This is almost too sick to be true: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0295
Summary: windows server 2016 allows any user to pre-seed the template for new user profiles with malware in the autostart folder, all due to firstname.lastname@example.org - Incredible. Think of terminal servers!
Small hint: if you are planning to upgrade to Windows 11 and setup claims that, although the rest is compatible, you need a TPM 2.0: you will not need to buy one.
If your CPU is compatible, you can be almost perfectly sure that there is a firmware TPM ready and waiting to be enabled in your UEFI firmware (formerly known as "BIOS"), since computers that work with modern CPUs have these.
Just saying, because I wondered what makes TPM sellers raise their prices and attach marketing slogans like "make it windows 11 ready". They just use the fact that people don't know about firmware TPMS ("fTPM") to make money.
There's a false positive around. Using Office Applications (for example Word) might trigger Windows defender warnings about an infection with "PowEmotet.SB". This is a false positive. Microsoft has updated the definitions to 1.353.1888.0 and past that update, there should be no more findings.