Should you use a local account or a Microsoft Account on Windows 10?

Topic

New Reply

Of course, you all know that I’ve long recommended using a local account with Windows 10. I have detailed instructions in both of my Win10 books. Usin
[See the full post at: Should you use a local account or a Microsoft Account on Windows 10?]

1 user thanked author for this post.

Microfix

Reply | Quote

Replies

Certainly a local account. As Woody says, there is not much to be gained from using a Microsoft Account. On a phone OS, using a Microsoft Account might make some sense, but on a Desktop OS?

2 users thanked author for this post.

Microfix, Noel Carboni

Reply | Quote

I wouldn’t consider anything but a local account today.

The concept of handing administrative access to one’s system and data over to a company – even one as trustworthy (hah!) as Microsoft – seems, well, for want of a better word, ridiculous!

Of course, if Microsoft WANTED to they could just send your username and password for your local account in with telemetry. Who knows, if you haven’t blocked telemetry, don’t have a rock solid firewall, or are using any web-integrated services (Skype anyone?) maybe they are already sending it in. We can’t really know.

If a Microsoft account is what’s needed to participate in the wonderful world of Apps, well, you might say, who needs Apps? Easy to say, but unfortunately this won’t keep. There will come a day when someone invents software and/or an online service that really IS a “Must Have”, but requires one to hand over one’s account management to have it. I hope that’s still a while off at least.

What if every high tech company required you to turn over your most private data to use any of the tech. Would we all go back to the stone age together or just give in and hope for the best? I know what the masses would do.

-Noel

5 users thanked author for this post.

Elly, NetDef, HiFlyer, Microfix, BobbyB

Reply | Quote

There will come a day when someone invents software and/or an online service that really IS a “Must Have”, but requires one to hand over one’s account management to have it.

You can still log to individual apps using your account while being on a local account for Windows :).

Reply | Quote

Noel Carboni Posted (#96152)

What if every high tech company required you to turn over your most private data to use any of the tech.

Umm… most of the tech companies do this already. (Google, Apple, Facebook, Twitter…)

-- rc primak

Reply | Quote

Umm… most of the tech companies do this already. (Google, Apple, Facebook, Twitter…)

Exactly. A rhetorical question, designed to make people think.

You’ll note my post above specifically does not suggest that “using a local account” will be viable forever.

People today are faced with a choice: Jump on the “modern” bandwagon and embrace Windows 10, or stay on an older system that’s meeting your needs for some time longer. The former pick might involve having to “give in” and use a Microsoft Account sooner than later.

By the way, an anecdote: I was a Microsoft Win 10 pre-release tester from the start. Some time into the program, I wrote some things on the Answers forum about Windows 10 that were true, but to which a Microsoft-employed moderator took exception, and I was banned. Lo and behold, with that Microsoft Account – the only account I’m ever supposed to need – I’m now forever excluded from logging into the Microsoft Answers forum. A permanent exclusion from using some Microsoft services – I’ll bet THAT’s an implication of using a Microsoft account most folks wouldn’t expect.

-Noel

Reply | Quote

You are right there Noel but isn’t it just a case of creating a new Microsoft Account? I know some of your comrades on that forum ended up doing that after being banned.

1 user thanked author for this post.

b

Reply | Quote

That’s a fair question, but consider…

Do we just go quietly through life creating account after account to try to recover from problems, while being told that one account will integrate everything? Do you see the irony in that?

You could end up having to redo all your settings, move all your data, and any number of other things that are tied to that integrating account. Over and over…

As a rule I don’t go out of my way to be where I’m not wanted by the management. Personally I’m glad not to be part of the Microsoft Answers forum any more. I have more time to be here and other places. It’s their loss, not mine.

-Noel

Reply | Quote

Noel, I wasn’t trying to be combative in my reply only stating what I saw occurring last year. The whole thing was totally unfair as there were many truths being told by many and they were either banned or scoffed at and it made me so angry (I was cheering for you guys silently).

I know by being banned, you lose all the MS brownie points you gained because you have to start anew with a new account and you then have to rebuild your reputation again.

I agree, it’s not worth creating account after account but if you accept their rules that’s all there is.

…and yes, it is their loss Noel but our gain! Thank you for imparting your knowledge and expertise.

gts

1 user thanked author for this post.

Noel Carboni

Reply | Quote

I did not take any part of your response confrontationally. I hope mine don’t come across that way. That’s never my intent.

🙂

-Noel

1 user thanked author for this post.

GoTheSaints

Reply | Quote

Over the last few years, microsoft has made its data collection pervasive, subtle and obscure so,
what makes this microsoft account any different?
A local account is a wise choice if given a choice between the two options on a PC IMHO 🙂

No problem can be solved from the same level of consciousness that created IT- AE

Reply | Quote

I agree. What bothers me further is Microsoft’s use of OneDrive to “encourage” people to get a Microsoft account without them even knowing. Less literate users go along with the “I guess Microsoft wants me to do this” and wind up with OneDrive enabled and their system converted to a Microsoft account without even being fully aware; I’ve already seen it happen more than once. And Microsoft knows it.

Every time I set up Windows 10 for someone or tweak a box with it, and see a OneDrive icon that isn’t turned on, it gets disabled from startup. Period. And as others have pointed out, SpyBot Anti-Beacon makes this part of its whole list of handy disable-Windows-10-spying features, so I highly recommend it.

https://www.safer-networking.org/spybot-anti-beacon/

We are SysAdmins.
We walk in the wiring closets no others will enter.
We stand on the bridge, and no malware may pass.
We engage in support, we do not retreat.
We live for the LAN.
We die for the LAN.

Reply | Quote

Office 2016 is such a pain to try to install without an online account when you buy OEM.
Microsoft makes it very hard to do and it autoconnects you at some point. If you try to avoid it, you really need to know some things at some point because they don’t even provide an option for you to retrieve your real product key by following their instructions.

I will post a link on how to do that later if I have time in the Office section. In fact, I will post a link on how to have a customized click-to-run installation so you can avoid installing everything if you don’t want to.

2 users thanked author for this post.

Kirsty, Noel Carboni

Reply | Quote

I suppose this applies to the click-to-run versions only?

Reply | Quote

Yes.

No customization out of the box if you don’t want to install everything and when it breaks functionality, you have no idea what got updated and I’m not sure you can remove the patches. I have been bitten by it at least two times since they started this. In one case, we had to reinstall an older version of Office for the user and in another we installed the 64 bits version which didn’t have the issue introduced by a click-to-run update.

Click-to-run Windows… huuu….

 

Reply | Quote

For me, local account as long as sustainable. I want no part of this new promised world of cloud first on my desktop and I wouldn’t use any other Microsoft product like Xbox or mobile devices to not reward them for their bullying behavior on their traditional desktop users.

I hope I will never have to use their store, but like Noel, I am worried that one day they will make it impossible to avoid.

1 user thanked author for this post.

Noel Carboni

Reply | Quote

For home / small office workstations I take this a few steps further.

1) On new setup: Create a local Admin account. Finish setup and install your base applications and AV, etc.

2) Now create your user account as a LOCAL account, with Standard user permissions (NOT admin!)

3) Repeat step 2 as needed for adult family members that need their own accounts.

4) If you must, convert your account to a MSA. I leave that decision to the reader but I largely agree with the advice given by Woody and Paul T.

5) If you have children, and want to use Microsoft Family Safety, then you need to convert the child’s local account to a MSA. No way around this, and the benefits for this specific use case may be worth it to you as parent.

Never – ever – grant your MSA local admin permissions on your workstation.

Edit: The exception to the above warning: if you must be on a preview/slow/fast ring on a test machine. You are committed to giving the MSA admin privileges. I would not advise that on a production machine.

The primary reason to start with a local Admin account (and create your real user accounts as a Standard User) is this is one of the very best ways to mitigate potential drive by malware drops.

Some rules: don’t surf the net nor open email from the Admin account you create. Think twice if you are ever prompted for that admin accounts password when you do not expect it. If you are browsing the net, reading email, opening an attachment or a document and you see that password request . . . you know it’s time to close all applications and run a virus scan.

And if your standard user account profile gets a non-admin level infection it’s really easy to clean that up from the Admin account. Unless you fall for the prompt that asked for an admin password the infection won’t get root access.

~ Group "Weekend" ~

4 users thanked author for this post.

Elly, Kirsty, rc primak, AlexEiffel

Reply | Quote

The only thing I would add to your scheme is that there may be times when an adult user account may need some service or app which works better with a Microsoft Cloud Account login. I find these to be rare events in my own Windows 10 usage, but it can happen. The solution is to temporarily convert to a MS Account Login, then revert to Local Account (Don’t forget the password and hint you used!) when finished with Cloud-centric activities.

Another approach is to create a separate User Account which is always a MS Account login, but only use that Account when using Cloud-centric apps or other activities which require the use of the MS Account.

And clean your tracks with Glary Utilities and/or CCleaner (CCleaner must be run on a per-account basis!) after using an MS Account (or doing anything involving online activities). You can skip the Registry stuff, but the tracks should be cleaned frequently. (My Chrome Browser has Click And Clean to do the job in there. Firefox can do its own end of session cleanup natively.)

Also, I use O&O ShutUp10 (or its equivalent settings) for all accounts.

Bottom Line is — whenever possible, I stay with Local Accounts. And when cleaning up or doing system maintenance, I stay offline entirely (disable Wireless Networking). And keep backup drives offline at all times.

MS Store Apps do not necessarily need an MS Account login to function — I use several of these without logging in at all.

-- rc primak

1 user thanked author for this post.

NetDef

Reply | Quote

rc primak wrote:

And clean your tracks with Glary Utilities and/or CCleaner (CCleaner must be run on a per-account basis!) after using an MS Account (or doing anything involving online activities). You can skip the Registry stuff, but the tracks should be cleaned frequently.

Why?

Windows 11 Pro version 22H2 build 22621.2361 + Microsoft 365 + Edge

Reply | Quote

b wrote:

Why?

Not meaning to answer for rc, but… I’m betting it comes down to a matter of trust.

Some people – maybe a lot of people – would prefer a business model where we pay for the OS, and in turn it doesn’t try to make Microsoft money off us by taking data from us or by watching our behavior.

-Noel

Reply | Quote

My “Why?” was “Why CCleaner after MSA?”

You think cleaning temporary files prevents snooping?

Windows 11 Pro version 22H2 build 22621.2361 + Microsoft 365 + Edge

1 user thanked author for this post.

Reply | Quote

It’s not about what I think. I know what prevents snooping. It’s about what other people perceive of Microsoft nowadays. Loss of trust is a bad thing.

Perhaps rc primak will jump in here and correct what I implied from his note.

-Noel

Reply | Quote

I can trust my Microsoft Account if I use CCleaner?

I should use CCleaner if I don’t trust Microsoft?

Sorry, you’ve lost me. (I’m not sure you’re answering the question I asked.)

Windows 11 Pro version 22H2 build 22621.2361 + Microsoft 365 + Edge

Reply | Quote

The MSA has a History which is accessed online. You might want to go in there from time to time and clean it out as well.

I definitely do not trust Microsoft or anyone else with data collection and storage.

-- rc primak

Reply | Quote

I guess I’m just not that paranoid.

Windows 11 Pro version 22H2 build 22621.2361 + Microsoft 365 + Edge

Reply | Quote

Jumping in here.

What the browser cleanup may not get at is Local Storage used by Flash, Silverlight or DOM storage, among other temp files which can get stored in locations outside the browser cache. There’s a lot of areas where web sites may attempt to store persistent tracking content.

Then there’s MS Telemetry, which may be reduced by cleaning out temp files more frequently.

Perhaps I’m being a bit over-cautious, but it doesn’t take long to use Glary or CCleaner, and the results are  definitely more stuff removed than just clearing caches.

If you don’t want  to use third-party cleaning utilities, no problem, but I think they do more than simply clearing the browser caches. Especially if you’ve used Cloud Apps with local storage of their own.

-- rc primak

Reply | Quote

Unless you’re deleting the encrypted files in the hidden folder at %ProgramData%\Microsoft\Diagnosis I doubt whether your apres-Cloud cleanup routine is having any effect on Microsoft telemetry.
http://www.zdnet.com/article/windows-10-telemetry-secrets/

And I still don’t get why cleanup should be any more “necessary” after using a Microsoft Account.

Windows 11 Pro version 22H2 build 22621.2361 + Microsoft 365 + Edge

Reply | Quote

Regardless of Windows 10 MSA issues (Windows 7 here), I gave in some time ago to the religion of not working under admin, and having two Windows user accounts for one person : one admin, one non admin. That was after long years of happily doing everything under admin.

There have been a few Microsoft evangelists of this practice, and of course it makes sense. However, whenever I put forth specific questions about how to configure such a PC, answers dried up.

What I found is that Windows is not made for that. It’s not made for one user, on a mono-user computer, to have and use two user accounts, one admin and one non-admin. What you want to do in such a case is to have the same set of software in both accounts, configured the same way, with the same access to the same data.

When I switch to my admin account because I want to do something I can only do there, I don’t want to find an entirely different Firefox, or Word, or whatever, from the one I have spent years configuring and getting accustomed to.

Well, that’s impossible. Software developers just don’t take that into account. If it’s a different account, it’s supposed to be a different person. And each program has a different way of handling user data.

So you end up having only one account properly configured, the non-admin one, and the admin account is a barren desert where you can only have so much. Whereas, being in admin, you should precisely be able to command the full power of your computer, since you are supposed to do the more advanced things there.

I’m not about to revert my policy, because it makes sense from a security point of view. However, it’s really a case of Microsoft giving one piece of advice, and working actively to prevent people from following it.

Also, I have never seen actual research comparing infection rates for admin and non-admin accounts.

Fun fact : protecting yourself from malware apparently entails typing your UAC password each and every time you want to change something in the Start Menu folder. Copy a shortcut for a newly installed program there, type your password. Create a folder for that shortcut, type your password. Delete an old folder, type your password. Change the name of your shortcut, type your password. Make a typo in that name, type your password once more.

I’ve found that UAC generally works fine, and I’m surprised at the number of things you can do from your non-admin account, just by elevating rights temporarily (almost everything). But this Start Menu rigmarole really takes the biscuit.

Directory Opus (only the super-duper Pro-Pro version with a ridiculous price tag) has a very clever button for that : it allows you to elevate your rights for 5, 10 or 30 minutes. Because logging out of your non-admin account, logging in admin, then logging back in non-admin is a ridiculous thing to do just to stick a shortcut in that blasted Start Menu folder, and then maybe doing some housekeeping there as you usually must.

Reply | Quote

Sorry @Clairvaux, but I think you misunderstand the philosophy behind the 2 user accounts, one non-admin (work, regular account) and another one admin account only for admin tasks and not for running Firefox and other applications that you listed.
You use your non-admin account for everything day-to-day but when you are required to do something administrative like installing software, you do not log in as that admin user, but

Run As

that admin user.

There would be times when you have to log in as that admin user, but this is rather rare and in those cases you are better off logging in as the BUILTIN Administrator, the one which is disabled by default and is totally unrestricted, like in Windows XP. If you decide to enable and use that builtin administrator, don’t forget to set a reasonable password to it, as by default is none.

Enteprise/Domain Admins follow the procedures above all the time.

1 user thanked author for this post.

AlexEiffel

Reply | Quote

<p style=”text-align: left;”>For security reasons, you shouldn’t run anything like a browser as admin.</p>
<p style=”text-align: left;”>I only use admin to do admin tasks and the standard account for everything else. The idea is to lower the risk of having the admin polluted by anything outside that is not safe. Yes, my admin account is not really configured for doing much, but I don’t need it for that, so I am fine with this.</p>
<p style=”text-align: left;”>In theory, you shouldn’t even do an elevation in place (what the UAC gives you) because your standard user could be compromised and just wait for you to activate an elevation to do bad things using the compromised code that asked for the elevation. I don’t think the risk is huge when I delete a shortcut on the desktop using admin rights with secure attention sequence activated and it is much more convenient. But giving admins right to a software requesting it coming from a standard account I don’t control have a different risk profile. Still, a lot of people don’t want the troubles of logging out to admin each time they have a little maintenance to do, so it is a matter of managing risk.</p>
<p style=”text-align: left;”>With the auto-updating services that some programs uses now, I find that we really don’t have to use the admin account much anymore on user’s PCs, so that is not that much of a problem to keep softwares patched while having everyone running as a standard user on autonomous workstations.</p>
<p style=”text-align: left;”></p>
<p style=”text-align: left;”></p>
<p style=”text-align: left;”></p>
<p style=”text-align: left;”></p>

Reply | Quote

rc primak wrote:

Another approach is to create a separate User Account which is always a MS Account login, but only use that Account when using Cloud-centric apps or other activities which require the use of the MS Account.

I forgot I do this too . . . for precisely the same reasons you outlined. Good catch!

~ Group "Weekend" ~

1 user thanked author for this post.

rc primak

Reply | Quote

And that is the account I would pay the most attention to cleaning up after each session.

-- rc primak

Reply | Quote

NetDef wrote:

Never – ever – grant your MSA local admin permissions on your workstation.

Why?

Windows 11 Pro version 22H2 build 22621.2361 + Microsoft 365 + Edge

Reply | Quote

Doing so allows malware and drive-by attacks direct Root level access to your system areas.

-- rc primak

1 user thanked author for this post.

Elly

Reply | Quote

Isn’t that what UAC is for?

Windows 11 Pro version 22H2 build 22621.2361 + Microsoft 365 + Edge

Reply | Quote

b wrote:

Isn’t that what UAC is for?

The average user, in my experience, has NO idea what UAC is all about. They just click “Yes” every time it comes up so the notice box goes away and they can continue with whatever they’re doing.

3 users thanked author for this post.

Elly, NetDef, Noel Carboni

Reply | Quote

UAC is actually meant to prevent an automated process (malware) to run as administrator, unless further authorised by a user.
On the legal side, if the user clicks yes, Microsoft is absolved of formal responsibility because the user authorised that process to run.

I understand your point of view and I know a lot of people doing the same, but hey, should they administer a computer running a complicated operating system in the first place? 🙂
I said elsewhere, iOS has found the right answer and it may be the case for Chromebooks which received a lot of praise from Woody in few posts.
General use Linux is NOT the answer for those who don’t understand Windows.

1 user thanked author for this post.

AlexEiffel

Reply | Quote

There you go. About 20 years and 1.5B Users too late. And I don’t think Microsoft is going to give back the money!

Reply | Quote

… and why would a local admin be more susceptible to malware when signed in with an MSA?

Windows 11 Pro version 22H2 build 22621.2361 + Microsoft 365 + Edge

Reply | Quote

Because of elevated privileges. MSA plus Admin Account = more surface area for malware to attack.

-- rc primak

Reply | Quote

What additional surface area is exposed by an MSA?

Windows 11 Pro version 22H2 build 22621.2361 + Microsoft 365 + Edge

Reply | Quote

b wrote:

Isn’t that what UAC is for?

Whoa, didn’t we all notice a vast reduction in malware when Vista and the awesome UAC came out? 😀

What PKCano said above. Plus that UAC just irritates intelligent users who really don’t need it.

-Noel

Reply | Quote

Here are two new articles dated February 21, 2017 about increasing European pressure on Microsoft and it “privacy” implications. This is after MS announced some changes that only worked with a web-based interface.(and I suspect a MS account).

Maybe there is some hope, but I suspect it would not fly in the US.

http://www.theverge.com/2017/2/21/14682256/microsoft-windows-10-eu-privacy-concerns

https://www.bloomberg.com/news/articles/2017-02-21/microsoft-faces-european-privacy-probes-over-windows-10

1 user thanked author for this post.

Elly

Reply | Quote

Interesting that Paul Thurrott doesn’t mention ANY disadvantage of signing in to Windows 10 with a Microsoft Account. (Just three advantages; Settings sync, Convenience, Edge sync/convenience.)

And Woody can only come up with, “Using a Microsoft Account to sign in to Windows 10 gives Microsoft (yet another) way to collect information about you”, which sounds like FUD/guesswork. (More info about you than if you only use your MSA to sign in to apps separately?)

Windows 11 Pro version 22H2 build 22621.2361 + Microsoft 365 + Edge

1 user thanked author for this post.

Woody Lounger

Reply | Quote

b wrote:

(More info about you than if you only use your MSA to sign in to apps separately?)

Possibly unsaid here is that some folks really don’t want to have anything to do with Apps.

That may change in time, but it’s a bit bold of Microsoft to think that Apps today are so attractive that everyone would want to give up privacy and security to have them.

-Noel

Reply | Quote

Plus, most Apps can be used from a Local Account.

-- rc primak

Reply | Quote

But not the Store, so your apps won’t get updated.

Windows 11 Pro version 22H2 build 22621.2361 + Microsoft 365 + Edge

Reply | Quote

b wrote:

NetDef wrote:

Never – ever – grant your MSA local admin permissions on your workstation.

Why?

I should have clarified more, since part of my original topic was about malware prevention using standard versus admin level user accounts.

My advice about not granting a MSA account local admin permissions (with some exceptions if you are a Microsoft ring tester) is based on the fact that as admin – MSA allows anyone that might compromise your online account total access to your machine – including the right to remotely access things. I’ve personally seen this happen exactly once, but still – it burned. That episode happened when someone enabled the remote file access feature through One Drive, and their MSA was a local admin account, and their MSA was hacked. The ID thief logged onto that machine and extracted saved banking passwords from the victims browser using Nirsoft tools. They were also able to add a system startup malware entry because as admin, they had access to parts of the C: drive that a standard user would not.

There were so many other mistakes made that led to this, but you hopefully get the reasoning behind my advice.

~ Group "Weekend" ~

1 user thanked author for this post.

Elly

Reply | Quote

That’s what two-step verification is for; to prevent access from untrusted devices:

https://www.cnet.com/how-to/how-to-use-two-step-verification-with-your-microsoft-account/

Windows 11 Pro version 22H2 build 22621.2361 + Microsoft 365 + Edge

Reply | Quote

I use two factors for my MS Cloud Account as well.

-- rc primak

Reply | Quote

More evidence that 99% of the current Windows users are not qualified to maintain and manage Windows and would be better served by an appliance connecting to the Cloud.
There is a good reason why iOS does not allow running as root, unless jailbreaking the device, in which case Apple declines any responsibility for that device.

1 user thanked author for this post.

AlexEiffel

Reply | Quote

Ubuntu Linux does not run as Root. But there are ways to get around this.

In iOS, it’s not the user who has been getting around its security restrictions. It’s the App developers. And the results are much more difficult for users to manage or fix than in Windows or Linux.

-- rc primak

Reply | Quote

Noel Carboni wrote:

Whoa, didn’t we all notice a vast reduction in malware when Vista and the awesome UAC came out?

UAC was not awesome on Vista, and that’s probably why some people who don’t keep up with the times still disable it. But it became far less intrusive since Windows 7, and very useful as a layer of protection against malware:

UAC Technologies: What’s Different in Windows 7

UAC plays defense against Malware

Noel Carboni wrote:

What PKCano said above.

Yes, it’s difficult to protect from themselves users who will click on anything without reading/thinking.

Noel Carboni wrote:

Plus that UAC just irritates intelligent users who really don’t need it.

Would they be the same intelligent users who comply with the requirement to use sudo on other platforms in the name of security, but find clicking Yes in Windows UAC to be a cumbersome chore?

Windows 11 Pro version 22H2 build 22621.2361 + Microsoft 365 + Edge

Reply | Quote

Using the sudo command with the required password is indeed irritating. But necessary. As a Linux user,I am keenly aware of the tradeoffs between security and convenience.

-- rc primak

Reply | Quote

b wrote:

And Woody can only come up with, “Using a Microsoft Account to sign in to Windows 10 gives Microsoft (yet another) way to collect information about you”, which sounds like FUD/guesswork.

You’re right. It’s guesswork – Microsoft hasn’t told us what data it’s collecting. But I’d be willing to bet that the Microsoft Account is picked up by Edge, and wouldn’t be a bit surprised if telemetry is tied to an MS account as well.

We don’t know. Microsoft hasn’t told us.

Reply | Quote

What we DO know is that Microsoft does what it does in the name of profit.

So one simply has to ask:

How is it more profitable to Microsoft for us to use Microsoft Accounts?

-Noel

Reply | Quote

And one has to actually answer that question to know if it’s a disadvantage to us.

Windows 11 Pro version 22H2 build 22621.2361 + Microsoft 365 + Edge

Reply | Quote

MS Account Activity is tracked by Bing  and Cortana. Enough said.

-- rc primak

Reply | Quote

Isn’t Bing and Cortana activity tracked with a local account?

Windows 11 Pro version 22H2 build 22621.2361 + Microsoft 365 + Edge

Reply | Quote

I don’t know how much of Cortana can be turned off, but Bing data collection can be severely restricted. I restrict both Bing and Cortana in my local accounts, and use local search.

-- rc primak

Reply | Quote

So just not using a Microsoft Account doesn’t seem to confer any advantage with regard to Bing or Cortana tracking then.

Windows 11 Pro version 22H2 build 22621.2361 + Microsoft 365 + Edge

Reply | Quote

rc primak wrote:

I don’t know how much of Cortana can be turned off

It can be completely turned off. It takes some technical backflips to do it, but it’s worth doing.

-Noel

Reply | Quote

Noel Carboni wrote:

Possibly unsaid here is that some folks really don’t want to have anything to do with Apps.

If those people actually use Windows 10 they probably wouldn’t be interested in the advantages of Microsoft Account at all (Sync/Edge), so this discussion wouldn’t apply to them.

Noel Carboni wrote:

That may change in time, but it’s a bit bold of Microsoft to think that Apps today are so attractive that everyone would want to give up privacy and security to have them.

I have no privacy concerns about using a Microsoft Account full time. What’s the security downside?

(I can understand why enterprises are blocking Microsoft Accounts from being used at work, because they may need to ensure that their confidential business data is not inadvertently stored in Microsoft’s cloud.)

Windows 11 Pro version 22H2 build 22621.2361 + Microsoft 365 + Edge

Reply | Quote

Fyi, it was only during the era of smartphones beginning in the mid-2000s that online user accounts(= email account and password) were required by the vendors, ie the elimination of local user accounts(= username and password).

Smartphone OS were provided free of charge to the users with a fair trade-off, ie … Google’s Android smartphones required Google accounts(= gmail acct) mainly for Google to get ad and marketing revenue, and revenue from sales of apps. Apple’s iOS iPhones required Apple ID accounts(= any email acct) mainly for security(eg Find My iPhone and unusable stolen or lost iPhones) and revenue from app sales.

M$’s Win 10 desktop OS is NOT free of charge for the users. So, it is unfair of M$ to require users to login with M$ accounts in order to fully use Win 10.

Quoting a commenter(in Jan 2017);
“Note to Microsoft: Google gets away with it because everything that they provide is basically free, and even in Android you can get out of the marketing stuff if you don’t use Google services. Windows 10 is not free, and if I didn’t know in advance I would be pretty p***** when I realized that I paid to be part of an ad campaign (I wonder how long until we start seeing Mountain Dew ads in the start menu). “

Reply | Quote

ch100 wrote:

I think you misunderstand the philosophy behind the 2 user accounts.

Yes, that philosophy must be very profound for me to misunderstand it. Maybe it’s the philosophers who don’t do their explaining exactly right ?

There’s an embedded help in Windows 7 (and there might as well be one, given the price of the product). Nowhere does it begin to address that issue. Here is what it says :

When you are logged on to Windows with a standard account, you can do almost anything that you can do with an administrator account, but if you want to do something that affects other users of the computer, such as installing software or changing security settings, Windows might ask you to provide a password for an administrator account.

So : masters of confusion. This last sentence conflates, oh, maybe four different things : change accounts and log into your admin account (that’s the obvious way to interpret it given the context), stay in your non-admin account but react to an UAC alert which will temporarily elevate your rights, deliberately choose to run a program as administrator without any prodding from the OS, and now this mysterious extra-secret built-in administrator account, which we are not supposed to know about, but you are telling me I should use rather than the normal, advertised administrator account (when ? why ? how ?).

When you set up Windows, you were required to create a user account. This account is an administrator account that allows you to set up your computer and install any programs that you’d like to use. Once you finish setting up your computer, we recommend that you create a standard account and use it for your everyday computing. If you create new user accounts, you should also make them standard accounts. Using standard accounts will help keep your computer more secure.

Straight from the horse’s mouth, and downright false. If you’re not an Enterprise/Domain Admin and are just learning about this admin / non-admin thing, I defy you to interpret this in another way than : you need to log to your admin account to install software. Indeed, that’s one of the main reasons why I was reluctant for so long to abandon my admin account-only setup : because I’m installing software all the time. When I finally took the plunge, I was flabbergasted to realise that all it took was to clear an UAC alert with a short password — which is totally acceptable for a software install.

And that was after researching the subject for months, reading reams of advocacy threads specialised in coaxing you into the non-admin religion, etc. The dominant tone was : yeah, you’re going to suffer, but it’s for your own good.

ch100 wrote:

…admin account only for admin tasks and not for running Firefox and other applications that you listed.

Let’s put things in the right order. I don’t use my computer to “run Firefox or other applications”. I use it to do… things. And in order to do those things, I need applications. For instance, a browser. Is there anything you can do on a computer nowadays without using a browser ?

Say I have a driver issue. If repairing that is not an administrative task, I don’t know what is. In order to download drivers (or just determine which one is needed), I need a browser. Heck, even changing the settings on my router requires a browser !

Word ? Of course, I need Word ! In order to bring administrative tasks to fruition, I need to have my technical notes on hand. Which were written in Word. And so on and so forth.

This idea of depriving you of your best tools just when you need them most is really ridiculous. Imagine a surgeon embarking on a particularly delicate procedure, and the hospital manager barging in : no ! you can’t have your usual, nice set of tools you are accustomed to ! take this drill and hack saw, and be over with it !

ch100 wrote:

…You use your non-admin account for everything day-to-day but when you are required to do something administrative like installing software, you do not log in as that admin user, but Run As that admin user.

I know and use Run As (sometimes). Trying to understand your point of view, is it the following :

> There’s no real way to duplicate your set of software, personnalisation and user data from your non-admin account to your admin account ;

> However, there’s no real need to do this, since almost anything that would require logging in to your admin account can be done from your non-admin one, through mostly benign elevation (responding to UAC alerts, running as admin), and you get to work with your usual set of software, personnalisation and user data ;

> For the rare case where you do need to log as admin, it is better to do it through the embedded, and disabled by default, Administrator account, because it’s totally UAC-free ?

If this is the case, well, I’ve never seen it put that way. Either people dismiss the importance of using your familiar environment when doing so-called administrative work, or they say : yeah, it’s important, but you won’t be able to keep it, so be a geek (or a sysadmin) and deal with it.

And there’s this false view, universally promoted by Microsoft and Microsofties, that in a home setting, the admin account is for the head of the family, while everybody else gets relegated to crippled user status :

Assigning an appropriate account type to the people who use your computer is straightforward. At least one user must be an administrator ; naturally, that should be the person who administers the computer. All other regular users should each have a standard user account. Use a guest account if you have guests or occasional users; that way, they can use your computer without gaining access to your files.

This, from Ed Bott, one of the best Microsoft tutors around, in a 1 400-pages book with 40 of them devoted to the issue of user accounts. He does go on to qualify this, by stressing how easier it has been made to stay under non-admin since Windows 7, and advising to have both types of account even if you are the “administrator”. But he doesn’t stress that you don’t need your environment in the admin account, since you can have it in non-admin, and, most of the time, elevate from there — if, indeed, this is the case.

The whole, ahem, “philosophy” of having admin accounts which are extraordinarily important, but which you are encouraged to almost never use by cheating into them, is so counter-intuitive and confusing as to require a great deal more of explaining.

And I still don’t know how to update my Start Menu without typing a zillion UAC passwords. I’ve just tried to run Windows Explorer as admin, but no, that would have been too easy, I suppose.

1 user thanked author for this post.

Noel Carboni

Reply | Quote

I’m not going to get into splitting hairs over what a user account can do vs. and administrator account. The distinctions are well known among Windows users, and published at Microsoft’s sites.

What I can tell you is that you are taking a few sentences in Microsoft’s descriptions way out of context.

Let it suffice to say that Standard User accounts are restricted and that current malware does not as easily break through these restrictions as if it were running in an administrator account. I have personally seen this distinction working in my use of Windows, as have others.

It’s not as though using an administrator account grants unlimited powers. There are some tasks which even a normal Admin account cannot do. For those tasks, or for a long series of Root level commands, special techniques and tools are required.

Most everyday Windows users probably will not need to do things requiring special methods, but I just wanted to point out that even administrator accounts are not unrestricted. They are however, much less restricted than Standard User Accounts.

-- rc primak

2 users thanked author for this post.

Elly, ch100

Reply | Quote

Some criticize my choice, but I have never experienced a downside to disabling UAC entirely, while reaping the benefits in productivity from not being blocked from doing what I need to do on a daily basis. I always ran Vista and Win 7 that way, I run Win 8.1 that way, and I have a Win 10 config that runs that way (without Apps of course). No one has more stable systems and I’ve only ever installed each OS on hardware once.

Of course, I don’t claim disabling UAC is for everyone. It IS however, a great loss in Windows 8 and newer that there is no way – as there was with 7 – to choose supported settings to achieve that goal! Windows has been dumbed-down so that it can no longer provide what a true power user needs.

Some would say “it’s for the greater good because too many people just get in trouble with the ability to disable it”, and would point out that I’m evidence that a geek can actually accomplish it anyway, so why complain?

They have a point, but it’s clear evidence that Microsoft is moving away from serious general purpose computing – which is what the people who engineer the world’s products need.

Why isn’t there an expensive “Ultimate” or “Workstation” version that provides all the power that’s really there, and shuns the ad-based, privacy-invading revenue? I’d pay for it, and I know a lot of others who would too.

I always figured there’d remain serious capabilities in the system because Microsoft needs to engineer further versions of Windows itself using Windows. I didn’t imagine they’d stagnate into just coding second rate Apps and call that “operating system development”.

-Noel

1 user thanked author for this post.

Elly

Reply | Quote

This is essential to understand for everyone reading your posts.

Of course, I don’t claim disabling UAC is for everyone.

1 user thanked author for this post.

Elly

Reply | Quote

@ rc primak

rc primak said:

There are some tasks which even a normal Admin account cannot do. For those tasks, or for a long series of Root level commands, special techniques and tools are required.

Not asking for details as to *how to hack* Windows that requires some *higher form* of privilege than an *Admin Acct*, but could you at least identify a couple of the areas that would require such a *super-admin* privilege level.

In other words, what requires that level of access–what’s being edited or changed?

Reply | Quote

anonymous wrote:

Not asking for details as to *how to hack* Windows that requires some *higher form* of privilege than an *Admin Acct*, but could you at least identify a couple of the areas that would require such a *super-admin* privilege level.

In other words, what requires that level of access–what’s being edited or changed?

It’s not often, but there ARE some things – especially if you like to tweak Windows in ways that Microsoft hasn’t provided support for – that are protected against the Administrators group from changing. Some settings in the registry, for example. And some PowerShell commands fail if not run as SYSTEM. Microsoft is doing more and more “protecting the system against Administrators” as time passes. I presume they believe that “Windows as a Service” requires preventing users from doing what they want. That’s a fundamental conflict of interest in my opinion.

Yes, you can Take Ownership of file system and registry objects and change permissions from an Administrators group account, but that’s not always convenient or prudent.

I don’t use it often, but I have a shortcut to a command prompt that allows commands to be executed as SYSTEM rather than my account (member of Administrators), and it starts via this command:

C:\BIN\PsExec.exe -i -s CMD /k cd \temp&ver&ECHO Executing as SYSTEM

-Noel

Reply | Quote

I ALWAYS use a local account – I never use a Microsoft account.

But that’s just because I want as little of my data as possible going out from my computer to who-knows-where.

But that may not bother you, so you might want to have a Microsoft account, along with “cloud” storage, Office 365, the whole works.

I can see some scenarios where you might want all of this:
* A church youth group shares news and posts among the members of the group.  No sensitive information is involved.
* You have identical computers in two location (e.g. at work and at home), and you want to easily “pick up right where you left off” when you go from one computer to the other.  Again, no sensitive information is involved.

The only way this will work is if there is no sensitive information on any of the computers.

There are much better (i.e. much more secure) ways to share information, so I think most people would prefer the more secure alternatives.  I know I would.

The only times I have ever worked this way is when it was related to my job: in all of those cases, I had secure ways to log into the company network.

Jim

Group "L" (Linux Mint)
with Windows 8.1 running in a VM

2 users thanked author for this post.

Elly, Noel Carboni

Reply | Quote

Noel Carboni wrote:

Of course, I don’t claim disabling UAC is for everyone. It IS however, a great loss in Windows 8 and newer that there is no way – as there was with 7 – to choose supported settings to achieve that goal! Windows has been dumbed-down so that it can no longer provide what a true power user needs.

Could you explain this?

I can search Windows 10 Settings for UAC (or just type UAC at Start or Cortana) and could then disable it by setting Never notify (if I didn’t appreciate why Microsoft gave us all UAC):

Windows 10: User Account Control (UAC) – Change Settings in Windows 10

This looks exactly the same as Windows 7 (and 8) to me. And it can still be disabled via Group Policy or the Registry. So what has changed in this respect with Windows 8/10?

Windows 11 Pro version 22H2 build 22621.2361 + Microsoft 365 + Edge

Reply | Quote

This looks exactly the same as Windows 7 (and 8) to me.

You are not getting this right here. I am not providing details, but while UAC in Windows 10 behaves exactly like on Windows 8, it does not behave exactly like in Windows 7.

It may “look” exactly the same though.

 

2 users thanked author for this post.

Elly, Noel Carboni

Reply | Quote

Why the secrecy?

Windows 11 Pro version 22H2 build 22621.2361 + Microsoft 365 + Edge

Reply | Quote

Spend the time to find out. 😉

 

1 user thanked author for this post.

Noel Carboni

Reply | Quote

Many thanks for the pointer ………. oh! ………. wait! …

Windows 11 Pro version 22H2 build 22621.2361 + Microsoft 365 + Edge

Reply | Quote

Local account only for sure.  I don’t use Windows “apps” or any Microsoft cloud services, so there is no need to stay connected.

As a rule, I don’t stay logged into any social networks either, unless I am actively using them.  If you use your Facebook account to log into everything else, you are very “connected”  🙂

My email client only logs into my email server long enough to retrieve new messages.

I use Google and Dropbox, but don’t stay logged in there either.

I view signing in to anything to be on an “as needed” basis only.  Like this forum, for example 🙂

Windows 10 Pro 22H2

Reply | Quote

“Some criticize my choice, but I have never experienced a downside to disabling UAC entirely . . .”

Well, I’m glad that’s worked for you, but it sounds analogous to “I like to drive 100mph without wearing a seat belt, and so far I haven’t crashed into anything.”

2 users thanked author for this post.

MrJimPhelps, b

Reply | Quote

driftless wrote:

“Some criticize my choice, but I have never experienced a downside to disabling UAC entirely . . .”

Well, I’m glad that’s worked for you, but it sounds analogous to “I like to drive 100mph without wearing a seat belt, and so far I haven’t crashed into anything.”

🙂 It didn’t “work for me” by accident, I can assure you.

Is it so hard to imagine that someone could be adept enough at using a product that the training wheels actually slow them down? Or that someone could understand and set up a security environment well enough to have malware protection in entirely another league beyond what everyone gets out of the box?

Not everyone falls off Niagara Falls because there’s no guard rail. Some just enjoy the better view.

Hey, I’m just trying to share what I know here. When I try to learn to do things better I am more likely to ask “how did you manage that?” instead of trying to find fault.

Your mileage may vary. Mine does, especially above 100 mph. 😀

-Noel

Reply | Quote

b wrote:

So what has changed in this respect with Windows 8/10?

You SERIOUSLY didn’t know that no matter the settings you choose, UAC is on all the time in Win 8 and 10 (unless a registry or group policy tweak is done)?

Depending on what you are doing with your computer system, there is a usability difference between Windows 7 with UAC turned off via settings vs. Windows 8+’s most permissive setting.

Ever have Explorer refuse to copy a file to where you want it? There are some things you just can’t do directly. Beyond permissions issues, file system and registry virtualization mean that the system second guesses where you’re working and secretly puts things in other places because “it knows better”.

-Noel

2 users thanked author for this post.

Elly, ch100

Reply | Quote

Noel Carboni wrote:

You SERIOUSLY didn’t know that no matter the settings you choose, UAC is on all the time in Win 8 and 10 (unless a registry or group policy tweak is done)?

Depending on what you are doing with your computer system, there is a usability difference between Windows 7 with UAC turned off via settings vs. Windows 8+. Ever have Explorer refuse to copy a file to where you want it? There are some things you just can’t do directly. Beyond permissions issues, file system and registry virtualization mean that the system second guesses where you’re working and secretly puts things in other places because “it knows better”.

-Noel

Yes, SERIOUSLY. Why would I? Since I intend to never switch off UAC for myself or anyone else.

But you clearly have a much broader definition of UAC than me (and most people, in my opinion). If I change Windows 10 UAC settings I can prevent privilege-elevation prompts. That’s UAC off to me and most users. Your definition of “on all the time” must mean something different.

This article says that only poorly written apps need the registry hack in addition to the setting:

Disabling User Account Control (UAC) in Windows 8

Windows 11 Pro version 22H2 build 22621.2361 + Microsoft 365 + Edge

Reply | Quote

It’s not applications that bother me, but the OS itself whose behavior changes unacceptably with UAC enabled.

The definition of a Windows feature isn’t opinion-based.

-Noel

Reply | Quote

If I am ever forced to use Windows 10, then I will only use a local account. Woody’s “only” reason is good enough for me.

Hope for the best. Prepare for the worst.

Reply | Quote

GoTheSaints wrote:

I know by being banned, you lose all the MS brownie points you gained because you have to start anew with a new account and you then have to rebuild your reputation again. 

That would provide quite a disincentive for anyone who cares about reputation points to provide criticism of MS or its products– even when they desperately need to hear such criticism.  People don’t volunteer their time because they have a disdain for MS and Windows (as a Win 10 detractor, I’ve been accused of being anti-MS and anti-Windows even as I am trying to get through to MS so they improve their products so I can keep using them as I have for more than 25 years)… they do it because they’re enthusiastic and want Windows to be as good as it can be, which you’d think MS would appreciate.

If, of course, the goal was for Windows to be as good as it can be from the perspective of the customer.  If their goal was to run roughshod over their customers while claiming to be working in their favor… well, they’d do exactly what they did.

Like Noel, I am a member of many different tech forums (I’ve seen his posts in a lot of them!), and this is far from the first time I’ve read about MS banning people for criticizing Windows 10.  By all accounts, they purged the forum of all who weren’t MS fanboys who would cheerfully say that anything MS did was the best, most brilliant thing ever, and then claimed that Windows 10 was made with unprecedented levels of customer feedback.

Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon
XPG Xenia 15, i7-9750H/16GB & GTX1660ti, KDE Neon
Acer Swift Go 14, i5-1335U/16GB, KDE Neon (and Win 11 for maintenance)

Reply | Quote

+1

Reply | Quote

“By all accounts, they purged the forum of all who weren’t MS fanboys who would cheerfully say that anything MS did was the best, most brilliant thing ever”

I know a few of these “fanboys”. For them, Microsoft can do no wrong, and the solution to all of your computing problems is to upgrade to whatever is the newest version of Windows. That’s the “advice” they will give you, even if you have just given a list of problems that upgrading has caused your computer.

Group "L" (Linux Mint)
with Windows 8.1 running in a VM

Reply | Quote

Noel Carboni wrote:

driftless wrote:

“Some criticize my choice, but I have never experienced a downside to disabling UAC entirely . . .” Well, I’m glad that’s worked for you, but it sounds analogous to “I like to drive 100mph without wearing a seat belt, and so far I haven’t crashed into anything.”

It didn’t “work for me” by accident, I can assure you. Is it so hard to imagine that someone could be adept enough at using a product that the training wheels actually slow them down? Or that someone could understand and set up a security environment well enough to have malware protection in entirely another league beyond what everyone gets out of the box? Not everyone falls off Niagara Falls because there’s no guard rail. Some just enjoy the better view. Hey, I’m just trying to share what I know here. When I try to learn to do things better I am more likely to ask “how did you manage that?” instead of trying to find fault. Your mileage may vary. Mine does, especially above 100 mph. -Noel

Noel, I apologize if my reply seemed snide, as I value the standard of civility that is observed in the AskWoody forums and I hope I did not run afoul of it.

UAC is a core security benefit of modern Windows, and in my experience, it is a negligible inconvenience. When I am building up PCs for my employer, I use our local admin account to install drivers and software. For Win7, a user profile transferred with USMT places a command prompt at the top level of the (otherwise empty) Start Menu. With that, I can right click, choose Run as Administrator, approve the UAC prompt, then install most of what I need to without further prompts, using batch files. In 8.x and 10, Windows key+a fires up an admin command prompt, a slightly shorter route to the same useful destination.

On my production 8.1 PC, I run as a Standard user and elevate through UAC when necessary, a slight inconvenience.

Please consider the possibility that we’ve all benefited from herd immunity, i.e., that with the OS attack surface reduced because of UAC, Windows is a less attractive target, leading crackers to turn their attention elsewhere (Flash, infected PDFs, JRE etc.). Thus we may find an ethical aspect to observing best practices, as it benefits not only ourselves but the broader ecosystem as well.

I’m not suggesting how you should run your own environment, merely offering some food for thought.

1 user thanked author for this post.

Noel Carboni

Reply | Quote

It’s always reasonable to question what seems at odds with what others are saying.

I never take offense because debate is healthy – it’s how we all learn. 🙂

I’m proud to say I’ve never contracted a digital infection nor spread malware, and I hope for that to be the case with everyone.

-Noel

1 user thanked author for this post.

driftless

Reply | Quote