Another method for avoiding using a Microsoft account during setup

The device encryption in Win11 is starting to hit home pretty hard. I've had a few customers with Win11 laptops that won't boot. I used to be able to pull the drive, dock it, and get all their personal data off it before a N&P. Now they have no idea their device is encrypted. They swear they don't have a MS account and wading through the recovery process with a customer that is at work and cannot respond is just a huge time suck. I'm really tired of it already......
 
wading through the recovery process with a customer that is at work and cannot respond is just a huge time suck.

Then why do you do it? And that's a serious question.

We all know that this sort of thing actually requires the full attention of the client, so if they can't give it, it needs to be postponed.

We can, and should, be training our clients in regard to what we need from them, too. I have yet to have a client bail on me and try to find someone else when I tell them we cannot do this unless they can devote their full attention to getting me the information I need to get the job done. I just have them get in touch again when they can focus and have easy access to the machine and whatever else they need to have access to.

One thing's certain, though, is at the end of any of the, "I don't have an {insert entity} account!," statement when they must use a service they will not only know that they do, but what all the credentials are, and I will generally have watched them log them, before that job is over. Customers need to know what is in place, and take steps to remember that, for services that they use. On the odd occasion when I actually have to set that up, I get them as involved as I can in picking both userid and password - then making them record same.
 
The device encryption in Win11 is starting to hit home pretty hard.

Which is why I'm adding "turn off device encryption" to my standard initial setup steps for Windows 11 machines.

If ever there were gross overkill, it's the attempt to have universal device encryption. It results in way more heartache in almost all cases (at least in the residential market, but even for small businesses, too).
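An added example, not part of any post in this thread: a PowerShell check a technician could run at intake or initial setup to see whether each volume is encrypted and whether a recovery key exists to be recorded. It assumes an elevated prompt and that the BitLocker module (`Get-BitLockerVolume`) is available on the machine.

```powershell
# Added example: audit device encryption state before a machine leaves the bench.
# Run from an elevated PowerShell prompt.

$report = foreach ($vol in Get-BitLockerVolume) {
    # Recovery-password protectors are what the owner needs if the machine stops booting.
    $recovery = $vol.KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'

    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus        # FullyEncrypted, FullyDecrypted, ...
        ProtectionStatus = $vol.ProtectionStatus    # On / Off
        EncryptedPercent = $vol.EncryptionPercentage
        HasRecoveryKey   = [bool]$recovery
        RecoveryKeyIds   = ($recovery.KeyProtectorId -join ', ')
    }
}

$report | Format-Table -AutoSize

foreach ($row in $report) {
    if ($row.VolumeStatus -eq 'FullyDecrypted') { continue }

    if (-not $row.HasRecoveryKey) {
        # Encrypted data with no recovery password on record.
        Write-Warning "$($row.MountPoint): encrypted, but no recovery password protector exists."
    }
    elseif ($row.ProtectionStatus -eq 'On') {
        # The key ID lets the owner match this volume to the recovery key
        # saved in their account or on paper.
        Write-Host "$($row.MountPoint): protected. Confirm the owner holds the key for ID $($row.RecoveryKeyIds)."
    }
}

# To turn encryption off on a volume (decryption runs in the background):
# Disable-BitLocker -MountPoint 'C:'
```

The key protector ID printed here is an identifier, not the recovery password itself, so the report can be kept in job notes.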
 
@britechguy The pin for Microsoft is just a password that's only valid for login purposes on a specific machine. It's not valid for network access or any other purpose. It's device locked, and can only be used at the physical terminal.

Which yeah... isn't a bloody PIN! But I'm also not sure what else to call it. What to use? Super Local Password?

@Diggs Educate, and raise your rates to compensate for the additional time required. You're not pulling files anymore, you're doing an account recovery. Get paid for it!

@britechguy I disagree, because ID theft often amplifies with laptops found in pawn shops. There's a risk vector there that's better off sealed, and users that cannot keep tabs on a simple cloud login that should also be holding a copy of their data anyway... Well, they deserve what's coming to them. Again, our phones are all encrypted now, why are our laptops any different?
 
Again, our phones are all encrypted now, why are our laptops any different?

Because they're entirely different devices and the characteristic issues (already well discussed in this venue on multiple topics) are entirely different.

If someone's pawning (or otherwise giving away) a computer and does not wipe it first then they deserve precisely what they get. Actions and inactions have predictable consequences, and if you are stupid enough (and that's what it is, pure stupidity), to hand off a computer you have been using without wiping it first, well . . .
 
Because they're entirely different devices and the characteristic issues (already well discussed in this venue on multiple topics) are entirely different.

If someone's pawning (or otherwise giving away) a computer and does not wipe it first then they deserve precisely what they get. Actions and inactions have predictable consequences, and if you are stupid enough (and that's what it is, pure stupidity), to hand off a computer you have been using without wiping it first, well . . .

They get stolen all the time too, just as commonly as phones do.

Also, if the computer is configured the way Microsoft does things by default, all your junk is in OneDrive so you've equally lost nothing. The Microsoft account that users "forget" about gives them FREE access to a 5GB OneDrive storage vault, which again by default snags not a copy, but the ACTUAL LIVING VERSION of Desktop, Documents, and Pictures.

So, if people would keep tabs on their accounts, the encryption wouldn't matter because the device is totally disposable. JUST LIKE THEIR PHONES!
 
Because they're entirely different devices and the characteristic issues (already well discussed in this venue on multiple topics) are entirely different.

If someone's pawning (or otherwise giving away) a computer and does not wipe it first then they deserve precisely what they get. Actions and inactions have predictable consequences, and if you are stupid enough (and that's what it is, pure stupidity), to hand off a computer you have been using without wiping it first, well . . .
Not everything that ends up in a pawn shop is given away. Many laptops are stolen and as it is a fairly cheap device most people don't have serial numbers for them so they can't properly report them stolen. Most people can't even tell you the brand let alone the exact model number. "It's a Microsoft laptop." (and no we are not talking about Surface) #facepalm
 
Not everything that ends up in a pawn shop is given away.

And not everything is stolen, either.

Both you and @Sky-Knight seem to believe that security in general can be greatly improved by encryption, and I do not. Most of the scams, malware, etc., that end up causing the most damage don't care if there is encryption or not because they are "invited on" to the machine by the user and installed by them, whether they realize that's happening or not. Once it's in situ, it has the keys to the kingdom.

Theft is not at the very top of my list of things to worry about, whether for phones or laptops. It comes back to the fact that the first, and foremost, security you can have is physical security. Once any device is literally out of your hands there are myriad ways to get at the contents. And given how many home users, anyway, still set things up to allow login without a password, or use a PIN like 1234, if a machine like that is lost so is all hope.

Both of your experiences, and approaches to the world as a result, are at great divergence with mine. Your worries are not generally mine, or at least where they fall on the list of things that deserve concern are wildly different.

If I have a choice my home clients, like myself, will have device encryption OFF. I'm not going to apologize for that choice, nor do I feel the need to explain it given all the water that keeps passing under the bridge on this very venue about the messes that it causes on far too many occasions and for what I consider to be very near to zero benefit.
 
@britechguy
Once any device is literally out of your hands there are myriad ways to get at the contents.

It's mathematically extremely unlikely to break drive encryption; if this weren't the case no one here would be concerned about it. You're not wrong about the extremely weak PIN vector, however. I too believe this situation causes more issues than it solves on PCs.

But the fact of life is it's beyond either of our pay grades, and no amount of re-configuring the stuff that comes over our desks is going to change much. All of this is very much educate and adapt, because no amount of changing defaults has ever worked. See your own comments about being stubborn about UI changes. Such is the way of things.
 
because no amount of changing defaults has ever worked.

You are absolutely right, on a global level. I'm mostly concerned with my own client base, particularly longstanding ones. Now that we're entering the era of Windows 11, there are defaults, such as Fast Startup and drive encryption, where turning them off will be a part of my standard device setup and even service calls.

I can't fix *the* world but I can do my best to make the worlds of myself, and my clients, the "best" (taken as a whole, all things considered) they can be.

I agree that we are all going to have to come up with our own procedures to deal with the fallout of whatever defaults Microsoft, Apple, etc., set. And that often means encountering situations where what we would reconfigure had we been involved from the outset will not have been.
 
Once any device is literally out of your hands there are myriad ways to get at the contents.
And that is just flat wrong. If encryption didn't work then governments wouldn't be worried about it. For example, the terrorist attack in L.A. several years ago. After the police took out the shooters they recovered an iPhone. The FBI didn't have the means to decrypt the phone's encryption. The only thing they could do was try all the possible pin number combinations. The only thing stopping that was a built-in self-destruct. They ended up hiring a security firm that could duplicate the encrypted contents onto a modified iPhone that had the self-destruct disabled so that they could run all the pin numbers. A proper password would make such an effort take years.

And not every lost laptop is a home user. A couple of years ago a laptop was stolen, at a Starbucks, of a man in our school district's administration office. The laptop had the Social Security numbers of every employee and student in the district. And it was not encrypted. Fortunately, it was recovered at a pawnshop.
 
And not every lost laptop is a home user.

And I'm not going to say this, ever again: I write, unless explicitly stated otherwise, from the perspective of the client base I serve.

That should not need repeating again and again.

I realize that other contexts exist, and if I'm talking about them you'll know.

When I read you or anyone on this forum I keep in mind what I know about the clientele you serve based on a now several years long history of reading. The context I presume you are embedding observations in is based upon that. I suggest you consider doing the same.

Device encryption is generally a nightmare waiting to happen for home/residential users. I'll do what I can to head that off at the pass.
 
@nlinecomputers The issue is home users specifically. Criminals and terrorists aren't home users. Encryption protects them because they won't be stupid enough to use a pin of 1234 to get into a device they're using.

And if you're law enforcement trying to beat your way into a recovered laptop to get evidence from it, you're going to beat on the pin until it expires and faults back to the password and now you're stuck trying to get through that. Because brute forcing the login will take less time than decrypting the device itself.
 
Tried all the methods listed above. There is no other option than to join a network to continue.
There is no way to disable wifi (unless I physically open the laptop and remove the wifi chip?).
There is no "back" button or any way to get out of the "Let's connect you to a network" page.
So, the only way to do an install of Windows 11 is to install Windows 10 and do an in place upgrade.

F*%k Microsoft
Many laptops will use a Fn key to enable/disable wifi. Look for a key with what looks like a tiny i with parentheses (like an antenna radiating radio waves). Often I find it around F7 or F9. Good luck!
 
Many laptops will use a Fn key to enable/disable wifi. Look for a key with what looks like a tiny i with parentheses (like an antenna radiating radio waves). Often I find it around F7 or F9. Good luck!
Doesn't matter, because the lack of network connectivity workaround on Win11 only works if there is no NIC in the system! Good luck removing the wifi card AND the onboard LAN port.

Shops are going to have to join the unit to their own accounts, and then disconnect it. Clunky... but it works.
 
Could also use a USB Ethernet card and just yank it when the time is right, there are I think still USB Ethernet that are working OOB.
 
Doesn't matter, because the lack of network connectivity workaround on Win11 only works if there is no NIC in the system! Good luck removing the wifi card AND the onboard LAN port.

Shops are going to have to join the unit to their own accounts, and then disconnect it. Clunky... but it works.
What about just disabling them in BIOS until the OOBE finishes?
 
What about just disabling them in BIOS until the OOBE finishes?
Extremely few EFIs let you do that. But if you could kill the wifi card and the NIC in the BIOS? Maybe? Even if that works, it won't forever. These hoops are going to have increasing levels of flames attached as time goes on.
 
These hoops are going to have increasing levels of flames attached as time goes on.

I really hope that Microsoft makes it as impossible to use Windows without a Microsoft Account as Apple and Google have made it to use their ecosystems effectively without these respective accounts.

For large organizations, there are already methods to deploy Windows that are appropriate to these entities. For small (and I mean really small) businesses they should establish a Microsoft Account for the business which any computers set up use for that setup. It's a simple matter to add another user, even if you want them to be a local user, after having done that. Home users need to have Microsoft Accounts like they have Google and Apple and all sorts of other accounts.

The resistance to the Microsoft Account is utterly irrational and its use should be considered as standard as other accounts connected to certain ecosystems have been for many years now. We are now in the age of cloud computing and "X as a service," that means having the structure to support that, which includes cloud-based accounts, even if "the same one" is used on multiple machines.
 
Tried all the methods listed above. There is no other option than to join a network to continue.
Tried this method? Has worked for me every time so far:
When you get the request to connect to WiFi, press SF10 to get command prompt, enter taskmgr and end the task Network Connection Flow.
Close task manager and command prompt, you then get the local account setup screen.
 