Microsoft-Account Requirement bricks core Windows functionality!

Talkingstreet

As Windows 11 is about to make a Microsoft Account mandatory for all new installs, many have raised multiple concerns, from privacy to anti-trust behaviour. But I haven't seen anyone talking about the fact that logging in with a Microsoft-Account bricks core Windows functionality:

 

The root of the problem is that even though Windows will display your Microsoft-Account name as the user-name, deep down Windows requires a real account name. (E.g. the one it lists when you call the "net users" command, or the one you have to use when doing anything with the terminal, or the one your user folder is named after.) The problem is that it chooses the first five letters of your Microsoft-Account E-Mail-Address at the time of setup!

Additionally even though you log into your computer through Windows Hello, deep down Windows requires a real password. And it uses the one of your Microsoft Account during PC-Setup WHY??? The problem is that soooo many services rely on these "true" log in details. Not only the command line or the file system rely on this information, but nearly every Windows functionality introduced before Windows 10. So also network folders / shared folders and many more.

 

It gets even worse when you forcefully change these things through the command line (you can't do it in the settings). Either it doesn't work because the Microsoft-Account somehow just reverts the changes, or it destroys your installation. (Both happened to me)

 

And we haven't even talked about the fact that it is very common in a lot of companies or schools to have a central data storage server with all the user data and for the users to be able to log in from every computer connected to this so-called "windows domain". It completely bricks that very useful functionality.

Link to comment

Businesses and companies are expected to run Windows Enterprise / Education versions, which are not subject to these requirements.

However as far as I know you can still force an offline setup in Windows 11 using the trick below so that you don't have to create a MS Account.

 

Once you get to the Out of Box Experience

Press Shift + F10 to launch command prompt

Type: taskkill /F /IM oobenetworkconnectionflow.exe

Close command prompt

Link to comment

You are wrong. Enterprise / Education versions are subject to those requirements. And the removal of possible tricks you mention prompted me to make this post.

And anyway a non-technical user won't be able to use those tricks, but they still use basic Windows features like file sharing.

Link to comment

2 hours ago, Talkingstreet said:

As Windows 11 is about to make a Microsoft Account mandatory for all new installs, many have raised multiple concerns, from privacy to anti-trust behaviour. But I haven't seen anyone talking about the fact that logging in with a Microsoft-Account bricks core Windows functionality:

Microsoft doesn't need you to make an account to track you or associate your data with your account. That is a misconception.

It already has all the info they need to identify you, if they want to. 

 

The reason Microsoft, Apple (iOS), and Google force you to make an account (technically, yes, you technically don't need to make an account on Google and Apple (iOS) devices, but your experience is severely lacking. In other words, you are forced to make an account) is more for YOU, the user, to get started using the company services. If you already have a Microsoft account, you will be more easily pushed to get the services, use the platform app store, and so on. That is the real reason.

 

 

2 hours ago, Talkingstreet said:

The root of the problem is that even though Windows will display your Microsoft-Account name as the user-name, deep down Windows requires a real account name. (E.g. the one it lists when you call the "net users" command, or the one you have to use when doing anything with the terminal, or the one your user folder is named after.) The problem is that it chooses the first five letters of your Microsoft-Account E-Mail-Address at the time of setup!

Yup. I agree. They added at some point the ability to network the computer. It should have the ability to set the account name.

 

 

2 hours ago, Talkingstreet said:

Additionally even though you log into your computer through Windows Hello, deep down Windows requires a real password.

That's normal. But the password isn't stored on your system in text form. Microsoft did a proper secure implementation for Microsoft linked accounts.

 

2 hours ago, Talkingstreet said:

And it uses the one of your Microsoft Account during PC-Setup WHY??? The problem is that soooo many services rely on these "true" log in details. Not only the command line or the file system rely on this information, but nearly every Windows functionality introduced before Windows 10. So also network folders / shared folders and many more.

I am not sure I am following you. The passwords stored when you "save the password" when you network access a system aren't stored in plain text; they are very well encrypted.

 

2 hours ago, Talkingstreet said:

It gets even worse when you forcefully change these things through the command line (you can't do it in the settings). Either it doesn't work because the Microsoft-Account somehow just reverts the changes, or it destroys your installation. (Both happened to me)

Again, I am not sure I am following you; can you share an example?

 

2 hours ago, Talkingstreet said:

And we haven't even talked about the fact that it is very common in a lot of companies or schools to have a central data storage server with all the user data and for the users to be able to log in from every computer connected to this so-called "windows domain". It completely bricks that very useful functionality.

 

No, it doesn't. You are issued a company/school account on a domain-joined system, and you use that to log in.

The School/Company/Establishment created the account for you, and you use that. It cannot guess what your account is... if that is what you are saying.

 

Notice how you are at the OOBE (Out of the Box Experience), the first-time setup screen. It asks you if this system is a Home PC or a Work/School PC. For Home/Work, you'll use the company/school issued email address, and it will automatically domain join the system to the company/school network and apply company/school policies and install any provided programs. This was done to help IT in small companies and schools, and gives the power for companies to tell their employees "Here is money, buy what you want if you know what to buy, and just sign in with the company/school account, and everything will set up for you. No need to bring the system to the office/school and require manual setup." (Or situations along those lines... think remote work as well).

 

As for IT system setup for system deployment, Enterprise and School licenses don't require a Microsoft account. For all editions of Windows, you also have Audit Mode (Ctrl+Shift+F3 anywhere in the OOBE screen), to have a temporary local account made to install drivers and programs, and set up the device for all future users. If a company somehow uses Pro, then instead of making an account "Admin", they will just make the account "it@company_name.com". Same thing at the end of the day... in fact better, as they have it automatically join the system to the domain, and set up all programs automatically. They just need to fine-tune anything they may want to, and off they go. The system is ready.

 

 

 

Link to comment

Concerning the password:

When you set up your PC through a Microsoft-Account you choose how you want to log into your PC. There are several options:

facial recognition, fingerprint, PIN, Microsoft-Account password, picture-password or a security key.

These ways of unlocking are tied/related to your Microsoft-Account. (You can't use them without an account)

 

But the Windows system needs something I call a "true" password, so a password like this "true" username I mentioned. It's for all the systems that don't integrate with the Microsoft-Account yet, because the fundamental idea of our modern computers needs some sort of local user.

 

Now network-shares and a lot of other services still work with this "hidden" local user and a "true" username and password.

In addition to that I have found out through setting up multiple PCs and searching the internet that the "true" username is set as the first five letters of your Microsoft-Account email-address and the "true" password is set as the password you used at that time with your Microsoft Account.

(just type the phenomenon I mention into Google and also here are some other reports from years ago up until a few months ago (there are a lot more, this is just a selection):

https://www.reddit.com/r/Windows10/comments/58lv09/windows_use_first_5_letters_of_our_email/

https://www.reddit.com/r/Windows10/comments/79af5i/why_does_windows_uses_the_first_five_letters_of/

https://www.reddit.com/r/Windows11/comments/q2jkor/are_user_account_folder_names_still_truncated/

https://www.reddit.com/r/Windows10/comments/gmoewj/any_way_to_rename_user_folder_name_without/

https://www.reddit.com/r/Windows10/comments/44xnr0/microsoft_account_users_what_is_your_user_folder/

)

 

Even though Microsoft, as you are correct to point out, obviously hashes the passwords, my guess is when you type your account details in during setup they are used to generate the "hidden" / "true" user.

 

I hope that clears up the questions.

 

Link to comment
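
The account name, display name and profile folder discussed in the post above can be compared directly on a given machine. This is an added example, not part of the original post: a read-only PowerShell listing built on Get-LocalUser and the Win32_UserProfile CIM class; the output column names are chosen here for illustration.

```powershell
# Added example: show, for every local account, the SAM name ("net users"),
# the display name, where the account comes from, and its profile folder.
# Read-only; assumes Windows PowerShell 5.1 or later on the machine in question.

# Profile folders are recorded per SID, so index them by SID first.
# "Special" profiles belong to system accounts and are skipped.
$profileBySid = @{}
Get-CimInstance -ClassName Win32_UserProfile |
    Where-Object { -not $_.Special } |
    ForEach-Object { $profileBySid[$_.SID] = $_.LocalPath }

Get-LocalUser | ForEach-Object {
    $sid    = $_.SID.Value
    $folder = $profileBySid[$sid]        # $null if the user never signed in

    [pscustomobject]@{
        SamName       = $_.Name              # name used by net use / SMB / icacls
        DisplayName   = $_.FullName          # name shown on the sign-in screen
        Source        = $_.PrincipalSource   # e.g. Local or MicrosoftAccount
        Enabled       = $_.Enabled
        ProfileFolder = $folder
        # True when the folder under C:\Users carries the same name as the account
        FolderMatches = if ($folder) {
                            (Split-Path -Path $folder -Leaf) -eq $_.Name
                        } else { $null }
    }
} | Format-Table -AutoSize
```

The SamName column is the value to use when granting share or NTFS permissions to an account whose Source is MicrosoftAccount.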

5 hours ago, Talkingstreet said:

You are wrong. Enterprise / Education versions are subject to those requirements. And the removal of possible tricks you mention prompted me to make this post.

And anyway a non-technical user won't be able to use those tricks, but they still use basic Windows features like file sharing.

Sorry, but you are wrong on this, as such a move would mean Microsoft have to retire Microsoft Deployment Toolkit and Microsoft Endpoint Configuration Manager, as devices would not be able to be imaged. There are also plenty of outlets stating the changes are for Home / Pro versions.

Link to comment

5 hours ago, GoodBytes said:

It asks you if this system is a Home PC or a Work/School PC. For Home/Work, you'll use the company/school issued email address, and it will automatically domain join the system to the company/school network and apply company/school policies and install any provided programs.

say what now??? so now you gotta have 3 separate accounts on the computer for windows for each person???

- personal junk

- work

- school

 

that would actually go a long way to explaining the mess my daughter had on 1 of her computers with windows on it...  it really didn't appear to like having mixed items under the same user account

 

aka school stuff + personal stuff

current main system: as of 1st Jan 2023

motherboard : Gigabyte B450M DS3H V2

CPU: Ryzen 5 3600

ram : 16Gig Corsair Vengeance 3600mhz

OS :multi-boot

Video Card : RX 550 4 GIG

Monitor: BENQ 21 inch

 

Link to comment

4 hours ago, cretsiah said:

say what now??? so now you gotta have 3 separate accounts on the computer for windows for each person???

- personal junk

- work

- school

Well, you should not be mixing school and personal, nor work and personal in any case.

This is also why most companies give you a work laptop/desktop. And typically, it is even company policy to keep things separate.

This has nothing to do with Microsoft, or Windows, this applies no matter your system and OS.

 

Same with phones if you have a company issued one. It is for work and only work. So, unless you have a dual SIM device, you are carrying 2 phones.

You may need to use a second account on a dual SIM phone even if you want to use a single device. That could be a requirement, although it is a rare thing to be asked, to my knowledge, but phones can do this.

 

4 hours ago, cretsiah said:

that would actually go a long way to explaining the mess my daughter had on 1 of her computers with windows on it...  it really didn't appear to like having mixed items under the same user account

Each user should have their own account, which is the whole point of accounts. This doesn't matter if it is an MS account or a local account.

If you are a parent, you'll soon, and you'll want to set up a MS-Link account for your daughter in any case for parental control. Or you can have fun pulling away the keyboard and mouse, the old-fashioned way, I guess, and physically monitor what they do online all the time.

 

Link to comment

2 hours ago, GoodBytes said:

Well, you should not be mixing school and personal, nor work and personal in any case.

This is also why most companies give you a work laptop/desktop. And typically, it is even company policy to keep things separate.

This has nothing to do with Microsoft, or Windows, this applies no matter your system and OS.

 

Same with phones if you have a company issued one. It is for work and only work. So, unless you have a dual SIM device, you are carrying 2 phones.

You may need to use a second account on a dual SIM phone even if you want to use a single device. That could be a requirement, although it is a rare thing to be asked, to my knowledge, but phones can do this.

whilst the practice and the sentiment of this idea is great, we both know that it gets violated on a constant basis and sorry to be bearer of bad news, it doesn't work in every case not at the OS level, email maybe with discipline... this is not really always feasible for everyone, having a computer for every aspect of digital life.

 

2 hours ago, GoodBytes said:

Each user should have their own account, which is the whole point of accounts. This doesn't matter if it is an MS account or a local account.

i'm not talking 1 account each here as in 1 for mum, one for dad, one for the kid, i'm saying based on what you said mum has 3 accounts, dad has 3 accounts, kid has 3 accounts on one computer at the OS level not Email level,  not to mention how much slower windows gets every time you add another account....

 

3 hours ago, GoodBytes said:

If you are a parent, you'll soon, and you'll want to set up a MS-Link account for your daughter in any case for parental control. Or you can have fun pulling away the keyboard and mouse, the old-fashioned way, I guess, and physically monitor what they do online all the time.

Parental controls aren't that great at the best of times, then there is the fact they mean diddly squat anyway once your kid hits certain age brackets (13-16-18 depending on which service(s) is being used ) ..... 

there are things like Net Nanny which try to improve control too but generally i've found they are more intrusive and annoying than helpful....

 

as for my daughter i think we done alright there, thanks muchly......

  wasn't her fault that she had to use her personal computer for school stuff either, she was just lucky she had one, seeing as the school's replacements were knackered or non existent

 

 

 


 

Link to comment

Check out my post about completely side-stepping the Microsoft account requirement

 

Link to comment

34 minutes ago, Ratgrot said:

Check out my post about completely side-stepping the Microsoft account requirement

 

It doesn't help him. He will still face multiple accounts for work, school and home. Local or MS-linked, it doesn't matter.

 

What he asked is Windows 9x or MSDOS, where the concept of accounts didn't really exist, nor domain joining, and so no work/school IT can push policies and software to it, and so, he is free in mixing everything together, and requires IT manual access to the system to do anything.

 

The reality of things is that typically, a high-school student or elementary school student doesn't have a job at the same time as their school, where such job requires them to have a computer as well as their school.

 

For adults who are in the work field they'll be on two devices regardless, their personal PC and their work PC (typically issued by the company).

PCs issued by work tend to have security software tied to the company security infrastructure. Those are many times very demanding on the system resources, a cost that the company is ready to have, if it means saving potentially millions from data breaches of any kind. Typically, company account policies are also applied, and the device is managed by the company IT department. 

 

As for a student who needs a computer, normally the school provides one for school usage only, or requires parents to buy/issue one.

Such a system lent to students or acquired by parents is normally an iPad or a Chromebook. This is mostly because there is no other budget choice. Android tablets tend to be awful at best. In addition, despite Microsoft's best efforts, they can't have OEMs or themselves really make low-cost devices competitive with Chromebooks. Microsoft, like OEMs, is stuck with awful, overpriced products by Qualcomm and Intel in that segment. And so, Microsoft is being forced out from this space by those CPU/SoC companies. All Microsoft can do is play the waiting game until low-end CPUs and SoCs get to a state of performance where the system is usable. (ChromeOS has a lot of similarities to Android, and so gets day-1 driver support (same drivers, basically), and carried its lightweight design, at the cost of a full-fledged OS... doesn't need MediaTek or Qualcomm to make specific drivers for that OS, or make the CPU require special CPU instruction support for best performance)

 

If one, as an employee of a company, chooses to bypass work-issued laptop/account all to mix one's personal PC with a work PC, where this is going against, typically, company policy, then that is up to you. You are the one taking the risk and if there is a compromise of any kind affecting the company data or infrastructure, you are responsible, not IT.

Link to comment

On 7/4/2022 at 3:38 AM, GoodBytes said:

What he asked is Windows 9x or MSDOS, where the concept of accounts didn't really exist,

not quite ....

 

if you only have available ONE computer for all these things for your family then you are kind of in trouble.

with win 98, win xp, win 7 every time you added a new user userspace the whole system would start to slow down.

 

as for domain joining ( this sort of makes sense in the work environment even school  )

..... so you go to use your computer and it has a hissy fit because no network available, so now your IT  department can't push updates anyway but you can't use your computer because it can't phone home to let you log-in either to do your work .. this seems a little problematic to me...

- or are you now going to say that the work computer set-up by decent IT people is now going to have 2 accounts on the work computer ( which you have argued against ) one for when the network is available and one for when it's not ?   

 

for schools here it's even worse because half the time they can't log-in to the school's portal to do their work and all their programs are provided through the school portal ....... the actual teachers have just as much trouble as the students 

 

 

On 7/4/2022 at 3:38 AM, GoodBytes said:

For adults who are in the work field they'll be on two devices regardless, their personal PC and their work PC (typically issued by the company).

PCs issued by work tend to have security software tied to the company security infrastructure. Those are many times very demanding on the system resources, a cost that the company is ready to have, if it means saving potentially millions from data breaches of any kind. Typically, company account policies are also applied, and the device is managed by the company IT department.

this works for big businesses yes, it's not so great or as easy for small businesses

 

On 7/4/2022 at 3:38 AM, GoodBytes said:

If one, as an employee of a company, chooses to bypass work-issued laptop/account all to mix one's personal PC with a work PC, where this is going against, typically, company policy, then that is up to you. You are the one taking the risk and if there is a compromise of any kind affecting the company data or infrastructure, you are responsible, not IT.

wasn't there major arguments over this about when people were considered to be on their own time, i believe some businesses ended up adding a " public use computer " in an attempt to help circumvent this issue ...... but there are still videos online of people being caught doing / watching the wrong thing at work.

 


 

Link to comment