That's a good base assumption, but IOT LTSC licenses are still out there if you look and trivial to use with a self-hosted KMS if you feel like you and MS are square on that. Almost all of that stuff is not in LTSC and 10 LTSC is still good through 2029.

Do we have confirmation that it’s a must to upload the key if you use an MS account with Windows? Is it prove that its not possible to configure Windows to have an MS account linked, maybe even to use OneDrive, while not uploading the BitLocker key?

Btw - my definition of “possible” would include anything possible in the UI - but if you have to edit the registry or do shenanigans in the filesystem to disable the upload from happening, I would admit that it’s basically mandatory.

Yes, they push the MS account stuff very hard. I've found Windows so actively hostile to the user that I basically only use Linux now.

I used to be a windows user, it has really devolved to the point where it's easier for me to use Linux (though I'm technical). I really feel for the people who aren't technical and are forced to endure the crap that windows pushes on users now.

> logging into MS Teams

I mean, this is one application nobody should ever log into!

Teams inside a VM it is, then.

All "Global Reader" accounts have "microsoft.directory/bitlockerKeys/key/read" permission.

Whether you opt in, or not, if you connect your account to Microsoft, then they do have the ability fetch the bitlocker key, if the account is not local only. [0] Global Reader is builtin to everything +365.

[0] https://github.com/MicrosoftDocs/entra-docs/commit/2364d8da9...

Only because others you communicate with may not have ADP turned on, which is a flaw with any service that you cannot control what the other end does or does not do, not unique to Apple/iMessage outside of using something like Signal.

They just entirely ignore them instead.

If your security requirements are such that you need to worry about legally-issued search warrants, you should not connect your computer to the internet. Especially if it's running Windows.

and use ECC memory

> IBM estimated in 1996 that one error per month per 256 MiB of RAM was expected for a desktop computer.

From the wikipedia article on "Soft error", if anyone wants to extrapolate.

Given enough computers, anything will happen. Apparently enough bit flips happen in domains (or their DNS resolution) that registering domains one bit away from the most popular ones (e.g. something like gnogle.com for google.com) might be worth it for bad actors. There was a story a few years ago, but I can't find it right now; perhaps someone will link it.

At google "more than 8% of DIMM memory modules were affected by errors per year" [0]

More on the topic: Single-event upset[1]

[0] https://en.wikipedia.org/wiki/ECC_memory

[1] https://en.wikipedia.org/wiki/Single-event_upset

It's "HN-likely" which translates to "almost never" in reality.

I can't believe it took this long.

We have mandatory identification for all kinds of things that are illegal to purchase or engage in under a certain age. Nobody wants to prosecute 12 year old kids for lying when the clicked the "I am at least 13 years old" checkbox when registering an account. The only alternative is to do what we do with R-rated movies, alcohol, tobacco, firearms, risky physical activities (i.e. bungee jumping liability waiver) etc... we put the onus of verifying identification on the suppliers.

I've always imagined this was inevitable.

Uploading your encryption keys is not just "any sort of feature".

What part of "We can't have nice things" do you not understand?

It only became off by default after those "daily rage sessions" created sufficient public pressure to turn them off.

Microsoft also happens to own LinkedIn which conveniently "forgets" all of my privacy settings every time I decide to review them (about once a year) and discover that they had been toggled back to the privacy-invasive value without my knowledge. This has happened several times over the years.

The defenders of Microsoft are right?

How?

There is no point locking your laptop with a passphrase if that passphrase is thrown around.

Sure, maybe some thief can't get access, but they probably can if they can convince Microsoft to hand over the key.

Microsoft should not have the key, thats part of the whole point of FDE; nobody can access your drive except you.

The cost of this is that if you lose your key: you also lose the data.

We have trained users about this for a decade, there have been countless dialogues explaining this, even if we were dumber than we were (we're not, despite what we're being told: users just have fatigue from over stimulation due to shitty UX everywhere); then it's still a bad default.

Stored locally.. until it's uploaded by OneDrive or Windows Backup?

Uploading your encryption keys up to someone else's machine is not a sensible default

This is ridiculous.

There are a lot of people here criticising MSFT for implementing a perfectly reasonable encryption scheme.

This isn’t some secret backdoor, but a huge security improvement for end-users. This mechanism is what allows FDE to be on by default, just like (unencrypted) iCloud backups do for Apple users.

Calling bs on people trying to paint this as something it’s not is not “whiteknighting”.

If you want maximum commodity and as many things to "just work" as possible out of the box, go for good old plain Ubuntu.

If you care a little more about your privacy and is willing to sacrifice some commodity, go for Fedora. It's community run and fairly robust. You may have issues with media codecs, nvidia drivers and few other wrinkles though. The "workstation" flavor is the most mature, but you may want to give the KDE version a try.

If you want an adventure, try everything else people are recommending here :)

There are so many distros that it really depends on your use-case and it's hard to make a generic suggestion. Ubuntu is a common recommendation for first timers, mainly because as the most popular distro you'll easily be able to Google when you need help with something, and it also uses the most popular package format (.deb). There's also Linux Mint which is basically Ubuntu but with some of the latter's more questionable choices removed (e.g. snaps) and minus the big corp owner. By using one of these you'll also be learning skills relevant to Debian (which Ubuntu is derived from) which is a solid choice for servers.

Regardless of which distro you choose, your "desktop experience" will be mostly based on what desktop environment you pick, and you are free to switch between them regardless of distro. Ubuntu for example provides various installers that come with different DEs installed by default (they call them "flavours": https://ubuntu.com/desktop/flavors), but you can also just switch them after installation. I say "mostly" because some distros will also customise the DE a bit, so you might find some differences.

"Nicest desktop experience" is also too generic to really give a proper suggestion. There are DEs which aim to be modern and slick (e.g. GNOME, KDE Plasma, Cinnamon), lightweight (LXQt), or somewhere in between (Xfce). For power users there's a multitude of tiling window managers (where you control windows with a keyboard). Popular choices there are i3/sway or, lately, Niri. All of these are just examples, there are plenty more DEs / WMs to pick from.

Overall my suggestion would be to start with something straightforward (Mint would probably be my first choice here), try all the most popular DEs and pick the one you like, then eventually (months or years later) switch to a more advanced distro once you know more what your goals are and how you want to use the system. For example I'm in the middle of migrating to NixOS because I want a fully declarative system which gives the freedom to experiment without breaking your system because you can switch between different temporary environments or just rollback to previous generations. But I definitely wouldn't have been ready for that at the outset as it's way more complex than a more traditional distro.

Something with KDE. Never used KDE extensively because I hate non-tiling WMs, but something like Kubuntu would give you a more windows-esque experience by default. Here's the download link:

https://kubuntu.org/download/

Bon appetit!

That's literally like asking "What car has the best driving experience?". There is no one answer.

If you want something that "just works," Linux Mint[1] is a great starting point. That gets you into Linux without any headache. Then, later when bored, you can branch out into the thousands[2] of Linux distributions that fill every possible niche

[1] https://linuxmint.com/

[2] https://distrowatch.com/dwres.php?resource=major

If you're a developer, try NixOS. The code based configuration can be daunting but LLMs are very good at writing it.

Last time I needed to install Windows 11, avoiding making a Microsoft account required (1) opening a command line to run `oobe/bypassnro`, and (2) skipping past the wifi config screen. While these are quick steps, neither of those are at all "easy", since they require a user to first know that it is an option in the first place.

And newer builds of Windows 11 are removing these methods, to force use of a Microsoft account. [0]

[0] https://www.windowslatest.com/2025/10/07/microsoft-confirms-...

> it was really easy to set up without a Microsoft account.

By "really easy" do you mean you had a checkbox? Or "really easy" in that there's a secret sequence of key presses at one point during setup? Or was it the domain join method?

Googling around, I'm not sure any of the methods could be described as "really easy" since it takes a lot of knowledge to do it.

And how do you know the keys are never uploaded if you don't have an account?

I’m not sure if you misunderstand how macOS accounts work or how FileVault works.

There are two ways to log into macOS: a local user account or an LDAP (e.g. OpenDirectory, Active Directory) account. Either of these types of accounts may be associated with an iCloud account. macOS doesn’t work like Windows where your Microsoft account is your login credential for the local machine.

FileVault key escrow is something you can enable when enabling FileVault, usually during initial machine setup. You must be logged into iCloud (which happens in a previous step of the Setup Assistant) and have iCloud Keychain enabled. The key that wraps the FileVault volume encryption key will be stored in your iCloud Keychain, which is end-to-end encrypted with a key that Apple does not have access to.

If you are locked out of your FileVault-encrypted laptop (e.g. your local user account has been deleted or its password has been changed, and therefore you cannot provide the key to decrypt the volume encryption key), you can instead provide your iCloud credentials, which will use the wrapping key stored in escrow to decrypt the volume encryption key. This will get you access to the drive so you can copy data off or restore your local account credentials.

Apple gives users the choice during set up assistant, no reason Microsoft can't.

I bet he learned a valuable lesson

Indeed. Third Party Doctrine has undermined 4th/5th Amendment protections due to the hair brained power grab that was "if you share info with a third party as art of the only way of doing business, you waive 4th Amendment protections. I ironically, Boomers basically knee-capped Constitutional protections for the very data most critically in need of protection in a network state.

Only fix is apparently waiting until enough for to cram through an Amendment/set a precedent to fix it.

Good PINs are ones you're not allowed to brute force. You can easily configure an iPhone to wipe itself after too many wrong guesses. There's a single checkbox labeled "Erase Data", saying "Erase all data on this iPhone after 10 failed passcode attempts."

You bet I have that enabled.

They can also hold you in a jail cell until the end of time until you give it up, in many places.

"enemy of the state" depends a lot on the current state of the state.

Eg in England you're already an enemy of the state when you protest against Israel's actions in Gaza. In America if you don't like civilians being executed by ICE.

This is really a bad time to throw "enemy of the state" around as if this only applies to the worst people.

Current developments are the ideal time to show that these powers can be abused.

That is a strange viewpoint. Are we calling everyone who wants some control over their computers enemies of the state?

Maybe he's just trying to avoid Candy Crush Saga

https://news.ycombinator.com/item?id=46700219

Criticizing the current administration? That sounds like something an enemy of the state would do!

Prepare yourself for the 3am FBI raid, evildoer! You're an enemy of the state, after all, that means you deserve it! /s