I've used Windows a fair bit over the years, but I've never used anything more modern than Windows 10 until now and am most familiar with Windows 7.
I am pretty sure the laptop will have the Windows 11 Home S installation already on the SSD from the factory but it will ask us to go through a setup process (mainly creating a Microsoft account) when we first turn it on.
I have a few probably-conflicting goals (most important first, more-or-less):
- Disabling S mode is essential - there are a couple of legacy apps I need to install which are absolutely essential for the user.
- As it's for use by a non-techie who I don't live with, I'd like the machine to be as "standard" as possible to reduce the chances of random things breaking when I'm not there to fix them. So I need to be cautious about applying random hacks to accomplish the other goals.
- I don't like the idea of being forced to sign in with a Microsoft account.
- I'd like full disk encryption if possible. Not that the laptop is going to have anything tremendously sensitive on it, and there are other machines in the house without FDE, but this feels like a step in the right direction.
- I'd rather avoid paying for a key to use Windows 10 or 11 Pro, i.e. I'm probably stuck with Windows 11 Home.
Here's what I've gathered from my random web searches so far. Some or all of this may be outdated, incomplete or just plain wrong.
- You can disable S mode, but you need a Microsoft account to do it, or you need to disable secure boot in the BIOS.
- You can maybe play tricks - depending on what's been patched and what hasn't - during the setup process to persuade Windows 11 Home to finish installation without creating a Microsoft account.
- If you don't have a Microsoft account, you can't enable the "device encryption" FDE on Windows 11 Home.
- It may be possible to remove the Microsoft account and add a local account after the initial setup.
- If you have a Microsoft account, you can't log on to the machine without a password.
So, does anyone have any recommendations, thoughts, advice, whatever? (Sadly, given those legacy apps, "don't use Windows" is not really an option.)
My gut feeling is that I'm going to have to swallow using a Microsoft account, because I've got to turn S mode off and disabling secure boot feels riskily non-standard. I'd probably give a simplelogin alias e-mail address when setting up the Microsoft account to be pseudonymous. If this alias address stopped working (e.g. simplelogin goes away), would that matter? Does the e-mail address for a Microsoft account actually need to work in the long term?
The user is almost certainly going to want to use a simple, weak password for logging in, and that makes me uneasy when this is the password to the online Microsoft account. Short of making myself unpopular by insisting on a better password, is there any way round this?
Are there any other nasty shocks I should expect? Like the installer demanding a valid phone number, for example?
I hate the fact that all this crap is being forced on us by Microsoft, but it is what it is, I guess.