Securing a Used, Refurbished Computer

I’ve ordered a refurbished, “renewed” mini-PC from Amazon. I plan to wipe the drive and install my favorite distro.

What are recommended actions for ensuring no potential malware persists on the device? (I mean besides replacing each and every component with brand new parts, which I don’t intend to do.)

Does installing a new OS cover all bases?

Thanks for any input (excluding stuff like “Don’t buy a refurbished computer.”) :slight_smile:

P.S. @Kyle_Rankin , are you still around?

No, there could potentially be persistent malware in the storage controller or other firmware. If you’re paranoid, consider updating the firmware on storage devices, reflash BIOS, etc. Then there’s the topic of supply-chain interdiction, which may or may not be a concern depending on how large of a target you or the prior owner(s) have been.

And everything changes the second the device is connected to a network. As of 2010, it took an average of approximately 8 seconds for a computer to become compromised when connected to the internet. I haven’t worked in the realm of security in several years, so I’m confident that this figure has changed.

My perspective of computer security is akin to breaking into someone’s car. If I really want to break into a vehicle, I most likely could… but how many obstacles is the target making me jump through, and is the risk worth the prize at the end?

3 Likes

It may help to provide more info e.g. make and model. How mini is “mini”? At the ultra-compact end: Intel NUC? ASUS? Zotac? Compulab? Purism?

The generic advice would be

No, because that doesn’t cover the firmware, which may be BIOS or UEFI or something else.

We don’t know whether you plan to replace the firmware with something open or something different or keep using whatever is pre-installed.

This advice could be considered paranoid - or it could be considered that compromised firmware is the ultimate rootkit. You have to decide. :wink:

1 Like

It is unclear whether this is “barebones” i.e. @amarok has to install a suitable drive (thereby avoiding this particular compromised firmware problem) or not. Even if not barebones, it is possible to replace the storage and on-sell the original storage - for the truly paranoid.

Edit: Adding:

As a general security comment, if you have a fully encrypted drive (that means boot and root, where applicable) then drive firmware compromise isn’t such a problem. I mean, sure, you can lose all your data if the firmware is malicious but your confidentiality need not be compromised.

3 Likes

Dell Optiplex 3060 Micro PC
Intel Core i3-8100T
16GB DDR4 RAM
256GB NVMe SSD
Win11Pro
(Renewed)

“Micro” = about 7" x 7" x 1.5"

Easy to open, according to reviews.

It’s a third-party seller, apparently a business entity, judging from the number of different computers in their (Amazon) catalog.

By the way, my threat model is just wanting to avoid being spied on by Big Tech 24/7. As far as I know, I’m nobody’s target. @JCS

Then probably just installing a new OS (getting rid of the Windows virus) will be sufficient.

As a matter of course (and unrelated to “general security and privacy”), you would have verified that Linux runs well on this device?

1 Like

According to one reviewer, Linux Mint works fine.

I plan to use this as a streaming device mainly, if not exclusively, for my stored media, and also for at least one streaming service (via browser with as many privacy controls as possible, and routed through Pi-hole).

To reflash BIOS, I suppose I would need to download from Dell for the specific device, is that correct?

Actually, after I asked that, I had a look at the Dell web site and said web site explicitly notes (against the specific model there, which is slightly different from yours, apparently) that Linux is supported. Way to go, Dell!

I would think so. A visit to the Dell web site shows a critical update (September 2023) to the BIOS, which you might want anyway(!) and applying that update could have the effect of wiping out the hypothetically compromised existing BIOS.

The downside is you would probably need Windows in order to apply the update - or be in communication with Dell for how the update is installed from Linux.

1 Like

Yes. In general, go to Dell Support: Drivers & Downloads and enter the service tag that’s on the Dell device. This helps remove some compatibility uncertainties.

1 Like

I think Microsoft might now require creating an online account just to get into Windows 11, so I would probably have to go there anyway… with a one-time, expiring email address and fake name, of course. It may be that the firmware/BIOS can also be updated that way (if there are un-applied updates).

Unfortunately, I’ll either have to connect directly from my home IP (without VPN protection), or temporarily set up my VPN on the router prior to connecting.

What are recommended actions for ensuring no potential malware persists on the device? (I mean besides replacing each and every component with brand new parts, which I don’t intend to do.)

You should update the firmware.

There are really two situations … both of which are fixed if you reinstall the firmware.

  1. It doesn’t have secured firmware (e.g. not Intel Boot Guard). There could be malware. You can simply reinstall the firmware from the manufacturer or coreboot.
  2. It does have secured firmware (e.g. Intel Boot Guard). In that case you are safe from malware. But you might as well get the latest firmware from the manufacturer anyway.

After that a new install of whatever OS you want. Order matters.

Make sure that if there are “recovery partitions” that you wipe those and reformat the disk before you install the OS. Again, order matters.

1 Like
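A check for the "wipe the recovery partitions" advice above, as an added example that is not part of the original posts: it reads `lsblk` JSON output and lists partitions left over from a factory Windows layout. The GUIDs are the standard GPT partition type identifiers; the label hints and both sample layouts are constructed assumptions.

```python
import json

# Real input: lsblk -J -o NAME,TYPE,PARTTYPE,PARTLABEL,LABEL,FSTYPE
# GPT partition type GUIDs that belong to a Windows factory layout.
WINDOWS_TYPES = {
    "de94bba4-06d1-4d40-a16a-bfd50179d6ac": "Windows Recovery Environment",
    "e3c9e316-0b5c-4db8-817d-f92df00215ae": "Microsoft Reserved",
    "ebd0a0a2-b9e5-4433-87c0-68b6b72699c7": "Microsoft basic data",
}
LABEL_HINTS = ("recovery", "winre", "dellsupport")  # assumed label heuristics
ESP = "c12a7328-f81f-11d2-ba4b-00a0c93ec93b"    # EFI System Partition
LINUX = "0fc63daf-8483-4772-8e79-3d69d8477de4"  # Linux filesystem data

def leftover_partitions(lsblk_json):
    """Return (device, reason) for every partition that predates a clean install."""
    findings, stack = [], list(json.loads(lsblk_json)["blockdevices"])
    while stack:
        node = stack.pop(0)
        stack[:0] = node.get("children") or []  # depth-first, keeps on-disk order
        if node.get("type") != "part":
            continue
        ptype = (node.get("parttype") or "").lower()
        labels = f"{node.get('partlabel') or ''} {node.get('label') or ''}".lower()
        if ptype in WINDOWS_TYPES:
            findings.append((node["name"], WINDOWS_TYPES[ptype]))
        elif any(hint in labels for hint in LABEL_HINTS):
            findings.append((node["name"], "vendor/recovery label"))
        elif (node.get("fstype") or "").lower() == "ntfs":
            findings.append((node["name"], "NTFS filesystem"))
    return findings

def part(name, parttype, partlabel=None, label=None, fstype=None):
    return {"name": name, "type": "part", "parttype": parttype,
            "partlabel": partlabel, "label": label, "fstype": fstype}

# Constructed samples: a factory Windows layout, and the disk after an "erase disk" install.
FACTORY = json.dumps({"blockdevices": [{"name": "nvme0n1", "type": "disk", "children": [
    part("nvme0n1p1", ESP, "EFI system partition", fstype="vfat"),
    part("nvme0n1p2", "e3c9e316-0b5c-4db8-817d-f92df00215ae"),
    part("nvme0n1p3", "ebd0a0a2-b9e5-4433-87c0-68b6b72699c7", fstype="ntfs"),
    part("nvme0n1p4", "de94bba4-06d1-4d40-a16a-bfd50179d6ac", fstype="ntfs"),
    part("nvme0n1p5", "00000000-0000-0000-0000-000000000000", label="DELLSUPPORT"),
]}]})
CLEAN = json.dumps({"blockdevices": [{"name": "nvme0n1", "type": "disk", "children": [
    part("nvme0n1p1", ESP, fstype="vfat"),
    part("nvme0n1p2", LINUX, fstype="ext4"),
]}]})

if __name__ == "__main__":
    print(leftover_partitions(FACTORY), leftover_partitions(CLEAN))
```

An empty result after installation means the installer replaced the whole partition table rather than installing alongside the old layout.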

Yes. If it’s a recent Dell machine (last 5 years), you can probably flash even without Windows installed. Update the Dell BIOS in a Linux or Ubuntu environment | Dell US

2 Likes

Not might, absolutely. You must be connected to the Internet in order to create a Microsoft account during the Windows 11 setup just so you can use the device. They do not blacklist any ephemeral email addresses as far as I know.

1 Like

I got one of those without-OS laptops for less than $99 on eBay, about 5 years old. Instead of a hard drive it has an SSD half TB that I thought would make it faster, but it just acts about normal.

Perhaps they used one of those faulty half TB SSDs in the news a few months back?

2 Likes

Hmm. I feel the first thing the OP should do is a “threat assessment.” Decide what their risk is from?

Are you concerned with:
Surveillance Capitalism?
Someone stealing from you. (Not my problem. I am on Social Security, not enough money to steal. I have less than ten dollars left in my bank account now.) But my bank is really on top of where my money might go that they might have to replace, anyway.

Worry about the NSA watching me. I would feel so complimented. But that is the subject of my efforts to emulate what a journalist, or a good traveling business man should be doing.

This topic is often raised in several ways on the Qubes OS Forum: how to buy or modify a computer where one can trust the firmware. Qubes OS requires spending time learning some concepts. Not sure I would encourage OP to do something that has taken up too much of my time.

Purism is offering to sell a more complete solution of hardware and software to handle some of the possible firmware corruption, and software.

Perhaps look at Tails OS, Whonix has a website with a lot of documentation on Security.

cheers.

  • Surveillance capitalism
  • Hidden malware from criminals and/or nation-states… for whatever purpose, targeted at any user of the device

Qubes, Tails, or new (expensive) hardware from Purism is probably overkill for my purposes. This (inexpensive) machine is going to be strictly a media device, and won’t contain any other types of personal files. I don’t plan to access any financial or email accounts from this device, and I probably won’t even set up ssh on it. I’ll copy my stored media files to the drive by usb, and will use at least one movie streaming service.

It will be connected to my network and the internet, but if it’s at risk there, then so are all my other devices. I think I’ve adequately secured my network, however.

Thanks for the tip and the Dell link.

I suspected as much… yet another anti-consumer move. I’ll try to create the account and do the updates behind a VPN, then nuke Windows Spyware 11.

1 Like

As @Privacy2 points out, you can do the BIOS update using Linux but you will have to read the instructions on the Dell web site carefully. That may be simpler and faster than fighting with Microsoft Spyware. I recommend making a backup copy of the existing disk with Windows on it (just in case!) and then nuking it as fast as possible.

1 Like

I’ll “nuke it from orbit. It’s the only way to be sure.”

1 Like

Update/Notes:

  • Was able to bypass MS account requirement by not connecting to the internet and selecting “I don’t have an internet connection” during setup.

  • Dell, by default, offers the boot settings menu after startup, with no special key presses, and before even loading Windows. [EDIT: This was only because the system flagged the power adapter, which apparently was the wrong one, and underpowered, hence a warning screen that offered a link to the BIOS. The vendor is sending me a replacement.]

  • After Windows local setup, I connected through a shared connection with my laptop, behind a VPN, and downloaded all the available updates from Windows and Intel (just in case - what an ordeal!), and a Dell firmware update (which didn’t actually install).

  • Downloaded the same BIOS version (EDIT: as above) update from Dell’s website to a USB drive, restarted, hit F12 and entered a menu that included BIOS reflash option, which I did with no problem in about 5 minutes. (EDIT: This upgraded my existing BIOS version.)

  • Changed boot order, then booted into Linux Mint USB drive, opted not to backup the Windows install, and proceeded to install Mint, erasing all previous data.

  • Booted into my Minty-fresh distro and started customizing.

:+1:

P.S. This machine is very quiet, and a lot faster with GNU+Linux, of course.

P.P.S. I found W11 very unintuitive and annoying as hell, not to mention slow… at everything. I never want to see it again.

3 Likes