Another method for avoiding using a Microsoft account during setup

My understanding has always been that Windows 11, as shipped from the factory, has Device Encryption (Home) or BitLocker (Pro) active as shipped. It's not turned on as part of the setup process by the end user, but of the basic setup of Windows itself.
Have you verified that? As in booting from other media and trying to access files on the drive in question? While I'm not surprised about anything OEMs do. Like turning on FDE when a machine is doing OOBE and logging in with a MS account. I've done a few and have yet to see a single popup/notification to that effect. At least in that situation recovery is possible in most cases since they should be able to access/recover the online account. But doing this out of the box with no notice is an extremely troublesome development. I guess it's getting to the point where we need to start warning customers that they need to assume everything on any equipment is encrypted and will have to do mandatory backups lest equipment failures make native data recovery nearly impossible.
 
Since Windows 8 Microsoft has employed device encryption, a limited form of BitLocker Encryption on systems pre-installed with Windows. Signing in to a Microsoft Account was the final step to engage the encryption. Many OEMs can and did opt out of this but many didn’t and Windows 11 seems to have taken the option away. OEMs are now required to have the hardware and enable DE on Windows 11 Home. Activation of the encryption is so fast as to infer that it is already encrypted on shipment, even if you bypass the M$ account somehow the disk is likely still encrypted. The TPM chip holds the actual key and during boot-up it decrypts the drive enough to boot Windows and wait for authentication. If you “suspend” BitLocker the TPM chip simply always decrypts the drive without any authentication. Encryption is only removed if you disable BitLocker. I suspect that the system is booting up in this suspended state until you complete OOBE and login to your Microsoft Account.
 
In the end, I really don't care all that much about the exact progression of events under the hood. Everything I've been reading, for many months, and in Microsoft's own documentation, is that under Windows 11 device encryption/BitLocker is in place from the first second that the end user has any access to Windows itself.

I intend to put together a "standard for me" immediately post setup script that will contain:

echo [-] Disabling BitLocker/Device Encryption...
manage-bde -off C:

As far as I'm concerned device encryption is just a disaster waiting to happen, and given the number of issues that have been the direct result of device encryption that have been reported here on Technibble forums, well, it hasn't made my opinion anything but stronger.
 
The real issue with device encryption is that it is being done by default, and when set up by end users they rarely know or pay attention to things; they just want into the system. This results in enabling features with a generally sound idea but poorly executed, as the users rarely note or maintain anything after initial setup and the necessary recovery information is lost, resulting in a bigger problem than the generally small risk of data theft.
 
the users rarely note or maintain anything after initial setup and the necessary recovery information is lost resulting in a bigger problem than the generally small risk of data theft.

Absolutely. That's precisely why I call the universal automatic enabling of device encryption (at least on PCs) a disaster waiting to happen. Most of the "total losses" of data that I know of have not been the result of a simple drive failure, but where encryption (and lack of knowing it was on or having keys) has made it impossible.

And for those who insist on using local Windows 10 user accounts, rather than Microsoft Account linked ones, that key is not automatically stored anywhere. Tick, tick, tick . . .
 
And for those who insist on using local Windows 10 user accounts, rather than Microsoft Account linked ones, that key is not automatically stored anywhere. Tick, tick, tick . . .
Device Encryption is not automatically enabled unless there is a Microsoft Account to save the key in.
I don't work with Windows Home....but are people seeing Windows 11 Home edition....ONLY allows Microsoft accounts to sign in? No way to trick that?
That's exactly what this thread is about. The answer is yes and it isn't so much a trick as a feature put there by Microsoft that's hard to find:
During the OOBE (out of box experience, or initial startup of a clean install):
- SF10 to get command prompt
- enter "oobe\bypassnro"

Also if you create Windows 11 install USBs using Rufus it can remove the Microsoft account requirement (and CPU/TPM requirements).
 
Activation of the encryption is so fast as to infer that it is already encrypted on shipment, even if you bypass the M$ account somehow the disk is likely still encrypted. The TPM chip holds the actual key and during boot-up it decrypts the drive enough to boot Windows and wait for authentication. If you “suspend” BitLocker the TPM chip simply always decrypts the drive without any authentication. Encryption is only removed if you disable BitLocker. I suspect that the system is booting up in this suspended state until you complete OOBE and login to your Microsoft Account.

This is the part that I guess I am more curious about. Up until now, I always thought...and told people...that BL is not activated UNTIL the end user signs into a Microsoft account. I did not think it was possible to bypass a Microsoft account for sign in, and still somehow have BL activated and encrypting the drive. Because....HOW....would you retrieve the key without having a Microsoft account that it was saved to? Or...saved to removable media/text file/printed. So far I have been under the impression that BL will 100% present this window (see screenshot) when activated...but I could be wrong, perhaps it may just...activate behind the scenes without any dialog box to indicate to the end user that it's been turned on. (Exception of course, when one has a 365 policy that forces it on and captures the key, like I make for my clients in their 365 biz tenant....and only on WinPro. That policy does it quietly behind the scenes)
[screenshot attached]
 
That’s pure speculation on my part and I hope I am wrong as it would mean a risk for data loss without securing the key should the TPM chip get reset or fail. But I can see Microshit doing that to make the OOBE faster.
 
One of my issues is that most end users I know never log out of their PC, set up facial or thumbprint recognition, and don't know their password or PIN. The last time I even considered recovery options (fortunately the matter was solved w/o them), there was no option to log in and get recovery keys on a different device with facial or print login options; it seems that those are, or at least were previously, working through some other mode to authenticate their MS account, leaving the user unable to work with recovery options.

I was also, like others, under the impression BitLocker was not on by default if a local account was used in the OOBE. I suspect an issue some might run into is where OOBE was done with a MS account and then later changed to a local account, possibly leaving BL enabled and on w/o reliable recovery means.
 
Given the number of folks here who are doing OOBE and forcing a local account as part of that, surely someone can verify the BitLocker (Pro) or Device Encryption (Home) state of the system drive immediately thereafter.

This should not be difficult to verify for the next person so configuring a Win11 machine.
 
Given the number of folks here who are doing OOBE and forcing a local account as part of that, surely someone can verify the BitLocker (Pro) or Device Encryption (Home) state of the system drive immediately thereafter.

This should not be difficult to verify for the next person so configuring a Win11 machine.
We're unbuckling 4 or 5 computers today in our service room....
I just walked over to a laptop, Win11 Pro, it's only a "local" user account so far, has not joined AzureAD yet for the client.
The other laptops are the same. Still just "local" user accounts, and they have the same status. These are all Lenovo ThinkPads and ThinkCentre TinyPCs. None are Windows Home (we'll never purchase a Windows Home computer to unbuckle...however I'm very curious how that process goes...once in a while we do help out the owner/manager/staff at clients of ours who bring in their personal computers).
[screenshot attached]
 
We're unbuckling 4 or 5 computers today in our service room....
I just walked over to a laptop, Win11 Pro, it's only a "local" user account so far, has not joined AzureAD yet for the client.
The other laptops are the same. Still just "local" user accounts, and they have the same status. These are all Lenovo ThinkPads and ThinkCentre TinyPCs. None are Windows Home (we'll never purchase a Windows Home computer to unbuckle...however I'm very curious how that process goes...once in a while we do help out the owner/manager/staff at clients of ours who bring in their personal computers).
[screenshot attached]

Thanks.

Now, the next question is does it get automatically turned on if/when a Microsoft Account Linked Win11 User Account gets created on the machine? I'd hope not, but who knows?

If BitLocker is to be enabled automatically, it would really be helpful to know what the triggering events for activation are. And I'd hope those would be strictly at device setup.

Turning it on at "user behest" is another thing entirely.
 
Thanks.

Now, the next question is does it get automatically turned on if/when a Microsoft Account Linked Win11 User Account gets created on the machine? I'd hope not, but who knows?

If BitLocker is to be enabled automatically, it would really be helpful to know what the triggering events for activation are. And I'd hope those would be strictly at device setup.

Turning it on at "user behest" is another thing entirely.

I am seeing it activate automatically, without user intervention, when signing into a Microsoft 365 "work/school" account. I cannot answer for "when signing into a PERSONAL Microsoft account". I'd love to find the answer to that. I could go unbuckle a rig and test it with my personal account I suppose...and then wipe it again when done.

But I'd really like to see how a Windows 11 "Home" OOBE goes with these same points....I fully understand and appreciate things said above, that "home users" get used to doing a PIN or fingerprint or camera...and...they "forget" their Microsoft personal account password. So we're pretty stuck being able to retrieve that key.
 
Microsoft personal account password. So we're pretty stuck being able to retrieve that key.

But thank heaven there is a procedure to do this for Microsoft Accounts that often results in success with some input from the end user. One of the reasons I hate local accounts, as I find the gyrations needed to get back in more onerous.

I just don't set up local accounts anymore unless the client is adamant, and very, very few are. I'd rather spend the time determining whether they have an existing Microsoft Account (based on their email address) if they're not sure one exists, and creating it if it doesn't, than going the local account route. And with the latest developments with regard to BitLocker/Device Encryption, I'm far more inclined to stand my ground on this one.
 
But thank heaven there is a procedure to do this for Microsoft Accounts that often results in success with some input from the end user. One of the reasons I hate local accounts, as I find the gyrations needed to get back in more onerous.

I just don't set up local accounts anymore unless the client is adamant, and very, very few are. I'd rather spend the time determining whether they have an existing Microsoft Account (based on their email address) if they're not sure one exists, and creating it if it doesn't, than going the local account route. And with the latest developments with regard to BitLocker/Device Encryption, I'm far more inclined to stand my ground on this one.

Yeah I've got to find some article on "how to recover a Microsoft personal account"...I've not gone through those steps before. Call it a result of being spoiled by having the keys to the kingdom, we're always an "admin" of either their on prem server (domain controller)...or as in this case, full global admins of their Microsoft 365 tenant. So we can always go in and reset the password of their account.

Guessing the process of creating a Microsoft personal account involves giving at least one or two alternative methods of contact...such as a cell phone number to send a text to, and/or an external email address (such as a GMail account)...from which a "forgot my password..need to reset it" link can be sent. Which..I also see that as a fallback for security, as a wise patient hacker can usually fairly easily phish and get into a user's personal email account...and be there waiting for that password reset link as they initiate the "forgot my password" process on the user's Microsoft account. We now block that method in M365Biz tenants.
 
I suspect an issue some might run into is where OOBE was done with a MS account and then later changed to a local account possibly leaving BL enabled and on w/o reliable recovery means.
Now, the next question is does it get automatically turned on if/when a Microsoft Account Linked Win11 User Account gets created on the machine? I'd hope not, but who knows?
For the last year or two (in Win10/11) a local account login is retained even after a Microsoft Account is supplied for an app and the user selects the option to use the account to sign in to apps automatically. Before recently, that option would force users from local to MSA login causing confusion about what password to use on the next login (so MS has improved things there).

So now users can have local account login AND have a Microsoft Account associated with it that is used for all apps that want it. This is effectively the same as an MSA login without the MSA login. I think Device Encryption activates in this situation and the key is saved in the linked MSA.
 
Just wanted to note that I went through OOBE just this morning on a Lenovo IdeaCentre AIO 3, setting up a MS-Account-linked Win11 user account, and device encryption was not enabled, which came as a shock. Everything I've read so far says it's turned on under Windows 11 Home or Pro, but a check with manage-bde -status said it was not.
 
Create an email or alias email, create a "setup" Microsoft account > do the initial computer setup > use the cmd window and create your local user (net user ...) and also assign to Administrators (net localgroup Administrators NewGuy /add) > log out and log into local user. Now delete the original setup account.
 
Create an email or alias email, create a "setup" Microsoft account > do the initial computer setup > use the cmd window and create your local user (net user ...) and also assign to Administrators (net localgroup Administrators NewGuy /add) > log out and log into local user. Now delete the original setup account.
Wouldn't you end up with the computer still linked to that account, but no real way to know what it was unless you remember that you set it up and what you used. And the recovery key is in that mysterious account.
 
Just wanted to note that I went through OOBE just this morning on a Lenovo IdeaCentre AIO 3, setting up a MS-Account-linked Win11 user account, and device encryption was not enabled, which came as a shock. Everything I've read so far says it's turned on under Windows 11 Home or Pro, but a check with manage-bde -status said it was not.
SOMEtimes it can take 2-3 reboots.
Also can quickly check status...in the search box, type in "bitlocker" (quotes not needed)...and the "Manage Bitlocker" link will pop up, click on that for the GUI version....see if it's enabled, suspended, whatever.
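The status check discussed in the last few posts, and the "save the key before you turn it off" concern raised earlier in the thread, as one added PowerShell script (not posted by anyone in this thread). It assumes an elevated prompt on Windows 10/11 with the BitLocker module present, and that $BackupDir points at removable media rather than the drive being decrypted; the path and the hypothetical file naming are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Checks the Device Encryption / BitLocker state of the
# system drive right after OOBE, gets the 48-digit recovery password off the machine if the
# volume is encrypted, and only then decrypts (the same end result as "manage-bde -off C:").
param(
    [string]$MountPoint = 'C:',
    [string]$BackupDir  = 'D:\BitLockerKeys'   # assumption: a USB stick, not the encrypted volume
)

$vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

# VolumeStatus tells you whether data is encrypted; ProtectionStatus tells you whether the
# protectors are armed. "FullyEncrypted" with ProtectionStatus "Off" is the suspended state
# (TPM unlocks without any authentication) that the thread speculates about.
Write-Host ("[{0}] VolumeStatus={1} ProtectionStatus={2} Encrypted={3}%" -f `
    $MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus, $vol.EncryptionPercentage)
foreach ($kp in $vol.KeyProtector) {
    Write-Host ("  protector {0} type={1}" -f $kp.KeyProtectorId, $kp.KeyProtectorType)
}

if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    Write-Host 'Drive is not encrypted; nothing to do.'
    return
}

# The drive holds encrypted data. A local-account machine has no MSA/AAD escrow, so the
# RecoveryPassword protector is the only way back in if the TPM is reset or fails.
$recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
if (-not $recovery) {
    Write-Warning 'No RecoveryPassword protector found; adding one before touching the volume.'
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $recovery = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
}

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$file = Join-Path $BackupDir ("{0}-{1}.txt" -f $env:COMPUTERNAME, (Get-Date -Format 'yyyyMMdd-HHmmss'))
$recovery | ForEach-Object {
    "Computer: $env:COMPUTERNAME`nProtector ID: $($_.KeyProtectorId)`nRecovery password: $($_.RecoveryPassword)"
} | Set-Content -Path $file
Write-Host "Recovery password saved to $file (keep that file off this drive)."

# Now it is safe to do what the thread's post-setup script does: remove the encryption.
Disable-BitLocker -MountPoint $MountPoint | Out-Null
Write-Host 'Decryption started; follow progress with: manage-bde -status'
```

Re-run the first half (or manage-bde -status) after a couple of reboots, since the thread notes Device Encryption can switch on late.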
 