Windows 11 Home - First Real One

I prefer keeping it simple, which in my mind is a local account managed locally by the user. MS acct login adds complication behind the scenes, as well as for the end user (e.g. with password rules).
 
@britechguy Excuse me? Doesn't happen?

It's HAPPENED TO ME! This isn't some fictitious BS I'm blowing about some theoretical maybe situation. It's something that SHUT DOWN MY BUSINESS FOR FOUR HOURS!

Do the words never again mean anything to you? It only has to happen once.

It was a very bad day for COX, and I wasn't the only one hit, several of my clients were too. We all had to collectively wait for COX to fix whatever the heck was busted, because our internet wasn't down, it was... broken. I still don't know exactly what connection was toast because my troubleshooting tools were inaccessible.

When things came back up I unlinked my login and never looked back.

That local password cache can become corrupt in rare circumstances; I lived it... and I repeat, never again. But I use Pro, so local accounts are fine. Anyone on Home deserves to be a beta tester.
 
It's HAPPENED TO ME! This isn't some fictitious BS I'm blowing about some theoretical maybe situation. It's something that SHUT DOWN MY BUSINESS FOR FOUR HOURS!

Then, sir, you f-ed up.

You can always log in to Windows 10, with a local or Microsoft Account linked account, whether or not you have an internet connection.

I have way, way, way more than just an anecdotal number of experiences with this. Microsoft did not, and absolutely would not, have designed any login for Windows such that it could not be used because the internet connection is not present.

And I've already given the very simple steps necessary to prove that. Any reader here can disconnect their internet connection, log out of a Microsoft Account linked Windows 10 account, and successfully log back in again if they are using a password or PIN. And, yes, that is how the vast majority log in to Windows 10.

If your much touted 2FA caused the problem, well, that's something to think about, because neither password nor PIN based login does.
 
@britechguy My M365 backed MFA and associated Windows Hello for business has NEVER failed me.

Windows Hello has, and just because you cannot imagine an edge case doesn't mean it doesn't exist. I lived it. Admittedly that was in the early days of this junk on Windows 8, but that risk is present and here to stay. The way Microsoft handles profile loading is incompatible with continuous cloud authentication. Locally cached credentials are a massive security risk, and every time MS locks this space down bad things happen.

I use the above for my end users, but when there's a problem I have to bypass the system to break the glass to enter the system. That's how this process works, but I don't expect you to understand this. You're a residential service tech, I'm a network engineer for businesses. You're in my space now, and you're woefully ignorant. It's also not my job to educate you. I've illustrated a real risk, and why cloud signon isn't for everyone. That's the only thing you asked for before, now you magically want more. Move the goalpost on your own time.

P.S. MFA via M365 has little to do with any of this, it's only one of many authentication options.
 
That's the only thing you asked for before, now you magically want more. Move the goalpost on your own time.

It is not me who's moving the goalpost.

And I'm not about to declare, every time I write something, that it's with the residential and small business market, and their typical setups in mind. That's a given, and I've stated it on many occasions.

And if you want to use an edge case, which you admit is an edge case, to rule out something that works 99.99999% of the time, that is your call. Some of us don't use edge cases to form our normal practices because they are edge cases, and we know it. Using them as guides is akin to not taking aspirin because the 35th side effect is seizures (that's an example pulled out of my behind, but in drug research pretty much anything beyond the first 5 side effects is so incredibly rare as to be a footnote rather than a probable risk). Realistic risk assessment, rather than remote possibility that's occurred once, and probably never will again, makes more sense as a guide.
 
@britechguy I'm simply pointing out that while end users could and should, their service providers might want to not. Because, well, it's my job to get the broken system back online, and I cannot very well do that if I cannot access my web browser! And depending on policy, I might be limited to access from a device at a specified location only. Worse if mTLS is involved and I need an authentication certificate.

Also, if you're in an extremely rural area where satellite internet is all you've got, you're better off using local accounts, because the caching corruption issue that caused my equipment to fail way back then is very likely to be a problem in those circumstances.

The same holds true of any microwave or RF based connectivity during a storm.

If you're on Hello for Business via M365 you can control all this via Conditional Access Policy.
If you're on Hello, you're stuck with the defaults which have more than enough wiggle room for intermittent problems. Not so much if your connectivity is good, but the more rural you get, the worse that gets and the larger the potential issue is.

It doesn't really matter though, because for my clients I insist on Pro, it affords a clean solution to the problem all on its own.
 
Nor do I. Nor do you hear complaints about needing a Google Account for Android.

It comes down to Microsoft getting a very late start in the "must have cloud/online linked account" game, and people just wanting to rant about it as a result. It's been dirt common in other venues for years and years now, with nary a peep. And it's going to end up being exactly the same in the Microsoft ecosystem, ultimately.
There is a big key difference: #1, since inception nearly all smart phones have had an account "requirement", and #2, to get and install apps you are nearly required to use the built-in platform, which requires an account for "purchasing" any app.

This greatly contrasts with Microsoft and computer use, where most applications are purchased, or can be purchased, outside of any digital purchase platform, free of any login requirement. Now Apple may require logins to their system, but considering that they have devices beyond computers where a login is required, this requirement and unification of their systems does not present itself the same as with MS, where it is 99% unnecessary and does not provide the same level of benefit, if any, to the end user.
 
There is a big key difference: #1, since inception nearly all smart phones have had an account "requirement", and #2, to get and install apps you are nearly required to use the built-in platform, which requires an account for "purchasing" any app.

Hence my comment about Microsoft being very late to the party in this regard.

But the concerns about a Microsoft Account being in some onerous class of its own are entirely misplaced. These accounts are coming about as cloud computing comes to dominate the scene.

I have no opinion, really, one way or another as to whether one chooses to use a Microsoft Account linked Windows 10 user account or a local one. What I do have an opinion about is the rationales presented for and against both options. And it's been my observation that, generally speaking, the rationales for local accounts just don't hold water in the vast majority of circumstances, and those accounts deprive both the owner and the tech of some significant advantages associated with a MS Account linked Win10 user account. I see even less reason to avoid it if you're using a local account and then logging in to a Microsoft Account to use various cloud-based apps such as OneDrive.

But, in the end, if you want a local account because it's your preference, or because it's how you've always done things before, or any one of a number of rationales that don't misrepresent anything, then have at it. Personal choice is, to me, sacrosanct even on those occasions where I believe the choice being made, being fully informed beforehand, is just plain stupid. Adults get to make choices for themselves.
 
For myself I see no benefits to using a MS Account, as the only thing I have using one is my XBOX ONE, and right now there is still a gap in the links between XBOX and PC on what it can do. I really don't see any benefits to using a MS Account in Windows even if you use many of the other services, as in my experience the majority will keep you logged in or auto log you in on a reboot even if you are using a local Windows account. But because my personal use case is limited I honestly haven't gone down the rabbit hole of what the ups and downs are overall myself. I tend to run all my own systems, and for any "cloud" type systems I run an in-house solution, which mostly runs on some type of Linux device, so for me it's just a matter of time for a more complete transition to Linux.
 
For a home user? The only benefits lie in convenience. For business users the game is utterly rewritten.

The largest feature is the automatic backup of the BitLocker recovery key, which is going to be crucial all on its own. But that only requires that an account on the unit with admin rights be created and linked to a Microsoft account. It doesn't require that account to be actively used!

Everything else is just more convenience, as you don't have to sign into every app that wants to use the account individually.

There is a bit of a security improvement, since you can assign a PIN to the account that's only valid on that specific box, which is in effect a 2nd password. The problem I have with this is most people use a 4-digit code of all numbers, which is hilariously easy to brute force. Now the mechanism only gives you 3 attempts before it forces you to use the proper password. But 3 attempts is more than enough if you already know a few of the digits from other means.

Full Windows Hello for Business integration unlocks standard M365 MFA processes on the Windows login event itself. This unifies the M365 login and the on premise login. This fusion of Azure AD and AD along with Federation possibilities opens the door for that single set of authentication tokens to be used not only for the machine login and all related Microsoft services, but for supporting 3rd party services as well. The admin gains a single authentication system log to monitor for improper logins for all attached systems, and the related access mechanism is not only easy to use, but very hard to break. In the end it reduces account breaches to the population of people that can physically steal something from the target. Which is a much smaller group of people relative to the Internet connected population at large.

BUT... if you're an admin, things change. Now you have break-the-glass concerns. How do you get back into a tenant when the admin credentials are tied to a device that's lost or stolen? Admins have to plan for this. Now, admins shouldn't be using Home edition, so this limitation shouldn't be much of a concern.

But for home users? Again, they need that BitLocker key backed up or they will lose data. That's a simple fact we're all stuck with.

But if you're a business owner, you should want all your people using SSO for everything they can, with appropriate monitoring of the associated logs. In this way we can automate the process of identifying an account that's at risk, and appropriate mitigating actions can be taken. This one set of keys to the castle while a larger target, is far easier to limit access with. The only real problem is propagation delay, which brings me back to why I don't use a fully integrated account myself. Within that delay if a mistake is made, an admin can lock himself out of his everything potentially permanently.

Break the glass, it's a big deal and it's a huge part of any DR plan.

P.S. On three of my devices right now, I've updated Windows 10's store app to the Windows 11 version. Once I did this I can no longer use the store app, it simply closes seconds after launch with no error. If I login with a linked account, the app works. Now either I've got some sort of profile corruption going on, or MS is moving to require this full integration going forward.
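The BitLocker recovery-key point in the post above, as an added example that is not part of the original thread: an elevated PowerShell pass that reports whether the system drive is actually protected (not merely encrypted), adds a recovery-password protector if none exists, and tries to escrow it. Assumptions: the BitLocker PowerShell module is present (it is on Pro; on Home with Device Encryption some cmdlets may be unavailable), and the device is Azure AD/Entra joined or registered, which is what BackupToAAD-BitLockerKeyProtector needs. On a plain Microsoft-account-linked consumer PC that cmdlet fails and the fallback prints the 48-digit recovery password with manage-bde so you can store it with the account (aka.ms/myrecoverykey at the time of writing) or offline.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell on Windows 10/11.
# Assumption: BitLocker module available; AAD/Entra join or registration for the escrow step.

$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive

"{0}: VolumeStatus={1} ProtectionStatus={2} Method={3}" -f `
    $vol.MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus, $vol.EncryptionMethod

# 'FullyEncrypted' with ProtectionStatus 'Off' means a clear key is on disk or protectors are
# suspended: the data reads like plaintext to whoever walks off with the machine.
if ($vol.ProtectionStatus -ne 'On') {
    Write-Warning "Protection is not on for $($vol.MountPoint); the volume is not actually protected."
}

# A recovery password is the thing that saves the data when TPM, PIN or password fail.
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) {
    Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector | Out-Null
    $recovery = (Get-BitLockerVolume -MountPoint $vol.MountPoint).KeyProtector |
                Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

foreach ($rp in $recovery) {
    "Recovery protector ID $($rp.KeyProtectorId)"
    try {
        # Escrow to Azure AD / Entra ID; the device object then carries the key for the admin.
        BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $rp.KeyProtectorId
        "Escrowed to AAD"
    } catch {
        # Not joined/registered (typical consumer box): print the 48-digit password so it can be
        # stored with the Microsoft account or kept offline. Never leave it only on this disk.
        Write-Warning "AAD escrow failed: $($_.Exception.Message). Store the recovery password elsewhere."
        manage-bde -protectors -get $vol.MountPoint -Type RecoveryPassword
    }
}
```

The ProtectionStatus check is the one worth running before trusting Device Encryption on a Home machine: a volume can report FullyEncrypted while protection is off, and in that state the encryption buys nothing against a thief.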
 
But 3 attempts is more than enough if you already know a few of the digits from other means.

Well, if someone has physical possession of the box, that's the major breach right there. And if that someone knows a few of the digits, then it's an "inside job." There is no security system in the world that is meant to prevent this kind of breach.

It's another reason that I prefer the password, which if done correctly, is way, way harder to guess or brute force.
 
Well, if someone has physical possession of the box, that's the major breach right there. And if that someone knows a few of the digits, then it's an "inside job." There is no security system in the world that is meant to prevent this kind of breach.

It's another reason that I prefer the password, which if done correctly, is way, way harder to guess or brute force.

And with account lockout policies it is fairly effective all on its own, especially with the 2nd factor of unit ownership. The only real issue here is that the number of things a user has to log in to creates an untenable amount of things to remember, even with creative memory keys. Not to mention all those separate things need separate logging and monitoring. If you SSO through your Google or Microsoft account, the security section on either will tell you who is trying to muck with what, and you have a single account recovery process to manage.

The larger problem is, how do you secure a device that's no longer in your care? The entire point of Bitlocker is to solve this via whole disk encryption, but that's not actually happening with Device Encryption at present. Not to mention the decryption keys themselves are stored in the TPM module on the mainboard, so the lock and the key are right there for anyone with the tools to access them. Meanwhile, we don't have those tools, but the bad guys certainly do!
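The lockout point in the post above, as an added example that is not part of the original thread: setting the local-account lockout policy with net accounts, and raising the Windows Hello PIN floor through the PassportForWork policy registry keys (the registry form of the PIN Complexity group policy). Assumptions: the thresholds and the 8-character minimum are illustrative choices; the value meanings (1 = required) follow the PassportForWork policy documentation as I recall it, so verify on your build; and the lockout threshold governs the password path only, since Hello PIN attempts are rate-limited by the TPM separately.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell on Windows 10/11.

# 1. Local SAM account lockout: 5 bad passwords locks the account for 15 minutes,
#    counter resets after 15 minutes. Assumption: values are illustrative.
net accounts /lockoutthreshold:5 /lockoutduration:15 /lockoutwindow:15
net accounts   # print the effective policy so the change can be reviewed

# 2. Windows Hello PIN complexity. Assumption: PINComplexity value names as documented for the
#    PassportForWork policy; 1 = required for the character-class values.
$pin = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity'
New-Item -Path $pin -Force | Out-Null
# An 8-character minimum moves the PIN out of 4-digit guessing range even for someone who
# already knows a few characters.
New-ItemProperty -Path $pin -Name MinimumPINLength -PropertyType DWord -Value 8 -Force | Out-Null
# Requiring at least one lowercase letter makes an all-digit PIN impossible to set.
New-ItemProperty -Path $pin -Name LowercaseLetters -PropertyType DWord -Value 1 -Force | Out-Null

Get-ItemProperty -Path $pin | Select-Object MinimumPINLength, LowercaseLetters
```

Existing PINs are not rewritten by the policy; users are prompted to change a non-compliant PIN at next sign-in, so check a test account after applying it.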
 
Not to mention the decryption keys themselves are stored in the TPM module on the mainboard, so the lock and the key are right there for anyone with the tools to access them. Meanwhile, we don't have those tools, but the bad guys certainly do!

And we're right back to one of my base assertions, not limited to this example or instance: Computer security is a never-ending game of cat and mouse or spy versus spy.

No matter what you do technologically, there will be someone who develops a way around it. Now, mind you, I'm not so foolish as to think that these deterrents serve no purpose. Even if they stop 90% of the sorts of "casual data theft" that was once easily possible they're well worth it. But for a dedicated nefarious actor zeroing in on a juicy target, where there's a will, there will be a way even if it does not, as yet, exist.

Just as it's the human factor that's the weakest link in the security chain, it's mainly through the strengthening of that link that breaches can be avoided. Most breaches are the direct result of either not doing something that should have been done, or doing something that shouldn't have been done, by some human.

As terrible as it is to think about the fact that it boils down to people, it still boils down to people. If they won't do what they should or do what they shouldn't then nothing is ever going to work on a permanent basis. And even if they're perfect, sometimes what has worked will cease working when that really sharp nefarious actor gets one step ahead in the game of cat and mouse.
 
Flip side question....Apple MACs....similar no? Apple ID/iTunes account?
Yes, you have to use your Apple account on them all over the place, just like their mobile devices.
That's not 100% correct. You don't need to use an Apple ID to sign in to a Mac computer. It's highly encouraged, but is not required. Just like you can't use OneDrive without a Microsoft account, you can't wirelessly sync photos, contacts, etc. without an Apple ID.
 
the rationales for local accounts just don't hold water in the vast majority of circumstances,
You're yet to respond to any of my perceived benefits of local accounts posted earlier, except to say you haven't personally seen someone locked out of their PC. I see that you're a fan of good-old-fashioned passwords, well that's what local accounts give you. They allow you to choose your own level of password complexity/simplicity. So less likely to be locked out due to forgotten passwords. The security benefits of Microsoft Account logins are perhaps arguable, but I prefer end users being able to choose their own level of security (also with Windows 11, but that's another subject). Onerous security requirements diminish the (residential) user experience in many cases.
and those accounts deprive both the owner and the tech of some significant advantages associated with a MS Account linked Win10 user account.
That's where your argument is weak. It's been pointed out numerous times that local account login and MS Accounts for apps work very well together, even in Windows 11. I'm not aware of any significant advantage to MS Account login. You're welcome to point out any significant advantages I'm unaware of.
 
@fincoder

You've actually unintentionally hit upon one of the reasons I do really prefer MS-Account linked Win10 user accounts: Ease of resetting passwords.

The PIN option really makes a second login option easy. I also say, and others will disagree, that I don't find the Windows-required password features in any way onerous. The method I teach, The Portmanteau Method of Creating Passwords, results in passwords far longer, and far more memorable for the individual, than any built-in password requirements I'm aware of, including Microsoft's. Length is king when it comes to password strength if someone doesn't pick something that's simple for someone with nothing but cursory information about you to reconstruct. I want people to use long passwords that are simple for them to remember, but very difficult indeed for anyone else to guess. And a consistent construction method, or several variants, do just that.

The ability to easily reset forgotten passwords via the "forgot password" process on the Microsoft Account, and have that propagate down to the linked Windows user account, has saved several of my clients' bacon on several occasions. I also find the linking of licenses to a Microsoft Account, which is for the most part fully automatic when using a MS-Account-linked Win10 user account to be invaluable. Again, I've had clients lose these, but not need them for a later reinstall, because they're a part of their account.

I consider the Microsoft Account itself a sort of license and password manager in the cloud. And given how often I've had clients need to recover one, the other, or both, it's well worth linking together their Windows user account and their Microsoft Account. All the more so since you can do everything a local account can when there is no internet connectivity.

As the old saying goes, your mileage may vary. What I consider to be of great advantage you may not.
 
Not if they have turned the pin login on.

Yup. And that's why, when I can, I discourage the use of PIN.

It's also not uncommon if the machine has a fingerprint scanner and that's what's been used for logging in for ages. Now with facial recognition, we can add that one in to the list of things that allows memory of a password to disappear easily.

The easiest way to get both muscle and recall memory of a password is to use it. But I do agree that forgetting a password is rare if it is constantly used. One of the reasons I hate browser "password memory" is it causes people to completely forget passwords on a constant basis, and if they're not good about using something, be it a notebook or password manager, to keep an up-to-date record of their passwords, problems almost always ensue.
 