useless
pre-7th gen i5’s
I’ve got systems with second and third gen i5s that are handling Windows 10 just fine, seems like what the school really needs is some SSDs.
Linux would definitely run better, so that’s worth it too.
If this school is heavily embedded im the Google ecosystem, ChromeOS Flex is an option. FydeOS is similar but without the Google Account requirement.
Not to mention data recovery
Interesting timing, these practices are about to be super illegal under Oregon’s SB1596 right to repair bill that just passed
If you’re at that point of not trusting a company, the best practice would be to avoid using their devices or connecting them to your network.
There are plenty of other ways to track and identify users, a company could conceivably bake whatever the hell they want into the operating system and doesn’t need to rely on you creating an account with them to achieve that objective.
I used the term “unhealthy paranoia” due to the logical fallacy that is at play.
Then don’t?
If you still want to use Windows and use their encryption solution, manually enable Bitlocker and store the recovery key yourself.
There are also third party encryption options.
There are dozens of more probable scenarios that could have the same outcome. Mitigation is as simple as keeping at least one backup, a recommendation as old as home computing.
Ironically, the problem you describe most commonly applies to systems with Intel Optane storage technology, so it’s hardly even a Microsoft Issue.
Hi, repair shop owner here.
Automatic Bitlocker encryption has been a thing since TPM 2.0 devices hit the market in 2018.
If a device is UEFI, Secure Boot is enabled, TPM 2.0 is present, and the user signs in with a Microsoft Account , then the disk is encrypted and the recovery key is saved to that Microsoft Account.
If those conditions aren’t met, automatic encryption doesn’t happen.
As long as they know their Microsoft Account Identifier, users can easily get to that key through the first search engine result for “bitlocker recovery key”: https://support.microsoft.com/en-us/windows/finding-your-bitlocker-recovery-key-in-windows-6b71ad27-0b89-ea08-f143-056f5ab347d6
We don’t really have a hard time with it - if a user provides their login PIN, a short terminal command will let us grab a copy of their key before BIOS updates or battery disconnects.
I have had very few cases where folks suffered data loss because of Bitlocker. Most of them were HP Laptops that used Intel Optane accelerated SSDs - encrypting what is effectively a software RAID0 is a recipe for disaster.
The other few had an unhealthy paranoia where they were reluctant to share anything about themselves with Microsoft, yet still decided to use a Microsoft operating system. While setting up the computer, they created a new Outlook.com email (instead of using their primary email), made up a random birthday, and did not fill in any recovery options like a phone number or secondary email. With the password (and sometimes even email) forgotten, they created a situation where they could not prove the online account was theirs and therefore could not get to the recovery key that had been backed up.
I do think that Microsoft should have this as an opt-in feature during the out of box experience, which is how Apple has it set up for Filevault and how most Linux distributions are set up. Ultimately, most users will still mash “next’ through the process and later blame the computer.
I have had quite a few clients have their laptops stolen after car breakins. Their biggest stressor was the possibility of thieves having access to the data on those machines, and the fact that we knew their systems were encrypted with Bitlocker brought them a lot of relief.
The automatic encryption and subsequent backup both took place because you were using a Microsoft Account
Settings > System > Notifications > Suggest ways I can finish setting up my device to get the most out of Windows
Disable this, there are a few others in that area you might consider disabling too
I’d rather edit every single post / comment to say “Fuck u/spez” but I don’t know how to use the API to do that and I don’t have the time to commit to that project :/
Working in IT Support, the fact that Outlook refers to webmail and two distinct email clients makes understanding user’s problems a nightmare.