Windows 11

Mercutio

Fatwah on Western Digital
Joined
Jan 17, 2002
Messages
21,564
Location
I am omnipresent
There's an issue now with Windows 11 that can prevent systems from booting under some circumstances. When installed on a new PC, Windows 11, even Home edition, now encrypts drives by default. Assuming the user can remember their Microsoft Account info, they can sign in to their account on Microsoft to recover the decryption key, which is 48 digits long. Anyone who has ever had to do boot time troubleshooting on Windows knows how many times you'll wind up having to reboot a PC to fix something. That translates into repeatedly typing in a 48 digit key over and over to allow access to the encrypted volume. What fun.
 

LunarMist

I can't believe I'm a Fixture
Joined
Feb 1, 2003
Messages
16,625
Location
USA
Is it possible to remove encryption after installation? What happens when you swap drives around, use Acronis, Macrium, etc.? I'm not liking this at all.
 

Mercutio

You can remove the encryption if you'd like. It only takes a few minutes to decrypt a whole SSD. Whole drive encryption used to be a feature only in the more expensive versions of Windows, so I was surprised to see it on machines running Windows Home edition. The question of what happens with encrypted data depends on the software and the state of the drive when the backup is created. Some tools will make an encrypted backup. Some will copy the raw data that's present. Some will just refuse to work. What fun, right?

In theory, the recovery key should be stored with your Microsoft Account, can be backed up to an external device like a USB drive or it can be put in trust for a key recovery agent within a relevant organization. I'm a little bit concerned and haven't had a chance to test what happens when a Windows 11 PC that meets the requirements for hardware encryption (TPM chip etc) isn't configured with a Microsoft Account or domain membership in the first place. I HOPE it doesn't encrypt in that case.

I'm pretty sure the Thinkpad I just got from Lenovo also had its drive encrypted by default but of course the first thing I did with that thing was blow away whatever was there with my own Windows 10 system image.

I don't see Windows Home editions very often but between UEFI/Secure Boot and now encryption by default, Microsoft is really doing everything it can to make boot-time tools impossible to use on new computers.
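Added example, not part of the thread: a PowerShell script for the situation discussed above (default-on drive encryption, the 48-digit recovery key, repeated reboots during troubleshooting, and decrypting afterwards). It assumes an elevated session with the BitLocker PowerShell module available; the script parameters and the `E:\` path are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread). Parameter names and paths are hypothetical.
param(
    [string]$MountPoint = $env:SystemDrive,          # OS volume, normally C:
    [string]$BackupPath,                             # e.g. E:\recovery-key.txt on a USB stick
    [ValidateRange(0, 15)][int]$SuspendReboots = 0,  # 0 here means "do not suspend"
    [switch]$Decrypt                                 # permanently remove encryption
)

$vol = Get-BitLockerVolume -MountPoint $MountPoint

# 1. Report what the installer actually did to this volume.
#    An encrypted volume with ProtectionStatus Off has its key stored
#    unprotected on disk: no recovery prompt, but no confidentiality either.
[pscustomobject]@{
    MountPoint       = $vol.MountPoint
    VolumeStatus     = $vol.VolumeStatus
    ProtectionStatus = $vol.ProtectionStatus
    EncryptedPercent = $vol.EncryptionPercentage
    Protectors       = ($vol.KeyProtector.KeyProtectorType -join ', ')
} | Format-List

if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    Write-Host "$MountPoint is not encrypted; nothing to do."
    return
}

# 2. Save the 48-digit recovery password somewhere other than the encrypted
#    volume before doing any boot-time work.
if ($BackupPath) {
    $full = [System.IO.Path]::GetFullPath($BackupPath)
    $root = [System.IO.Path]::GetPathRoot($full).TrimEnd('\')
    if ($root -ieq $MountPoint.TrimEnd('\')) {
        throw "Refusing to store the recovery password on $MountPoint itself."
    }
    $recovery = @($vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    if ($recovery.Count -eq 0) {
        Write-Warning "No recovery password protector exists on $MountPoint."
    } else {
        $recovery | ForEach-Object {
            "Protector ID:      $($_.KeyProtectorId)"
            "Recovery password: $($_.RecoveryPassword)"
            ""
        } | Set-Content -Path $full -Encoding ascii
        Write-Host "Wrote $($recovery.Count) recovery password(s) to $full"
    }
}

# 3. For a troubleshooting session with several reboots, suspend protection
#    for a fixed number of restarts instead of typing the key each time.
#    Protection resumes by itself once the count is used up.
if ($SuspendReboots -gt 0) {
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount $SuspendReboots | Out-Null
    Write-Host "Protection suspended for the next $SuspendReboots reboot(s)."
}

# 4. Remove encryption entirely. Decryption runs in the background;
#    poll until the volume reports FullyDecrypted.
if ($Decrypt) {
    Disable-BitLocker -MountPoint $MountPoint | Out-Null
    do {
        Start-Sleep -Seconds 10
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
        Write-Host "Still encrypted: $($vol.EncryptionPercentage)%"
    } while ($vol.VolumeStatus -ne 'FullyDecrypted')
    Write-Host "$MountPoint is fully decrypted."
}
```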
 

sedrosken

Florida Man
Joined
Nov 20, 2013
Messages
1,590
Location
Eglin AFB Area
I had to use an obscure key combination to bring up a CMD window to bypass the OOBE on the laptop I bought my sister for Christmas -- she doesn't have a Microsoft account presently, and I wanted to make it her decision to make one rather than have Microsoft try and force her into it.

I finally took the plunge and upgraded my work laptop since we're kicking the tires and looking at a possible company-wide deployment sometime early 2024. Thankfully the worst of the UI BS can be worked around, but at the same time I feel like I'm not getting the full picture of what using 11 is like if I do work around them, so I'm torn. I have to be able to, actually, y'know, work, but at the same time I need to get proficient with doing things the 11 way so I can properly support my users.
 

Mercutio

You CAN use Rufus to prepare an install image that drops the MS account requirements. Most of the integrations for the account boil down to redirecting folders to Onedrive (no, thank you) and having a place to put the default-on Bitlocker recovery key.
 

sedrosken

Right, but this was a Dell refurb I wanted to keep the (two year!) warranty on, I wasn't sure what it does and doesn't allow me to change (and was too lazy to read the terms) so I was hesitant to reformat and reinstall just for that. Frankly, if I was going to do that, I would have just installed 10 since it's a Zen3 laptop that doesn't need 11 for a competent CPU scheduler or anything.
 

Mercutio

The hardware warranty in no way depends on the state of software on the PC. We won that fight in like 1998. When I ship an in-warranty laptop for service, I remove the drive before I ship it anyway; I've heard of people getting their laptop factory reset too many times to trust anything else.
 

sedrosken

Hmm. Maybe I will just nuke it and install 10 over the weekend then, before I send it out to her.

Dell is at least a heck of a lot better about not preloading a ton of bloatware than they used to be -- the only thing I actually uninstalled was McAfee. It's just a shame Microsoft themselves are a lot worse about it than they've ever been.
 

sedrosken

For giggles I installed 11 fresh on my main desktop, to kick the tires a little between reinstalls of 10. Since all my user data lives on my NAS and I have a decent internet connection now, it doesn't matter much what I run on there day-to-day since there aren't any huge backup/restore operations involved. I installed the latest version, 22H2.

I spent an hour trying to set my default file viewer for JPG, JPE, PNG etc to IrfanView. It just would not do it! And for JPE, JPG and PNG specifically it straight up pretended the formats didn't exist!!

Turns out if you have the new version of the Microsoft Photos app installed (and 22H2 comes with it pre-installed), it locks your defaults. This is beyond ridiculous, beyond Orwellian -- it ought to be flat-out illegal. From what I understand this is expected and intended behavior. I could be wrong, and it could just be an exceptionally convenient bug. I'm surprised it even let me uninstall the app at all knowing all that.
 

LunarMist

What happens if the user updates to Windows 11 from 10? Can PS still be used to open everything from the Explorer?
 

sedrosken

IME every user setting that couldn't potentially cause a problem (for MS's bottom line, anyway) gets preserved. Essentially your default apps are reset to Microsoft's recommendations, but there's nothing stopping you from setting them back... until another update reverts them again.
 

Mercutio

> What happens if the user updates to Windows 11 from 10? Can PS still be used to open everything from the Explorer?

You'll have your default Mail, Web Browser, Image Viewer and Media Player set to a default Microsoft application. If you have software that's known to be incompatible with Windows 11 (eg Flash Player), it'll be removed.

You'll be pressured to make a Microsoft account if you don't have one.

Microsoft JUST made the UI for selecting default applications less stupid, but not as unstupid as it was on Windows 7 or 10.
 

sedrosken

It's been my experience, especially on big build-changing updates, that it resets all my defaults again. It's almost to the point where I want to just break down and stop bothering with anything else, and that's exactly what they're going for, my guess anyway.
 

Mercutio

If you REALLY want to fix it for all time and don't mind breaking out a bazooka, you can force the matter with a group policy object. Here's an article that explains it. The GPO overrides any BS Microsoft does, even with full OS upgrades.

One of the companies I support uses NitroPDF Pro on every system and the sheer number of things that try to steal PDF handling is kind of crazy.
 

Mercutio

Something I just found out is that the firmware ID string overrides the online Windows activation database. I have an Asus Zenbook that I switch up for making and testing system images and I just noticed that when I applied the Win 11 Pro image that should activate through online entitlement, it told me it's unlicensed, even though the same PC was valid for Windows 10 Pro and was allowed to activate with the initial release of Windows 11 Pro. Once I switched it back to Win11 Home, it won't take the same Pro key it had before. It's not the end of the world since I am just applying updates and imaging, but I do have a finite number of "free" Windows Pro licenses.

Windows 11 is the first version where I'm trying to preserve the Home system image, because the release media didn't force a Windows account and the updated ISO does. I'd rather work from an updated system that doesn't force the matter than deploy workarounds, even if I do think Microsoft will respect an answer file for some time to come.
 

LunarMist

I have no idea of most of what you say, but it seems quite hopeless for a normal person. It sounds like you cannot easily do an upgrade without an account. My 2021 computer that came with 11 Home was demanding of an account just a couple months after 11 existed.
Is there any meaningful difference between Home and Pro if you are not working with a business AD etc.?
 

Mercutio

> I have no idea of most of what you say, but it seems quite hopeless for a normal person. It sounds like you cannot easily do an upgrade without an account. My 2021 computer that came with 11 Home was demanding of an account just a couple months after 11 existed.
> Is there any meaningful difference between Home and Pro if you are not working with a business AD etc.?

I'd say that it depends on your expectations. I like having access to group policies and remote desktop and I always assume that Windows computers have those things, but home edition doesn't. You can use things like VNC or use various tricks to enable proper RDP, but I'd rather just have it. Home edition's administrative controls look different and I don't always remember how.

There ARE workarounds if you don't want a Microsoft account, but it's a legitimate mess. Tell the Win11 OOBE that you want to join a domain and give it an invalid email, use an answer file, create your media with Rufus, install from the original Windows 11 media. If you're like me and legitimately use lots of personal machines, even giving in and making the account is a hassle because Microsoft only allows individuals to associate 10 devices with their account. If I actually want "a" Microsoft account to work as intended, I have to go through contortions to keep multiple IDs in sync (for password and personal security certificate sync) or run my own private Active Directory.

I'll also say that I think the value of a Microsoft account is dubious for most end users. Onedrive keeps 15GB of user files in Microsoft's cloud, whatever the first 15GB is. Hope you aren't a big fan of keeping music in your Music folder or video projects in your Videos folder! If it fills up, user files will start saving to the normal directory structure and now home directories are scary and confusing because some stuff will be local and some will be under Onedrive. Great. Password and certificate syncing is nice and it's welcome, but Microsoft does NOT explain how an account, a password, a PIN or Windows Hello are different without actual research that basically no home user is ever going to do. As much as I want to pick on people for not knowing an important password, Microsoft is prompting them for an EMAIL ADDRESS and if I had to guess, 95% of consumer Windows users also re-use the same password they have on their email account when they're told to set a password for that... and worse, they're also immediately asked to set a PIN, which is different from and can replace their password on a device, until something happens and the PIN isn't authorized and Microsoft expects the password again. The whole thing steps on my last nerve with Windows.

Apple has a similarly low number of allowed devices although I think it treats iOS and MacOS differently. Google is at least kind enough to keep all my Android and ChromeOS devices active on one account until I manually delete them.
 

Mercutio

Just today, I'm finally getting around to doing something with Windows Server 2022. I upgraded things to 2019, and no one has any real interest in upgrading for no reason, so it hasn't been on my radar.

Server 2022 does not have a mandate for Microsoft accounts, nor can Windows Store software be installed. It doesn't have the incredible majority of the telemetry BS in Windows 11.

The down sides are pretty small: it deliberately misses support for common integrated NICs and Wifi (this can be fixed but it's a hassle); most consumer AV software doesn't run, and you'll have to do a tiny bit of work to make sound or Bluetooth operate, if those are things you care to have. I'm also aware that popular and god-awful chat software Discord won't run on Windows Server, but that's a feature IMO.



Grey market Windows Server licenses cost about the same amount as grey market Windows desktop licenses. Somewhere between $25 and $50 will get a working product key.
 

Handruin

Administrator
Joined
Jan 13, 2002
Messages
13,737
Location
USA
It's been a long time since I've deployed a windows server product, the last may have been server 2012.

What kinds of things are you using it for these days or is this mainly to learn and stay updated?
 

Mercutio

> It's been a long time since I've deployed a windows server product, the last may have been server 2012.
>
> What kinds of things are you using it for these days or is this mainly to learn and stay updated?

Right now it's just learning. None of my customers are a good fit for Azure, which is absolutely the end goal of everything Microsoft is doing now. I totally understand why you aren't messing with it any more. A lot of SMB systems expect a Microsoft environment and even though MSSQL and .net code run fine on Linux now, often the applications my customers rely on will throw in other requirements that don't play so nice.

Azure needs a serious pricing adjustment for small business. 10-person businesses can't work with the expectation of $2500 monthly bills for IT services, which is what MS wants out of them.
 

Handruin

I hear ya on the gap between the major enterprise cloud services and the SMB market. That cost is no joke and it's a gut punch getting their first bill. The enterprise cloud market really wants the big fish revenue.

I know there are mid-tier offerings from the likes of Linode and DigitalOcean to name a couple but they can also be expensive and lacking in needed functionality like in a full Microsoft shop.
 

Mercutio

One tiny and weird hitch for using Server 2022: the trial version is considered a separate SKU from Standard Server or Datacenter. A valid product key for one of those doesn't work with the trial software. There's still a fix, which is to remove your existing trial key with a publicly-known default key for Server Standard:

dism /online /set-edition:serverstandard /productkey:VDYBN-27WPP-V4HQT-9VMD4-VMK7H /accepteula

You'll be asked to reboot. Open up your choice of command interpreter and run this:

cscript slmgr.vbs /upk
slmgr.vbs /cpky
slmgr.vbs /ipk [your legal and totally legit provided key]
 

sedrosken

Well that's downright annoying, isn't it? I already had to do a rain dance and throw salt behind my shoulder to get Windows 10/11 to upgrade from Home to Pro on an OEM key, but that is at least understandable to a certain extent. It boggles my mind that they seem to expect you to completely reinstall a server product that you might already be using in production to properly license it.
 

Mercutio

I suspect that Microsoft considers Windows Server the way it considers Office Professional: it's not something that consumers are ever supposed to have.

Office 2021 was the first release of Office Pro 2013 that had a single user perpetual license SKU. 2016 and 2019 were not available to end users outside a volume license.

I'm probably going to have to ask the guys at my datacenter if they have a retail disc or ISO of it that I can rip. I don't know that I trust getting the disc image from some random torrent site.
 

sedrosken

The way I handled deploying Office 2021 (we used it for a mass deployment on some Surfaces before we wisely just began selling them Microsoft 365 on a tenant account in yearly commitments instead) was I used the Office Deployment Tool to download the data for 2021, then used the same tool on the target machine to install it after copying it in from a thumb drive. It's a little more cumbersome than just... having an ISO to rip... but it works well enough.

What did not work well enough was how they handled those single-user licenses. Activation requires a Microsoft account. We ended up associating 25 licenses per account for several accounts, as directed by one of our contacts with our reseller, but that was its own big dumb nightmare. I won't do it again. If a client wants Office 2021 perpetually licensed as opposed to paying for 365, they can buy it and install it and use their own Microsoft account themselves.

The push to Microsoft accounts on all fronts has been swift and brutal. In time I expect even the Shift+F10 oobe\bypassnro trick won't work to make Windows 11 finish installing without one. At that point I fully expect to need to make a master image with a local Owner account already made and to just apply it with dism or whatever. One might argue I should have been doing that anyway, but we don't have VL keys and I'm not certain how Windows goes about activating after such an installation. Will it intelligently grab the key from the UEFI firmware? Hopefully, but my experience with Microsoft products is such that I'm not willing to bet on it.
 

Mercutio

> Will it intelligently grab the key from the UEFI firmware? Hopefully, but my experience with Microsoft products is such that I'm not willing to bet on it.

The answer to that question is yes. I do maintain images with Home and Pro licenses and I check them against desktop and mobile platforms as I encounter new chipsets. I've never had a problem with Windows 10 or 11 activation on brand-name systems.
 

ddrueding

Fixture
Joined
Feb 4, 2002
Messages
19,511
Location
Horsens, Denmark
> One tiny and weird hitch for using Server 2022: the trial version is considered a separate SKU from Standard Server or Datacenter. A valid product key for one of those doesn't work with the trial software. There's still a fix, which is to remove your existing trial key with a publicly-known default key for Server Standard:
>
> dism /online /set-edition:serverstandard /productkey:VDYBN-27WPP-V4HQT-9VMD4-VMK7H /accepteula
>
> You'll be asked to reboot. Open up your choice of command interpreter and run this:
>
> cscript slmgr.vbs /upk
> slmgr.vbs /cpky
> slmgr.vbs /ipk [your legal and totally legit provided key]

Just a heads-up, I had to do this on a server that had a number of things installed, including SQL and some industrial compute-specific RTOS VMs, and it BSODed so hard I gave up and reinstalled using the key at the beginning. My old practice was to always install as a trial and enter the keys after the build was finalized. Don't do that anymore?
 

Mercutio

> Just a heads-up, I had to do this on a server that had a number of things installed, including SQL and some industrial compute-specific RTOS VMs, and it BSODed so hard I gave up and reinstalled using the key at the beginning. My old practice was to always install as a trial and enter the keys after the build was finalized. Don't do that anymore?

The trial ISO I got from MS didn't give me the opportunity to use another key during install, hence the workaround. I've always done trial and put in the key at the end as well.

I'm not sure I'd do that with a production server though.
 

Mercutio

Apparently not even Microsoft is asking its employees to transition to Windows 11 if they're happy on 10.
Maybe they know the "every other version is decent" pattern is real? Maybe it's even deliberate.

Microsoft is REALLY pushing 365 hard for end users and the current corporate messaging is modest numbers of thin clients to talk to virtualized desktop sessions in the cloud and I really wonder how long we'll still have local Windows with full OS functionality vs. RDP terminals with Xbox NanoVisor for stuff that doesn't scale well to streaming from that same cloud. We are almost back to VT-100s and 3270s.
 

LunarMist

For who, the basic office workers? For any significant workstation usage wouldn't the latency kill productivity?
 

Mercutio

> For who, the basic office workers? For any significant workstation usage wouldn't the latency kill productivity?

For a lot of people. Gaming is the most significant use case for a typical PC. If things like Geforce Now and Stadia are acceptable in general, there's not much of a case to be made for having fat client systems on the vast majority of computers.

Apple's version of this argument is contained in the idea that there's no reason to upgrade an Apple system from whatever SoC it has, even if it's an overgrown phone CPU.
ChromeOS is BASICALLY agnostic to hardware; we don't change what we're given, but also the OS doesn't run much better for being on an i5 vs a Celeron Nwhatever.

And Microsoft is absolutely evangelizing virtual machines so we can all rent our computing rather than owning what we use. It was bad enough when it was servers, but it's definitely spreading down to virtual desktops as well at this point.
 

LunarMist

But we should still have a few years when personal systems can have a regular OS?
I don't need internet very much. If the OS doesn't work without it, then I'd have to freeze it in place before then.
Mac users are going ape over the file sizes and hardware performance needed for the Adobe AI DeNoisers. Everybody is buying new gear.
 

Handruin

> For who, the basic office workers? For any significant workstation usage wouldn't the latency kill productivity?

This does hurt a little bit but at my current job, we have to use Chrome remote desktop (CRD) into our hardened cloud based system in order to do everything. We aren't allowed to have any code/content/customer data on our laptops. Everything is either CRD or tons of ssh tunnels and terminals logged in. Even my Visual Studio Code instance has to use the SSH plugin to write code that's on this cloud system (which runs a distribution of Linux).
 

Mercutio

I used to have developer environments on VMs that were secured separately from whatever the rest of their PCs were doing, but running locally. Now the virtual desktops run on the same physical hardware as the servers where their code winds up and they just get a software defined VPN for their personal access to that system. One of my devs has a habit of hosing her Windows installations and thinks she knows enough to fix things on her own (she does not), but after the third emergency where she hosed her local VMs as well, I migrated to server-side access and everything being locked down tight. Now she complains all the time about what she can't do but BYOD keeps me from having to do a bunch of extra nonsense.

I can understand the appeal for that use case and I suspect it's why Handruin lives with it as well. I think it's more dubious for a general purpose end user PC though.
 

LunarMist

I'm not sure how that will work in certain industries where the equipment/instruments are run with Windows, yet are on a totally separate network that cannot connect to the internet directly. Just updating the OS and software is a PITA process. The costs of change controls are high (I see many of those PRs), but changing hardware is much more or not even feasible depending on global regulations.
I get the feeling that Merc is not operating in a globally or even Federally regulated environment. Most companies of any size need to show they are taking fairly decent security steps these days and the "MS crapware as a service" is appealing.
 

Handruin

Federal regulations could be part of it too, and the environment I'm in is FedRAMP compliant, which is why my environment is locked down so much, and also everything I access uses a hardware FIDO2 with Titan security key with an expiring cert every 16 hours.
 

Chewy509

Wotty wot wot.
Joined
Nov 8, 2006
Messages
3,327
Location
Gold Coast Hinterland, Australia
Mini-rant about Win11...
The built in backup solutions downright suck.
  • MS has nerfed the old "Windows 7 Backup and Recovery" in ways that it fails to run the backup on a schedule, with some of the most BS reasons. (This includes using both local and remote backup destinations). IIRC, the root cause is that the scheduled task doesn't run when the machine is asleep (toggle option that isn't enabled by default, that should be), and when waking doesn't wait long enough for destinations to become active before throwing a "I can't find the destination" error, because it won't wait for external HDDs to attach or for LAN connection bring up after waking from sleep. Why can't it retry 5 times every minute before failing...
  • The "File History" backup no longer allows you to define additional folders and will only back up locations defined as Libraries, so forget backing up Thunderbird or Firefox profiles. (Not everyone uses Windows Mail with IMAP, you do know that POP3 and other far superior email clients exist, right?)
  • The recommended backup solution is now OneDrive based, and the free tier is only 5GB (gotta pay for it if you need more) and has no SLAs on data integrity or even recovery, it's best effort YOLO.
Compare that to Windows 10, where the above two issues don't exist. (Win7 backup works as you would expect and File History allows you to define additional folders).

Compared to macOS - Time machine works out of the box without having to be a sysadmin.
Compared to GNU/Linux - most of the backup solutions work and work extremely well, from roll-your-own rsync scripts to the various backup solutions offered.

And yet MS can't even get backups working...
 