Computer savvy people of Tildes, do you have any advice re setting up a new MS Windows personal computer?
Any advice should be suitable for a non tech person who knows how to google and follow instructions but not code in any way.
Can anyone suggest which firewall and/or antivirus might be best? All suggestions for making life easier while dealing with a new machine are welcome.
Hey, the built in firewall and AV shipped with Windows will be enough.
Personal opinion, often times AVs are useless at best or give you a false sense of security.
EDR, like SentinelOne for instance, is significantly better than traditional AV and uses fewer resources. Behavioral actions are a lot more effective at stopping bad actors and will catch things like supply chain attacks pretty effectively.
A quick search online tells me that SentinelOne is a security platform aimed squarely at enterprise users. Probably not best to recommend it in such a thread.
Oh yes, I thought they had a home product but they don’t. BitDefender and Sophos both do, probably better choices.
Seconding BitDefender. It works well, uses low system resources and has none of the false positives I've gotten in the past from things like Avast (bleh).
Can you please elaborate on what you mean by a supply chain attack in this context? Would that be related to, say, clicking on a harmful link when trying to access free streams/pirated content? (Just a guess, I'm admittedly uninformed on this topic) thanks
Supply chain attack is when a hacker hacks the company that makes the software and then sends out a legitimate update and infects all their customers.
https://www.sans.org/blog/what-you-need-to-know-about-the-solarwinds-supply-chain-attack/
https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise
In these cases the software is completely valid - it’s signed by the company, it’s probably an expected update and you just click “update” without thinking like you do hundreds of times a year. Only it’s compromised, so you need software that says, “Look I know you trust this fellow but he’s doing suspicious stuff. I’m gonna block him until you say it’s cool.”
Makes sense, thanks!
This is definitely what I see recommended everywhere else and how I recommend friends and family go (though a few I can't talk out of their subscription to Norton). I tend to add Malwarebytes to this recommendation as well, just for instances in which you suspect you might have something on your machine and want to manually scan just to double-check. I think it's only helped once or twice ever and you could probably just download it later when you need it, but it's been solid as a back-up.
That said, I haven't used Windows personally in years, so please correct me if this is outdated.
The built in Windows Defender is a good enough antivirus and firewall by default.
Make sure you have adblock installed to your browser, don't download anything strange, avoid getting phished via an email, and always check the web address you are on is a legit site and not something cooked up to look like a site but really a scam. For adblock I use uBlock Origin and Privacy Badger, for sites you trust it's fine to turn Privacy Badger off since it can sometimes stop useful things from working.
As for a fresh install:
For all media playing you can't go wrong with VLC.
For generally cleaning out junk, BleachBit or the free version of CCleaner is enough.
You can use ninite https://ninite.com/ to bulk download and install some key things.
Mostly keep your machine up to date with security updates and don't do anything stupid like typing your details into a phishing scam and you will be fine.
Honestly since the casual internet turned into like 10 sites that 95% of the world goes on for socials and shopping, viruses are not nearly as much of an issue, the bigger issue by far is people falling for phishing.
uBlock Origin, to provide a more exact recommendation. Most people will inadvertently install some less-trusted extension that has "adblock" in the name.
Pretty much the exact advice I give to everyone.
What do you mean by this sorry?
After a while your machine will have several GB of temp files, cached data, and other stuff that is not needed. So periodically running these will free up some space.
I generally run these regularly on my windows machines, I haven’t bothered on my MacBook but no doubt I could save a few GB if I ran it on there as well.
windows has built in tools for cleaning up this junk
i wouldn't recommend ccleaner anymore, since most of the extra stuff it does is cleaning your registry. registry cleaning is largely a placebo these days, and there is always a risk that you will end up "cleaning" some important keys.
Registry cleaning is a separate tab, you can clean the temp files and caches of your apps without ever touching the registry. I can't believe I'm defending CCleaner but this isn't true and not a valid reason not to use the tool.
Some things can be cleaned with disk cleanup in windows but not everything.
my reason for not recommending the tool isn't specifically the registry cleaner, it's the fact that the disk cleanup utility built into windows covers 95% of the non-registry related cleaning ccleaner does.
Can you elaborate on this? I've been using PB for years, and not one single site has ever had an issue caused by PB. The only thing I can think of is wanting to use some cross-site comment/discussion system, which I almost never do.
Some things like banking apps and payment processors can get stuck if privacy badger is turned on
Doesn’t happen often but one thing to check if your page crashes.
You can disable it on a page by page basis for sites you know and trust.
A better reason is that Privacy Badger no longer does the thing it was known for (local tracker learning) as it was found that that itself could be used as a vector for fingerprinting. So these days it's basically an inferior, redundant version of uBlock Origin.
Could you share any online reading regarding this?
https://www.eff.org/deeplinks/2020/10/privacy-badger-changing-protect-you-better
As for what's a good firewall - something most people don't think about is how their router could be a security risk. Routers themselves are a physical network firewall, but most router manufacturers don't have high standards and will leave in backdoors that hackers discover. They also tend to not have their products automatically download updates even if they're for critical issues because users don't want to deal with their router restarting or getting fucked after an update (Edit: Just tried this myself and the first time it failed and I needed to hard reboot the router and try again, so I understand why they don't do it automatically)
The process for finding what routers have CVEs would involve searching using the model number here (the actual model number not the fancy consumer name), but the answer is pretty much "yes" for all of them. Basically what I'm saying is you should update your router's firmware if you can, that's the easiest thing to do and could improve security on your home network. Because your Windows PC has a good software firewall built in it's not the device most at risk. Cheap networked devices are the main risk factor, like smart TVs, WiFi security cameras, etc. They often get broken into and turned into botnets.
Thank you for posting that NIST vuln search link, that is a very useful tool to have.
First I would advocate trying out Linux Mint, but I don't want to obnoxiously evangelize my position on Linux, so I'll leave it at this single sentence - Mint is very windows-transition friendly and easy to use.
For a fresh Windows install, my procedure (for installing client computers and computers I'm posting for sale) is thus:
Install not-connected to the internet - allow no internet access during setup. Choose 'I don't have internet' and to 'continue with limited setup' and on the page that has all those 'please let us spy on you in all these ways' slider checkboxes (which MS helpfully opted you into ALL OF THEM), proceed to de-select them all. Choose not to set up any online / Microsoft account and set the computer up with a local account only.
After install, connect to the internet and do windows update. Then restart and do windows update. Then restart and do windows update. Do this about 3 to 5 more times and it should finally be done getting them all (I hate MS for this clunkiness).
Open microsoft Edge for the first and only time. Go to Ninite.com and check the checkboxes for: Chrome, Firefox, CCleaner, Foxit Reader, 7-Zip, VLC, K-Lite Codecs, Malwarebytes. Additional optionals that I would choose but you may not need or want: Blender, GIMP, TeamViewer, WinDirStat, Zoom, Discord, Skype, qBittorrent, FileZilla, Notepad++, PuTTY. Click on download and Ninite will build a single install file that will install all of your chosen programs at once saving you a ton of time.
One item I would advocate for that is not included on Ninite.com is the Vivaldi browser (I use this) - it is Chromium based and is really excellent in my opinion. Tons of great little quality-of-life improvements integrated by default instead of needing to download extensions.
Speaking of extensions, download AdBlockPlus and uBlock Origin for whatever browser(s) you use.
Done, you have a clean, base install now. Unless you installed from a vendor specific install / restore file (Dell, Lenovo, HP or whatever) in which case there is probably an enraging amount of bloatware, crapware, and corporate spyware pre-loaded that needs to be removed.
I tried Linux a few years ago but was defeated by the need to collaborate with coworkers. Many things are more cloud based now, but I am not going to risk it right now as it is a busy time for me. I already resent and am frustrated by the time needed for the basic setup without changing anything major. I also have programs I am required to use that may not be compatible with Linux. I know virtual machines exist, but again, not much time available right now to fuss with it.
Thank you for the advice.
Honestly, if you aren't in the mood to tinker then I would say just run it default with whatever install preferences you want. Win 10/11 are perfectly fine out of the box and don't NEED further tweaking unless there's something you find particularly bothersome.
AdBlockPlus AND uBlock Origin? Just do uBlock Origin
CCleaner is an old product, Windows built-in tools handle everything you need.
I honestly did not know people still use KLite Codec Pack in 2023. It's like having a headache so you take every pill in the medicine cabinet. Just install the codecs you need OR just use VLC player.
If you're against the privacy invasion of Microsoft, why recommend Chrome at all?
Valid question.
Plenty of not-me people won't care and just want the simple/known off-the-shelf option so to speak. It's what I'll still install for client computers or for-sale computers just so people don't have the 'what is this, I don't know what it is and don't want it' reaction.
I do advocate for either Firefox or a Chromium-based (only the open-source portion of Chrome) browser, just not to the point where I annoy my customers.
Google recently baked user ad tracking stuff into Chromium (not just Chrome.) Basically we're left with Firefox, Vivaldi and Brave (which forked chromium and is removing any tracking Google adds but I personally avoid it due to it being run by a bigot)
Yeah I heard about that. I'm hoping for either enough public backlash that they consider walking it back (unlikely, it's a direct profit motive) or for enough public sentiment to translate into legislation aimed at them for what they are doing.
The vast majority of people don't know or care about it. In the same week they released the user tracking feature they also announced their "enhanced" privacy feature to muddle the waters around what they were doing. They just released a nag screen about ad-blockers on YouTube. This is an Alphabet-wide strategy to aggressively ramp up user tracking and ads.
They will not care about public backlash until they lose a significant amount of users and those that care about privacy already got out. The enshittification will continue for the foreseeable future. I'm expecting IE5/6/7/8 time spans of Chrome's demise at the minimum.
Why would you recommend people to use a local account? Using a Microsoft account is actually really useful. It will save all documents / desktop items to OneDrive. If anything ever goes wrong you don't have to spend hours on file recovery.
Honestly?
Personal prejudice against MS combined with a dislike for the ever-further-encroachment of privacy that has become the accepted norm.
I've been a tech of various fields for a long time, with some involvement in IT probably accounting for the most years, and something that I've taken personal offense to is the device and OS integration of required or hard to get around submission of personal information which then gets used for marketing profit. I see this theme in how MS prefers and steers users in to initial setup.
I concede that others will have a different view, and the utility offered by going the normal setup route can be attractive and useful to some users.
I would not trust OneDrive to be the sole backup solution regardless of all the other privacy issues I have with MS. And file recovery is no backup either.
But I personally don't want my PC to save everything (except if I exclude it) to the cloud or have a local machine be dependent on their systems.
What happens if for some reason your account gets blocked/deleted on their end?
Will the machine still function? And will this keep working in 2, 3 or 10 years from now?
Don't get me wrong, I use OneDrive as a second backup solution so it's not all bad.
But I send my stuff there packaged in a big encrypted tar file.
I also wouldn't trust OneDrive to be my only backup solution (and I use Linux nowadays myself) but afaik it's not particularly difficult or effortful to save files locally even if you use a Microsoft account to sign into Windows. Unless things have gotten a lot worse since Windows 10 on that front very fast.
Fair enough, I haven't used Windows outside of work since a loooong time.
And I can't change jack on those Windows machines outside of my WSL2 config, so I assumed the worst.
Thanks for clearing that up
I'm not them but I'm not trusting MS with a bloody thing if I can help it...
If I may make an alternate recommendation, Okular or SumatraPDF would likely be better; Foxit in my experience takes a while to open and feels very bloated. Sumatra is very stripped down and very light while Okular has more features and better usability (it does rely on Kirigami I think, which may be a problem to some, but if you like KDE apps that's hardly an issue).
Years-long KDE user here. Never had a problem with Okular, other than, perhaps, inability to process the most complicated PDFs that might use some really obscure Adobe feature. I can't even remember the last time that happened to me, because almost every PDF is just a simple read-only document, either with selectable text, or embedded images.
It's worth mentioning that this is not available on Windows 11 Home by default, only Windows 11 Pro. If you install Windows 10 or older, then you can be offline during setup of Home as well.
There are workarounds for this on 11 Home. Install without an ethernet cable and when you get to the "Let's connect you to a network" screen, you need to press Shift+F10 to open command prompt and type OOBE\BYPASSNRO followed by enter. Your computer will restart and then you can continue setup without connecting to the internet. This workaround may be removed at some point in the future, or it may not, I honestly don't know.
Ah, yeah, I remember having to do that recently too. Yet another thing that annoys me about Windows / MS.
Is CCleaner safe to use these days? After Avast bought it there were some security breaches in the 5.x version and forced bundled antivirus installation.
Spend some time turning off app access to things in the privacy settings - there's a ton of things nothing has any business accessing that is on by default.
The things to pay the most attention to are camera and microphone. If you don't plan to video conference, you can just turn these off as well. But if you do, you will want to leave them enabled and remove access from apps individually.
There are a few settings that can cause annoying issues though, like securing access to your documents folder. I eventually had to disable that as it constantly caused apps to break since they were not typically built with the concept that they couldn't access the documents areas.
If the OS comes pre-installed I can recommend to wipe the hard drive and use a fresh Microsoft ISO to install windows. Too many companies trying to push whatever shitty bloatware/spyware they can get money for.
You might want to check out some of the debloat/tweak collections out there like Sophia (GUI).
Omnibars like Flow are great. Primarily useful for finding files (VoidTool's Everything / Windows Indexing supported), but there's also a bunch of other plugins.
Ninite can be useful for getting your basics but you might want a package manager like Chocolatey (WinGet has become more viable). That will let you manage update/installs/uninstalls and, if you ever need to set up a computer again, you can just export the list of stuff you want on it and have a batch install script, ala:
ShareX is great for screen capture/recording. It also handles uploads, markup, and has other tools like OCR/eyedroppers.
Paperless-Ngx depending on your habits is a mature document management system. Scan your stuff and pitch it, or give it an archive number so you know where to find it.
I use SyncThing for sharing files across devices and Duplicati for backups.
QtTabbar is a little iffy with its development but I find it useful for adding browser-like functionality to the file explorer with tabs, shortcuts, and other stuff.
If you ever do try your hand at scripting, Autohotkey is fairly accessible for beginners. At its simplest you might just use it for string replacements, like `]d` for typing the current date:

I agree with others about Windows Defender being the best choice for AV, but I prefer a different choice for a firewall.
Simplewall lets you block network access by application. I set it to block by default, so I have to manually approve any new application. It's great for stopping any potential malware from phoning home, but also to rein in undesirable features of programs you otherwise need (e.g. telemetry/ads).
Some of my favorite apps for Windows:
KDE connect has a windows port now?
Damn, that was one of my top three '*nix Exclusives'. Right up there with Minder and sshfs.
Installing it on the multiplayer gaming rig as we speak now though.
Why qView over Irfanview? I'd suggest Signal over Telegram as well for messaging.
It works exactly how I like, and my usual DE is Plasma, so it fits well there. I haven't tried Irfan in over a decade.
Ditto on Ditto
I recommend Windows PowerToys which is a suite of utilities made by Microsoft that should probably ship with Windows.
I really like the launcher app (forgot the name now, but you'll find it on the PowerToys interface).
I don't understand the putty recommendation. How often are regular people using ssh?
I was just giving my opinion that, if you need to use ssh, plain openssh in wsl is what I personally prefer to putty. Putty was included in @l_one's list.
It's used more frequently than you might guess; a lot of places that used ftp in the past use SFTP or scp (ie, ssh) these days.
This whole thread has turned into a rather useful refresher for best-current-practices on setting up a clean install.
I've been a tech for decades and either didn't know (or possibly had forgotten about) verbose startup. That looks quite useful. Thank you for the knowledge.
Will it be on Windows Home or Pro?
It's not out of the box yet. Likely home, is there a reason to choose pro?
The biggest advantage of Pro is the group policy editor, which Home doesn't have. If you're not a power user, it's of little value.
I'd stick with Home unless you feel compelled to spend extra money for little reason.
There's no reason not to choose Pro. It doesn't make the Windows experience any more complicated, all it does is install a few extra features that you might find useful in the future. The Pro distinction barely exists anymore these days.
Depends on your region, I guess. It's usually €100 extra if bundled with your computer, or €200 to upgrade after the fact in my region. That's a lot of extra expense for a non-techy user as described in the topic.
From their response I assumed they've already bought a pro license.
Remote desktop and virtualization come to mind.
If the person has had a Pro license in the past, you should be able to contact MS and request a key for win11. Alternatively you could just install whatever OS they were using before, since windows 11 is terrible. You could also dual boot an easy linux distro like mint or ubuntu.
I will never use non-Pro Windows for exactly one reason: it lets me use the group policy editor to control updates.
On Home, your updates will install when they want to and make you reboot when they want to. Through local group policy on Pro (settings that are very easy to change, if you know where to look) you can do a lot of configuration, including disabling automatic reboot with logged-on users. The way I have it configured updates will still automatically download and install, but my machine won't reboot until I tell it to.
Pro gives you some nice features like the group policy editor and bitlocker. Home does have device encryption which is basically bitlocker tied to a Microsoft account, but enabling it without being logged in has issues.
Anyways, if you do choose to bypass the MS account requirement make sure to go to System > Settings > Notifications > Additional Settings and untick all the checkboxes there. Since OEMs generally bundle in tons of nonsense on their installs you might wanna do a clean install to make sure you only have to put up with Microsoft nonsense.
Security wise, default Defender and firewall are ok enough. Don't forget to enable memory integrity in Windows Security settings (under core isolation) if it's not on already. Consider turning on Smart App Control if it doesn't break any apps you use. IMO it's a fairly good mitigation and cuts off a good chunk of the low hanging fruit with regards to malware.
For debloating/installing/upgrading apps winget is pretty handy, and it comes preinstalled on Windows 11 so no need to download anything extra.
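
A read-only check of the settings named in the comment above (Defender, the built-in firewall, memory integrity, Smart App Control), as an added example that is not part of the original thread. It assumes Windows 11 with the built-in Defender and firewall cmdlets; the function names `New-Result` and `Test-Baseline` and the 7-day signature threshold are choices made for this illustration.

```powershell
# Added example: read-only audit of the security baseline discussed in this thread.
# New-Result and Test-Baseline are hypothetical helper names; nothing is changed.
function New-Result($Check, $Ok, $Detail) {
    [pscustomobject]@{ Check = $Check; OK = [bool]$Ok; Detail = "$Detail" }
}

function Test-Baseline {
    # Microsoft Defender: engine, real-time protection, signature age
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($mp) {
        New-Result 'Defender antivirus enabled' $mp.AntivirusEnabled ''
        New-Result 'Real-time protection' $mp.RealTimeProtectionEnabled ''
        # 7 days is an assumed threshold for "up to date"
        $age = ((Get-Date) - $mp.AntivirusSignatureLastUpdated).Days
        New-Result 'Signatures under 7 days old' ($age -lt 7) "$age day(s)"
        # The property only exists on builds that ship Smart App Control
        if ($mp.PSObject.Properties.Name -contains 'SmartAppControlState') {
            $sac = $mp.SmartAppControlState
            New-Result 'Smart App Control' ($sac -eq 'On') $sac
        }
    } else {
        New-Result 'Defender status readable' $false 'Get-MpComputerStatus failed (another AV installed?)'
    }

    # Windows Firewall: the Domain, Private and Public profiles should all be enabled
    foreach ($p in Get-NetFirewallProfile) {
        New-Result "Firewall profile: $($p.Name)" ("$($p.Enabled)" -eq 'True') "inbound default: $($p.DefaultInboundAction)"
    }

    # Memory integrity (core isolation): in SecurityServicesRunning,
    # the value 2 means hypervisor-enforced code integrity is active
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $hvci = $dg -and ($dg.SecurityServicesRunning -contains 2)
    New-Result 'Memory integrity (core isolation)' $hvci "running services: $($dg.SecurityServicesRunning -join ',')"
}

Test-Baseline | Format-Table -AutoSize
```

Any row with `OK` set to `False` points to the matching page in the Windows Security app, where the setting can be turned on.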
Backblaze
SentinelOne or Bitdefender - S1 is enterprise only so nevermind. Sophos as an alternative then or Microsoft Defender for Individuals.
Privacy.sexy
Firefox with uBlock Origin
Mullvad VPN if you need such a thing
1Password
Cloudflare for DNS, 1.1.1.1
That’s a pretty good start for a safe computing experience.
I've been preferring Quad9 and OpenDNS for my DNS needs. I don't like having Cloudflare becoming just as dominant as Google for DNS.
https://www.quad9.net/service/service-addresses-and-features
https://www.opendns.com/
OpenDNS is owned by cisco now so that’s more or less that same fear as cloudflare. Quad9 looks interesting though!
Eh my networking gear is Cisco too...at least they're a hardware-first kinda operation.
For now…
https://newsroom.cisco.com/c/r/newsroom/en/us/a/y2023/m09/cisco-to-acquire-splunk-to-help-make-organizations-more-secure-and-resilient-in-an-ai-powered-world.html
another thing that fixes W11 is StartAllBack. I was using OpenShell but the taskbar also needed some tweaking.
I find O&O ShutUp10++ to be absolutely essential to establishing a baseline privacy configuration.
Windows Defender, uBlock Origin, scan EVERYTHING you download on virustotal.com and don't visit shady websites.
That's actually all you need.