What is the best practice now for user creation when reinstalling Windows and the customer is not present?

Blue House Computer Help (Cambridge, UK)
I'm having trouble with the Technibble search not working, and a quick skim of this forum didn't show me anything about it so...

What is the best practice now for user creation when reinstalling Windows 10 or 11 and the customer is not present to put in their Microsoft account information? I do need to log in as the user to restore files from Fabs and make sure it looks just right.

I have always just done the "Continue with limited setup" option instead of connecting to Wi-Fi in order to create a local account, and I know if you create your Windows 11 installer with Rufus you can continue to use that option, but I'm just wondering if that's the way it's meant to be done or if that's just a poor man's workaround?
 
Local accounts can easily be converted into Microsoft accounts if the user wants it.

Windows 11 Home will do all it can to force the issue. So the current trick that works to get around that is to leave the laptop offline, and when it gets to the connect to a network screen you press Shift + F10, and in the command prompt that pops up type in OOBE\BYPASSNRO. This will let you click an "I don't have internet" button, and move forward with local account creation.

It will also bug the ever loving piss out of the user and you as soon as it sees an Internet connection going forward until a Microsoft account is merged, but at least you can bypass the NAGs to setup a system.

Windows 10 does what it always did, and you just have to keep it offline during initial setup to make a local account.

If you don't want to deal with this, only sell machines with PRO on them, because those systems can "join a domain" and skip all this crap.
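The OOBE\BYPASSNRO trick above is just a registry flag plus a reboot: the stock C:\Windows\System32\oobe\bypassnro.cmd writes BypassNRO=1 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE and restarts. As an added example (my own, not posted by anyone in this thread), here is the same thing in PowerShell from the Shift+F10 prompt, with a read-back so you know the flag was actually written before the machine restarts. The function names are mine; the key path and value name are the ones the stock script uses.

```powershell
# Added example, not part of the original thread. Run from the Shift+F10 command
# prompt at the "Let's connect you to a network" screen (type `powershell` first).
# Equivalent to running OOBE\BYPASSNRO: set the BypassNRO flag and reboot, after
# which OOBE offers the "I don't have internet" option for a local account.
$key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE'
$name = 'BypassNRO'

function Set-BypassNro {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-BypassNro {
    # Returns $true only if the value exists and is exactly 1.
    $v = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.$name -eq 1)
}

Set-BypassNro
if (-not (Test-BypassNro)) {
    throw "BypassNRO was not written; the OOBE prompt should already be elevated, so check the key path."
}

# Keep the NIC unplugged / Wi-Fi off through the reboot, or OOBE will still
# steer you down the Microsoft-account path.
Restart-Computer -Force
```

Because it is only a registry value, the same flag can be baked into an image or answer file (which is what the Rufus option mentioned in the first post does for you), so the Shift+F10 step is not needed on every unit.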
 
What is the best practice now for user creation when reinstalling Windows 10 or 11 and the customer is not present to put in their Microsoft account information? I do need to log in as the user to restore files from Fabs and make sure it looks just right.

I think we (as in those of us who do this kind of setup) really need to start asking:
1. Do you have a Microsoft Account?
and if the answer is Yes then getting the login credentials for use when setting up a new machine. And if anyone here says, "I don't want that information!," well, it's no longer a choice (and, to be honest, I don't know of many of us who don't routinely ask for login credentials as part of doing a very great many things we do - it goes with the various territories).

If the answer is no, then do the Q&A to determine if the client has an email account that they'd like to use as a login ID for a Microsoft Account and create it using that, and if they don't, discuss creating a Gmail or Outlook.com account (or similar) and then using that email address as the login ID for a freshly created Microsoft Account.

We have got to "take control of the situation" and the only way that's going to happen is by taking direct action such as the above. Many have already pointed out just how irresponsible it is to create a Microsoft Account with a login ID that the owner of the machine has no idea of what it is or that it exists or how to access the thing.

This isn't exactly an entirely new world to us, but it is to many clients, and we're better off training them about it (and with billable time) than anything else.
 
@britechguy MS is now defaulting MFA configuration, we can no longer ask for this information as it will pop on their phone. But this is only for new setups, after that a pin is created on the endpoint and only the pin is required after that.

Worse if we're setting up the account for them, it's going to get harder and harder to bypass the MFA requirements on both Google and Microsoft platforms.

The age of impersonation is coming forcefully to an end.
 
The problem being that a tech doing a setup is not, in any meaningful sense, "an impersonator."

If MFA of the text or authentication app type is going to become required to set up new computers, then there's going to be a whole lot of noise and a whole lot of hurt until sanity for setup is returned.

Everyone, and particularly technology companies, knows that the vast majority of both business and residential users never have a hand in initial setup of their systems. IT Departments and people such as ourselves have been doing this since PC time immemorial.
 
Too right. Thanks for the good information, both of you.

But the question still remains: what does Microsoft themselves expect techs that are setting up a non-domain-joined computer for somebody else to do?
They expect users to be self servicing...

I'm not joking, they literally do not want techs setting up computers anymore.
 
I'm not joking, they literally do not want techs setting up computers anymore.

And I'm not kidding when I say that, in this instance, what Microsoft expects is irrelevant and unrealistic.

Everyone knows, including Microsoft, how the real world works and will continue to work for the foreseeable future. There is no chance of self-servicing end users becoming the norm. Zero.
 
And I'm not kidding when I say that, in this instance, what Microsoft expects is irrelevant and unrealistic.

Everyone knows, including Microsoft, how the real world works and will continue to work for the foreseeable future. There is no chance of self-servicing end users becoming the norm. Zero.
Why? Apple did it... Google did too.

I agree it's nuts, but it IS what's expected in 2022.
 
By the way, if SMS MFA remains a possibility during setup, then I'd give a number (probably Google Voice) that I have access to during that process, and then after setup is complete log in to the Microsoft Account and make sure that the user's actual mobile number is put in as an update. If the account already exists then I'd ask the end user for permission to tweak for setup beforehand, then reset afterward, even if they need to do the initial tweak to allow that.

As you can see from the above, when necessity dictates working around something a workaround will be found.

This is not an abstraction or a philosophy, real needs that cannot be ignored exist. And the ability for third parties to configure machines is absolutely a real need. Making that more difficult than it need be serves absolutely no one, and people should make a stink about it.

Not everything needs, nor deserves, Ft. Knox grade security.
 
SMS is typically there for recovery purposes, it can be used as MFA on MS's user facing systems too. It can also be used on M365 services on the business side. It's just EXTREMELY discouraged.

The part that makes me cringe is if you look at Google and Microsoft's account recovery processes for the accounts in question, they aren't really providing any extra security, just annoyance. The root of trust in these circumstances is just untrustable. But fixing that requires support, and that's not happening on a free service. So these games just keep getting played.

In the meantime... yeah we're all stuck dealing with it. That's why I do everything I can to use local accounts on Windows still, and will continue to do so via whatever means I have. I do not mind Microsoft bugging users until they convert, that's fine. But I still need to be able to setup a machine.

And in Microsoft's view, that means you setup the machine with your shop's login... Invite the customer's login to their own machine, grant that login local admin rights, and then remove the device from your shop's login online when you're done. Which also means handing a device to the user that is not fully tested AND WORSE... technically doesn't have a working local admin login anymore. But that process provides a clear chain of custody. Which in theory has benefits to both the shop and the customer.

Fortunately, Win11 only requires ONE account to be "Microsoft". So if you hit it with your shop's account, then make a local account as a local admin, and then follow that up with removing the unit from your shop's Microsoft account online... you can still basically do everything the way we've always done it.

The only risk? That process leaves the BitLocker recovery keys not backed up to anything accessible by anyone. So I encourage users to have a MS login, even if they don't use it daily to access their equipment. There's really not much benefit to using a MS login in Windows anyway until you buy an M365 sub.
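The flow Sky-Knight describes (shop Microsoft account, then a local admin, then remove the unit from the shop account online) is where the BitLocker recovery keys fall through the cracks: once the device is gone from the shop account, the only copy of the key that was escrowed is gone with it. As an added example (mine, not from the thread), here is the local-admin step with a membership check, followed by pulling every numerical recovery password off the machine and writing it somewhere the customer controls, so you do that before clicking remove. The account name and the USB drive letter are assumptions; Get-BitLockerVolume needs the BitLocker PowerShell module, which is not present on Home editions, so the script says so rather than silently reporting no keys.

```powershell
# Added example, not part of the original thread. Run elevated on the finished
# machine BEFORE removing it from the shop's Microsoft account online.
param(
    [string]$UserName    = 'Customer',   # assumed; match the old profile name if restoring with Fabs
    [string]$KeyDropPath = 'D:\'         # assumed; a USB stick that goes back with the machine
)

# 1. Local administrator the customer can actually sign in with.
$pw = Read-Host -AsSecureString "Password for local account $UserName"
if (-not (Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $UserName -Password $pw -PasswordNeverExpires -AccountNeverExpires | Out-Null
}
Add-LocalGroupMember -Group 'Administrators' -Member $UserName -ErrorAction SilentlyContinue

# 2. Prove the account is in Administrators before you rely on it as the fallback admin.
$members = (Get-LocalGroupMember -Group 'Administrators').Name
if ($members -notcontains "$env:COMPUTERNAME\$UserName") {
    throw "$UserName is not a local administrator; do not remove the shop account yet."
}

# 3. Enumerate every protected volume and its numerical recovery password(s).
$vols = try { Get-BitLockerVolume -ErrorAction Stop } catch { $null }
if ($null -eq $vols) {
    Write-Warning "BitLocker module unavailable (Home edition?). Use 'manage-bde -protectors -get C:' instead."
    return
}

$report = foreach ($vol in $vols) {
    if ($vol.ProtectionStatus -ne 'On') { continue }
    foreach ($p in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        [pscustomobject]@{
            Drive       = $vol.MountPoint
            ProtectorId = $p.KeyProtectorId
            RecoveryKey = $p.RecoveryPassword
        }
    }
}

if ($report) {
    # The key must live with the customer, not only in a shop account you are about to unlink.
    $file = Join-Path $KeyDropPath "BitLocker-Recovery-$env:COMPUTERNAME.txt"
    $report | Format-List | Out-File -FilePath $file -Encoding ascii
    Write-Host "Recovery key(s) written to $file; hand this to the customer with the machine."
} else {
    Write-Host "No BitLocker-protected volumes on this machine; nothing to escrow."
}
```

If the customer later adds their own Microsoft account, the key can be backed up there as well, but the printed/USB copy is what saves you when the laptop shows the recovery screen and nobody remembers which account it was set up under.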
 
The part that makes me cringe is if you look at Google and Microsoft's account recovery processes for the accounts in question, they aren't really providing any extra security, just annoyance.

I'm not trying to start an argument here, but this is exactly what I have been saying to you, on many occasions, over the last several years.

If you make security requirements onerous, the worse they get the more "stupid workarounds" not only become necessary, but prevalent.

We need to selectively secure based on the sensitivity of what's being secured. Some things don't need ultra-strong security, and shouldn't have it.

Common sense has left the building. MFA-ing everything, drive encryption on for every computer, mobile device, etc., on by default, and the list goes on and on. This is all causing more and more grief, real, genuine grief, as time goes on. The damage it's doing when things go wrong (and I don't mean a security breach in that "go wrong" class - that's a thing of its own) is just immense.

The idea of "tool to task" in terms of how one applies security has just left the building. It's to everyone's detriment.
 
@britechguy Yes, but the part that you're not getting is that on the business side, we can make MFA so brainlessly easy that it's actually easier than a normal password login.

The fact that the personal stuff is so hard is anathema... MFA as a precursor to passwordless signon is the future because it's both safer AND easier.

It doesn't need to be difficult, it's just being made to be so for no real reason.
 
@Sky-Knight

You know what my primary customer demographic is, and that's the context in which my comments, virtually all of them unless noted otherwise when necessary, apply. I made a post a long while back that it shouldn't be necessary for any one of us who post here and who have been posting here for long periods to have to explain our respective milieus each and every time we send a message. I remember your primary customer demographic, you should remember mine, and we both should realize that comments made (except in direct reply to each other) should be thought of in the correct context. If you establish a topic (or post an addition to an ongoing one) I presume your context is business clients unless you say otherwise. When I establish a topic, or add to an ongoing one, the general context is residential clients (or myself, like the CC stuff).

There is a big difference between what your typical residential user needs and what business users need.

Again, it comes down to looking at those needs (and on the part of Microsoft, which is clearly ignoring them) and working in light of same.

When I was one of the end users IN a business setting, it was a given that we would use whatever security mechanisms our employer (really, their IT department) demanded. I have no problem with that.

But those security mechanisms are very often absolutely not useful or helpful to a residential user, and should not be foisted upon them. And when they are foisted upon them, almost invariably the workarounds that come about make security worse, not better.

I know that in one of the books I have by Arthur Bloch, which are collections of variants on Murphy's Law, there is one that reads: Nothing can be made foolproof because fools are just so damned ingenious! When it comes to virtually anything IT related, I have found that observation to be true on far more occasions than I care to remember.
 
Windows 11 Home will do all it can to force the issue. So the current trick that works to get around that is to leave the laptop offline, and when it gets to the connect to a network screen you press Shift + F10, and in the command prompt that pops up type in OOBE\BYPASSNRO. This will let you click an "I don't have internet" button, and move forward with local account creation.
Actually, this is now the slow method, requiring a reboot/etc. Someone discovered that if you punched in a banned email address and any random password, they will just push you straight to the local account creation. For example, punch in "no@thankyou.com". This works for Windows 11. Haven't tried 10 yet.


If you want to get rid of notifications bugging you about Microsoft account and that random full-screen "MOVE TO MICROSOFT" screen, search "Notifications". I don't have a Win11 system in front of me, but this is how it looks in Win10:

[attached screenshot: Windows 10 Settings > Notifications tick boxes]

4th and 5th are the important ones. They have worded them in a way that it is hard to know what they actually do.
 
On a related note to @MudRock's suggestion. Open Settings, Accounts, Sign-In Options Pane and make sure that the toggle that requires use of Microsoft Hello sign-in only for Microsoft Accounts is OFF. Under Windows 11, at least, it now defaults to ON. This is the only way that the use of Password sign-in when offline is supported. I always want the password option for sign-in, regardless of connectivity status.
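For doing the sign-in-options step above on a batch of machines rather than clicking through Settings on each one: as far as I know, that toggle ("only allow Windows Hello sign-in for Microsoft accounts on this device") is backed by the DevicePasswordLessBuildVersion value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PasswordLess\Device, where 0 is Off and 2 is On. Added example, mine and not from the thread; the registry mapping is from my own notes rather than anything posted here, so confirm the toggle reads Off in Settings afterwards.

```powershell
# Added example, not part of the original thread. Turns OFF the "only allow
# Windows Hello sign-in for Microsoft accounts" toggle so password sign-in stays
# available when the machine is offline. Registry mapping is an assumption from
# my notes: 0 = toggle Off, 2 = toggle On.
$key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PasswordLess\Device'
$name = 'DevicePasswordLessBuildVersion'

function Get-HelloOnlyState {
    $v = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 'unset' }
    switch ($v.$name) {
        0       { 'off' }
        2       { 'on' }
        default { "unknown($($v.$name))" }
    }
}

function Disable-HelloOnly {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name $name -Type DWord -Value 0
}

"Before: $(Get-HelloOnlyState)"
Disable-HelloOnly
"After:  $(Get-HelloOnlyState)"
# Then open Settings > Accounts > Sign-in options and confirm the toggle shows Off;
# sign out and back in if the page has not refreshed.
```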
 
Actually, this is now the slow method, requiring a reboot/etc. Someone discovered that if you punched in a banned email address and any random password, they will just push you straight to the local account creation. For example, punch in "no@thankyou.com". This works for Windows 11. Haven't tried 10 yet.


If you want to get rid of notifications bugging you about Microsoft account and that random full-screen "MOVE TO MICROSOFT" screen, search "Notifications". I don't have a Win11 system in front of me, but this is how it looks in Win10:

[attached screenshot: Windows 10 Settings > Notifications tick boxes]

4th and 5th are the important ones. They have worded them in a way that it is hard to know what they actually do.
Handy! And ditto on the notification tick boxes. The bottom three are on my all time most annoying tick box list.
 
If it's a new laptop I use a fresh Media Creation Tool image, that way it is not halfway through the setup process; it also removes bloatware.

Ask client for all account passwords.

- I disable Wi-Fi or choose Limited Setup
- If required backup data via Fabs and note apps installed.
- I setup the account as local - if using Fabs name the account same as older one, if not named USER.
- Install apps such as what was listed BEFORE I initiated backup.
- Install AV if required.
- Deploy Fabs to restore data.
- Run Updates if needed/most not as is a fresh image.
 