I have a refurbished HP EliteBook laptop with Windows 11 Pro and I was able to retrieve the activation key so that I can do a fresh factory install, and I am thinking about my configuration as a learning opportunity. I am ready to begin fresh with a new online identity as an experiment in privacy.
I completed a threat model and would like to proceed with the highest level of security just to practice what that might be like, and I can rollback later depending on what my needs will be in a real world application.
I have been reading best practices for installation and hardening in the wiki and knowledge base, so I will be moving forward with those recommendations. I have been learning advanced windows admin functions and will practice before I reinstall windows and wipe my drive. The content posted here has been invaluable, thanks to everyone who is a contributor!!!
My objectives:
Create separation between personal and work/online life
My “work” is mostly online and requires the use of Google and Meta
To learn how to configure my computer with the highest level of privacy and develop safer online habits
My limitations:
I am working with a refurbished HP840 G8 11th gen intel core i6 with 16GB DDR4, 256GB NVMe SSD, and Windows 11 Pro (I may upgrade the harddrive in future)
I have no experience with non-Windows OS other than expensive macs
I don’t have the budget for subscriptions to additional software or privacy tools
My strategy:
reinstall Windows 11 Pro as per Knowledge base recommendations
harden and secure host as per Community wiki posts for Windows 11
set up a standard local user account for personal tasks with hardened Firefox and Bitwarden for day-to-day browsing
set up a separate user account to install VMware Workstation Player that will run Linux OS with ProtonVPN
restrict use of data-tracking apps to the account with VM and VPN setup
My questions:
Does this plan seem reasonable??? Would you suggest an alternative approach or different apps? Does a fresh new re-install of Windows completely wipe whatever was on this computer including any potential personal information?
I have a refurbished HP EliteBook, should I avoid using HP Support Assistant to update my firmware? I can’t remember if it wanted me to create a HP account?
How do I update my TPM chip? There was no TPM package that I could find on HP’s website and there was no option to update, only to clear. Is that the same thing? I did trip up on some of the instructions for Windows Post-Install Hardening Guide but I think that was because it was covering previous versions and multiple editions of Windows that refer to depreciated functionality and I think it was first written three years ago. The newer Minimizing Windows 11 Data Collection was very helpful to resolve my other issues.
What is recommended for running a virtual machine? I did not see any suggestions listed, is VMware Workstation Player suitable?
How hard is it to figure out Linux? It took me about a week to become proficient in Windows and I have a web development background so I think I can figure it out. (The reason I am considering Linux is because I only have one activation of Windows 11 Pro and I am assuming I can’t install another version of it within the VM player???)
If my experiment is successful on this laptop, I may setup my desktop PC for personal use and use this laptop for “online” tasks to create a physical separation. For the time being, I will try to sandbox any data-tracking apps I might use on the new laptop through a VM running a VPN. My mobile phone is an entirely other situation that I will post a separate question about…
Thank you to everyone who contributes and shares their wisdom with me! Much appreciated!!!
Does the VM run the same OS as host or does it require its own OS? If it requires a separate OS, I wasn’t sure if Windows would allow multiple installations and I only have a license for one. That’s the only reason I thought I might have to go with an alternate like Linux being that it’s free. If I can still run windows in the VM that would be ideal.
Excellent thank you! Would this run within the VM or host?
Thanks I will investigate VirtualBox.
If I’m starting with a factory fresh install of windows, why do you think it’s necessary to use a bulk uninstaller? I don’t think there will be that many apps to remove, but maybe I’m wrong? Or perhaps is it because it removes hidden data from apps?
Thanks so much for all your suggestions, very helpful!
There’s pros and cons to every option. VirtualBox is at least sort of open source which is one of the main reasons it’s recommended, but they don’t have a great track record when it comes to security. I’ve heard some people claim Hyper-V is much more secure so you can look into that as well, but I’m not sure if it’s as intuitive as VMware or VirtualBox.
It’s easy enough for people who aren’t tech savvy so you should be just fine. The main issues people run into are related to running Linux on hardware which doesn’t fully support it or trying to use software which wasn’t made for (or tries to prohibit) use on Linux. There’s sometimes workarounds to these issues and your mileage may vary depending on what hardware/software you use.
If your laptop wasn’t made to run Linux, don’t be shocked if something doesn’t work. You can safely test most Linux distros without actually installing them on your computer to make sure everything works fine. If something doesn’t work, contact community support forums to see if anyone can find a fix. Also be prepared to switch away from any Windows-specific apps you use. Most desktop apps these days are cross-platform and most games can be ran through compatibility layers like Proton. Any Windows-specific app which can’t run on Linux likely has a Linux-compatible alternative you can switch to.
Thanks, I will read up about the security concerns for VirtualBox and look into Hyper-V as an option.
I hadn’t considered that, I will do some research to see if my hardware is compatible.
If I were to use Linux, it would primarily be to run Zoom meetings or Google or Meta through Chrome browser. I’m not a gamer.
I have one license to use Windows 11 Pro and if that is activated on my host computer, would I need to purchase a new copy of Windows to run it in the VM? I was under the assumption it would require an additional activation key which is why I opted for a free version of of Linux. If I can get away with using the same OS as host, then I would prefer to stick to Windows just for compatibility reasons you mentioned.
In that case you shouldn’t have any application incompatibilities. Chrome (or better yet, Brave) and Zoom both support Linux.
I believe so but I’m not 100% sure.
Earlier you mentioned you wanted to configure your computer for “the highest level of privacy” which generally isn’t something you should expect to achieve while using Windows 11 as stated in the introduction and disclaimer portions of the Minimizing Windows 11 Data Collection guide. Trying to switch to a recommended Linux distribution is very much worthwhile as part of achieving your stated goals. Fedora Workstation should be easy enough for many people, but if you want something even easier and with a much larger community, I’d recommend Ubuntu instead.
Well… what I meant is the highest level possible, I don’t expect total privacy. I am just experimenting with what is possible. Would you recommend Linux as the host and Windows 11 inside the VM?
Any progress is progress so feel free to stick with what you feel is practical. If you test out Linux on a live USB and have no hardware issues, it sounds like you should be able to easily switch to Linux since everything you do is done within a browser.
Running Linux as the host and Windows 11 in a VM would be better in regards to privacy since at least Windows is contained, but if all the apps you use run on Linux there shouldn’t be any need for a Windows VM.