Windows 11 Pro will require Microsoft Account.

nlinecomputers

Microsoft is going to force you to either have a Microsoft Account, join a domain, or Azure Active Directory on first boot up. This means an internet connection is also required. Not all business PCs have internet connections, not all customers want to buy into Office 365/Microsoft 365. While I encourage use of an M$ Account and sell M365, it's not a fit for everyone. This is a bad move and needs to be stopped as an antitrust issue.

 
Are you going to sue Apple and Google too?

But in all seriousness, every single one of our clients that doesn't want any of the above needs to have an MS account anyway. All of their equipment uses that account for the admin signon if for no other reason than to have an account that's holding the recovery keys for device encryption. This tech is fundamental to everything Microsoft is doing, it's going forward... plan for it... or die by it.
 
Give me internet in the freaking nowhere and we will talk. Internet connections in the oil patch are more miss than hit. Even if they eventually join AAD sometimes you have to deploy in the field. This just complicates such things.
 
This practice will have to end then, because if you deploy without Internet, when the unit comes online a user can click a prompt and with a single login wind up being the one that owns the recovery key.

This is true of Windows 10 with TPM enabled too... this situation isn't new, what's happening now is you're being forced to manage it.
 
Again, not every company wants to subscribe to Microsoft 365. The problem in a business setting is that personal Microsoft Accounts are not suitable for business, as personnel change and generic MSAs tend to get lost. This is just making Windows into a subscription by forcing you to be tied to a second subscription. What of the organizations that adopted Google Workspaces?

And speaking of BitLocker. What happens to machines that are set up and encrypted under one M365 AAD account but are repurposed to a new user? I know you can manually have the key backed up to AAD, but does the process of changing the M365 license automatically save the existing key to every account? If not, we techs are going to have to remember to add backing up the key to AAD as part of our SOP for re-provisioning a PC.
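The manual AAD backup mentioned above, as an added example (not from any poster in this thread) of a re-provisioning check: it assumes an elevated PowerShell session on Windows 10/11 with the BitLocker module, and that the device is Azure AD joined (verified with dsregcmd).

```powershell
# Added example: verify BitLocker recovery protectors and escrow them to Azure AD
# before a machine is handed to a new user. Assumes an elevated PowerShell session
# on an Azure AD joined Windows 10/11 device with the BitLocker module available.

# An unjoined device has no directory object to hold the key, so stop early.
$status = dsregcmd /status
if ($status -notmatch 'AzureAdJoined\s*:\s*YES') {
    throw "Device is not Azure AD joined; there is no directory object to escrow the key to."
}

foreach ($vol in Get-BitLockerVolume) {
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        Write-Output "$($vol.MountPoint): not encrypted, skipping"
        continue
    }

    # Only a 48-digit recovery password protector can be backed up to the directory.
    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) {
        # No recovery password exists yet (TPM-only volume): add one, or there is nothing to escrow.
        $vol = Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector
        $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }

    # Escrow every recovery password protector to this device's Azure AD object.
    foreach ($p in $rp) {
        BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $p.KeyProtectorId
        Write-Output "$($vol.MountPoint): protector $($p.KeyProtectorId) backed up to Azure AD"
    }
}

# Event ID 845 in the BitLocker Management log records a successful Azure AD backup;
# 846 records a failure. Check it before signing off on the re-provisioning.
Get-WinEvent -LogName 'Microsoft-Windows-BitLocker/BitLocker Management' -MaxEvents 10 |
    Where-Object { $_.Id -in 845, 846 } |
    Format-List TimeCreated, Id, Message
```

On a machine linked to a personal Microsoft account rather than AAD joined, the equivalent check is that the key shows under that account's devices at account.microsoft.com; the cmdlet above only targets Azure AD.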
 
You really do not understand how AD works do you?

There is a difference between computer accounts and user accounts... computer accounts are created when a device joins a directory, THAT is where the encryption stuff is stored, it has nothing to do with the user.

If the company doesn't have AAD or AD, then the machine will still need to be joined to an AAD, this is the PERSONAL Microsoft login, which will simply collect machines. And the only reason you're doing it is again to get that computer account that has the recovery key stored in it. You don't actually have to use those accounts for day to day, you just need one on the box to link the device to the directory.

That free account is exactly that too... so away with you and your subscription paranoia. This is about TPM and how the new authentication models use it to secure things, and the device encryption.

P.S. Google Workspaces doesn't secure the endpoint, never has... never will... and therefore is a huge hole in the security of any organization.
 
I never find it under the device name directly. I have to find the user and then find the device under the user. If I look at the top level at just the device I never can find the key there. It's supposed to be as you say but I've never seen it.
 
That's for the Business stuff, and that also makes no sense. It's in Azure AD and it's under the computer account for that machine in AzureAD. The User -> Computer path you're taking just takes you to the computer's account via the user's. It's not different... But also easier to get at it that way because far too many of these machines have gibberish for names, or very similar names, which can make finding the correct account a challenge.

Joining a machine to Azure AD requires M365 Business Premium to do this by the way, if you don't have Azure Plan 1 or greater... you're stuck joining those machines to a personal account. You don't have Windows Hello for Business anyway.
 
What free account? The free level of Azure Active Directory requires at least one subscription. Personal Microsoft Accounts are what the OP link is referring to. If you don't subscribe to some form of Microsoft 365, you don't get any AAD free level or premium. That is an ADD-ON to M365.

And you don't have to sell me. I am fully on board. But I can't convince all my clients. Some clients don't trust "the cloud". They are idiots, but I need 'em to pay the bills. And in spite of what Microsoft thinks, that segment is bigger than they think and can't be ignored. They get to buy Office from Staples, as I won't sell to them.
 
@nlinecomputers

If you have a customer that uses M365 Business Standard or Basic, OR doesn't have M365 at all... they DO NOT HAVE AZUREAD that can support Windows Hello for Business. And as such, each of their machines needs to be linked via Windows Hello to a PERSONAL MICROSOFT ACCOUNT.

Make an email at Outlook.com with their name on it, MFA it with a TOTP authenticator, share the tokens with them, and USE THAT to setup the first admin logon on each system.

Then you can make local logins for the actual users.

NONE OF THIS IS M365 RELATED! It's the "free personal" stuff Microsoft does.

None of this is NEW; you should have been doing this on any TPM integrated equipment for Windows 10, and if you have not, you're MISSING RECOVERY KEYS! Which will be bad!
 
Certain clients really do have to be dragged, kicking and screaming, into the 21st century. There is no choice involved, so don't give them one.
They do have a choice... to not use Windows.

But in this case Microsoft is doing some really interesting things with TPM that I hadn't considered until I had the chance to attend their cloud security week last week. Formal training on this topic really helped!

TPM is being used as a seed engine for encryption. PINs on login on the surface seem less secure because they're easier to guess, but they CANNOT BE USED for any sort of network access. They are locked to the hardware they're assigned to, and only for physical terminal access. The hashed password behind the scenes connects to a Windows Hello, or Windows Hello for Business, identity that digitally defines the user themselves. This, on top of the machine accounts that have always existed, gives admins the ability to zero trust on a level we've simply never been able to do before.

We can in the new world... not trust the machine, not trust the user, and incrementally open access on demand! It's incredibly complex, and I don't expect many to even really delve into it. But the TLDR here is a superior user experience that's easier to use AND more secure, all at the same time. Microsoft is not going to give admins or users the ability to say no here... They've planted their flag. You will be part of this new world or you will leave their ecosystem.

All of this makes Active Directory look as dated and useless as NT 4.0 domains did when Windows 2000 introduced AD. It's time to evolve.
 
Yes, I am aware of all that. That is my complaint. Setting up information like that gets keys lost. End users are idiots, and this mess is one of the selling points for going to Microsoft 365, so that you don't lock the keys in the car. But end-users are idiots and don't trust the cloud, so you can't sell them on the benefits like having AAD manage all of this for them, instead of a spreadsheet with passwords on it that gets forgotten.

Again, I am sold. Most of my clients are sold on it. But we all have that paranoid/nutjob/cheapass segment that having a local account at least bypassed.
 
How? The only way the data gets lost is if you're not deploying the machine correctly. You'll have the keys in a personal account with their name on it...

Also, any other admin accounts that merge with a personal account will ALSO get the recovery key. That thing is stupidly easy to get, but you do need an account on it that has admin rights that's merged and pin locked, reboot and POOF that machine is recoverable.

We cannot be Dell...we can't just drop a machine and run anymore. But that's not a bad thing, that's a GREAT THING for everyone on this board. Manage the tech, get paid for it! Or get paid to fix it...
 
'Cept that users don't remember they have an M$ account. You can hand all the paperwork you want to these clients and they shove it in a drawer and forget it. And PIN numbers just make the process worse. How many clients, when asked what their Microsoft account password is, both deny such an account exists and insist that the PIN is the password? Not every small business jumps on the managed services bandwagon. I still have break-fix clients, and those are clients that are going to get burnt by this. I promote encryption, Microsoft 365, etc., but it has to be OPT-IN, not forced or automatically done in the background, because END-USERS ARE STUPID.
 
You aren't understanding what I'm telling you, completely missing the point!

If you make a user on a machine, the local admin user during initial setup, YOU LINK THAT ACCOUNT to a personal Microsoft account, and then make a NEW LOCAL ONLY ACCOUNT for the end user. If the END USER links their account, it JUST DOESN'T MATTER!

Because all cloud accounts on the platform that have admin rights will get the recovery key! So you can have it, and your customer can have another account that does the same, and NEITHER of the accounts need be the daily driven accounts on the desktop!

If the users do not deal with this correctly, and wind up in our shops... we get to charge them for a N&P and then teach them. They'll either learn or lose their data AGAIN, and AGAIN, and AGAIN until they do.

And I do not CARE anymore. The above is how I feed my kids, and if at this stage people wish to continue being willfully stupid, I'm going to HAPPILY take their money and put it in my account.
 
Unless the client is paying me to manage the system, I don't keep passwords. Not their free babysitter.
Then they pay you to do nuke and paves later! Either way, you win!

But even the break fix people should have a Microsoft account to link their junk to, you're going to need that to service them correctly. Because if you don't, they'll probably blame you when the bomb goes off.

But yet, you're right, that's a liability... Which is yet another reason why break fix doesn't really work in the modern world. But I know... We still try... Don't know why some days, but we still try.
 
Also, if my client objects to a Microsoft Account how are they going to react to one on the disabled administration account? Cue the paranoid.
 
Again, their choice is to not use Windows.

But oh wait... they already HAVE a cloud account... personal ones... for Android or iOS BOTH require PERSONAL Google or Apple accounts just to turn the phones on. The business accounts don't even come until later!

And the crazy part? The reason these devices are cloud integrated is EXACTLY THE SAME as Microsoft wants for Windows. Online password reset, a backup target for encryption keys, and a TPM module to manage the pin / pattern / biometric unlocks.

The truly paranoid have no choice but to do Linux, and flip phones.
 