[SOLVED] Professional questions about Win11

AJAshinoff

I am an IT manager with a lot of experience, going back to DOS 3.3. That's pre-Windows for the younger folks :). Today a new group of systems came in with Win11 installed. Having extensive history with MS and knowing how they operate, I'm wary of being on their bleeding edge when it comes to anything. Needless to say, particularly today, I refuse to trust them more than I need to. My questions are related to a subject that I spend way more time on these days, with pretty much everything being ON and/or online by default: security.

I recall VAX and dumb terminals. I remember the revelation of distributed processing which created the home PC/Small Biz boom and placed Unix in the realm of major companies and institutions. I also remember how MS became what it is today, which is why trust for MS, even though I use many of their products, doesn't come easy.

Objectively, how secure is Win11 from Microsoft itself? I'm not referring to updates (unless they are now automatic by default), but about someone from Microsoft getting in for any reason or rolling things back to a previous state without my authorization? If ON by default, can it be terminated?
Is any of your disk storage or processing now dedicated to anything or anyone else's disposal?

I have 88 systems running Win10. I can't just upgrade without considering security and the expense. I'm savvy enough to know just because you don't see something happening doesn't mean that nothing is going on. Incidentally, a friend working for the VA told me they've been instructed not to load win11 on anything due to security concerns.

Legit?
 
If Microsoft had such capabilities, you'd think with the now 30 years the Windows NT kernel has been in use, someone would've found out about it. So either Microsoft really does have some of the best security and Bill Gates is taking his secret to the grave, or that capability actually doesn't exist.
 

AJAshinoff

If Microsoft had such capabilities, you'd think with the now 30 years the Windows NT kernel has been in use, someone would've found out about it. So either Microsoft really does have some of the best security and Bill Gates is taking his secret to the grave, or that capability actually doesn't exist.
Not entirely true. I have had instances where Win7, and more Win10, systems have reverted to a previous state overnight. I always attributed those to situations where something unstable had occurred and MS took the initiative to prevent harm. And MS has had support request capability embedded for quite some time. All it takes is some coding to initiate a host reaching out through your firewall. Not sure about you, but I've never read the entire license for every software I'm agreeing to.

As for 11, the supposed requirement to have a MS account to simply use the OS opens the door to intrusion, primarily from MS.

In the late 90s ('97 or '98) I attended an NPA meeting in Phoenix where US West (now CenturyLink), Novell (now defunct) and MS projected greater and total dependence on the web and leveraging the eventual continual online connection to become a goldmine of profitable data. Further, they projected every household spending on or above $100/mo. at a time when dial-up was still prevalent (AOL, CompuServe, etc.), DSL was emerging, and ISDN was fairly popular among businesses (as opposed to T1 or T3).

Noticing trends, Office365 being changed to Microsoft365, a potential requirement for a MS account in what appears to be a thin-client looking OS, OneDrive being made readily available and mandatory to use some things (PowerPoint), the offer to sync your data with Edge on first boot, and a hard push toward Azure for server management and storage, and I can see Microsoft's à la carte monthly subscription offering via web connectivity pretty easily. Think Adobe Creative Cloud but with your local OS, your file server and your productivity applications. You buy a box, hook up all cables, plug it in, sign up with a MS account, it reads your subscription and it does the magic (to use their terms) while you wait.

**added: via TechSoup Microsoft has adjusted its licensing to have 'on premise' software/licensing.

Not so far-fetched. I have too much responsibility for many thousands of people's personal information, so have to play it cautious.

And yes, my friend at the VA has told me the VA is very concerned, enough to forbid its use for privacy reasons.
 

AJAshinoff

How? You don't need to be online to get into windows after you registered, so account or not doesn't really matter.
If you had to be always online and connected with them it would be a different story and up for argument.
Unless in a corporate environment where all systems are connected to the domain and inherit the web which is always on (primarily for remote administration and end-user remote access).
 

joeldf

The reality is that Win 11 is not any different than Win 10 under the hood. All the "privacy" settings are the same, and can all be turned off except for what they call "minimum information" for the Diagnostic data. I think that goes back to Win 8, even Win 7 to some degree if I recall.

The only real drastic change in Win 11 (besides the UI) was enforcement of more limited hardware support and the addition of more stringent security requirements for installation.

Even that MS account requirement? I know it was originally only the Home editions that "required" the MS account, and not the Pro editions. But I also know that MS was going to start making the Pro editions require it too. I just don't know if that's been implemented yet. But that's just for initial installation - it could easily be changed back to a local account at any time. I do know that if you are upgrading existing Win 10 installations, it does not change the existing login type. If it was already a local account, then it stays a local account after the upgrade.

I have worked in companies with corporate accounts on their computers for years (since the Win NT/2000 days). Still do to this day with all machines using MS Office tied accounts (but on their own domains - so it's a "username at companyname dot com" situation). I've never seen any roll-backs in all those years. And believe me, I'd call the firm IT department immediately if something like that happened on my work PC.

I finally updated my personal PC that I built almost a year ago with Win 10 Pro on it, to Win 11 this past weekend. I already had experience with Win 11 on a new Dell PC I purchased for my son a few months ago, so at least I already knew what to expect. While my son's is set up with an MS account (he is set up as part of a Family account I set up, so I can limit what he does on it - he is 12, so...), my own PC is set up with a local account. But I still control the MS Office Family account that I have by accessing it from the browser.

Going through the settings, there's really nothing different. Some things just look different - the main Settings dialog is all rearranged and re-done. But a lot is still the same - the old Control Panel applet still exists, along with the Device Manager, the Disk Manager, the Network and Sharing Center... all of those things are the same and still available. As has been stated here for a while now, Win 11 is really just a new coat of paint on the old house.

Having said all of that... it may be Windows 365 that you have to worry about. I wouldn't touch that with a 100' ethernet cable.
 
Solution

AJAshinoff

The reality is that Win 11 is not any different than Win 10 under the hood. All the "privacy" settings are the same, and can all be turned off except for what they call "minimum information" for the Diagnostic data. I think that goes back to Win 8, even Win 7 to some degree if I recall.

The only real drastic change in Win 11 (besides the UI) was enforcement of more limited hardware support and the addition of more stringent security requirements for installation.

Even that MS account requirement? I know it was originally only the Home editions that "required" the MS account, and not the Pro editions. But I also know that MS was going to start making the Pro editions require it too. I just don't know if that's been implemented yet. But that's just for initial installation - it could easily be changed back to a local account at any time. I do know that if you are upgrading existing Win 10 installations, it does not change the existing login type. If it was already a local account, then it stays a local account after the upgrade.

I have worked in companies with corporate accounts on their computers for years (since the Win NT/2000 days). Still do to this day with all machines using MS Office tied accounts (but on their own domains - so it's a "username at companyname dot com" situation). I've never seen any roll-backs in all those years. And believe me, I'd call the firm IT department immediately if something like that happened on my work PC.

I finally updated my personal PC that I built almost a year ago with Win 10 Pro on it, to Win 11 this past weekend. I already had experience with Win 11 on a new Dell PC I purchased for my son a few months ago, so at least I already knew what to expect. While my son's is set up with an MS account (he is set up as part of a Family account I set up, so I can limit what he does on it - he is 12, so...), my own PC is set up with a local account. But I still control the MS Office Family account that I have by accessing it from the browser.

Going through the settings, there's really nothing different. Some things just look different - the main Settings dialog is all rearranged and re-done. But a lot is still the same - the old Control Panel applet still exists, along with the Device Manager, the Disk Manager, the Network and Sharing Center... all of those things are the same and still available. As has been stated here for a while now, Win 11 is really just a new coat of paint on the old house.

Having said all of that... it may be Windows 365 that you have to worry about. I wouldn't touch that with a 100' ethernet cable.
Thanks! I've seen too much to trust anyone, particularly MS, without skepticism.

I came across this article as I'm weighing whether to keep the Win11 pre-install or reloading with Win10.

https://www.windowscentral.com/one-thing-microsoft-didnt-discuss-windows-11-privacy
 

AJAshinoff

That theoretical possibility has existed ever since you plugged in your first modem, sometime last century.
But back in the last century things were more security centered, most things were off and you turned on what you need. Today most things are on unless you figure out what to shut off, and they aren't always visible with a pretty GUI.
 

USAFRet

Titan
Moderator
Thanks! I've seen too much to trust anyone, particularly MS, without skepticism.

I came across this article as I'm weighing whether to keep the Win11 pre-install or reloading with Win10.

https://www.windowscentral.com/one-thing-microsoft-didnt-discuss-windows-11-privacy
From the article:

"Microsoft is also enlisting another doubted tech giant, Amazon, to bring Android apps to Windows 11. "
You have to explicitly install that.

"Will installing TikTok on Windows 11 give it access to my file system and contacts? "
If you're using TikTok on your main system, you've given up already.

"Your browser history will sync between Edge on PC and Edge on mobile, as it already does. "
Only if you have the Sync enabled. I do not.


Nothing in that article speaks to your files going back to Redmond, and nothing that has not been discussed for years.


But back in the last century things were more security centered, most things were off and you turned on what you need. Today most things are on unless you figure out what to shut off, and they aren't always visible with a pretty GUI.
MS has always had control of your OS. If they had wanted to slurp up your data, they could have done that at any time.
So far, they have not.

At most, they are relaying diagnostic info.

And in the grand scheme of things, Windows is far down the list of abusers.
Your cellphone
facebook/tiktok/instagram/etc
All the other 8 zillion services that you use, and those that use you.

My personal data has been leaked so many times, that if I were to be able to take advantage of "Free Credit Monitoring" consecutively from all those...it would last long after I'm dead.
OPM, VA, Experian, Yahoo, DMV, etc, etc, etc.
They have rolled over like a $5 hooker FAR more often than MS.
 

joeldf

Thanks! I've seen too much to trust anyone, particularly MS, without skepticism.

I came across this article as I'm weighing whether to keep the Win11 pre-install or reloading with Win10.

https://www.windowscentral.com/one-thing-microsoft-didnt-discuss-windows-11-privacy
Interesting article, but there are a few things I'd bring up.

First of all, that was from June of last year, several months before Win 11 was even released as an open beta. The article talks about the privacy and telemetry issue, but that's all left over from Win 10. Also, we've known that local accounts are still allowed. In fact, it was among the last updates to even Win 10 that forced new installs to sign into an MS account. The Amazon app store is available, but it's an option that you have to find it in the MS Store first and download it. If you never do that, what can it do?

That same question came up back when BlackBerry added the Amazon App Store to their BlackBerry 10 devices back in late 2013. Some users wondered about Amazon back then. Answer? Don't sign into the app, and it can't do anything.

MS is a big company for sure, and no doubt they are constantly looking for revenue. In my opinion, I trust MS more than I trust someone like Google. The reason, Google's entire business model relies purely on ad revenue and the selling of user "usage information" (the discussion of whether it's identifiable or not is for another time). MS still makes you pay for a lot of things. Even that first copy of Windows had to be purchased. But, since upgrades have been free since Win 10, they've had to make up some of that lost revenue. They are a business that wants to make money so I can't blame them for that. Still, they also deal with a lot of Corporate America, Universities great and small, and the Government as a whole, and there's a trust there that they can't afford to lose. If they did really start rolling back the OS or messing with installed software from the back-end, there would be howls from all corners of those corporations, universities, and government. It's not really in their best interest to lose that kind of trust. And it can happen quite easily these days. One bad tweet, and stocks will tumble.

In the end though, it is all about what you are comfortable with. I personally don't think there's any more risk with Win 11 than there has been with Win 10 in all this time. But then, I also think there is a lot of mistrust these days that is so very much misplaced... people looking at the wrong boogeyman.

But, that's just me.
 
Not entirely true. I have had instances where Win7, and more Win10, systems have reverted to a previous state overnight. I always attributed those to situations where something unstable had occurred and MS took the initiative to prevent harm. And MS has had support request capability embedded for quite some time. All it takes is some coding to initiate a host reaching out through your firewall. Not sure about you, but I've never read the entire license for every software I'm agreeing to.
I've never had a situation where my computer was reverted to a previous state by itself. Any time it reverted to a previous state was because I initiated it.

And sure, there are mechanisms for remote access, but these are typically secured in a way where you still need to give the remote computer permission to access your computer. Every modern OS has this capability, though these are not foolproof and cracks have been found. However, my response is pertaining more towards there being an actual back door into the system. And I define a back door as all Microsoft has to do is send a magic packet and boom, your computer is owned without your permission. Though I guess we'd have to define what "owned" really means, but I don't want to go down this rabbit hole.

As for 11, the supposed requirement to have a MS account to simply use the OS opens the door to intrusion, primarily from MS.
How?

And on a tangent, if you're this paranoid about Microsoft, I suggest using something else, like Linux.
 

Deleted member 14196

Guest
you can continue to use Windows 10 until 2025, then, if you still hate Windows this much, maybe you can talk Corporate to switch to Linux. lol, yeah, good luck

i have had updates fail to install once in a while, and it reverts to you just before it tried updating but nothing like the OP described

there are ways to debloat windows 10 and 11 too, and get rid of all preinstalled junk, games, store, whatever

edit: I do understand the frustration and I will just use win10 as long as it's supported, then make a decision to stay or leave (go to Linux--i've been learning to install, configure and effectively manage it quite well now, i could switch and still work)
 
I can only recall one instance that I thought was questionable.
I had to determine why a machine would just reboot while someone was using it.
There were no hardware issues that would cause it. Turned out that a USB chip on the motherboard did not work correctly, Windows Error Reporting was on and a live debugging session was established, and whoever (or automated process) debugged the machine found the USB chip was not working and just told the debugger to .reboot the machine. Kind of rude and it happened 3 times but left debugging logs.
This was back in 2012 so it was a long time ago. I put in a USB card and disabled the bad chip in BIOS and the problem never came back.

I am not finding much difference between Windows 10 and 11 except for some extra error checking for certain driver bugs in 3rd party drivers. (3rd party driver directly calling DMA controller rather than using the Windows DMA interface, can now call a bugcheck if detected, seems like a reasonable change to prevent bugs)
1.4 billion machines running these Windows. I can turn off WER if I want to, I am more worried about cloud storage than Microsoft uploading something from WER. (Windows 10 does that anyway)

There was a time when people were worried that Windows updates would take out their hacks to block license validation. I just don't see that coming up as an issue anymore.
 

USAFRet

Titan
Moderator
There was a time when people were worried that Windows updates would take out their hacks to block license validation. I just don't see that coming up as an issue anymore.
There was a guy here last year, incensed about Windows 10 updates, and as the discussion went on, wanted to know how to make them stop completely.

Why, you may ask?

Seems he lost a week or two work on a Word doc or Excel spreadsheet.

The system rebooted overnight.

But Mr. Wizard....why would that cause loss of a spreadsheet?
Well....

If you have it open on your desktop.
And never save it. Not even once.
It's been open for 2 weeks.
And have autosave turned OFF in Excel (it is on by default)
And never turn your system off.
And never ever pay attention to Windows updates.
And ignore the little orange icon on your taskbar, telling you the system needs to "Update and restart" to complete the semi annual Feature update.
Ignore that icon for almost a week.

Then, when the system gives up and eventually reboots anyway, wiping out your precious spreadsheet...It is not YOUR fault, but rather the idiots in Redmond.
 

Eximo

Titan
Ambassador
For a small company, I would be more worried about backup solutions in case any of your wonderful users manages to snag some ransomware.

As an aside, I did recently get an 11th gen laptop at work. Pretty sure it came with Windows 11, they put 10 on it. I've had many problems, so not sure I would actually go to the effort of swapping it out unless you thought it was absolutely necessary. I work for a relatively small organization, probably in the 150-200 deployed client systems.

My old company would laugh at the level of security here. Windows Enterprise, on-premise SCCM and WSUS servers, full Data Loss Prevention and AV, no user admin rights. All installed software tested. Full internal application monitoring (multiple methods)
 
The whole thing about losing "a lot of" work when Windows restarts from an update confuses me a little. I mean, I could understand it if you were doing some sort of rendering thing that takes like 48 hours straight and you need something now.

But I've lost "a lot of" work simply me being a dumb-butt and closing the app or shutting down the OS myself or whatever. So as a matter of habit, I press Ctrl + S a lot, even when I don't need it. Like unless you live in a land of apps that always auto-saved your work, this should be like the first habit you develop.
 

Math Geek

Titan
Ambassador
i know this much, the US gov and many other gov's of the world refused to use win 10 until MS made a special gov edition just for them. it removed all the data mining and other surveillance put in place with it. (and i'm not talking about the china super spying edition made for them)

they are more than happy to let the average person use it but knowing what it was designed to do, they would not allow it on their pc's.

win 11 is simply window dressing on the win 10 spyware edition. if you're comfortable using win 10 as is, then win 11 won't be any different. they are both way more intrusive than you think. if it's been ok for you up till now, then why bother worrying with the new version of MS spyware... err... i mean windows.

sadly there is little you can do unless you customize your install yourself to rid it of much of the gathering. but in the end if it is online, then MS is gathering whatever they feel like on your systems, no matter what you try to do to stop it.
 

USAFRet

Titan
Moderator
i know this much, the US gov and many other gov's of the world refused to use win 10 until MS made a special gov edition just for them. it removed all the data mining and other surveillance put in place with it. (and i'm not talking about the china super spying edition made for them)
The DoD simply has a long set of GPO edits. SDC (Standard Desktop Configuration)
It is not a special version.
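
An added example, not code from any poster in this thread: a PowerShell function an administrator could use to check what the replies above describe, namely which diagnostic-data level a machine is configured for through Group Policy and whether the edition honours the lowest setting. The function name `Get-DiagnosticDataReport` and the `hosts.txt` file in the usage comment are hypothetical; the registry value `AllowTelemetry` and the `DiagTrack` service are the ones Windows uses for this policy.

```powershell
# Added example: report the diagnostic-data (telemetry) policy on this machine.
function Get-DiagnosticDataReport {
    # Value written by the "Allow Diagnostic Data" (formerly "Allow Telemetry") Group Policy.
    $policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
    $levelNames = @{
        0 = 'Off / Security'
        1 = 'Required (Basic)'
        2 = 'Enhanced'
        3 = 'Optional (Full)'
    }

    $os      = Get-CimInstance -ClassName Win32_OperatingSystem
    $policy  = Get-ItemProperty -Path $policyKey -Name AllowTelemetry -ErrorAction SilentlyContinue
    $service = Get-Service -Name DiagTrack -ErrorAction SilentlyContinue

    # Level 0 is honoured only on Enterprise, Education and Server editions.
    # Other editions (Home, Pro) treat a configured 0 as 1, which is the
    # "minimum information" floor mentioned in the thread.
    $honoursZero = $os.Caption -match 'Enterprise|Education|Server'

    if ($null -eq $policy) {
        $configured = $null
        $effective  = 'No policy set (level follows the choice made in Settings)'
    }
    else {
        $configured = [int]$policy.AllowTelemetry
        $level      = $configured
        if ($level -eq 0 -and -not $honoursZero) { $level = 1 }
        if ($levelNames.ContainsKey($level)) {
            $effective = $levelNames[$level]
        }
        else {
            $effective = "Unknown value ($level)"
        }
    }

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        Edition          = $os.Caption
        ConfiguredLevel  = $configured
        EffectiveLevel   = $effective
        DiagTrackStatus  = if ($service) { $service.Status }    else { 'Not present' }
        DiagTrackStartup = if ($service) { $service.StartType } else { 'Not present' }
    }
}

# Local check:
Get-DiagnosticDataReport

# Fleet check over PowerShell remoting (hosts.txt is a hypothetical list of machine names):
# Invoke-Command -ComputerName (Get-Content .\hosts.txt) `
#     -ScriptBlock ${function:Get-DiagnosticDataReport} |
#     Select-Object Computer, Edition, ConfiguredLevel, EffectiveLevel
```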
 
I wonder, has anyone actually, say, had a computer running Wireshark capturing the packets from a Windows 10 computer, standard configuration, no other apps installed, and analyzed exactly what's going on? Also bonus points if they made the pcap file publicly accessible.