Windows 11

Mercutio

Fatwah on Western Digital
Joined
Jan 17, 2002
Messages
21,607
Location
I am omnipresent
Tiny 11 Builder has been updated to support all Windows 11 releases. It's basically a long PowerShell script that pulls out a list of bullshit Windows Store applications, but it also gives your Windows 11 install an Edge, Media Player and OneDrive-ectomy. The script is very easy to read and modify, if for example you'd rather keep Media Player and the News apps while saying goodbye to Teams and Clipchamp.

My biggest headache with customizing any Windows 11 ISO is ensuring that I have storage and USB drivers for 12th-gen+ Intel systems. Every time I think I have all the drivers I'll need for that, I run into some new bullshit laptop that expects a slightly different combination of stuff than I had prepared. AMD? It's all fine and good. Have a party. Intel? Sometimes a wired USB mouse won't even work during Windows installation. Thanks, guys.
 

sedrosken

Florida Man
Joined
Nov 20, 2013
Messages
1,602
Location
Eglin AFB Area
Website
sedrosken.xyz
Yeah, I don't know what's up with Intel-based laptops these days, but on 11th gen and newer I've reliably had no mouse in setup, and especially on HP implementations they seem to like to enable RST for no good reason with no way to turn it off, necessitating installation of disk controller drivers during setup that reminds me of the bad old times trying to get AHCI working on XP boxes. I am quite glad to see NTDEV's pivoted more toward distributing the scripts rather than images -- not that I personally didn't trust them, but I've seen the concern raised several times and I've heard of enough "light" images in the past turning out to have been compromised that I'm a lot happier to use a script that I can read through and kind of understand what it's doing by comparison.

Merc, have you heard anything about Edge/Media Player and friends showing back up after Windows updates? I imagine it'd be a much bigger issue for build upgrades but I've heard from a few of my users that apps they uninstalled seem to come back every time our RMM lets updates go through.
 

Mercutio

Edge and Media Player aren't the ones I hate, but yes, I've seen OneDrive come back in spite of Group Policies and removing the binaries and registry entries for it. Microsoft is VERY thorough in re-adding it in spite of any precaution to keep it off computers.

I manually used the ADK to build my Windows 11 install media with a baseline for a Ryzen 7000 notebook and a 12th gen Intel something. It has updates, custom folders (I toss all my extra utilities in C:\bin) and various scripts to run after the install. The total size for the whole thing is just over 7.8GB, and almost all the extra is drivers. And it probably STILL won't cover every Intel RST/USB scenario. Importantly, I do not give the option to complete setup with a Microsoft account at all. They can add it back on their own.
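
An audit for the reappearing-apps question raised in this exchange, as an added example that is not part of either post or of Tiny 11 Builder: it reports watched Store packages that are provisioned or installed again and exits non-zero so an RMM can flag the machine. The package names in the watch list and the OneDrive paths are assumptions about a typical Windows 11 install; adjust them to match what your own build removes.

```powershell
#Requires -RunAsAdministrator
# Added example: report removed apps that have returned after an update.
# ASSUMPTION: watch-list names and OneDrive paths reflect a typical
# Windows 11 install; edit them to match what your build script removes.
$WatchList = @(
    'Clipchamp.Clipchamp'
    'MicrosoftTeams'
    'Microsoft.BingNews'
    'Microsoft.ZuneMusic'    # the Store "Media Player" package
)
$OneDrivePaths = @(
    "$env:SystemRoot\System32\OneDriveSetup.exe"
    "$env:ProgramFiles\Microsoft OneDrive\OneDrive.exe"
    "$env:SystemDrive\Users\*\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
)

function Get-ReturnedApp {
    param([string[]]$Watch, [object[]]$Provisioned, [object[]]$Installed)
    foreach ($name in $Watch) {
        # Provisioned = staged in the image, installed for every new profile.
        $prov = @($Provisioned | Where-Object { $_.DisplayName -eq $name })
        # Installed = registered for at least one existing user.
        $inst = @($Installed | Where-Object { $_.Name -eq $name })
        if ($prov.Count -gt 0 -or $inst.Count -gt 0) {
            [pscustomobject]@{
                Package     = $name
                Provisioned = $prov.Count -gt 0
                Installed   = $inst.Count -gt 0
                Versions    = (@($prov.Version) + @($inst.Version) |
                               Where-Object { $_ } | Sort-Object -Unique) -join ', '
            }
        }
    }
}

$findings = @(Get-ReturnedApp -Watch $WatchList `
    -Provisioned (Get-AppxProvisionedPackage -Online) `
    -Installed   (Get-AppxPackage -AllUsers))

# OneDrive is a Win32 install rather than a Store package: check files on disk.
$oneDrive = @($OneDrivePaths | Where-Object { Test-Path $_ } |
              ForEach-Object { (Resolve-Path $_).Path })

$findings | Format-Table -AutoSize
$oneDrive | ForEach-Object { "OneDrive binary present: $_" }

# Non-zero exit lets an RMM or scheduled task flag the machine.
if ($findings.Count -gt 0 -or $oneDrive.Count -gt 0) { exit 1 } else { exit 0 }
```

Running it before and after each update cycle shows whether a package came back as provisioned (it will install for new profiles) or only as a per-user install.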
 

Mercutio

Apparently, Windows 11's next big update is going to start pressuring users on local accounts to switch to Microsoft accounts. This is a whole new level of aggravation, and something that's not going to get better in Windows 12.
 

LunarMist

I can't believe I'm a Fixture
Joined
Feb 1, 2003
Messages
16,695
Location
USA
Isn't that what they are already doing unless you take extra measures to disable that?
 

Mercutio

> Isn't that what they are already doing unless you take extra measures to disable that?

They're going to start bitching for local accounts that already exist.
How long until people with non-federated on-premises domain accounts get the same treatment?
 

ddrueding

Fixture
Joined
Feb 4, 2002
Messages
19,534
Location
Horsens, Denmark
My laptop did exactly that after a recent update. After the reboot it presented me with the "create an online account" window. Fortunately there was a "no" button that, after showing a bunch of warnings, allowed me to continue.
 

LunarMist

> They're going to start bitching for local accounts that already exist.
> How long until people with non-federated on-premises domain accounts get the same treatment?

So that means the computer has to be connected to the internet forever after that? :(
I'm thinking of only connecting the computer online every month or so and wiping/restoring it each time. I'm pretty much done with the Topaz or any software that needs internet all the time.
 

Mercutio

It's not so much that it must be connected to the internet forever, but it has to be connected for the Microsoft account to be set up. Current standards also default to encrypting the primary drive with BitLocker and creation of a PIN that is emphatically not the password associated with the named account. It can also mess with what would normally be transparent authentication between Windows PCs, if you're used to stand-alone home or small office systems.

All in all, it's just not something I want to bother with or be bothered by.
 

LunarMist

> It's not so much that it must be connected to the internet forever, but it has to be connected for the Microsoft account to be set up. Current standards also default to encrypting the primary drive with BitLocker and creation of a PIN that is emphatically not the password associated with the named account. It can also mess with what would normally be transparent authentication between Windows PCs, if you're used to stand-alone home or small office systems.
>
> All in all, it's just not something I want to bother with or be bothered by.

So the PIN is per computer/ssd and the account is for the user tracking?
Do you need to log in with the PIN every time?
 

ddrueding

You have a password and a PIN. By default you are able to log in with the PIN. The frustrating thing for me is that people entirely forget their password a week after they set up their PC (because they never have to use it), then when I need the actual password for admin-type stuff (or even just LogMeIn remote access), they keep insisting that their password is their PIN.
 

LunarMist

I am still confused. Normally I have no password or PIN for Win 10. I set a PW for a travel laptop, but not a PIN. In Win 11 I have to know the PIN and PW for each computer?
 

Mercutio

Microsoft has users create a Microsoft Account with an email address and a password.
Microsoft has a separate security system called Windows Hello, which can be tied to a local OR a Microsoft account and can use secondary authentication methods like facial recognition, fingerprint reader or, most often, a short PIN. IIRC, four-digit PINs are A-OK.

Windows Hello can fail for a bunch of reasons, and then your face / fingerprint / PIN stops working to authenticate your access. If you've been using the PIN constantly for as long as you've had the computer, and never had even one reason to go look at something on your Microsoft account in any other way, you have to hope you provided proper recovery email and/or SMS-able telephone numbers on your account, or you're left in the same state as the guy with dementia I was dealing with a couple weeks ago.
 

LunarMist

From what I understand the Hello only works with laptops. Assuming the email is gone and a PIN is not developed, can one just use a PW like in the old days? Or does it communicate something with the MS? Maybe using MS is a form of dementia itself?
 

jtr1962

Storage? I am Storage!
Joined
Jan 25, 2002
Messages
4,184
Location
Flushing, New York
I don't recall being asked for a PIN when I set up my new laptop. It is set to log me in with facial recognition. Maybe to future-proof that against my appearance changing radically I should make a cast of my face.

Merc, I wonder if you could get an artist to do something similar with that guy who can no longer log on to his computer? If they have a few old photos of his, they can probably make something close. There's also 3D software which made models of faces from front and profile photos.
 

Mercutio

> From what I understand the Hello only works with laptops. Assuming the email is gone and a PIN is not developed, can one just use a PW like in the old days? Or does it communicate something with the MS? Maybe using MS is a form of dementia itself?

Windows Hello is available on all Windows 10 and 11 computers. It is a form of extensible authentication that can use a PIN or a card/NFC reader or a biometric sensor. If I happen to conduct an e-commerce transaction from MS Edge, it'll try to fill card details it imported from some other browser and prompt for the card verification code. After I have provided that, Edge will cheerfully tell me it can use my Windows Hello credential (a PIN or a fingerprint) instead.

If Windows Hello credentials are deemed invalid for some reason, users can THEN use the login and password they created, if they know them. One reason I am aware of that can invalidate Windows Hello is using a device on a new network, or booting Windows on a computer that doesn't have all the same sensors as were found on its previous hardware, but I've also seen it happen with Windows home PCs just at random.
 

LunarMist

So if I deliberately invalidate the Hello and discard the account activation email address, then can I use the traditional password method and unencrypt the C: partition? Can I change the password and do everything normally, or do I need to log in with the email and PW and be online?
I clear the browser cache constantly and usually restore the C: drive, so there is no sensitive information stored locally.
 

jtr1962

> There are normally two image sensors, one for tricolor visible light and one for IR to confirm that the head is real.

That explains why using a picture doesn't work. I guess if you cut off someone's head and attempted to use that to log in it wouldn't work, either. I'm surprised more fingerprint ID sensors don't use IR also. True story here: one of my family members was scammed by someone. A relative (who is now dead) may have been connected to Cosa Nostra. My mother was very secretive about what he did for a living. Anyway, this person cut off the index finger of the perpetrator, used it to access his workplace, and took back all the stolen money, and then some. It's a bit of a mystery what the final disposition of the perpetrator was, but I'll guess since he was into online scamming he lost more than just his index finger. Hard to use a computer with no fingers, possibly no arms knowing my relative. Anyway, had the fingerprint ID system used IR, the finger "trick" wouldn't have worked.
 

Mercutio

> So if I deliberately invalidate the Hello and discard the account activation email address, then can I use the traditional password method and unencrypt the C: partition? Can I change the password and do everything normally, or do I need to log in with the email and PW and be online?
> I clear the browser cache constantly and usually restore the C: drive, so there is no sensitive information stored locally.

You can ALREADY just create a local account and use any account belonging to the Administrator group to decrypt the PC. You don't have to do anything with Windows Hello at all for that. It's just that future versions of Windows are going to nag you about not being in a Microsoft-approved configuration.
 

jtr1962

Honestly, I smell a big class-action lawsuit against MS for stuff like this. You shouldn't have to jump through all their hoops just to access your own data. I get security to some extent but you should be able to disable it. I'm the only one who will ever access my PCs. Nobody lives with me. Even when my mother was alive she was more or less computer illiterate. That was before she got dementia. Other than my new laptop, I can't physically take any of my computers with me. My laptop would never be out of my sight if I did bring it on a trip. So why can't I disable all the security BS? I'd just want to keep the parts which prevent people from hacking into my system online.
 

LunarMist

> You can ALREADY just create a local account and use any account belonging to the Administrator group to decrypt the PC. You don't have to do anything with Windows Hello at all for that. It's just that future versions of Windows are going to nag you about not being in a Microsoft-approved configuration.

Yes for now, but I assumed the concern is that the nagging will be changed to a mandatory requirement.
 

LunarMist

> Honestly, I smell a big class-action lawsuit against MS for stuff like this. You shouldn't have to jump through all their hoops just to access your own data. I get security to some extent but you should be able to disable it. I'm the only one who will ever access my PCs. Nobody lives with me. Even when my mother was alive she was more or less computer illiterate. That was before she got dementia. Other than my new laptop, I can't physically take any of my computers with me. My laptop would never be out of my sight if I did bring it on a trip. So why can't I disable all the security BS? I'd just want to keep the parts which prevent people from hacking into my system online.

I suppose they will argue that there is enough competition that you don't need to use MS if the T&C are not to your liking.
Most of the CA suits are because a product does (or does not do) something in the T&C and that you were not informed about it.
 

jtr1962

> Who wants to listen to some kind of angry fool? There is no credibility.

He repairs PCs for a living, so that at least gives him some credibility.

Truth is people are too complacent. We should have nipped this whole thing in the bud years ago. It's not just happening with PCs, either. Too many things are becoming rentals instead of buy once and use forever.
 

LunarMist

Pretty much everything is becoming a service. Of course there are strong business reasons for that regardless of the negative impact to individual users. Unless you can develop a better model, it will be difficult to sell the 20th century mentality in the 2020s.
 

jtr1962

> Pretty much everything is becoming a service. Of course there are strong business reasons for that regardless of the negative impact to individual users. Unless you can develop a better model, it will be difficult to sell the 20th century mentality in the 2020s.

The 20th century model worked fine. The problem is businesses think their profit margins should be a lot higher now. It's the difference between making a reasonable profit providing a good or service, versus an obscene profit. It's also the result of de facto monopolies like Microsoft. In theory there may be alternatives. In practice for many businesses and people using the alternatives would at least temporarily hurt your competitiveness. And some of the alternatives to Microsoft are as bad or worse (i.e. Apple).
 