Microsoft uses TPM PCRs 7+11 for BitLocker which is more secure than the Linux implementations mentioned in the article.

PCR 7 is the Secure Boot measurement which means it can’t be unlocked unless every signed boot component has not been tampered with up to the point of unlock by the EFI bootloader. PCR 11 is simply flipped from a 0 to a 1 by the bootloader to protect the keys from being extracted in user land from an already booted system.

The article is correct that most Linux implementations blindly following these kinds of “guides” are not secure. Without additional PCRs, specifically 8 and 9 measuring the grub commands (no single-user bypass) and initrd (which is usually on an unencrypted partition), it is trivial to bypass. But the downside of using these additional PCRs is that you need to manually unlock with a LUKS2 password and reseal the keys in TPM whenever the kernel and or initrd updates.

Of course to be really secure, you want to require a PIN in addition to TPM to unlock the disk under any OS. But Microsoft’s TPM-only implementation is fairly secure with only a few advanced vulnerabilities such as LogoFAIL and cold boot attacks.

Linux on enterprise user endpoints is an insane proposition for most organizations.

You clearly have no experience managing thousands of endpoints securely.

Looks like they found someone.

No, it’s amazing. Especially on the Steam Deck.

This is like the epitome of the XY Problem.

https://xyproblem.info/

If you’re willing to wait 2 weeks for shipping (with an added shipping cost of $0.40) you can just order that stuff directly from Aliexpress and cut out the middle man.

I’d be careful about completely trusting any AV to give you any certainty that you aren’t infected.

As I mentioned in another comment, Pegasus is comprised of many different exploits. So just because Bitdefender can detect some older Pegasus variants, doesn’t mean it can detect all of them.

In fact it’s quite unlikely they can detect the latest variants.

I don’t know the full answer, but Pegasus isn’t one single piece of spyware, but rather a toolkit of many, many zero-day exploits.

A lot of them (the majority maybe?) are non-persistent meaning that they don’t survive a reboot.

That said, aside from keeping your phone up to date with security patches and rebooting frequently, I’m not sure there’s much the average person can do if you’re actively being targeted.

Same. I think Civ 5 was my gateway game.

This was an amazing and informative answer. Thank you.

Yeah Win11 will probably be a noticeable performance hit on that. Especially Explorer which they made dog slow when adding tabs and the new context menu.

The Office apps and browser will probably be about the same.

I’m running Windows 11 on a 12 year old X79 platform. Runs just fine.

But it was definitely top of the line in its day and 48GB of RAM keeps any system relatively snappy.

Yes! Basic Training in 3-2-1 Contact.

Look man, this is just exhausting. I’m well aware of that security policy. I have enabled it at some of my clients. But it’s not a default setting and would never be on a random non-enterprise PC. This is what I mean when I say the only people who are getting locked out this way were screwing with their computers in ways they don’t understand, installing random garbage and following bad advice on the internet.

From your link:

If you set the value to 0, or leave blank, the computer or device will never be locked as a result of this policy setting.

I don’t care what you think. I’m playing chess with a pigeon here. Test it yourself.

Edit: And sorry for being a jerk. Back to my original point, I’m pretty much fed up with the “technical” communities of Lemmy where correct information is downvote to oblivion and blatantly wrong information is lionized as absolute truth. And when I have tried to actually help and provide useful information I get met with the hordes of confidently incorrect people trying to discredit me.

That’s the BitLocker PIN, not the OS PIN. Go away.

Bitlocker activates when you enter an incorrect OS password too many times.

This is completely false. Please stop spreading misinformation. You clearly have no idea how BitLocker works, nor Secure Boot, BCD, TPM, or PCRs. Or anything really.

Maybe you should stick to an iPad. I’m done replying to this blithering nonsense.

I’m actually 46.

Here’s a cookie:

Bitlocker activated because of an OS update

This did not happen. You did something to enable it.

I don’t have an MS account, because I have no need to give MS all of my data

If you had one, all of your data would have been safe in OneDrive and easily recoverable. But I’m sure the irony is completely lost on all the anti-MS people here. Nah, it must be Microsoft’s fault you didn’t have backups when you broke your tablet.