Bitlocker on drives

In my opinion, this is all really, truly seamless when you are using an MS-Account-Linked Win User Account.
So the same as me using a local account then, that's what I'm getting at. You need to start believing people that tell you there's no advantage in a Microsoft account login, either that or try it yourself and see. If I'm wrong and there's something I'm missing out on then let me know and I'd be happy to concede the point.
 
If I'm wrong and there's something I'm missing out on then let me know and I'd be happy to concede the point.

I say the following with zero snark or anger, but you're never going to concede the point.

I like having my own and my client's respective Microsoft Worlds all tied up neatly in one little bow with a Microsoft Account being that bow. The information that Microsoft Accounts hold in relation to "all things Windows and Microsoft" is extensive and integrated into one place.

That last sentence, and that alone, is my primary reason for strongly preferring an MS-Account-linked Win10/11 User Account in all cases. I can't, and won't, attempt to justify it further. You don't see any value in that and I do.
 
It takes a bit of social engineering to flush out any possible email addresses a client might have used. I had one particularly difficult one a few years ago, and I don't remember how I found it, but I think I saw some reference to an odd ball address a guy had. When I asked him about it he was like "oh no, ...". But I persisted and it turned out that that was the account he had used to set things up, was able to locate the key and save his data.
 
I say the following with zero snark or anger, you're never going to concede the point
Sure, zero snark but a big assumption ;)
I actually would use and recommend MS account login, if anyone could articulate something specific and useful that local account users are missing out on.

I'm at a loss as to why you won't concede that all Microsoft services operate seamlessly without Microsoft account login. That's the main point I was making and it's objectively true.
I like having my own and my client's respective Microsoft Worlds all tied up neatly in one little bow with a Microsoft Account being that bow. The information that Microsoft Accounts hold in relation to "all things Windows and Microsoft" is extensive and integrated into one place.
Still nothing specific.

In my situation, as a happy user of Microsoft consumer-level services like 365 Family and OneDrive (but not encryption), the only thing that isn't wrapped up in Microsoft's little bow is my PC login password. I personally don't get what the advantage is in having Microsoft control my actual login, happy to use their useful services but as I've said those don't require Microsoft account login to PC.
 
I'm at a loss as to why you won't concede that all Microsoft services operate seamlessly without Microsoft account login.

What in God's name are you doing to access them: You're logging in! You're just doing it in the service (e.g. OneDrive, with a MS Account being used in conjunction with a Windows local account). I don't see what benefit this brings, at all. You're either logging in, once, and when you log in to Windows or you're logging in twice, once to get into Windows, then again in the service(s) being used to connect to a Microsoft account to use the services.

Just like I would not use 5 different browsers, logging in to the same Google account separately on each, I'd not use a local account and then log in to one or more Microsoft accounts to use services. I prefer one browser, one Google login, one window (or tab, in my case) per service. It's exactly the same principle in using a MS-Account-linked Windows account.

I don't see the value in using a local account, and then logging in just like you do for a Microsoft Account linked account from the get go. [And I realize that your MS login under a local account can persist over time. But that's not the point.]

Having the Bitlocker key associated with a given device, and that alone, is worth using a MS-Account to set up the Windows User Account from the very start.

I really am out at this point, because if all I've said before now, and in this post won't convince you, nothing will. And I've believed for quite a while that nothing will. And I'm OK with that.
 
I personally don't get what the advantage is in having Microsoft control my actual login, happy to use their useful services but as I've said those don't require Microsoft account login to PC.

As a separate thing of its own, I really don't understand what you mean by "Microsoft control my actual login."

Windows and Microsoft are effectively inseparable, so even when you were using Windows 7, pre-MS accounts, Microsoft was still effectively controlling your login. There was just no cloud service(s) connection.

And in today's situation, whether you set up a local account or an MS-Account-linked Windows account, you can log in at any time and in any place whether or not you have an internet connection. Microsoft, at the level of "to the machine" login, isn't really doing anything different than what's been done for decades.

It's just a matter of the linked type account will "automagically" be connected to your MS-Account and all related services whenever an internet connection comes into the mix.

One of the very easiest ways to prove that local login is local is logging in sans internet connection. An even better proof, in my opinion, is changing the MS-Account password on microsoft.com, but not using it on the computer. So long as you keep logging in with the current password (which is stored locally) you can keep logging in with it. It is only when you enter the new password (and the correct one, fat fingering will still allow you to try the "old" local one again) that the check against the MS servers clears it and supplants the existing locally stored copy with the new password. I've done that "parlor trick" on many occasions to prove to folks that login to the computer, while it has a relationship with the Microsoft Account, is still a local thing in almost every way.
 
or you're logging in twice, once to get into Windows, then again in the service(s) being used to connect to a Microsoft account to use the services.
No you still don't understand.

As I said, it's seamless, exactly the same as if I was using MS account login. You must think I'm exaggerating or using hyperbole but I'm not, which is why I continue to point this fact out to you.

My Windows 10 & 11 local login accounts have my Microsoft account including password associated with them. If I use another Microsoft app or service it supplies the account details automatically. Are you starting to get that it truly is "seamless"?

I repeat, all Microsoft services can be used seamlessly from a local account login. The only difference is I get to choose my password as I want without needing to comply with Microsoft's online password rules, it even allows no password (boots all the way to desktop without login). Control over one's own login and password is a benefit in my opinion, and there's no downside that I know of. You seem to think there's a downside but are unable to articulate it so far.
 
Windows and Microsoft are effectively inseparable, so even when you were using Windows 7, pre-MS accounts, Microsoft was still effectively controlling your login.
Only in the sense that they wrote the code that's running on my PC, and for local accounts their code makes the choice of security up to me. I can't be locked out from my own PC if Microsoft decides my password is suddenly wrong (e.g. online account hacked).
And in today's situation, whether you set up a local account or an MS-Account-linked Windows account, you can log in at any time and in any place whether or not you have an internet connection.
Yes I understand that. It caches your online password locally. But most computers have a permanent internet connection and login goes to Microsoft's server. If the online account gets hacked or suspended, getting into your own PC is a headache!
 
No you still don't understand.

No, I do. But it still requires you to have logged in using your local account, and then afterward logged in to Microsoft service number 1 using a Microsoft account.

I realize that everything behaves precisely the same after that.

But as I said earlier, the fact that Bitlocker is now on by default in OOBE makes it critical, to me, that there be an MS account that has that associated with it at initial setup time. That, and that alone, is enough for me to justify my personal stance that I will not set up machines with local accounts as the first or even the only account. If someone insists on a local account, the master admin account on that machine will still be initially set up MS-Account linked, then it will be used to set up the local account, whether that local account is standard or has admin permissions. For me, this is both best and only practice. As the British say, belt and braces.
 
But it still requires you to have logged in using your local account, and then afterward logged in to Microsoft service number 1 using a Microsoft account.
On a new PC or after a fresh OS install. Once. Other Microsoft services will then use that "automagically". So no disadvantage.
But as I said earlier, the fact that Bitlocker is now on by default in OOBE makes it critical, to me, that there be an MS account that has that associated with it at initial setup time.
The encryption should NOT kick in unless the login is a Microsoft account. So that isn't a reason to use MS account login.
 
If someone insists on a local account, the master admin account on that machine will still be initially set up MS-Account linked, then it will be used to set up the local account
Not correct. I never do it that way, and I explicitly said that a few posts back. The initial account is always local, and Microsoft has a (slightly hidden) way to do that: oobe\bypassnro.
 
I do not want to join the debate on MS accounts. Has anyone done the bypass to a local account on an OEM laptop out of the box and looked to see if the lock shows on the drive in My PC?
Since I do not do physical work any longer, I have not tried it myself.

When I used to set up new OEM computers, I always wiped the drive and used an image to set it up.
 
I do not want to join the debate on MS accounts. Has anyone done the bypass to a local account on an OEM laptop out of the box and looked to see if the lock shows on the drive in My PC?
I did one today, brand new Acer laptop, used bypassnro on initial startup. Has had no Microsoft account added as yet (waiting for the customer to come and pick up, will activate Office 2019 when he comes in).

manage-bde -status
BitLocker Drive Encryption: Configuration Tool version 10.0.22621
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [Acer]
[OS Volume]

    Size:                 952.60 GB
    BitLocker Version:    None
    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0.0%
    Encryption Method:    None
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: None
    Key Protectors:       None Found
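The manage-bde output above is the state a technician wants to confirm on a freshly set-up machine: either the volume is still decrypted, or it is encrypted and a recovery password has been backed up somewhere off the disk. The following PowerShell function is an added example, not code from anyone in this thread; it audits every BitLocker volume and flags the dangerous combination (encrypted, no recovery password protector). It assumes an elevated PowerShell session and that the BitLocker module (Get-BitLockerVolume, Add-BitLockerKeyProtector) is present, which is the case on Pro/Enterprise and on Home editions that support device encryption. The -AddMissingRecoveryPassword switch and the risk wording are this example's own.

```powershell
# Added example (not from the thread): audit BitLocker / device encryption state on the
# local machine and flag any encrypted volume that has no recovery password protector.
# Assumptions: elevated PowerShell; the BitLocker module is available on this edition.
#Requires -RunAsAdministrator

function Get-BitLockerAudit {
    [CmdletBinding()]
    param(
        # Print recovery passwords so they can be stored somewhere other than the encrypted
        # disk (Microsoft account, password manager, printout). Off by default: they are secrets.
        [switch]$ShowRecoveryPasswords,
        # Create a recovery password protector on any encrypted volume that lacks one.
        [switch]$AddMissingRecoveryPassword
    )

    foreach ($vol in Get-BitLockerVolume) {
        $protectors = @($vol.KeyProtector)
        $recovery   = @($protectors | Where-Object KeyProtectorType -eq 'RecoveryPassword')

        if ($AddMissingRecoveryPassword -and $vol.VolumeStatus -ne 'FullyDecrypted' -and $recovery.Count -eq 0) {
            # Mitigation: without this protector a TPM reset or firmware update can strand the data.
            Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector | Out-Null
            $vol        = Get-BitLockerVolume -MountPoint $vol.MountPoint   # re-read after the change
            $protectors = @($vol.KeyProtector)
            $recovery   = @($protectors | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        }

        # Risk classification (this example's own wording)
        $risk = if ($vol.VolumeStatus -eq 'FullyDecrypted') {
            'Not encrypted (device encryption has not activated)'
        } elseif ($recovery.Count -eq 0) {
            'ENCRYPTED WITHOUT A RECOVERY PASSWORD - back one up before doing anything else'
        } elseif ($vol.ProtectionStatus -ne 'On') {
            'Encrypted but protection is suspended (volume key stored in the clear)'
        } else {
            'OK'
        }

        [pscustomobject]@{
            MountPoint        = $vol.MountPoint
            VolumeStatus      = $vol.VolumeStatus
            ProtectionStatus  = $vol.ProtectionStatus
            EncryptionMethod  = $vol.EncryptionMethod
            Protectors        = if ($protectors.Count) { $protectors.KeyProtectorType -join ', ' } else { 'None' }
            RecoveryPasswords = if ($ShowRecoveryPasswords) {
                                    @($recovery | ForEach-Object { "$($_.KeyProtectorId) $($_.RecoveryPassword)" })
                                } else {
                                    $recovery.Count
                                }
            Risk              = $risk
        }
    }
}

# Usage: Get-BitLockerAudit | Format-List
# Usage: Get-BitLockerAudit -ShowRecoveryPasswords   (only when you are about to store the key safely)
```

On the Acer in the post above this would report VolumeStatus FullyDecrypted and Risk "Not encrypted", matching the manage-bde output. The KeyProtectorId is printed alongside each recovery password because that is the identifier the BitLocker recovery screen shows when it asks for the key, so the pair is what should be saved.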
 
The owner of the above Win11 Home computer got back to me with their MS account password for activating Office 2019. After putting that in, and selecting "Microsoft apps only" for future use of that account, and then rebooting, the bde status command shows exactly the same as above. Encryption did not activate. This is what is showing in Settings > Accounts > Email & Accounts:
[Screenshot 2023-09-06 154931.png: Settings > Accounts > Email & Accounts]
 
You need to start believing people that tell you there's no advantage in a Microsoft account login, either that or try it yourself and see. If I'm wrong and there's something I'm missing out on then let me know and I'd be happy to concede the point.

I could spend HOURS...talking about (and giving examples of) the many benefits of signing into Microsoft accounts when it comes to Microsoft 365 for work. It wasn't specified "work" or "home". However, for this thread I'll assume "home"...while there are fewer benefits, there still are benefits. Whether the end user cares about those benefits, or not...well, hard to say.

For a single user on a single PC that does not want any passwords on their computer and really doesn't ....sure, local account is fine. But for those with multiple devices....it's nice to have all those accounts "automatically synced". Not just files via OD, but, ..Edge browser does the same that Chrome does with a GMail account..syncs everything...which is cool and useful. Software purchases via Microsoft store, as well as other licensing, are synced across devices. The old topic of this thread, Bitlocker, the key is saved there. End user can employ more secure login methods...Windows Hello...via facial recognition or fingerprint or PIN. While yes "some" of this can be manually done through a local user account...it's just not as smooth, and..let's face it, we're talking about relying on end users to do that stuff and maintain it. Which..well, it's something I'd do...because having it controlled...automated...is much better, it removes human error/human lack of paying attention/human laziness. Example? OneDrive can be prone to "kicking out" of sign in with a local account. When you sign into a MS account, it's more enforced/automated. Esp a biz account when it's managed via InTune.

Disadvantages of a Microsoft account for home user? Much shorter list for me..and most of it...it's a non issue. I'm sure there's cases where a password is not wanted...just boot the device right up to desktop. For a "non savvy home user"..I suppose the debate could be made that, they won't know, or they forgot, or they lost...their Microsoft account credentials. Of course when done correctly, losing bitlocker keys is a non-issue. A local user account can be popped/reset easily with many of the free tools out there. Microsoft "personal" account can't be reset easily, more of something the end user has to have/know. But again, when done "properly"...Microsoft personal accounts can still be great and do have advantages.
 
The cloud account also enables the family protection components, so your parental controls of the windows environment to configure screen time limits, and other similar things as a parent are ALL LINKED to the personal Microsoft account.

The account the kids have to have to play Minecraft, is the same as they have to have to use XBOX gaming services online. All of this is controlled in the same place, and my relationship as a parent is defined via my personal Microsoft account, and linked to my kids and associated to my wife.

None of this is possible without that account structure.

My argument has always been, and will continue to remain...

You cannot use an iPhone without an Apple account.
You cannot use an Android without a Google account.
People need to get used to the idea of not being able to use a Windows device without a Microsoft account.

There is no such thing as a communications device that remains offline, and offline is the only place local accounts belong.
 
Edge browser does the same that Chrome does with a GMail account..syncs everything...which is cool and useful
Yes I use that with Edge, with local account login that also remembers my MS account for apps. See the screen shot above showing local account with MS account authorised for use in Microsoft apps.
Software purchases via Microsoft store, as well as other licensing, are synced across devices.
As above, works with local account login.
The old topic of this thread, Bitlocker, the key is saved there.
Device encryption is not activated automatically for local accounts, that's one of the benefits.
End user can employ more secure login methods...Windows Hello...via facial recognition or fingerprint or PIN.
I agree a Microsoft account login could be more secure, e.g. because the old local account password reset methods won't work.

The PIN can be used with local account if a password is set (not in earlier Windows 10 versions). Correct me if I'm wrong, but I thought fingerprint, facial recognition and PIN merely provide an alternative to entering a password, but the password can always be used instead so those things don't increase security. Unless there is a way to force the use of password & biometric combined?
OneDrive can be prone to "kicking out" of sign in with a local account.
Not if the local account is authorised to supply the saved MS account details to apps, which is the default after a MS account is entered into an app for the first time.
The cloud account also enables the family protection components, so your parental controls of the windows environment to configure screen time limits, and other similar things as a parent are ALL LINKED to the personal Microsoft account.
Fair enough, I haven't played with that or heard of any of my customers using it. Sounds like a reason for MS account login in that specific circumstance.

You cannot use an iPhone without an Apple account.
That's correct I think.
You cannot use an Android without a Google account.
That's not correct. Many of the preinstalled apps and phone/sms functions can be used without adding a Google account.
People need to get used to the idea of not being able to use a Windows device without a Microsoft account.
Why though if everything they need to do can be done without MS account login? Microsoft services aren't essential, but if wanted they can all be used seamlessly with a local account (apart from parental controls it seems).

Microsoft has continued to allow local account use and there is no sign of that being taken away. Apart from the seeming enforcement at initial startup (that can be bypassed with a Microsoft provided script), the use of local account has become more seamless in the last few years, and they've even reduced the trickery that results in end users switching to MS account login without them realising.

To be clear, I'm not totally against MS account login and will happily setup that for customers. By default though, I use initial local account login to setup customer PCs. Sometimes I switch to MS account login on request or as my recommendation for people that want maximum security.
 
Correct me if I'm wrong, but I thought fingerprint, facial recognition and PIN merely provide an alternative to entering a password, but the password can always be used instead so those things don't increase security.

That would be incorrect, at least under Windows 11. Open Settings, Accounts, Sign-In Options.

You can choose to force only Windows Hello login methods. That can be a PIN or any one of the biometric methods that the given machine supports. Mine supports facial recognition (which I don't use) and my partner's supports fingerprint.

[Screenshot 1694045716385.png: Settings > Accounts > Sign-in options, Windows Hello-only toggle shown Off]

As you can see, mine is off. Since a PIN is only locally stored, that will work whether you have an internet connection or not. If the above noted setting is Off, you can flip-flop over to using your password. If it's on, you cannot.

I've never had a situation to test whether, when that setting is ON, and PIN login fails, whether a failsafe allowing password is supported.

As to Android without a Google Account, you are technically correct, but @Sky-Knight is practically correct. Trying to use an Android device as most of us want to use a smartphone is absolutely impossible without a Google Account. The device is so neutered without one that only its most basic functions are available.
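Two things argued back and forth in the last several posts can be read straight off a machine rather than debated: which of its enabled accounts are local and which are Microsoft-account linked, and whether the "only allow Windows Hello sign-in" toggle from the Sign-in options screenshot is on. The function below is an added example and is not code from anyone in this thread. Get-LocalUser and its PrincipalSource property (Local vs. MicrosoftAccount) are the real cmdlet and property; the registry value used for the Hello-only toggle (DevicePasswordLessBuildVersion under the PasswordLess\Device key) is the value that toggle is widely documented to write, but treat that mapping as an assumption to verify on your own build. Run it from an elevated 64-bit PowerShell.

```powershell
# Added example (not from the thread): report sign-in posture of the local machine.
#   1. Enabled accounts, local vs. Microsoft-account linked (Get-LocalUser PrincipalSource).
#   2. State of the "only allow Windows Hello sign-in" toggle, read from the registry value
#      the Settings toggle is documented to write (assumption: verify on your build).
#Requires -RunAsAdministrator

function Get-SignInPosture {
    [CmdletBinding()]
    param()

    $accounts = Get-LocalUser | Where-Object Enabled | ForEach-Object {
        [pscustomobject]@{
            Name             = $_.Name
            PrincipalSource  = $_.PrincipalSource      # Local or MicrosoftAccount
            PasswordRequired = $_.PasswordRequired     # $false = boots to desktop with no password
            PasswordLastSet  = $_.PasswordLastSet
        }
    }

    # Assumed mapping: 2 = Windows Hello only (password sign-in hidden), 0 = password allowed.
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PasswordLess\Device'
    $value = (Get-ItemProperty -Path $key -Name DevicePasswordLessBuildVersion -ErrorAction SilentlyContinue).DevicePasswordLessBuildVersion
    $helloOnly = switch ($value) {
        2       { 'On'  }
        0       { 'Off' }
        default { 'Value not present (toggle never set, or mapping differs on this build)' }
    }

    # Findings a technician would act on (this example's own wording)
    $findings = @()
    if ($accounts | Where-Object { -not $_.PasswordRequired }) {
        $findings += 'At least one enabled account signs in without a password.'
    }
    if (($accounts.PrincipalSource -contains 'MicrosoftAccount') -and $helloOnly -ne 'On') {
        $findings += 'Microsoft-account linked sign-in still accepts the cloud password locally; consider Windows Hello only.'
    }
    if (-not ($accounts.PrincipalSource -contains 'MicrosoftAccount')) {
        $findings += 'No Microsoft-account linked user: BitLocker recovery keys are not being backed up to an MS account by sign-in alone.'
    }

    [pscustomobject]@{
        Accounts         = $accounts
        WindowsHelloOnly = $helloOnly
        Findings         = $findings
    }
}

# Usage: Get-SignInPosture | Format-List
# Usage: (Get-SignInPosture).Accounts | Format-Table
```

The third finding is deliberately neutral on the thread's argument: it only records that, on a machine with no Microsoft-account linked user, the recovery key has to be stored by some other deliberate step (the audit in the earlier example prints it for that purpose).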
 