Hands-On Windows 120 transcript

Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show
 

0:00:00 - Paul Thurrott
Coming up next on Hands-On Windows, we're going to take a look at local accounts in Windows 11 24H2 and whether they make sense, after I've been advising you for years not to use them. All right, can we take that again, because I think my little bottom bar thing popped up. Coming up next on Hands-On Windows, we're going to take another look at local accounts and whether they make sense in Windows 11 24H2, despite the fact that I've been advising against them for years. Podcasts you love from people you trust. This is TWiT. Hello everybody and welcome back to Hands-On Windows. I'm Paul Thurrott.

We have spoken a lot over the years about the different types of accounts and account types and types of types of accounts and all that kind of fun stuff. But key to this is this notion of sign-in accounts. Most people sign into Windows 11 with a Microsoft account, an MSA. People who are in schools or workplaces or other organizations can sign in with a Microsoft work or school account, both of which are online accounts. But if you go back in time, we used to always sign into Windows with a local account, and a local account is what Microsoft sometimes now calls an offline account. It's the type of account you could conceivably create on the PC even when the PC is offline. So I've been advising against using local accounts for maybe as long as there have been Microsoft accounts, frankly, and for good reasons, and we'll get into that. But when we think about Windows 11 24H2, and we think about all the terrible things that have been going on in Windows over the past couple of years, forced OneDrive folder backup, forced Edge usage and so forth, it occurred to me that maybe there is a way to use a local account securely and correctly that's just about as good as using a Microsoft account from a security privacy perspective, and that maybe in doing so we could overcome some of the worst behaviors that are in Windows 11 today. So I thought we could take another look at that, and there's a couple of different ways to do that. But I have been setting up several computers, actually on this trip, I'm still in Mexico, for local accounts instead of Microsoft accounts, just to kind of make sure I understand how that works with different installs of Office or Microsoft 365, you know what this type of thing looks like, right.

So, stepping back again, sorry, I should say most people should use a Microsoft account. If you use a Microsoft account with Windows today, you don't have a problem with what's going on with OneDrive or Edge or anything else in Windows. Just don't do this, okay, there's no reason. But if you're bothered by these things or if you're a more sophisticated or technical or power user, um, and you want to use a local account, for whatever reason, you want to make sure you do it securely, um, we can, we can kind of talk through that. So the things you don't get with a local account are actually many. You don't get account recovery, right. That account is just on the computer. You don't get automatic disk encryption, although that's something that's changing in 24H2, which is what kicked off me looking at this again. You don't get that 2FA passkey, automatic two-factor authentication that you get with a Microsoft or a work or school account. You don't get setting sync, right, which is a convenience, it's not just a big deal. But you also don't get automatic pass-through of your Microsoft account credentials to apps like Edge or OneDrive or the Microsoft Store or any of the other store apps, right, and so that's a big convenience. But you can work around that, and you can actually work around most of what I described earlier.

So if you're setting up a new computer, or if you've reset a computer, you can step through the out-of-box experience and you'll eventually get to a screen that looks like this, and in Windows 11 23H2, and now again in 24H2, Microsoft will not allow you to proceed unless you're connected to the internet, and so the trick here is to run a command line which is now pretty well understood. You basically, it's Shift+F10, bring up the command line window. We'll put up the exact text you have to type in at the bottom of the screen here. Hit enter. The computer will reboot. You'll go through the OOBE again, and this is the third or fourth screen, except when you get to it, this time it will have this additional link at the bottom. This is "I don't have internet," so you click that, and then it lets you create a local account, like we used to do in the olden days. So here I would type in Paul and kind of move on from here. So that works fine there.

The only part of the OOBE that remains is the privacy screen, and that's where I kind of advise you to mostly turn off those features. You want things like Find my device. Most people want to share their location, and if you do have presence sensing in the computer you probably want to enable that. But other than that, most of the rest of the privacy settings should be off, and the other things that are typically in the OOBE are gone, and so what you arrive at is this really clean desktop that you see here. It's actually even a little bit cleaner than this. You don't see most of these icons right away. You're not connected to the internet, right, and so the first thing that I did here was connect to my Wi-Fi network. That put a bunch of standard shortcuts here in the Start menu, and then what this is here is a series of screenshots I took because this was a clean computer and I didn't want to try to record over it, but just so you can kind of see the types of things that you should do if you're going to do this.

So here we have or I have a local account named Paul, very clean. There's not a lot going on here. You can see there's an issue here with Windows Security. You can see that OneDrive is not signed in, and in this case it was just that the virus definitions were not up to date and it needed to check for updates, so it was not a big deal. There will be other issues in Windows Security. We'll get to that in a little while, but for now you can just clear out whatever's there and kind of move on.

The first thing you should do, and this is the big change in 24H2, is activate disk, or rather device, encryption. In previous versions of Windows 11, if you signed in with an MSA or with a work or school account, it would automatically encrypt the disk. That was part of it. If you signed in with a local account, it would not. So in 24H2, the way that Microsoft describes it, is that the disk is encrypted automatically, no matter how you sign in. Interesting, I wasn't sure how this was going to work, because you actually have to save a private key as a backup in case you lose your access to the disk, and that doesn't happen unless you make it happen, and so I was curious how that would work, and so, depending on whether you have Windows 11 Home or Pro, you'll see something slightly different here. So this section down here is Pro only, so this just won't be here if you're on 11. If you're on 11 Home, sorry. So it says that encryption is enabled, but it's not actually activated. Now the computer I used was actually Pro, so I went through the BitLocker steps. But for Windows 11 Home, you just click sign in, you type in your credentials to your Microsoft account, make sure you don't sign in as a user, make sure you're just using it for apps, and then it will activate the encryption, which basically means just finish encrypting the disk. However, I did the BitLocker version, so this is what you see in Pro.

So you turn on BitLocker. You have to save that recovery key, right? You can't save it to the disk you're encrypting. That's the point. You have to have it someplace safe, so you could save it to a Microsoft account, which I'm not doing in this case because I'm trying not to use it too much. Save it, save it to a file. You have to save it to a file on an external disk, a USB key perhaps, or a network attached storage, whatever you might have, or you could just print it on paper. I put in the little USB key, saved it, and then I'm prompted here to activate BitLocker. So in either case, whether it's BitLocker or just standard drive encryption, this will take a little while, depending on how much is on the disk. You can keep using the computer while it's doing this.

So it says here that it is encrypting. It's a little subtle but up. Well, if it was behind me, the Settings app will say the same. So you can just kind of, yeah, you can just move on from here. So it says encryption's in progress. You don't have to worry about this anymore.

All right, so that's step one. That's the big thing. If your computer is physically stolen, somebody gains access to it. They're not going to be able to get the data off the drive. So that's job one.

Job two is securing that local account. So when you created your account, and in this case it was just called Paul, back in the OOBE, you're given the chance to give it what Microsoft calls a super memorable password. I didn't give it a password, but I did that knowing that I was going to do that fairly immediately. And I'm going to do that here. So you go into the Settings app, to Accounts, to Sign-in options, and we're going to look at all this stuff right here. So the first step is to get a password on the account, right, and so that's pretty straightforward. You just click add, type it twice, password hint, you're in. So that's good.

You come back and now, once you've done this, you can create a PIN. In fact, at some point you'll be prompted to. You have to have a PIN in Windows 11 if you are signing in with an account that has a password. But I'll just do that here manually type in my password, type in the PIN twice, and now I have a PIN. So once I have a PIN, it's possible to use the other forms of Windows Hello authentication, depending on what's available in your computer.

This particular computer has both, so I have facial recognition and fingerprint recognition. So even though I'm using a local account, I can still have that highest level of security on my sign-in. So I set up both of these. I'll step through this super quick. You don't really need to see this per se, but in both cases you type in your PIN, you do the sensor, uh, again and again, you can add another finger, or even do the same finger twice if you want, uh, it to be more accurate. And then same thing with facial recognition. Um, I wear glasses sometimes when I'm laying on the bed using the computer, so I do it twice. You can improve recognition here. Do it with and without glasses, right? Okay, now that that's out of the way, this account is actually roughly as secure as a Microsoft account from a sign-in account perspective. Right, I don't have that kind of back-end service going on with 2FA and all that stuff. But as far as this goes, I've got my backup recovery key saved somewhere I have. The disk is encrypted and the account that I'm using to sign in is protected with a password, a PIN and two forms of Windows Hello biometric authentication. It's pretty good.

So from here, it's kind of the basics. You're going to do something you would do on any computer, which is check for updates, install the updates, check for updates, sign those and then, as that's going on, or afterwards, your call, it's time to look at OneDrive. So if you want to use OneDrive, you can sign into it. Now I'm going to go through those steps through the images here. But if you don't want to use OneDrive, if that's part of the point of what you're doing. I just don't want OneDrive.

You can actually uninstall OneDrive. This is on the local computer, not in the shots, but if I can bring that up, if you go into, and this is something I should definitely not be doing, because I had a problem with this before, but if you go into the list of apps that are installed on the computer, it's under M for Microsoft OneDrive, you will see a OneDrive item in here and you can uninstall it. I don't actually recommend doing that unless you're really really serious about not using OneDrive. The better approach in many ways is actually, let me bring up. Let me do it the other way here. Task man, because I get the shots on, um. You can just prevent OneDrive from running in the, when the computer boots up, right. So find OneDrive in this list and just disable it and that way it won't run automatically. So you're not signed in, it's not running. I would just leave it on there. It's not like it's taking up space, but um, but I think most people do want to use OneDrive and I certainly do.

You can just sign into OneDrive. There are two or three sign-ins to your Microsoft account. That can occur if you're not signing into Windows with a Microsoft account. One is Microsoft Edge, one is OneDrive and then the other is something I'm going to show you because it's kind of important. It lets you sign into all of the other Microsoft store apps but in this case, manually sign into OneDrive. We do the 2FA authenticator. It steps through this kind of wizard. It's going to prompt you to back up the folders. Really wants to back up the folders. I turn that off right to step through this again. This is just basic information about the app and then it will start processing the files right. In my case, I've got a gajillion files. It's going to take a little while, but you know we'll just kind of step through that and let it happen. So once that's done.

In this case I did the third of the items I described. Second, but I added a Microsoft account to settings, not as a sign-in but rather as an account I can use with apps. This wouldn't have worked with OneDrive, which is why I did it the way I did it. But if you go into accounts email and accounts, not this thing up here where it says add a new account for email, calendar and contacts, but rather accounts used by other apps. This is probably something we talked about I don't know last winter. You know this notion of app accounts, right? So you add a Microsoft account. This would be the Microsoft account I would normally sign into, right? This is the thing that's associated with all the apps and games I've purchased my Xbox Game Pass subscription, my Microsoft 365 subscription and so forth so I sign in again.

2FA, all the familiar stuff. This is the key screen. This is the thing you have to be careful of. Every time you sign into a Microsoft account, Microsoft's like, so you want to sign into a Microsoft account? Do you want to sign into a Microsoft? You should sign into a Microsoft account. Be sure not to just click next, because you might end up converting your local account to a Microsoft account. Instead, just select Microsoft apps only here, as I did. It tells you you have to use Windows Hello with this account, so you can authenticate against your Microsoft account as well using Windows Hello. So that's great. We've already enrolled fingerprint, facial et cetera, so it all still works.

So I've proven who I am, I've got this account and now, every time I am signing in or going to use an app that requires a sign-in or wants a sign-in, I will be given the opportunity to use this account. It won't be automatic, but I can sign into that account and you can see the types of. In fact, I should say, this option here is these two sign-in options. So Microsoft apps can ask me, ask to sign me in. All apps need to sign me in. I need to ask. Rather, I always choose the second option. I don't ever want to be automatically signed into a Microsoft Store app. I want to be given the choice and I want to make sure that that's what I want to do. So choose the second one, if that's also what you want.

You can see that we talked about passkeys over the winter as well. It feels like a million years ago, but starting with 23H2, when you sign in to Windows 11 with a Microsoft account, you get a passkey for that account. Well, as it turns out, when you create an app account for a Microsoft account, you also get that passkey. So this is the basis of some form of pass-through authentication that's going to occur so when I use the Store app later, or Xbox app or whatever it might be. It will ask can we use this account? And it will authenticate through Windows Hello using a passkey. So not too much to know about this here, but this is one of those things that's happening under the covers.

So I have gone into the Store app again. I already updated all the apps, but now I'm going to sign in and I will be prompted. It says hey, we have this account on the computer. Do you want to use this account? Yes, I do. Again, authenticate myself with Windows Hello. And now I'm in, and so I'll go through that process with all of the Microsoft Store apps I use, including the Xbox app. Here it's the same process. Clipchamp, same process. Right, it's the same thing over and over again. Once you're done with that kind of stuff, that to me, is the big things. I've added a little account photo here just because I don't have one until you do that. And then I went into Microsoft Edge and here again, it's not going to do the pass-through, it's not going to do it automatically, and so you can sign in. And this is the third of those three instances where, again, 2FA, authenticate yourself, make sure you are who you say you are. In time your little profile will show up, and very quickly I think. Yeah, you get all your extensions installed, all the things that occur through the settings sync in that app.

The next step for me was to install Microsoft 365, the desktop app. So in this particular install, those apps weren't already on the disk. If they were, I would just run one of the apps. So in this case I just had to go install those apps. Not a big deal. You just get them from the internet, like you would, and then you run one of the apps and of course you're going to start getting these folder backup annoyances. That's what Microsoft does. So I say no to that and I keep praying that they don't just enable it on me. So what I've done so far here is sign in with a local account from the get-go.

Over the winter we talked about other ways to do this. You could convert a Microsoft account to a local account. You could create a Microsoft account, sign in, then create a local account, sign out of the local account, sign into the local account, delete the Microsoft account. You could still do those things, but the process I just described was you've bought a new computer. You've reset an existing computer and instead of ever going through a Microsoft account, you've signed in from a local account from the get-go. But properly secure the disk, which secures the hardware physically, properly secure that account, password, PIN and then Windows Hello, whatever you have available in that computer. Update the computer like you would anyway, update the apps like you would anyway, and then create that app account so you can sign into Microsoft Store and also other Microsoft Store apps and then sign into manually OneDrive, if you're going to use it. If not, disable it.

And Microsoft Edge if you're going to use it, and if not, just ignore it, don't worry about it. There's nothing you have to do there. You don't have to use it, just don't use Microsoft Edge.

To date, I've done this with standalone perpetual Office versions. I've done it with Microsoft 365. I have not been harassed yet. So you do get that folder backup prompt and it's going to do that. That's part of Windows 11. But other than that, actually this is a cleaner, better, if you will, less harassing kind of install of Windows 11. So do I recommend it?

Again, if you're not sophisticated enough to understand all of the, sophisticated is maybe not the right word. Technical enough, you just don't care about this kind of stuff. If you don't understand the security implications of not encrypting that disk, of not properly securing that account, then, no, please do not do this. You'll get all that stuff automatically when you install or set up a Microsoft account. But if you know what you're doing, if you're technical, if you've used Windows for decades and you know your way around it really well, yeah, this is not technically as secure as using a Microsoft account, but I would say it's secure enough. It's not insecure, assuming you configure it correctly.

So I'm going to keep working at this. I want to make sure nothing comes up as a surprise in the future. But I've done it, like I said, on several computers now. I've had no problems. It's been working out great. So I think it could work out great for you as well, if you have the same concerns with Windows as I do. Alrighty, well, thank you for watching. We'll have a new video every Thursday. You can learn more at twit.tv/how. Thank you so much. Thank you especially to our Club TWiT members. I'll see you next week.