Macs Are the Better PCs: on the Books and on Risk

For decades, the “Mac or PC” debate in business was short and one-sided: PC. Windows. Office. Period. Macs were designer machines, hipster gear, something for the marketing department, but not for consultants, not for SAP contexts, not for serious work.

Those days are gone. The debate has flipped, thoroughly. Apple has delivered consistently over the past few years: a seamless ecosystem from iPhone to iPad to Mac, its own silicon architecture that, with the M series, has left everything else in the notebook segment behind, and a platform that fuses hardware, OS, and services into a stack that has no match on the market. In parallel, Microsoft has made a series of strategic decisions, each questionable on its own, that together are pushing the Windows ecosystem in a direction that is increasingly incompatible with serious business operations.

Three keywords are enough: Copilot. Recall. Cloud lock-in. Add a hardware stack that falls apart the moment someone sniffs a discrete TPM on its LPC bus, an update monoculture that took down 8.5 million Windows systems at once in July 2024, and a software argument that simply no longer holds in 2026.

Microsoft’s Productivity Paradox

Let’s start with Copilot, because that’s where the current failure is most clearly visible.

Copilot was sold as an AI assistant: writes emails, summarizes meetings, researches in SharePoint. In theory, a productivity tool. In practice, a privacy nightmare with a fundamental problem that precedes any security issue.

That fundamental problem is banal and systematically glossed over in Microsoft’s marketing: Copilot cannot act. It can only explain how you would act. Ask Copilot to clean up your overflowing inbox, and you don’t get a cleaned-up inbox. You get instructions for setting up rules in Outlook yourself. Ask Copilot to remove duplicate entries from an Excel sheet, and you get a step-by-step description of the “Remove Duplicates” dialog. Ask Copilot to schedule a meeting with three colleagues, and it points you to the Scheduling Assistant. This is Clippy 2026, the same paperclip logic, just with a large language model instead of a rule engine. An interface that explains instead of doing isn’t helpful in a productivity context. It’s overhead.

On top of this fundamental problem sits the privacy nightmare. And here it gets interesting, because the criticism of Copilot is often framed incorrectly: Copilot does not break permissions. On the contrary, Copilot strictly respects existing SharePoint, OneDrive, and Teams permissions. If an employee asks Copilot about a file they don’t have read access to, Copilot dutifully replies “no access” and shows nothing.

The problem sits one level deeper: those permissions, in many organizations, have been set far more broadly for years than anyone realizes. Not out of malice, but because of how Microsoft 365 gets used day to day. A few typical scenarios:

  • New Teams channels or M365 groups automatically create SharePoint sites with often generous default permissions. A quickly set up “Project XY” channel, later used for salary planning, passes that openness on to every document dropped into it.
  • The “Share” menu in Word, Excel, and OneDrive often defaults to “People in your organization with the link”. One click, and the strategy deck is readable across the entire tenant. Nobody revokes it later.
  • File-server migrations mapped historical NTFS ACLs like “Domain Users” to SharePoint groups like “Everyone except external users”. The old folder structures sit there with that wide permission still in place.
  • Guest access and external consultants who got broad access for a project and were never removed.
  • Inherited permissions: a sensitive document gets placed in a library originally intended for internal comms and open to the whole organization. The document inherits that openness without anyone actively deciding so.

Each of these mechanisms is harmless in isolation. Together, over years, they produce a substantial amount of content that is technically shared “with the entire organization” without anyone explicitly wanting that. As long as nobody searches for it, it stays inconsequential. The default SharePoint search is imprecise enough that oversharing rarely gets discovered in practice. It is security by obscurity; everyone knows it, and nobody brings it up.

Copilot searches actively, in natural language, across all accessible content. Ask it “summarize the 2026 salary planning” and you don’t get “no access”, you get the summary. Because the technical access is there, even if nobody intended it. Varonis measured in 2024 that in an average M365 tenant, roughly ten percent of sensitive data is over-shared. Gartner estimated that year that up to 40 percent of planned Copilot rollouts are being delayed due to privacy and permission concerns. The problem isn’t Copilot. Copilot merely makes operationally visible what was technically already exposed.
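The scenarios above can be checked rather than argued about. The following script is an added example and not part of the original article: it uses PnP.PowerShell to list every site whose SharePoint groups contain the tenant-wide “Everyone” or “Everyone except external users” claim, and shows the tenant default for sharing links. The tenant prefix and client ID are placeholders to replace; the claim strings are the ones SharePoint Online uses for those two groups.

```powershell
# Added example, not from the original article. Finds SharePoint sites where a
# site group contains the tenant-wide "Everyone" or "Everyone except external users"
# claim, and shows the tenant default for sharing links. Requires PnP.PowerShell and
# an app registration with SharePoint admin rights; $Tenant and $ClientId are
# placeholders (assumptions) to replace with your own values.

$Tenant   = 'contoso'                                  # assumption: tenant prefix
$ClientId = '00000000-0000-0000-0000-000000000000'     # assumption: your PnP app registration

# Claim fragments SharePoint Online uses for the two tenant-wide groups:
#   c:0(.s|true                                   -> Everyone
#   c:0-.f|rolemanager|spo-grid-all-users/<tid>   -> Everyone except external users
$WideClaims = @('c:0(.s|true', 'spo-grid-all-users')

$admin = Connect-PnPOnline -Url "https://$Tenant-admin.sharepoint.com" -ClientId $ClientId -Interactive -ReturnConnection

# Tenant-level default for the "Share" button. "Internal" is the "people in your
# organization with the link" default described above; "Direct" is the safe value.
$t = Get-PnPTenant -Connection $admin
[pscustomobject]@{
    DefaultSharingLinkType = $t.DefaultSharingLinkType
    DefaultLinkPermission  = $t.DefaultLinkPermission
    SharingCapability      = $t.SharingCapability
} | Format-List

$findings = foreach ($site in Get-PnPTenantSite -Connection $admin) {
    # Interactive auth reuses the cached token; for unattended runs use -Tenant/-Thumbprint instead.
    $c = Connect-PnPOnline -Url $site.Url -ClientId $ClientId -Interactive -ReturnConnection
    foreach ($grp in Get-PnPGroup -Connection $c) {
        foreach ($m in (Get-PnPGroupMember -Group $grp -Connection $c)) {
            # A group member whose login name carries one of the wide claims means
            # every internal account can read what that group can read.
            $hit = $WideClaims | Where-Object { $m.LoginName -like "*$_*" }
            if ($hit) {
                [pscustomobject]@{ Site = $site.Url; Group = $grp.Title; Claim = $m.LoginName }
            }
        }
    }
}
$findings | Sort-Object Site | Format-Table -AutoSize

# Remediation for the tenant default (the per-site findings need a human decision per site):
# Set-PnPTenant -DefaultSharingLinkType Direct -DefaultLinkPermission View -Connection $admin
```

The tenant default is the one line worth changing blindly; each site finding needs an owner to decide whether the wide group is intended, because removing it from a site that legitimately serves the whole company breaks people’s access.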

This isn’t a bug, it’s a feature, worse: it’s design. Microsoft pushed a product into organizations that weren’t prepared for its presence, and Copilot acts like an X-ray that suddenly reveals every old sin.

Michael Bargury showed at Black Hat USA 2024, under the title “Living off Microsoft Copilot”, how the assistant can be turned into an exfiltration channel through prompt injection planted in content it reads, such as incoming email. That is no longer theoretical research; it works in production tenants.

And then the second issue: Copilot isn’t local, Copilot is Azure. Every document, every meeting transcript, every “summarize this internal presentation for me” runs through Microsoft’s cloud. Worse: what Windows 11 ships preinstalled is not Microsoft 365 Copilot with its enterprise data protections but the consumer Copilot app, the variant whose prompts and content are handled under consumer terms and may be used for model training unless the user opts out. Anyone who doesn’t actively license Microsoft 365 Copilot, remove the consumer app from the fleet, and check the relevant tenant settings is, by default, sending customer data, client materials, and internal presentations into Microsoft’s consumer infrastructure. Even those who take that step and fully trust Microsoft’s enterprise data commitments, setting aside the well-documented cooperation between U.S. hyperscalers and U.S. authorities, are left with a residual problem: the data sits in the cloud, outside their own control. For chat histories that may be sensitive, that’s a strategic problem. For client data in a consulting context, a compliance problem. In many EU contexts, simply a GDPR problem nobody has cleanly solved.

Apple Intelligence, by contrast, runs on-device by default, on the Neural Engine, with no network round-trip. Private Cloud Compute exists for requests that exceed the on-device model, but it is architecturally isolated: requests are not retained, and Apple publishes the software images the nodes run so that researchers can verify what actually handles the data. You don’t have to like Apple’s execution, but the underlying architecture is conceived fundamentally differently from Microsoft’s cloud-first approach. For sensitive data, that architecture matters.

Recall: a Keylogger as a Feature

If Copilot is the strategic mistake, Recall is the technical capitulation.

Windows Recall, put simply, takes a screenshot of the entire desktop every few seconds, OCRs the text, and stores everything in a local SQLite database in the user profile. The idea: you can later ask “what was that price list I saw on Tuesday?” and Recall finds the spot.

In its original version, this database was unencrypted, readable without admin rights, and contained everything that had ever been on screen: passwords in cleartext, banking sessions, incognito tabs, private chats, confidential documents.

Kevin Beaumont summarized it publicly in May 2024: “Microsoft are about to ship a keylogger in every user profile.” Alexander Hagenah delivered the matching tool, TotalRecall on GitHub, which pulls credit card numbers and credentials out of that database in seconds. Infostealer malware merely had to pick up the file.

Microsoft backpedaled after the public outcry. Recall was delayed, then rebuilt as opt-in, with Windows Hello Enhanced Sign-in Security required, the snapshot store moved into a VBS enclave, and decryption only for a freshly authenticated user. All of that is correct and necessary, but it doesn’t answer the fundamental question of why this feature was ever planned in this form. Whoever designs a screenshot-and-OCR history as a standard feature in an enterprise OS has a specific conception of what is acceptable for users. And that conception is troubling.

Germany’s BSI and several EU data protection authorities have continued to voice concerns even after the revisions. Rightly so. In a consulting context where you have access to customer systems, a device that stores your entire screen history locally, even if encrypted, is a problem the moment the device is stolen, the moment an attacker has session access, the moment the compliance team asks for an export.
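For the Windows side of both points, the preinstalled consumer Copilot app from the Copilot section and Recall here, this is what an endpoint check and baseline looks like. It is an added example, not the article’s own material: it reads the state of the consumer Copilot package, the Recall optional feature, the two policy values that switch them off, and looks for the on-disk snapshot store that TotalRecall reads, then applies the policies. The policy names are the documented “Turn off Windows Copilot” and “Turn off saving snapshots for Windows” settings; the store path is the one from the original Recall preview and is assumed unchanged for the purpose of the audit.

```powershell
# Added example, not from the original article. Audits a Windows 11 endpoint for the
# consumer Copilot app, Windows Copilot and Recall, then applies the documented policy
# values that turn them off. Run elevated. The ukg.db path is the original Recall
# preview store (assumption that it is unchanged); a hit means snapshots exist on disk.

#Requires -RunAsAdministrator

$AiPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsAI'
$CpPolicy = 'HKCU:\Software\Policies\Microsoft\Windows\WindowsCopilot'

function Get-AiFeatureState {
    $copilotApp = Get-AppxPackage -AllUsers -Name 'Microsoft.Copilot' -ErrorAction SilentlyContinue
    $recallFeat = Get-WindowsOptionalFeature -Online -FeatureName 'Recall' -ErrorAction SilentlyContinue
    $ai = Get-ItemProperty $AiPolicy -ErrorAction SilentlyContinue
    $cp = Get-ItemProperty $CpPolicy -ErrorAction SilentlyContinue
    $stores = Get-ChildItem "$env:LOCALAPPDATA\CoreAIPlatform.00\UKP" -Filter 'ukg.db' -Recurse -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ConsumerCopilotInstalled = [bool]$copilotApp
        RecallFeatureState       = if ($recallFeat) { $recallFeat.State } else { 'NotPresent' }
        RecallSnapshotsDisabled  = ($ai.DisableAIDataAnalysis -eq 1)
        WindowsCopilotDisabled   = ($cp.TurnOffWindowsCopilot -eq 1)
        RecallDbFilesFound       = @($stores).Count
    }
}

function Set-AiFeaturesOff {
    # Consumer Copilot: remove for all existing users and stop provisioning for new ones.
    Get-AppxPackage -AllUsers -Name 'Microsoft.Copilot' -ErrorAction SilentlyContinue |
        Remove-AppxPackage -AllUsers
    Get-AppxProvisionedPackage -Online | Where-Object DisplayName -eq 'Microsoft.Copilot' |
        Remove-AppxProvisionedPackage -Online | Out-Null

    # Recall: disable the optional feature where present, and set the policy so a user
    # cannot switch snapshot saving back on.
    if (Get-WindowsOptionalFeature -Online -FeatureName 'Recall' -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName 'Recall' -NoRestart | Out-Null
    }
    New-Item $AiPolicy -Force | Out-Null
    Set-ItemProperty $AiPolicy -Name DisableAIDataAnalysis -Value 1 -Type DWord

    # Windows Copilot sidebar policy (user scope; the app removal above is the part that matters).
    New-Item $CpPolicy -Force | Out-Null
    Set-ItemProperty $CpPolicy -Name TurnOffWindowsCopilot -Value 1 -Type DWord
}

Get-AiFeatureState          # before
Set-AiFeaturesOff
Get-AiFeatureState          # after: expect False / Disabled or NotPresent / True / True
```

For a fleet, the two registry values are the ones to push through Group Policy or an Intune configuration profile; the script form is useful for verifying one machine and for catching the ukg.db leftovers that a policy change does not delete.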

macOS has no Recall. macOS has no comparable system-wide screenshot service. That isn’t a missing feature, that’s an architectural decision.

Hardware Security and the BitLocker Reality

Now to the hardware. Windows has been marketed for years as “secure by default” thanks to the TPM 2.0 requirement and BitLocker. The idea: the Trusted Platform Module stores cryptographic keys in a dedicated chip, BitLocker encrypts the disk, and the key never travels across the open system. In practice, the picture is considerably more complicated.

The best-known hardware problem is TPM sniffing on the LPC bus: in business laptops with a discrete TPM (dTPM), the TPM chip communicates with the CPU over an external bus whose signals can be picked off with a logic analyzer, and the BitLocker volume master key crosses that bus in the clear at boot. The Dolos Group demonstrated this in 2021 on a Lenovo laptop; in February 2024, stacksmashing repeated it on an older ThinkPad with a discrete TPM using a Raspberry Pi Pico costing less than ten dollars, in 43 seconds. The attack works, but only against devices with a discrete TPM. Current fleets with Intel PTT or AMD fTPM integrate the TPM into the CPU SoC; there is no external bus to tap. The sniffing argument in 2026 applies primarily to older hardware and to regulated environments where a dTPM is still installed for certification reasons (FIPS 140).

That doesn’t change much about the underlying problem, because the attack vector has shifted. The practically more relevant BitLocker attack in 2025 is called Bitpixie (CVE-2023-21563). Software-based, no logic analyzer needed, just physical access and a network-boot (PXE) path: a vulnerable but still-signed boot manager leaves the volume master key in RAM across a soft reboot, and a Linux booted next reads it back out. Compass Security, ZENDATA, and others documented working proofs of concept in 2025, in minutes, not hours. A patched Windows helps only partly: as long as the older, vulnerable boot managers still boot under the 2011 Microsoft UEFI CA, a downgrade attack remains possible. Closing it requires moving Secure Boot trust to the Windows UEFI CA 2023 and revoking the old boot managers (Microsoft’s KB5025885 procedure), which most fleets have not done. On top come the BitLocker bypasses at the software level that appear with tiring regularity: CVE-2022-41099, CVE-2024-20666, CVE-2025-21210, all in a similar class, all eventually patched and replaced by the next bypass.

The more important and inconvenient statement for every Windows fleet in 2026: BitLocker in TPM-only mode, which is also what automatic Device Encryption turns on, is inadequate against physical attackers, regardless of whether dTPM or fTPM. The only robust mitigation is pre-boot authentication with a PIN or USB key. Even that has a caveat on discrete TPMs: once the PIN is entered, the key still crosses the bus in the clear, which is what the SCRT team used in 2024 to turn a known PIN into local privilege escalation; the PIN stops the outsider with a stolen laptop, not the insider. And it is a configuration that very few organizations actually run, because helpdesk cost and user resistance would have to be priced in.
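Whether a fleet is in TPM-only mode is a question that can be answered per machine. The script below is an added example, not from the original article: it reports each BitLocker volume’s protector types, uses the TPM manufacturer ID as a rough discrete-versus-firmware indicator, checks whether policy requires a pre-boot PIN, and on request moves the OS volume from TPM-only to TPM+PIN with a recovery password escrowed first. The policy value names are the documented FVE settings; the manufacturer-ID mapping is a heuristic and labelled as such.

```powershell
# Added example, not from the original article. Reports BitLocker posture (protector
# types per volume, TPM manufacturer as a discrete-vs-firmware hint, whether policy
# requires a pre-boot PIN) and, on request, replaces the TPM-only protector on the OS
# volume with TPM+PIN. Run elevated. Manufacturer-ID mapping is a heuristic (assumption).

#Requires -RunAsAdministrator

$FvePath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-BitLockerPosture {
    $tpm = Get-Tpm
    $fve = Get-ItemProperty $FvePath -ErrorAction SilentlyContinue
    # Heuristic (assumption): INTC = Intel PTT, AMD = fTPM, MSFT = Pluton, all on-die.
    # Other IDs (IFX, STM, NTC, ...) are separate chips with a bus that can be probed.
    $mfr = "$($tpm.ManufacturerIdTxt)".Trim()
    $integrated = $mfr -in @('INTC', 'AMD', 'MSFT')

    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector.KeyProtectorType | ForEach-Object { "$_" })
        [pscustomobject]@{
            MountPoint        = $vol.MountPoint
            VolumeType        = $vol.VolumeType
            ProtectionStatus  = $vol.ProtectionStatus
            Protectors        = ($types -join ',')
            # TPM-only: the volume unseals without any user secret, the case the text calls inadequate.
            TpmOnly           = ($vol.VolumeType -eq 'OperatingSystem' -and $types -contains 'Tpm')
            HasPin            = (@($types -like 'TpmPin*').Count -gt 0)
            TpmManufacturer   = $mfr
            TpmIntegrated     = $integrated
            PolicyRequiresPin = ($fve.UseAdvancedStartup -eq 1 -and $fve.UseTPMPIN -eq 1)
        }
    }
}

function Enable-TpmPin {
    param(
        [Parameter(Mandatory)][securestring]$Pin,
        [string]$MountPoint = $env:SystemDrive
    )
    # BitLocker refuses a PIN protector unless policy allows additional authentication at startup.
    # Option values: 0 = do not allow, 1 = require, 2 = allow.
    New-Item $FvePath -Force | Out-Null
    Set-ItemProperty $FvePath -Name UseAdvancedStartup -Value 1 -Type DWord
    Set-ItemProperty $FvePath -Name UseTPMPIN          -Value 1 -Type DWord   # require TPM+PIN
    Set-ItemProperty $FvePath -Name UseTPM             -Value 0 -Type DWord   # forbid TPM-only

    # 1. A recovery password must exist and be escrowed before any protector is touched.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.KeyProtector.KeyProtectorType -notcontains 'RecoveryPassword') {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
    }
    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
    # AD DS escrow; use BackupToAAD-BitLockerKeyProtector on Entra-joined devices instead.
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null

    # 2. Only one TPM-based protector may exist per volume: drop TPM-only, then add TPM+PIN.
    $vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm' | ForEach-Object {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
    }
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
    Get-BitLockerPosture | Where-Object MountPoint -eq $MountPoint
}

Get-BitLockerPosture | Format-Table -AutoSize
# Enable-TpmPin -Pin (Read-Host -AsSecureString 'New pre-boot PIN')
```

The order in Enable-TpmPin matters: escrow the recovery password before removing the TPM protector, or a failed PIN enrolment leaves a disk nobody can open. The TpmIntegrated column only tells you whether the bus-sniffing story applies; the TpmOnly column is the one that decides whether Bitpixie-class attacks get the key without a user secret.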

Apple’s Secure Enclave sits on-die, in the same silicon as the CPU. There is no external bus, no signals to tap, and the volume keys never leave the enclave. More importantly: on Apple silicon the data volume is always encrypted, and once FileVault is on (Setup Assistant offers it, and MDM can require it) the key is released only against the user’s password at boot. Anyone who opens the laptop needs the password. That is pre-boot authentication as the normal configuration, not as an opt-in for the brave admin. The one check that matters on the Mac side is that FileVault is actually on (“fdesetup status”), because without it the enclave unlocks the volume at boot on its own. The practical difference between Mac and Windows disk encryption in 2026 is less “TPM bus vs. enclave” and more “secure default vs. a configuration the admin has to actively make secure”. A laptop left behind at an airport is a smaller data-leak risk on a Mac than on Windows, not because the Mac chip is better, but because the default is better.

The Monoculture Question

On July 19, 2024, a faulty CrowdStrike update sent 8.5 million Windows systems into a boot loop simultaneously. Airports ground to a halt, hospitals postponed surgeries, Delta Airlines pegged its own damage at around 500 million dollars. Macs weren’t affected. Linux servers weren’t affected. What was affected was the dominant enterprise endpoint.

This wasn’t a Microsoft error in the narrow sense, CrowdStrike botched the update. But the incident illustrates something structural: monocultures are fragile. When 90 percent of enterprise endpoints run the same OS with the same two or three security agents, a single faulty push becomes a systemic crisis. AJ Grotto, formerly of the National Security Council, classified this the same year in a widely read Lawfare essay as a national security risk.

The other incident people keep coming back to in 2026 is Storm-0558. Disclosed in July 2023, with the root cause still not fully established. A Chinese state-aligned group had obtained a Microsoft consumer (MSA) signing key and, thanks to a token-validation flaw, could use it to forge tokens that Exchange Online accepted for enterprise mailboxes as well as for Outlook.com. Around 25 organizations were affected, including the U.S. State Department, the U.S. Department of Commerce, and specifically the email account of Commerce Secretary Gina Raimondo. Reading government mailboxes on the basis of a stolen key, for weeks, without Microsoft noticing. The attack was discovered by a customer, the State Department, not by Microsoft.

The second part of the scandal is the one actually worth telling: to determine whether you were affected at all, customers needed one specific audit event, MailItemsAccessed, which lived in Purview Audit (Premium) and therefore exclusively in the most expensive E5 license. Customers on cheaper licenses simply had no way to check whether the same forged tokens had appeared in their tenant. So Microsoft sold the storage for the emails, then the access model that got compromised, and finally charged extra for the forensic transparency made necessary by Microsoft’s own failure in the first place. Only after public pressure from CISA, Senator Ron Wyden, and the security community did Microsoft relent and make the relevant logs, MailItemsAccessed included, available in the standard audit tier as well. The CSRB Report on the Storm-0558 incident, April 2024, consequently criticizes Microsoft with unusual sharpness: “preventable”, “cascade of security failures”, and a corporate culture that strategically underweights security.
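Now that the event is available, the triage a Storm-0558-style question requires looks like this. The script is an added example and not part of the original article: it pages through MailItemsAccessed records for one mailbox and aggregates them by client application and source IP, which is the starting point for spotting access that did not come from the user’s own clients. It requires the ExchangeOnlineManagement module and audit logging enabled in the tenant; the mailbox address is a placeholder, and no indicators are hard-coded.

```powershell
# Added example, not from the original article. Pages through MailItemsAccessed audit
# records for one mailbox and aggregates them by client application and source IP.
# Requires ExchangeOnlineManagement and tenant audit logging; $Mailbox is an assumption.
# No indicators are hard-coded: compare the output against the app IDs and client
# strings your organization actually expects for that user.

$Mailbox = 'jane.doe@contoso.com'      # assumption: mailbox under review
$Start   = (Get-Date).AddDays(-30)
$End     = Get-Date

Connect-ExchangeOnline

# Search-UnifiedAuditLog returns at most 5000 records per call; ReturnLargeSet with a
# fixed SessionId pages until an empty result comes back. -UserIds matches the acting
# account; delegate access shows up under the delegate, with MailboxOwnerUPN set.
$session = "mia-$(Get-Date -Format yyyyMMddHHmmss)"
$records = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $Start -EndDate $End -UserIds $Mailbox `
        -Operations MailItemsAccessed -SessionId $session -SessionCommand ReturnLargeSet -ResultSize 5000
    $records += $page
} while ($page)

$rows = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    # MailAccessType (Bind = individual items, Sync = whole-folder sync) and IsThrottled
    # live inside OperationProperties as Name/Value pairs.
    $op = @{}
    foreach ($p in $d.OperationProperties) { $op[$p.Name] = $p.Value }
    [pscustomobject]@{
        Time       = $r.CreationDate
        ClientApp  = $d.ClientAppId
        AppId      = $d.AppId
        ClientInfo = $d.ClientInfoString
        ClientIP   = $d.ClientIPAddress
        AccessType = $op['MailAccessType']
        Throttled  = $op['IsThrottled']   # throttled = some accesses in that window were not logged
    }
}

# One line per (app, IP) pair with first/last seen. Unknown app IDs, or IPs that do not
# match the user's known devices, are the rows to pull individual item records for.
$rows | Group-Object ClientApp, ClientIP | Sort-Object Count -Descending |
    Select-Object Count,
        @{n='ClientApp_IP'; e={ $_.Name }},
        @{n='AccessTypes';  e={ ($_.Group.AccessType | Sort-Object -Unique) -join ',' }},
        @{n='Throttled';    e={ ($_.Group.Throttled -contains 'True') }},
        @{n='First';        e={ ($_.Group.Time | Measure-Object -Minimum).Minimum }},
        @{n='Last';         e={ ($_.Group.Time | Measure-Object -Maximum).Maximum }} |
    Format-Table -AutoSize
```

The Throttled column is the caveat worth knowing: when a mailbox exceeds the per-day logging budget, MailItemsAccessed is throttled and the absence of a record proves nothing for that window.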

The point isn’t that macOS is flawless. CVE-2024-44131 was a genuine TCC bypass (in FileProvider, found by Jamf), Jamf reports continually rising numbers of Mac-specific malware, and as the enterprise market share grows, so does attacker interest. But: the base stays small. AV-TEST Institute measurements for 2025 continue to show a factor of roughly seven between Windows and macOS malware detections. The Verizon Data Breach Investigations Report 2025 now attributes ransomware to 44 percent of all confirmed breaches, practically all in Windows networks, with the familiar families (LockBit, Cl0p, the BlackCat lineage). The CrowdStrike Global Threat Report 2025 documents a mean eCrime breakout time of 48 minutes, with a fastest observed case of 51 seconds. That is the speed at which attackers in a compromised Windows domain spread from initial access to further systems.

Security work is rarely a question of absolute unbreakability. It is almost always a question of relative attractiveness. Those who build higher walls get attacked less often. Those who are a less rewarding target get attacked less often. Macs, simply because they are different and because Mac enterprise infrastructure looks different, are currently the less attractive target. That’s not a guarantee argument, it’s a probability argument. In security, probability isn’t everything, but it’s a very large share.

TCO: the Numbers No One Really Disputes Anymore

The most common pro-Windows argument has been the same for twenty years: “Macs are more expensive.” That simply no longer holds in 2026, not even at the point of acquisition. The MacBook Air outperforms most Windows business notebooks in its price class both on performance and battery life; the MacBook Pro sits roughly at parity with comparably equipped competitors; and at the top end, MacBook Pro with M5 Max, 64 GB unified memory, 2 TB SSD, the comparable Windows workstations with dedicated NVIDIA graphics are typically more expensive, with shorter battery life and noticeably louder cooling. The “Apple tax” no longer exists in this segment. It never was as pronounced as rumored even before the Apple Silicon era, but since the M series the price-performance debate has been settled. And on total cost of ownership, support, lifecycle, resale value, the gap widens significantly.

Forrester published an updated Total Economic Impact of Mac in Enterprise study in 2024, surveying 242 hardware decision makers from companies with Macs in production. The key figures: Mac users generate 60 percent fewer helpdesk tickets than PC users, and each individual ticket costs about 20 percent less time. In IT staffing, this translates concretely: one IT FTE manages about 600 devices in a Mac fleet vs. 300 in a PC fleet. Twice as many endpoints per IT employee, with better user experience. Add roughly five percent productivity gains per Mac user, about two and a half weeks per year, arithmetically. And up to 90 percent lower breach risk due to the architectural differences discussed above. An Apple-commissioned study, yes, but methodology documented, figures widely referenced.

And then there is the lifecycle. Apple typically supports macOS for seven years on a hardware generation. macOS 26 “Tahoe” runs in spring 2026 on M1 devices from 2020. After five and a half years, those Macs still receive security updates and the current OS. Windows laptops are practically out of the race after three to four years, not because they break, but because the hinges wobble, the fan whines, the battery life has halved, and Windows 11 feels sluggish on 2019-era CPUs. Consumer Reports placed Apple at number one in the 2026 laptop reliability rankings, with a dataset of nearly 76,000 laptops. That’s the most robust figure currently available for hardware reliability, and it has consistently favored Apple for years.

Resale value does the rest. MacBook Pros retain 40 to 60 percent of their new price on the used market after three years. A Lenovo ThinkPad in the same price range lands at 20 to 30 percent. Across a fleet of 500 devices, that adds up very quickly into six figures.

Performance You Can Feel

With Apple Silicon, the time of polite benchmark proximity is over. The current M5 generation has extended the gap to the x86 notebook segment even further, in single-core performance, efficiency, and especially in local AI workloads. The M5 tops the Geekbench 6 single-core chart in the notebook category, pulls noticeably ahead of the M4, and leaves Intel’s current Core Ultra generation and AMD’s Ryzen AI flagships far behind on perf-per-watt. More important than peak performance is the ratio: a current MacBook Pro with M5 gets through a full workday with visible buffer, with over twenty hours of video playback. Comparable x86 laptops land at eight to twelve hours, and those are already the optimistic vendor claims. For consultants working in hotels, on trains, at client sites, this is the most tangible difference: the Mac notebook lasts. The Windows notebook starts looking for a power outlet after four hours.

Then the smaller things that add up: fans that are simply silent in most load scenarios, on the M5 generation practically inaudible in typical office workloads. Reliable instant wake from sleep, unlike Windows where it feels like every third wake is a half-reboot. Hardware video encoders for H.265 and ProRes that noticeably reduce CPU load during video calls. Unified memory with the expanded bandwidth of the M5 architecture, enabling local AI workloads (Ollama, LM Studio, MLX) at sizes that x86 notebooks with discrete-GPU memory limits struggle to reach: 30B-parameter models at usable token rates, local image generation, language models without cloud dependency.

A Teams call on an M5 keeps the chip load in the single-digit percentage range. On many current x86 business laptops, the fans spin up and the device gets warm. That isn’t a benchmark detail. That’s the daily experience.

The Software Argument No Longer Holds in 2026

Now to the objection that has come up reflexively for twenty years: “But the software doesn’t exist for Mac.” That may have been an argument in 2005. In 2026 it isn’t one anymore, at least not in the classic business context.

Microsoft Office runs natively on Mac, on Apple Silicon as a universal binary, and for everyday Word, Excel, PowerPoint, and Outlook work it is at parity. The gaps are specific: Power Query is there for the common data sources; VBA runs, but without ActiveX and COM add-ins; Power Pivot and the Data Model remain Windows-only, as does Access. Anyone who genuinely needs Access has other problems anyway; anyone who lives in Power Pivot belongs with the niche workstations discussed below.

Adobe Creative Cloud runs natively, since the Apple Silicon migration more performant than on comparably priced Windows hardware. For those looking to drop the Adobe CC subscription: Affinity (acquired by Canva in 2024, free since 2025), Pixelmator Pro, Final Cut instead of Premiere, Logic instead of Ableton. For 80 percent of use cases, the alternatives are not only available but often the better software.

SAP is the classic consulting objection. The situation in 2026: SAP GUI for Java runs natively on Mac, on Apple Silicon as well, officially supported by SAP. Anyone who truly needs the classic Windows GUI, older transactions, developer workbench, specific customer configurations, launches Parallels Desktop or VMware Fusion and has a functional Windows VM in under a minute. The new SAP world, Fiori, Build Apps, BTP Cockpit, is browser-based and OS-agnostic anyway. Notable aside: SAP itself has offered its employees in Walldorf Macs as an option for years.

Virtualization has evolved from a stopgap into a regular tool. Parallels 20 with native Apple Silicon support is faster for Windows-on-ARM workloads than the same Windows build on a mid-range x86 laptop. If you need Windows-specific legacy software once a quarter, you do it in a VM that takes 3 GB of RAM, resumes in seconds, and leaves the host untouched on close.

The only real software gap is industry-specific niche tooling: CAD suites with hard Windows binding, trading front-ends, certain tax or banking software. For those cases, the answer in 2026 is unchanged: those workstations continue to run on Windows. The rest of the organization has no reason to anymore.

The Uncomfortable Truth

Windows in business is no longer the rational choice. It is the usual choice. That is not the same.

The usual arguments for Windows are habit, institutional inertia, and sunk costs in Active Directory, Group Policy, and twenty years of onboarding processes. All legitimate reasons for organizations operating under pressure, but not arguments for a new-acquisition strategy in 2026.

Anyone doing the math honestly today, TCO, security risk, productivity costs, privacy exposure through Copilot and Recall, monoculture risk after CrowdStrike, has a hard time getting past Mac. This applies to the fleet of 500 laptops at the corporate level just as much as to smaller, clearly scoped groups: developer teams, where Apple Silicon alone justifies the acquisition cost through build speed, container performance, and local AI workloads. SAP administrators, DevOps engineers, and consultants working with servers and handling the few Windows-only transactions in a VM. Marketing and design teams, where Adobe workflows, video production, and display color accuracy have favored Mac for years anyway. In all three cases, the math is the same as for the big rollout, just at a smaller scale, and often even more decisively in favor of Mac because the requirements are more specific. That’s not a matter of taste, those are hard economic facts.

And anyone still consciously choosing Windows can do so. They should then also name the reasons openly: migration effort, AD binding, or simply the convenience of not having to change a habit. “Macs are too expensive” or “the software doesn’t run on them” no longer applies. The conversation has moved on, and it’s time IT strategies caught up.

Sources

  • Forrester Total Economic Impact of Mac in Enterprise, April 2024: 242 hardware decision makers surveyed, current TCO figures
  • Consumer Reports, Most Reliable Laptop Brands 2026: ~76,000 laptops, Apple ranked #1
  • Microsoft Digital Defense Report 2025: Identity attacks +32%, extortion/ransomware driving more than 50% of all attacks
  • CrowdStrike Global Threat Report 2025: eCrime breakout 48 min average, 79% malware-free attacks
  • Verizon Data Breach Investigations Report 2025: ransomware in 44% of all confirmed breaches
  • AV-TEST Statistics 2025: malware detections Windows vs. macOS (~7x)
  • Kevin Beaumont, doublepulsar.com, May 2024: “Recall is a keylogger”
  • Alexander Hagenah, TotalRecall (GitHub), May 2024
  • stacksmashing / Tom’s Hardware, February 2024: BitLocker key extraction in 43 seconds with a Raspberry Pi Pico (Lenovo ThinkPad with discrete TPM)
  • SCRT Team Blog, October 2024: Privilege escalation via TPM sniffing despite BitLocker PIN
  • Compass Security / ZENDATA, 2025: Bitpixie (CVE-2023-21563), BitLocker bypass without hardware access
  • CrowdStrike Incident, July 19, 2024: impact on Windows endpoints
  • CSRB Report Storm-0558, April 2024
  • AJ Grotto, Lawfare, 2024: Microsoft monoculture as a security risk
  • Varonis State of Data Security Report, 2024: SharePoint/OneDrive oversharing
  • BlackHat 2024, Michael Bargury: “Living off Microsoft Copilot”

Translated from the German original with the help of Claude.