Windows 11 Pro will require Microsoft Account.

…and how many people have the phone setup at the store are given their new gmail account and promptly forget it. Then they drop the phone in the pool and lose everything because they don’t know the gmail address of the phone nevermind the password so they get a new phone and start all over. Yes there’s money for us techs trying to fix this but there also has to be a better way.
 
…and how many people have the phone setup at the store are given their new gmail account and promptly forget it. Then they drop the phone in the pool and lose everything because they don’t know the gmail address of the phone nevermind the password so they get a new phone and start all over. Yes there’s money for us techs trying to fix this but there also has to be a better way.
And they lose everything, why should their desktop be any different? We must stop saving people from some kinds of stupid if we're going to move on.

@Metanis This is very true! But in Microsoft's case they really have given the user all the tools in the world to save themselves. Much more so than Google or Apple anyway. Which is why personal Microsoft accounts all but force you to stuff in a cell phone number now. Which makes me feel dirty, but ultimate recovery is often an SMS message to a mobile number. Now the people that refuse to KEEP their mobile numbers... they're in trouble.
 
Ok - I'd like to nudge this thread in the 'helpful' direction a bit.

@Sky-Knight - Your responses make me wish I'd signed up for that webinar - haha.

I'm less concerned with the edge-cases and more concerned with establishing a workable, scalable SOP for new setups, targeted at individuals (residential customers) or SMB w/o the necessary M365 licenses for AzureAD. I'm in an area where internet is going to be available for 99.99% of setups, so we don't have that issue.

Your recommendation is:
If the company doesn't have AAD or AD, then the machine will still need to be joined to an AAD, this is the PERSONAL Microsoft login, which will simply collect machines. And the only reason you're doing it is again to get that computer account that has the recovery key stored in it. You don't actually have to use those accounts for day to day, you just need one on the box to link the device to the directory.
and
If you make a user on a machine, the local admin user during initial setup, YOU LINK THAT ACCOUNT to a personal Microsoft account, and then make a NEW LOCAL ONLY ACCOUNT for the end user.

Is this just the only remaining way to prevent requiring that the daily-used user account be a Microsoft account? Frankly, I'm thinking it's easier to just give up and make their daily-used user account a Microsoft account in the first place. That's obviously what MS wants anyway - maybe it's time to just let them win this one and get on with our lives (for customer computers at least). We stopped trying to persuade users to use local accounts a long time ago, we prefer instead to explain the pros and cons of both choices as we understand them and let them make the choice. We also stopped using their actual email addresses for the MS accounts as well, preferring instead to set up a new Outlook.com address - people always confuse the two otherwise, and we got tired of those phone calls. So I guess we're 80% of the way there anyway.
 
@HCHTech You're not wrong, because there's a bucket of user specific integrations that don't work without a Microsoft Account under the hood. Even if you use a local account integrated with Azure, but only at the level provided by Standard and Basic there's stuff you need that MS account for.

I'm maintaining Personal accounts for my clients in this space only to keep that recovery key available. I won't rely on users for that, because well... that doesn't end well!

If the local user is an admin, they'll get a copy of that recovery key too if the account is merged. My SOP orbits around ensuring I have access to that key when I need it, nothing else really matters to me because the rest is user preference.

Microsoft's reckless price hikes on M365 this year have ensured zero of my clients will ever be on Premium. So there is that too.
 
more concerned with establishing a workable, scalable SOP for new setups, targeted at individuals (residential customers) or SMB w/o the necessary M365 licenses for AzureAD.
That's what I'm interested in as well. I make a living out of break-fix and a small store because I keep things simple. So for me the solution is local account on setup (and still doing it with Win11 by ending the Network Connection Flow task during setup). The customer can (and often does unconsciously) link their login to a Microsoft account at a later time, or I can help them with that if needed. Device encryption hasn't been much of an issue... yet.

I have plenty of customers using LibreOffice and they don't need to provide a Microsoft account for me to set up their computer. I also set up refurb PCs ready to buy, easy to demo when already booting into a local account. I don't subject my customers to the OOBE unless (on rare occasion) they want a new PC sealed in the manufacturer's box (e.g. tech savvy customer that likes to do the setup themselves).
 
Our standard used to be E3....so when M365BizPremium came out....pretty much a no brainer for 95% of 'em.
Pretty easy push once you add up all the services you get in the stack.
Well over a hundred businesses on 365 through us...fairly easy sell.
 
@Sky-Knight Do you verify the bitlocker keys are there after each setup you do? I’ve never run into this except twice, the second one being today.

Customer only has two email addresses. One at aol and one at gmail. Her husband has a gmail account. The only one that is a valid Microsoft account is the aol one. Logged into the account and saw the computer listed there. Verified the model number and confirmed she only owns one of these machines. Went to manage bitlocker keys and there’s nothing there. The machine is there but no key. Checked in the root of one drive also with nothing.

This customer lost everything because of unknowingly encrypted data that didn’t work right. I guess it’s possible someone else deployed the machine and signed in with their own accounts but based on history with this end user not likely. She ordered the machine straight from Dell and did her own setup. In fact the office 2019 that she purchased on the same invoice is in this aol Microsoft account. I would tend to believe her; she isn’t lying about this.

I’m all for encryption and everything else talked about in this thread but this is the exact situation that happens when this crap is forced on people.

@nlinecomputers we also have a handful of customers that have no internet and rely on cellular hotspots and even a few with no cell service either. What a crappy solution that they now can’t setup their own stuff and have to do it elsewhere.
 
@VISA MC I do actually, because it only takes a few moments for it to appear. If I catch a machine in the field that's new to me, I make a local admin account on the unit and link that with the Microsoft account I'm maintaining for that client. In these cases it can take a day or two before the key shows up, but it always has.

You can also get the key via powershell!

Code:
(Get-BitLockerVolume -MountPoint C).KeyProtector

I'm still trying to get this running via a check in my RMM so the recovery keys just pull into a custom data field in my RMM automatically.
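Added example, not Sky-Knight's script and not anything the thread supplies: a PowerShell sketch of the check described above, run elevated on the endpoint. It walks every BitLocker volume, pulls the numeric RecoveryPassword protectors into one string a RMM can drop into a custom field, flags the "encrypted but no recovery password protector" case that ends in data loss, asks Windows to push the protectors to the linked account with `BackupToAAD-BitLockerKeyProtector`, and then reads the BitLocker Management event log for the success/failure events. Assumptions: `Write-RmmCustomField` is a placeholder for whatever your RMM actually exposes; the log name and event IDs 845/846 are as documented for the BitLocker-API log, but confirm them on your build; and whether the explicit backup call shortens the "day or two" delay for a plain MSA-linked (not AAD-joined) device is something to verify on a test box.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread). Collects BitLocker recovery passwords,
# requests a backup to the linked MSA/AAD account, and reports whether Windows
# logged that backup as successful. Intended to be called from an RMM check.

function Get-RecoveryKeySummary {
    # One line per recovery-password protector, suitable for an RMM custom field.
    $lines = foreach ($vol in Get-BitLockerVolume) {
        if ($vol.VolumeStatus -eq 'FullyDecrypted') { continue }  # nothing to recover

        $rp = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        if ($rp.Count -eq 0) {
            # Encrypted volume with no numeric recovery password at all: this is
            # the situation where a TPM hiccup means the data is simply gone.
            "$($vol.MountPoint) WARNING: encrypted but no RecoveryPassword protector"
            continue
        }
        foreach ($p in $rp) {
            "$($vol.MountPoint) $($p.KeyProtectorId) $($p.RecoveryPassword)"
        }
    }
    return ($lines -join [Environment]::NewLine)
}

function Backup-RecoveryKeysToAccount {
    # Ask Windows to upload each recovery-password protector to the directory
    # the device is joined/registered to. Errors are reported, not fatal.
    foreach ($vol in Get-BitLockerVolume) {
        $rp = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        foreach ($p in $rp) {
            try {
                BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                    -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null
                Write-Output "Backup requested: $($vol.MountPoint) $($p.KeyProtectorId)"
            } catch {
                Write-Warning "Backup failed for $($vol.MountPoint): $($_.Exception.Message)"
            }
        }
    }
}

function Test-RecoveryKeyBackedUp {
    # Event 845 = recovery info backed up to the account; 846 = backup failed.
    # (Log name and IDs as documented for BitLocker-API; verify on your build.)
    $log = 'Microsoft-Windows-BitLocker/BitLocker Management'
    $ok  = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 845 } -MaxEvents 1 -ErrorAction SilentlyContinue
    $bad = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 846 } -MaxEvents 1 -ErrorAction SilentlyContinue

    if (-not $ok) { return $false }                       # never saw a success
    if ($bad -and $bad.TimeCreated -gt $ok.TimeCreated) { # latest attempt failed
        return $false
    }
    return $true
}

function Write-RmmCustomField {
    # PLACEHOLDER: replace with your RMM's real mechanism for setting a custom field.
    param([string]$Name, [string]$Value)
    Write-Output "[$Name] $Value"
}

# --- RMM check body ---
$summary = Get-RecoveryKeySummary
Backup-RecoveryKeysToAccount
$backedUp = Test-RecoveryKeyBackedUp

Write-RmmCustomField -Name 'BitLockerKeys'      -Value $summary
Write-RmmCustomField -Name 'BitLockerKeyBackup' -Value ($(if ($backedUp) { 'OK' } else { 'NOT CONFIRMED' }))

# Fail the check (non-zero exit) when there is nothing recoverable or no confirmed backup,
# so the technician sees it before the customer needs the key.
if ($summary -match 'WARNING' -or -not $backedUp) { exit 1 }
```

Two design points: the summary is the thing worth keeping in the RMM, because it does not depend on the customer remembering which throwaway account the machine landed in; and the event-log test is the only local evidence that the upload happened, which is exactly the gap in the "machine listed, no key" case a few posts up. Note also that the exported string is itself the recovery key, so the RMM field it lands in needs the same access controls you would put on a password store.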
 
The problem is not a fault on the Microsoft account. The end user stupidly created a unique Microsoft account and then forgot about it. Likely some variation of their name @outlook.com. The OOBE needs to be changed so that they require a functioning email address and cell phone that you verify before you can continue. If they are going to force end users into this bullsh!t then they need to make it more idiot proof. I think too many end users don’t realize that they are asking for your current email address during setup. Worse many people already HAVE a Microsoft Account and don’t realize it or they don’t know the password so they create a new MSA on the fly and promptly forget about it. Later once the PC is up and running and they purchase Office 365 they recover the real Microsoft account and buy M365. The machine is still linked to that on the fly account they created and forgot about.
 
I think too many end users don’t realize that they are asking for your current email address during setup. Worse many people already HAVE a Microsoft Account and don’t realize it or they don’t know the password so they create a new MSA on the fly and promptly forget about it.

And we, as an industry, are directly responsible for having done a lot to create just such a situation.

It's interesting to me that virtually no iUser I've ever known is unaware that they have an Apple account (regardless of whether they call it an iTunes account, iCloud account, or whatever - like Google and Microsoft, it's the key to all services) and have known since day one.

The years of us, collectively, doing these insane workarounds to make certain that a local account gets created has done nothing but add fuel to the fire that's currently burning.

In the age of cloud computing, a "cloud account" linked to your respective OS should be a basic expectation. We should be teaching our clientele this fact, and refusing to create local accounts anymore as a matter of course.

The customer is not always right. In fact, on many occasions the customer is downright stupid. Part of our job is to "enforce what's needed for today, and going forward" in the spheres in which we work. One of those things is a cloud linked account for any device an end user might use, and making clear that they must log the information necessary to access that account somewhere that they can get at it when needed, and it will invariably be needed at some point. [The fact that you can create aliases for a Microsoft Account, using multiple email addresses and/or phone numbers, should make retention of *something* even easier if things the user actually uses frequently for other things are included in the mix.]

Those clients that insist on doing the untenable should be passed along to some other tech who wants the pain of dealing with them. Such techs deserve exactly what they get.

[And before anyone even bothers, you absolutely can log in to Windows 10 or Windows 11 without an internet connection for an existing account already on the machine that's a cloud-linked account. I've done it many, many times, and it's a simple matter to prove it to yourself if you've never tried.]
 
It's interesting to me that virtually no iUser I've ever known is unaware that they have an Apple account (regardless of whether they call it an iTunes account, iCloud account, or whatever - like Google and Microsoft, it's the key to all services) and have known since day one.
Not in my experience. I know plenty of people who destroyed an iPhone and make frantic requests to family and friends for phone numbers and email addresses while bemoaning the loss of all their photos. I'm sure they had an iCloud account but they are unaware of the username or password. They use gmail for email. By the same token I have seen several android users that lost all the above AND their gmail account because they didn’t know the password. Some are so clueless as to have later managed to regain access to the gmail account but never managed to restore it to the new phone as it was set up on a new gmail account by the cell store clerk who, understandably, can’t be bothered to try and help the user recover their original gmail account.
 
@britechguy I run into people that don't know their Apple credentials ALL THE TIME. Same with Google, the largest time sink in rolling out MFA to my clients is getting those users to sign into the appropriate stuff to install the free app off the appropriate app store.

And you're right it's very much the same problem, and always rooted in pure stupid that I'm objectively tired of dealing with.
 
pure stupid that I'm objectively tired of dealing with.

Yup. And that's why I just don't deal with it anymore.

You get one round of careful explanation from me, along with assistance (if needed) in acquiring the information necessary to log those accounts and their passwords (even if we need to change them to do so). After that, you are expected to know this because it is "your electronic keys." That's actually how I explain it, too, because I don't know of many people who don't know precisely where their keys are for their house and car (among other things) 99% of the time or more.

And it's why I want people NOT to use any "automatic login" features. We have done everything in computing to make what is the mental equivalent of "muscle memory" fail to develop. Password managers are a good idea, having browsers remember every login and password is not. Having an "on demand place I can check when I occasionally forget" is essential, having something else do what I should be doing to verify myself as being myself is not.

We have trained in bad, very bad, practices. And some of those (not all, but some) are the direct result of trying to get too stringent about authentication and having those ingenious fools come up with ways to foil that stringency that makes things even less secure.

I'm also pretty much the same way about taking full system image backups. My clients get warned that they will, eventually, almost certainly have a computer "up and die" in such a way that if they don't have a backup they will lose everything. They make an informed choice to be willfully stupid if they persist in doing nothing. But my conscience is clear.
 
@VISA MC I do actually, because it only takes a few moments for it to appear. If I catch a machine in the field that's new to me, I make a local admin account on the unit and link that with the Microsoft account I'm maintaining for that client. In these cases it can take a day or two before the key shows up, but it always has.

You can also get the key via powershell!

Code:
(Get-BitLockerVolume -MountPoint C).KeyProtector

I'm still trying to get this running via a check in my RMM so the recovery keys just pull into a custom data field in my RMM automatically.
I’ll have to play with this a little bit to see how it handles things like PC name changes and whether the account is signed into upon creation or linked later.

In this particular case I would tend to think the customer wouldn’t have created two back to back Microsoft accounts. One that holds the bitlocker key and another one that holds the Home & Business key that she purchased at same time and was preloaded on the machine, all she had to do was sign in.
 