keyboard layout setting gets corrupted and there's no proper way to reset it (nevermind the fact tha this setting is now burried twenty levels deep in the new settings app)

* The settings app search does not work

* ...

It is by far the worst Windows version (beating Vista and ME to that title) in my opinion. I use linux as my daily but am forced to use Windows at work and they have of course been forced to upgrade us to Windows 11...

It just sounds as if you haven't reached whatever your capacity is for "having to setup the OS to get out of your way". And that's a personal choice for everyone.

Windows 10 eventually breached my capacity due to the number of defaults I had to change post installation, and then often, again, post-patch/update. This was very soon after Windows 10 was released, and I already didn't like Windows 8's hybrid monstrosity following on from the sublime Windows 7, which I consider to be peak Windows.

I moved to Pop! OS and have been enjoying it on both desktop and laptop for over 5 years.

- For diagrams, draw.io is a decent alternative

- Similarly for Photoshop users, Photopea might suit them better than GIMP. And there's also Photoshop Express/Online if they really want to stay in the Adobe ecosystem.

I use Debian Stable + Gnome as my main PC. I use a handful of native apps which are all available on Linux, and most other apps are web-based. I never used to like the Gnome desktop, but modern Gnome is fast, unbloated, and it gets out of your way.

sorry about that. was trying to clarify the reason for the switch for hacker-news audience.

> It's that Microsoft pretends they are required

I think that's what "artificial limitations" mean. Microsoft pretending they are required when they are not.

I don't use Windows and actually find it kind of insane when I use someone else's computer to see what Windows is like...

But it's kind of MSFT's choice whether TPM and secure boot are requirements for their software. If their software makes security assumptions that the OS has access to trusted hardware then it's a requirement. One could argue that they should create secure and less secure versions of Windows, but I don't think anyone is really going to take that seriously beyond rhetoric.

There are a lot of advantages to assuming the hardware is mildly trustworthy. The downside is you may not want Microsoft to be controlling what counts as trusted on your machine. If so, then you probably don't want MSFT to have root in your machine either and you're better off with a different OS.

I hear you, but I don't really think its needed. IMHO, those features are being used to take away control of hardware you bought and paid for.

If you want to add better security to a computer make it opt-in and not expect people to use it who don't need it.

Yup, they can give you a secure boot chain that's otherwise hard to prove, and I've worked at places where (for example) disk encryption keys were protected by TPM encryption, using TrouSrS.

They can also often be used as a (slow) source of hardware randomness.

Most modern intel (seris 8 onwards) and AMD Zen onwards have fTPM too. Often these can be enabled in the bios during upgrade then disabled again.

Personally I upgraded to Win11 the moment it became available, but that's because I want to continue my run of free MS windows forever and I only ever boot into it to play games, with even that becoming less common.

I second slicktux's suggestion: look into OPAL, it's much more easier to setup and use compared to LUKS. The best part is, the encryption is transparent to the OS, so you could multi-boot between multiple OSes and not worry about encryption or compatibility with partitioning tools etc.

Your drive does need to support OPAL though, check out sedcli for managing SEDs.

Being that it’s an SSD it’s already encrypting by default. You just have to set the User and Admin password and you’ll have full disk encryption!

You can set HDD/SSD password via the BIOS/UEFI or (my preferred method) using HDPARM —SECURITY commands.

Then if you take the drive out you can unlock it from another computer so as long as you plug it in directly and the UEFI supports HDD/SSD unlocking during post; if not you can install a Pre-Boot authentication on the drive that runs Linux to unlock the drive and then once unlocked it with the PBA it re-boots and it works as a normal un-encrypted drive.

Look into HDPARM and OPAL standard for full disk encryption.

I can't say anything about dual-booting Windows. I have heard that Windows Updates will frequently overwrite your custom EFI vars setup and reinstate the Windows bootloader etc.

Other than that, FDE and Secure Boot are unrelated.

The board's UEFI will boot the EFI binary that is either your kernel + initramfs (UKI binary), or a bootloader of your choice that then boots your kernel + initramfs. Depending on your distro, you may have a bootloader like grub or systemd-boot that is already signed by the MS third-party CA and your board may already allow the third-party CA, in which case you don't need to generate and sign with your own keys. Otherwise generate your own keys, set up Secure Boot with them, and then figure out how to sign your UKI binary / bootloader binary with those keys.

This initramfs will then be responsible for locating and mounting your root etc partitions. For a systemd distro using the UAPI Discoverable Partitions spec (use a specific type ID for the root partition), systemd has a builtin cryptsetup target that will prompt you on tty to enter the LUKS password for that partition. Otherwise investigate your distro's initramfs options for doing that.

>* Dual-boot where I choose in BIOS/UEFI to go to either the existing Win10 drive or new Linux drive.

grub and systemd-boot both show menus to select one of the available EFI binaries to chain to. Otherwise your UEFI might give you a similar menu.

>* I want to be able to take my drive out of a dead computer and access it elsewhere if something goes wrong, as opposed to needing to reformat and reload from backups.

Any other PC can mount and decrypt the drive with cryptsetup just like your original PC could, as long as you specify the same password.

>* If I install a distro with secure-boot off, can I turn it on later for benefits, or vice-versa?

Yes. You will launch board's UEFI, set the SB status to "Setup mode", boot your OS, then generate and enroll new keys which will set the SB to "User mode" and start enforcing signatures on next boot. And if it breaks you can set it back to "Setup mode" in board's UEFI, boot the OS and troubleshoot / re-enroll keys. The OS wouldn't care that you had previously enabled SB but are now booting with SB disabled.

Note that Secure Boot != Measured Boot. With a standard Measured Boot setup the disk encryption key is protected by secure element on the board (eg TPM) measuring the boot chain, so your disk will automatically decrypt when the boot chain matches the previous measurement and automatically fail to decrypt when it doesn't match. Your concerns about failing to decrypt the disk apply to this setup, not to SB. But also LUKS-encrypted partitions can have multiple keys to unlock them, so you can have both a Measured Boot-guarded encryption key and an emergency fallback password to unlock the disk manually.

You can turn the secure boot on/off at any time. The only effect from this is the loss of encryption keys that you might have bound to the measured values.

So for it to be effective against the evil maid, you really need to bind the LUKS key to it. But you can do that _and_ set a strong PIN for your LUKS key.

It's kind of primitive but AisleRiot is my favorite solitaire application. It's simple, it's lightweight, it's either included with or easy to install into any distro. I play FreeCell on there all the time.

CAD machines are some of the few in our company that are staying windows instead of going to Linux. We're an autodesk shop, I tested fusion under Debian 6 months ago and it didn't work very well. I tried proton and wine, couldn't get either to work great and had issues. It would launch, but opening a medium complexity assembly was laggy, and the CAM module would crash fairly often. I can't speak for other programs from personal experience though.

That said, for home use freecad has gotten a lot better after the ondsel changes were merged, I was using the free liscence of fusion360 for personal projects, and moved over to freecad 6 months ago. I'd originally tried it 7 or 8 years ago, and it was just absolutely awful to use, but modern versions are really very good. There wasn't a huge learning curve, and I haven't run into anything that the program can't do. For hobby CAD, I'm using it for 3d printing, a Cnc mill, and making prints for manual machining. Honestly, I've been less frustrated with freecad than fusion360, it does a better job of getting out of my way and letting me design things. That said, I'm a software dev and IT guy, I don't know if it would work for commercial use. I certainly didn't push for the engineers to change, but their workstations are already running win11 that I had to debloat.

Just run it in a windows vm for just that use, there's great ways to make this almost seamless in linux. works better than win/etc.

Here's a list of CAD application and their ratings on AppDB: https://appdb.winehq.org/objectManager.php?sClass=category&i...

It’s often more a question of “will the vendor support it” than “can it run.”

I wouldn't expect users to do this, but have you filed a bug on kernel.org for the amdgpu driver?

AMD's kernel developers are incredibly responsive there, I've worked with them to fix a bunch of bugs I've run into.

This happened with a new AMD chipset with a Framework. One firmware update improved it and then kernel 6.8? I think fixed it. Was about perfect, then kernel 6.13 AMD driver broke it again. ;-)

What card is it? If it's older than Volcanic Islands (2015), yeah, those old cards aren't well supported by the current amdgpu driver, so you'd need to use a distribution that still supports the old ati driver. The linked article recommends MX Linux for old machines. I think you can get it working with Arch Linux but that would require a higher level of effort.

I'd be curious how well it runs NetBSD or OpenBSD.. have you checked?

Try the forums or Discord chat for the distro you're trying. LinuxQuestions.org and the "Linux for All" discord are good places to ask distro-agnostic questions.

upgrade your graphics card or try another? is it old with limited support?

I hear you though, I still have printing problems with my Epson WF printer.

Install Linux or BSD on that thinkpad and you're good to go. I still use ThinkPad X230's and T480/A485's every day, with Linux and BSD.

go for it (upgrade to linux). My T480s is still my goto laptop when I'm travelling (if I lose it, no biggie - encrypted home dir, meanwhile it can last for 5-7 hours playing videos, running webapps etc), versus my work laptop on windows 11 dying after 2+ hours.

I think the vast majority of people use a PC for only basic functionality, like browsing the web and editing documents/spreadsheets, and for these users, Linux works fine. My 70yr old mum is a classic example of this - she used all versions of Windows from 3.1 to 7, and she switched to Linux about a decade ago and has zero issues. If my mum can use Linux, so can the average Joe.

It's the power users, or users who've got specific proprietary software/hardware requirements that usually run into issues: gamers who play games with kernel-level anti-cheat, professionals who're dependent on Adobe/AutoCAD etc.

I will hazard that the modal computer user in 2025 has never installed anything on their desktop computer. Almost everything is done through the browser these days - unfortunately.

Ubuntu has unfortunately become the Windows of the Linux world - and I don't mean that in a good way.

Unless you want to be the perpetual IT support for your parents, I would recommend getting a user-friendly immutable/atomic distro, like Aurora[1]. Aurora uses KDE, which most Windows users would find familiar. It is immutable, which makes it very hard to break, and it uses atomic updates (basically updates either apply or don't: there's no partial state which can break the system). And in the rare event that something does break, you can boot directly to the previous version right from the boot menu, no need to run any manual rollback commands. My 70yr old mother also uses Aurora and has zero issues.

[1] https://getaurora.dev/

Probably Linux Mint these days.

I wouldn't rule out a distro like Rocky Linux or AlmaLinux (or anything else based on RHEL) with Gnome or KDE installed. They will receive 10 years of kernel and OS security updates, and you can either use Firefox from their repos or use something like Flatpak or Snap to get newer software packages if necessary.

Canonical keeps packaging things like Firefox as Snaps and that leads to weird issues sometimes. If it were up to me, I'd avoid anything using Snap because of the potential for headaches.

> One issue I've always had is when updating applications you use every day, one bad library could make the application unusable. Most are a dependency nightmares and there just aren't enough people paid to work on Linux apps to offer good support.

That's not really a problem anymore with immutable/atomic distros. Your entire system is upgraded in one go as a single image, any dependency issues are handled on the server (basically the image won't get built if there are issues). And most of your user apps will be installed via Flatpak or other means (homebrew/Nix etc) so you won't ever have to suffer from dependency issues unlike regular distros.

So if you want to get a distro that "just works", get an immutable+atomic distro (eg Aurora, Bazzite etc). Assuming of course, you've got compatible hardware.

If the issue is the OS vendor having too much say in what hardware you can use, it's hard to understand what the opportunity is for Apple.

Apple has never really tried to compete for the corporate desktop. It’s too low margin for them.

If you’re not on the corporate managed version of Windows 11, Microsoft frequently resets the default apps related to browsing, svg, pdf etc. I had it done twice in a week recently. That’s what flipped the trigger for me and I finally abandoned Microsoft.

If you’re measuring “Windows isn’t annoying” from the corporate perch, that’s not a fair comparison to what consumers and home users put up with.

Not to mention the forced upgrade and reboots that can’t easily be disabled for same.

Every other OS from MS is garbage. XP good, Vista bad, 7 good, 8 so bad no one remembers it, 10 goodish, 11 horrific.

The hate is hardly unprecedented and indeed well-deserved. MS has shown in the past that they’ll respond to poor OS reception with attempts to win back customers and that’s what I’m hoping for in this case.

Good point. Thanks. Your right I think I will create some eval questions and make sure I am putting the customers needs first.

I feel like there needs to be some way to explain the changes to Windows 11 as hostile from a longevity perspective with the ads and the lock-in.. With one-drive being activated and moving customer data to the cloud without consent, the LLM that gets in the way of the user experience, recall, ect. It would still be their choice but at least they would know what they were getting into..

I feel like id be doing some justice by letting customers who qualify (who don't have use-cases that Linux cannot handle) know that its a better experience because Microsoft is creating friction in the desktop experience now..

Normies don't think privacy is for crackpots, that's a meme among techies who are trying to justify surveilling their users.

Normies desperately want privacy, but think it is too hard to do, they're too dumb to figure it out, even if they figure it out it still won't really work, and that they won't be able to use stuff that they don't want to live without. They are often right, because they are smarter than they think and the industry is working against them full-time. A lot of people's incomes (on this very site) depend on keeping normies ignorant.

You can still run older versions, but anything from 2019 onwards will struggle - and you can completely forget about the latest M365 versions.

Luckily OnlyOffice is a pretty decent alternative with excellent compatibility with MSO formats. And there's also the web versions of office, which is now a decent alternative (unless you're a power user who needs macros/VBA etc).

Try proton from valve. Every game that's not bound by kernel level anticheat pretty much works. ProtonDB is the place to get the required magic incantations for edge cases.

Steam Flatpak works great if your games are on Steam.