Taking a Walk on the Wild Side (Premium)

Over a year ago, I warned that Microsoft was silently enabling OneDrive Folder backup after it had asked me to enable this feature and I had declined the offer multiple times. This claim was met by disbelief. Microsoft would never do something that nefarious, I was told. Perhaps it was something I had done. Maybe I had inadvertently enabled this functionality without realizing it. Most likely, I was just wrong. Or even making it up. After all, no one else was seeing this behavior.

Today, things are different. And as the original canary in this particular coal mine, I’m fascinated by how others react to this issue and the other escalating bad behaviors in Windows 11 (and in Microsoft 365, which escalates the OneDrive nagging even further). It’s fair to say there’s a spectrum of responses that range from indifference to outrage. And that those leaning towards the former are simply OK with using Windows 11 in a Microsoft-recommended configuration. And that those leaning towards the latter are not.

Whatever. As with my partial shift to more Apple consumer products and services this past summer, the enshittification of Windows 11 has triggered a paradox in my brain, forcing me to make choices I never expected to be confronted with. It’s reminiscent of the explanation Arthur C. Clarke gave for HAL 9000’s behavior in 2001, but belatedly in 2010: Forced to implement two contrary commands, HAL went haywire–insane, essentially–endangering the human crew of the ship.

My little version of these events is less dramatic. I’ve been seeking ways to fix or at least workaround the problems I see in Windows 11, and I’ve had some success. But I keep coming back to one idea I’m loath to try, let along recommend: Because most of the bad behaviors are tied directly to our use of a Microsoft account (MSA), perhaps the solution–or, more accurately, the workaround–is to not use an MSA. And the reason I’m reluctant to try this is that while Microsoft has some selfish reasons for forcing this on users, it really is better that most do so. When you sign in with a Microsoft account, you get automatic disk encryption, two-step verification protections, account and PC recovery capabilities, settings sync, and other advantages. For most, using an MSA isn’t just smart, it’s the only choice.

For most. But we’re not “most,” now, are we?

That said, it’s easy to get caught in that trap of thinking you know best, and that (in this case) you can thus handle the security implementations of not using an MSA sign-in with Windows 11. I’ve seen this happen to many people in many situations, and I don’t want to make bad decisions for myself. But more importantly, I don’t want you to make bad decisions. So this is a strategy I’ve mostly ignored.

But it’s been gnawing at me. I’ve been wondering what it would look like to sign-in to Windows 11 with a local account and try and protect the sign-in and the PC properly. To use a non-subscription version of Office, perhaps the recently released Office 2024, and just save files to the Desktop, and not to some OneDrive-backed up folder, by default, and see whether the system harasses me. In short, can I just use Windows 11 the way I want, and do so without giving up anything? Is this something I could–or should–describe for others? Is it something I could even recommend?

I don’t know. But I know how I can find out. And so I gave it a shot on two different computers here in Mexico. In both cases, I used a Rufus-made version of the latest Windows 11 version 24H2 installation media, nuked the PC from orbit–sorry, clean installed Windows 11–and then went through the process of configuring the system and, finally, installing a clean, non-subscription version of Office 2024.

Most of this isn’t new to me, but some was. And while I still have some questions and concerns, and of course uncertainties about future changes Microsoft could make that might later undermine this work, it’s solid enough as-is for me to at least describe what I’ve done.

And it goes like this.

Installing a clean version of Windows 11 using a Rufus-made installation drive may require you to break out some keyboard skills: On both the PCs I’ve used like this, and with other PCs I’ve used in the past, the mouse cursor is not available during Windows Setup and, as bad, when you first boot into the Windows Desktop. So you’ll need to tab around, using keyboard shortcuts, and pressing SPACE or ENTER to select on-screen items. For example, in the Select location to install Windows 11 screen in the Windows Setup first-run experience, there was a lot of selecting partitions, typing ALT + D to delete them, and then repeating until all the Disk 0 partitions were gone, replaced by a single block of unallocated space.

But I’ve done this a lot. And so, I stepped through all that, stepped through the truncated Out-of-Box Experience (OOBE), which noted that there was no Internet connection and allowed me to create a local (“offline”) account instead, thanks to the Rufus customizations. I created a local Windows 11 account with no password–the horror–to ease the coming work, and I quickly found myself at the Desktop with a nearly empty Start menu and no Internet connection.

To solve that issue, I plugged in an Ethernet cable, downloaded the available Windows Updates, in the process gaining access to the mouse and Wi-Fi. So I connected to my Wi-Fi network, unplugged the cable, and let nature takes its course. That is, I installed all the available updates, rebooting as necessary, including the driver-related optional updates you really have to look for. I also updated all the apps in the Store, and as it was getting into some reasonably complete state, I started to think about next steps.

You may have heard that Windows 11 version 24H2 automatically encrypts the disk on install, and that this is somehow a new feature. It’s not: Windows 11 has always automatically encrypted the disk on install when you sign-in with an MSA or Microsoft Work or School Account (WSA), and it can’t automatically do so otherwise: It needs to store a recovery key before it can do that. And sure enough, I can now confirm that this hasn’t changed in 24H2: BitLocker reports that the disk isn’t “activated,” meaning it can’t enable encryption. So I saved a recovery key to a USB disk–you can’t save it to the disk you’re encrypting–and got that done.

With that done, it made sense to add a password to the local sign-in account and then protect it with Windows Hello. This PC supports PIN (of course) and facial and fingerprint recognition, and all three are available once you add the password. So that feels reasonable to me from a security perspective: The PC and whatever data this user account will later contain are protected from physical and electronic threats. If the laptop is stolen, no one can get in.

But what about Office? And the OneDrive-based annoyances?

The cheapest version of Office 2024, Home edition, costs $150 and includes Word, Excel, PowerPoint, and OneNote. This is probably an OK solution for a normal person with a single PC. But that’s not me. And there’s no way I’m paying $150 to access the apps I already get with my Microsoft 365 subscription, and on only one PC. But there are alternatives: Various companies sell Office license keys of dubious legality and legitimacy online, just as they do Windows keys. I used one such service to obtain a Windows 11 Enterprise key back in April. So I purchased a few of these keys, cheaply–this time from a site called gamecard Shop–and installed Office 2024 Professional Plus on one PC and Office 2024 Standard (the equivalent of Home) on the second. Both activated fine, but both are also really LTSC versions of Office using some workaround or loophole to remain activated. And … I don’t know. Dubious, like I wrote. But they do work.

More to the point, they “work” the way I want them too as well: I configure Microsoft Word explicitly in very specific ways, one of which is to save documents locally to the Desktop, and outside of OneDrive. On the PCs I sign in with an MSA, Word whines incessantly about not saving to OneDrive. But on these two PCs, nothing. It just works.

Of course, that could be in part because I’m not using OneDrive: I signed in to Windows 11 with a local account, so there was no sign-in pass-through to OneDrive. I could remove OneDrive, of course–I would prefer to use Google Drive, anyway. But to make sure that this configuration could still make sense for those who use OneDrive but don’t want the constant nagging–or forced Folder backup usage–I had to configure it one on of the PCs. Just to see.

Here, you must be careful: When you sign in to OneDrive with your MSA, it will “use this account everywhere” if you’re not careful: Click “Microsoft apps only” instead. And it will configure it for Windows Hello regardless. During the setup process, it prompted me to use Folder backup, of course. I declined, of course. And then the nagging began, as is the case when you do sign in to Windows with an MSA. So I disabled OneDrive notifications–I don’t usually do that–and hoped for the best.

And I waited. Waited for the harassment to continue. For Folder backup to enable itself. For Word to start haunting me to save to OneDrive.

On the PC I didn’t use with OneDrive–I also stopped it from running at startup, but didn’t try to uninstall it–I see no issues, and I’ve been using that PC for the better part of a month. There’s no harassment at all. No overt messages in Settings, no little animated “Start backup” icons in File Explorer, no Word issues. It’s all good.

On the PC I configured with OneDrive, things are a little worse. Settings prompts me to sign in to my MSA, for example. And File Explorer displays that “Start backup” icon on folders it would really like to back up. But Word has been silent, so far. I’ve only used this PC for a few days, so we’ll see. And I’m looking at you, Folder backup. I don’t trust you at all.

All I can say with certainty is that signing in with a local account is acceptable if you enable/activate disk encryption, use a password, and then enable Windows Hello PIN and/or facial or fingerprint recognition. If you disable OneDrive and ignore it, you won’t be harassed, and that includes in the Microsoft Office apps, which are still available in perpetual license form if that’s what you really want. (Or via the more dubious method I used but can’t recommend, of course.)

I need some time to figure out if there’s some combination of a local account, an active and signed-in OneDrive, and a non-subscription Microsoft Office that only harasses me a little bit: I can live with those “Start backup” icons, but if this thing enables Folder backup, or Word starts bugging me, I will lose my mind. So far, neither has occurred.

In short, this can work, depending on your needs. It works best if you don’t want to use OneDrive at all, go figure. But unless I discover a Folder backup-shaped shiv in the coming weeks, even a configuration that includes OneDrive should be OK for most. But I still find the local sign-in thing vaguely troubling, and I’m trying to sort out why. In the meantime, I’ll keep using these PCs and see how it goes through the remainder of the trip (we have about three more weeks to go).