My daughter's school took over my personal Microsoft account (jeffgeerling.com)
1346 points by cuechan 9 months ago | hide | past | favorite | 476 comments

Auth with MS accounts is a giant mess. When I was a city councillor I had a corporate O365 account from the council (used for council email and virtual meetings over teams) and simply trying to sign out of the thing or switch to another account was always fraught (I've got a personal account that's basically just to associate my windows license with and a work account used for azure access). You'd often end up in a state where teams would just refuse to sign in and you'd need to reinstall it to get it to work again.

Trying to be actively signed out is also a mess. You can use the Teams app to join Teams meetings others have set up and invited you to without Teams access yourself. Though of course if you have an MS account Teams can see, it ends up trying to use it and then saying you don't get Teams access via that account, and trying to sign out and join the meeting with an account associated with it often just doesn't work. A colleague actually ended up requesting he get an O365 account with Teams associated with his corp email because of this issue, as he had occasional meetings with external people over Teams. We have a corp O365 setup for our ops/admin team that engineering normally doesn't touch, but because he had a Teams invite sent to his corp email he got dragged into it.

My son has a personal Windows 11 Lenovo laptop and he is signed in with his personal Microsoft account. The laptop went away for repairs because the touchpad no longer worked. When it returned, it turned out they had replaced the main board, so the BitLocker keys needed to be entered again. These are typically stored in your Microsoft account, only they were nowhere to be found. Some help article on the MS website explained that sometimes it can happen that the keys are migrated to a school account. He only ever used his school account from the Teams app. Sure enough, the BitLocker keys were there!!

If he had graduated or otherwise no longer had access to his school account, he would never have been able to recover the drive. Of course he has his important files in cloud storage anyway, but it's very annoying nonetheless.

All this discussion makes me glad I'm sticking to local logins for the Windows devices I still have to use. Once that option is gone, I guess that's the end of Windows on my devices.

Yup, Microsoft can't even keep their account management straight, yet they are insisting on deprecating the local-only accounts.

I strictly use the local-only setup. I'm sort of OK if they still leave a relatively trivial backdoor to do this, but if they ever flat require an online account, I'm out, hard.

This is partially due to wanting to avoid the hassle and management of yet-another-forking-online-acct-IDGAF-about, but also because I have some machines controlling industrial processes (CNC machines, custom cutting machines, etc.) that I keep entirely off any network for security & safety reasons (yes, moving anything to/from those machines is all sneaker-net; simple, works, and my shop doesn't yet have the scale to justify that kind of networking/security/admin overhead).

I just hope that MS engineering is not stupid or powerless enough to allow MS marketing & MBAs to fully kill off the local account.

This entire attitude of exploiting customers by requiring spurious internet accounts & connections is making me start to think that the Internet is all a huge mistake. If that approach takes over, the world will literally be worse than before the Internet in every important way (and there are some solid arguments that it already is worse).

> they are insisting on deprecating the local-only accounts

That's just.... Insane. This is going to be a disaster. I'm so sorry, Windows users.

You already need to open the command line and disconnect the internet at just the right moment to be able to install Windows 11 without an account. You can't start without an online connection, so it's not as easy as just airgapping the install from the get-go (at least on the normal ISO provided by Microsoft). I like Windows but that was extremely annoying when I needed Win11 in a VM.

> I'm sort of OK if they still leave a relatively trivial backdoor to do this, but if they ever flat require an online account, I'm out, hard

Sounds like a huge pain to deal with. Why not switch to Linux and be done with it? Genuine question.

Primarily because the CAD app I use (Rhino3D) doesn't have a native Linux version ('tho it supposedly runs on WINE), and the CAM software doesn't seem to have anyone running it on Linux.

Plus, at the outset of another startup, we decided to go open-source everything, and tried to set up a real-time version of Linux and the CNC control software. All of it supposedly up and running with only a few dozen steps to set up, per the people supposedly running it. Despite decades in networking and a bit of Linux experience, I quickly got swamped in the massive undocumented bugs in setup/config/compile, and brought in a guy who had a full-time Linux shop, and who I knew from working with him previously was very good. He thought 'it's a new version, but no problem'. A month later, we still had nothing running and the investor/partner pulled the plug. So the swamp of poorly-documented / undocumented / mis-documented hiccoughs literally killed that startup — death by 1000 cuts.

Sure, it is probably better now, 15 years later. But so is this environment, UNLESS they tie it to another online acct.

So, basically, I'm pretty much now in the business of slinging atoms instead of bits, and the overhead is no fun, and just not worth it (yet). Plus, the overhead of working around the MS carp turned out to be pretty small. Just disable the wireless at the right time in the W11 Pro install (I think it is worse in the Home version).

Games are the main reason for me. I want max performance on my high end gaming pc and I want all the things to just work, including 7.1 surround sound (and atmos later) and HDR and gsync and all my accessories and all the anticheat etc.

I know valve have done great stuff but is it good enough yet to run everything on a AAA game on 4k ultra with hdr, gsync and 144hz?

HDR no (although it's progressing). 4K Ultra, gsync and 144Hz on a AAA game, yes. Anti-cheat is going to continue being a problem so long as Microsoft allows these kernel level things and devs keep doing it.

Looks like Valve are actively working on HDR support https://www.pcgamer.com/valves-working-on-hdr-for-linux-gami...

I left Windows for PS4/5 and Mac a decade ago but have been toying with the idea of a beefy Proxmox server with PCI passthrough for a nice Windows gaming setup which, going by LTT videos, is more than capable enough to run AAA games. It's still Windows but at least it's a VM and your hardware can be shared with a primary Linux desktop VM etc.

Not yet at all, anticheat just working, but you may be surprised. Where Wine works it can even give higher framerates; rarely lower. Whilst I am sure some accessories are better in Windows, an old gameport Sidewinder (MS hardware) works better in Linux.

The internet was not designed to deal with money, or security. The internet is designed strictly for information transfer from one place to another with extreme efficiency.

At that, it still excels and is no mistake. The problem is all the people using it for money.

Very accurate and succinct!

Someone said a long time ago that "The love of money is the root of all evil".

I'm not a follower of any particular religion, but that guy sure got it right on that point! Also, the only time he was recorded being violent was when he kicked the money-changers out of the temple.

How do we kick out the money-changers from the Internet?

Back to the roots of info transfer... it seems the tagging devices+apps tell us that we have achieved critical mass of node/relay density for an underground mesh network to work, if we can get enough people to run it . . .

I have no solutions, I'm not even convinced that my statement really encapsulates the problem in a real way. Humans are very difficult. I'm reminded of that speech made by Hugo Weaving's character in The Matrix, about how the original matrix had been very utopian, with everyone living happy and harmonious lives, and the subjects rejected the illusion on a deep enough level to break it. I don't think one should look to Hollywood for good philosophical thinking, but I think he was onto something there.

If I could make one law get passed, I would outlaw algorithms on social media feeds (edit: and search engine results). Let them collect the data, let them target ads. I don't think those things are inherently harmful, or at least, no moreso than the old ads and surveillance.

But the seizing and algorithmic manipulation of the feeds, with the accompanying incentive that the whole thing fails if it doesn't turn a profit, is far more toxic than the gatekeeping of the old media emperors. The great promise of the internet in the 90s was that consumers of internet media would have complete control over our feeds, and get only the things we want and demand.

We have received the exact opposite, because people with money want to put their money to work, rather than work.

This is the main reason I switched to Linux[1]. Online accounts, that are not in your direct control, shouldn't be connected directly to device sign-ins. Changes to the account, or the details of the account can cause loss of data and the ability to sign-in to your own device.

They are pushing more and more people into the perception of renting an experience rather than owning a device. It's great money for me to help people figure all this out though.

[1]: https://www.scottrlarson.com/publications/publication-transi...

Your article resonated with me. The last straw for me was when MS Edge signed me into itself without my input or permission. I don’t know why that was the last straw but I just felt really violated by that. Thankfully Linux on the desktop has come really far. It truly is a breath of fresh air.

It makes me glad I fled to Linux years ago (after a Windows 10 forced, behind-your-back-after-you-locked-your-computer-and-walked-away-thinking-you-wouldn't-notice update restart made me lose some homework) and never looked back. ¦)

That happened to me as well[1]. Exact same reason why I switched to Linux. It took Windows 11 forcing online accounts and integrating OneDrive into the OOBE experience to finally wake me up.

[1]: https://www.scottrlarson.com/publications/publication-transi...

Agree. I also shy away from using Google or MS OAuth for third-party services. Partly due to privacy but partly paranoid concerns like this.

Or use a backup. I'm not being sarcastic. People with MacBooks have the same issue.

>>the keys are migrated to a school account.

>>Of course he has his important files in cloud storage anyway

So MS's defective key system is pushing people to keep their files in the MS cloud? When a defect in one product pushes users towards a more profitable/addictive product, that isn't a defect. It sounds like the plan to keep users hooked into the MS ecosystem is progressing nicely. Once upon a time it was Apple getting its hooks into users while at school. Now it is MS.

Does one still need an MS account to play minecraft?

You can also back up your BitLocker key to a USB stick or external HDD. When installing Win11 they even ask you if you want to back it up to your MS account or an external device.

I print mine out and put it in my safe. It's saved me a few times.
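For anyone in the position of the comments above, here is an added example (not code from the thread, and not Microsoft's own tooling beyond the cmdlets it calls) that inventories every BitLocker volume's recovery password on the machine and writes a copy to removable media you control. It assumes an elevated PowerShell on Windows 10/11 Pro or better (the BitLocker module is not present on Home) and that E: is an offline USB stick; change the path to suit.

```powershell
# Added example: list BitLocker recovery passwords and keep an offline copy, so that a
# mainboard swap, a lost Microsoft account, or a key escrowed to somebody else's tenant
# does not lock you out of your own disk.
#Requires -RunAsAdministrator

# Assumption: E:\ is a USB stick you keep in a drawer, not a cloud-synced folder.
$BackupRoot = 'E:\bitlocker-keys'
New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null

foreach ($vol in Get-BitLockerVolume) {
    Write-Host ("Volume {0}  protection={1}  state={2}" -f $vol.MountPoint, $vol.ProtectionStatus, $vol.VolumeStatus)

    # Nothing to save on a volume that was never encrypted.
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        Write-Host '  not encrypted, skipping'
        continue
    }

    # A TPM-only volume has no RecoveryPassword protector; after a mainboard replacement
    # the TPM that sealed the key is gone and nothing can unlock it. Add one now.
    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) {
        Write-Host '  no recovery password protector, adding one'
        Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector | Out-Null
        $vol = Get-BitLockerVolume -MountPoint $vol.MountPoint
        $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }

    foreach ($p in $rp) {
        # The pre-boot prompt identifies the key by protector ID, so store ID and
        # 48-digit password side by side; a bare number is useless with several keys.
        $name = '{0}-{1}.txt' -f $vol.MountPoint.TrimEnd(':'), $p.KeyProtectorId.Trim('{}')
        $file = Join-Path $BackupRoot $name
        @(
            "Volume:        $($vol.MountPoint)"
            "Protector ID:  $($p.KeyProtectorId)"
            "Recovery key:  $($p.RecoveryPassword)"
            "Saved:         $(Get-Date -Format o)"
        ) | Set-Content -Path $file
        Write-Host "  wrote $file"
    }
}
```

If the device is registered with a work or school tenant, `BackupToAAD-BitLockerKeyProtector -MountPoint C: -KeyProtectorId <id>` is the cmdlet that escrows a key to that tenant, which is the direction the keys in the earlier comment went; an offline copy made by the script above does not depend on which account the machine happens to be signed into later.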

Security is getting to be worse than what it protects against. It's a daily bane, especially for work stuff, as everything is locked down extra hard.

They tried to simplify it by tying everything to YubiKeys, but just this week some things stopped going to the YubiKey and wanted me to auth on my phone like we used to instead.


Cryptolockers at least give you a support email and let you pay to recover your data...

Letting an organization grab control of resources that do not belong to it, without the consent of the actual owners of those resources, is not "security".

"... Of course he has his important files in cloud storage anyway but it’s very annoying nonetheless ..."

That doesn't sound reassuring if the cloud storage is, itself, Microsoft connected ... or even using auth/login mechanisms that connect to the Microsoft account.

It is Google Drive, actually

So good luck with Google customer support when Google's algorithms decide that your login attempt is suspect or your usage violated whatever terms of service they might have buried in their legalese.

Bitlocker is such a freaking user-hostile mess. I know what I'm doing with it and I still screw it up - I have no idea how non-technical people are supposed to have any idea what's going on. They're either totally unprotected or constantly at risk of losing everything even with professional help.

Yeah, the identity side of MS products is really dysfunctional. Every time I try to use teams or azure it ends up in hours of finding out the right procedure to log in or switch an account effectively.

And then you get the people asking naively "why are you getting so mad at them"...

Solution: run Windows in a VM, one machine per account, nuke it from orbit when-not-if something goes awry. Hundreds of hours of frustration prevented from a system that is not even able to have the same UI across all its windows.

Or run apps like Teams in a web browser. Web browsers have good isolation techniques like Chrome's profiles and Firefox's containers.

Teams is written using web technologies so you're getting the same experience as the app.

The problem is that Windows 11 and above (try very hard to) require a Microsoft account, because these orcas of computing want to remind you with every step that you don't own the device you bought. Hence it's simpler/better to just virtualize everything.

Besides, there is a very satisfactory feeling when something doesn't work for whatever reason, you do a quick search and see that apparently you must edit some awfully named HKEY_LOCAL_MACHINE registry key or rename some <username>/AppData to .old (just had to do this yesterday, wild), and then, when the quick fix doesn't work, instead of trying to look for more fixes you just give up and start cussing until the VM is restored to a working backup.

> The problem is that Windows 11 and above (try very hard to) require a Microsoft account, because these orcas of computing want to remind you with every step that you don't own the device you bought. Hence it's simpler/better to just virtualize everything.

Then they do absolutely crazy weird things!

I recently got a new laptop. My account is `adavis@<domain>.com`, my user name on my old laptop using that account is `adavis`.

What did Windows 11 do when I created my user on the laptop? Oh, it makes my user name `adavi`, yes it truncated my username.

After scouring the internet, trying a few different things to rename my account to no avail, nothing worked! Until I found a command to bring up an account management window that looked dated to the win 2k era ish (and can't be found via any settings window). It allowed me to create a local account with the name `adavis`. I then logged into it, deleted my `adavi` account then was able to associate my new local account with my Microsoft account.

I once tried doing the prudent thing and give them an individualized email address on a catchall subdomain, now my user name on Windows 11 is "win10". Because why ask for a username if you have an email address, right? Might get interesting when your email is administrator@ or guest@, I don't get the impression that anyone at Microsoft has even the slightest idea what actually goes on in their schizophrenic SSO multiverse.

It only uses the first 5 letters so administrator should be fine (“admin” isn’t a built-in). Guest could be interesting, though.

This issue has been bugging me since Windows 7.

Only "proper" solution is to /not/ sign into your MS account when setting up the new machine for the first time. Create a local account with the name as you want it, and then only afterwards link it with your MS account (if you have to).

Only problem is, the latest Win11 installer does not allow you to create a local account anymore at all. So you need to install Win10, do the work-around dance, and then upgrade to Win11. I only realized this halfway through my most recent format.

Every time when I ssh into one of my other boxen, I have to remember now to go 'SSH myname@ip' else windows helpfully defaults to 'mynam@IP'
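The procedure described a couple of comments up (create the local account with the name you want first, link it to the Microsoft account only afterwards) can be done from an elevated PowerShell instead of the legacy account dialog. This is an added example and not code from the thread; `adavis` is a placeholder, and it assumes you are still logged in as the temporary account that setup created.

```powershell
# Added example: create a local administrator whose name, and therefore profile folder
# C:\Users\<name>, is exactly what you asked for rather than the truncated name that
# signing in with a Microsoft account during setup hands you.
#Requires -RunAsAdministrator

$Wanted = 'adavis'   # placeholder: the account name you actually want

# Bail out early if that name is already taken (the truncated account, or a built-in).
if (Get-LocalUser -Name $Wanted -ErrorAction SilentlyContinue) {
    throw "A local account named '$Wanted' already exists; rename or remove it first"
}

$Password = Read-Host -AsSecureString -Prompt "Password for $Wanted"

# The profile directory is created on first interactive logon and takes its name from
# the account name, so this is the one place the spelling has to be right.
New-LocalUser -Name $Wanted -Password $Password -FullName $Wanted -PasswordNeverExpires | Out-Null

# Add to the built-in Administrators group by well-known SID, so this also works on
# non-English Windows where the group is not literally called "Administrators".
Add-LocalGroupMember -SID 'S-1-5-32-544' -Member $Wanted

# Show the result, and everyone else who can administer the box (check for leftovers).
Get-LocalUser -Name $Wanted | Format-List Name, Enabled, PrincipalSource
Get-LocalGroupMember -SID 'S-1-5-32-544' | Format-Table Name, ObjectClass, PrincipalSource -AutoSize
```

Sign out, sign in as the new account once so the profile folder gets created, then remove the truncated account with `Remove-LocalUser -Name adavi`; that cmdlet does not delete its C:\Users folder, so remove that by hand or via System Properties > User Profiles. Only then, if you must, link the Microsoft account from Settings > Accounts; the local name survives the link.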

If you can't bypass the Win11 online account requirement by being offline during install, then try this:

In the "Let's connect you to a network" page, use these steps:

* Use the Shift + F10 keyboard shortcut to open Command Prompt.

* Type the following command to release the current network configuration and press Enter: oobe\bypassnro

Note: The command is a single phrase without spaces.

Note2: This will reboot the machine and restart the installer again (why?? because fu for not wanting a MS account that's why)
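What that command actually does, as an added example (not from the thread, and not Microsoft's script itself): `oobe\bypassnro` resolves to `C:\Windows\System32\oobe\BypassNRO.cmd`, a small batch file that writes one DWORD under the OOBE registry key and reboots. The PowerShell below does the same thing explicitly from the Shift+F10 prompt (type `powershell` there), printing the value first so you can see whether it was already set. Nothing about the network configuration is released; the reboot is needed only because setup reads the value when it starts.

```powershell
# Added example: the registry write behind oobe\bypassnro, spelled out.
# Run from the Shift+F10 command prompt during Windows 11 setup.
$OobeKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE'

# The key normally exists on a fresh install; create it if a trimmed image removed it.
if (-not (Test-Path $OobeKey)) {
    New-Item -Path $OobeKey -Force | Out-Null
}

# Report the current state; the value is absent on an untouched install.
$existing = Get-ItemProperty -Path $OobeKey -Name BypassNRO -ErrorAction SilentlyContinue
if ($existing) {
    Write-Host "BypassNRO is already $($existing.BypassNRO)"
} else {
    Write-Host 'BypassNRO is not set'
}

# DWORD BypassNRO = 1 is what brings the "I don't have internet" choice back on the
# "Let's connect you to a network" page.
New-ItemProperty -Path $OobeKey -Name BypassNRO -PropertyType DWord -Value 1 -Force | Out-Null
Get-ItemProperty -Path $OobeKey -Name BypassNRO | Select-Object BypassNRO

# Setup only reads the key at start, hence the reboot (the .cmd does the same).
Restart-Computer -Force
```

If the command is reported as not found, the registry value is the part that matters: `reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE /v BypassNRO /t REG_DWORD /d 1 /f` followed by `shutdown /r /t 0` at the same cmd prompt has the same effect. Disconnecting from the network before the reboot is still advisable; if setup sees a working connection it may not offer the offline path even with the value set.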

I just use a@a.com which is a locked account someone setup for this purpose. It kicks you to local user setup due to being locked.

Here's the way to do it in video form: https://youtu.be/EOUcvgqOV-0 (JayzTwoCents Youtube channel)

I tried exactly this process, and it did not work. The commands were not found by the command prompt. Possibly because I was installing Win11 Home?

I believe Rufus lets you bypass microsoft account setup on windows 11 when creating a bootable USB


In case that might help you:

You can create a file ".ssh/config" in your user directory, just like under linux, and inside of it put "User myname", and ssh will use that as a default and you won't have to specify it with @ everytime.

Well I still have a non-signed-in local account on my Windows 11 Pro install, but of course every time I boot up I get a full screen “finish setting up your device” before I’m allowed to sign in. The only options are “continue” and “remind me in three days”. Better yet, I once clicked on continue by accident and the computer hung for three minutes before I shut it down. Now I only reboot when the machine BSODs, which (I kid you not) happens every three to five days.

Thankfully I only use it for some cross-platform testing and occasional gaming.

> Under Notifications, clear the checkbox next to Suggest ways I can finish setting up my device to get the most out of Windows.

Not a Windows user, but that wording of the setting is making me irrationally angry

That, and the opposite of 'continue' (making this permanent change) being 'remind me in three days' or Google's 'not now' comes with this nasty implication that we're all just foolish users who don't know what's best for us and that we'll eventually come around to what we really want to do.

It really, really irks me.

Thank you! This has been driving me nuts on my Win 10 install.

I have the same issue with "finish setting up your device". I don't understand how this can be legal. In the early 2000s MS got fined for bundling IE as default, but I seriously think they have even more evil patterns now baked into Windows and all its entangling into 365 etc.

I was thinking the same thing. I heard somewhere that nobody wants to prosecute Microsoft now because their systems are so tied into our financial and political infrastructure that nobody wants to rock the boat. I also heard that Microsoft uses this as leverage against businesses that want to speak out against the dark patterns and deceptive practices Microsoft is involved in.

"The New Goliaths: How Corporations Use Software to Dominate Industries, Kill Innovation, and Undermine Regulation"[1] looks like a good book on the subject that I plan on reading.

[1]: https://www.amazon.com/New-Goliaths-Corporations-Industries-...

I absolutely detest Microsoft, but I think that same argument could be made for most of big tech but especially Google, Microsoft, Apple, Oracle or even the link you provided there selling the book, Amazon.

Yes that's true. I think Microsoft is in a special position though because they have the dominant share in the business market. I'm not too interested in focusing on the "other bad apples too" as it distracts from the actual problem: "Dark Patterns" and our allowing of them as a society. I take the approach that external manifestations come from our inner states of being from every human on the planet. We allow these things to happen because of where we are at as humans in society, at this current state of our evolution. Maybe it will change someday, maybe not.

> The problem is that Windows 11 and above require a Microsoft account

It is not quite a requirement, I have my Windows 11 Pro running just fine with no Microsoft account. They do attempt really hard to make it look like it's required though. Even going as far as showing a fullscreen app after Windows update that only has options for registering or login, but luckily Alt+F4 closes that abomination.

The last time I tried to do this it was impossible to sign into Office or Xbox on that same PC without logging into a Microsoft Account which subsequently takes over your local login. No way around it other than to not use those apps at all or only running office through a browser. It went like:

Install flight simulator on a Win10 PC with local login only and launch -> sign into an xbox account -> after you enter your name and password, you get a dialog box where you have to agree to sign your Microsoft Account on that PC with two dark pattern options that lead to the same result.

I couldn't find any combination of group policy editor, registry, and services.msc around it. You can either close it and lose access to the game you just paid for, or proceed and then you get your account signed into email and a bunch of other crap you don't want and have to spend hours getting rid of all traces of that account in your system (but it's never 100% gone). Only way to bypass it is to buy the game through Steam.

Between macOS, Linux and Microsoft, Microsoft has the least respect for you as a user and nobody should use it if they don't have to.

Edited. I just didn't even bother; given the trend, probably Windows 12 or 13 will close the loopholes.

They can never “close the loopholes” entirely, because there are customers that want machines with zero access to public Internet (embedded systems, national security, etc), where a Microsoft account is an absolute non-starter. Closing all the loopholes would be abandoning those market segments (many of which are already trending towards Linux/etc anyway)

I suppose they might make it mandatory unless you have some special version of Windows which is hard to buy (like LTSC). But make it too hard they risk that market. Anyway, now bypassing it involves opening a command prompt window, only the more technical users will do so, and that’s a small enough minority they probably aren’t missing much.

They actually already make a special version of windows for those purposes and it isn't available to the open market. Government editions that have no telemetry, advertising, or integrated cloud products at all.

I know it is a pipe dream but I wish they could be forced to sell this to the general public.

Are you talking about LTSC or something else?

I have looked into buying LTSC. Apparently you need a business (I own a “shelf” company which has never done anything, but legally it counts), and a Microsoft volume license agreement. I looked into the latter. Supposedly there is this trick where you order all these useless-but-cheap Identity Manager CALs to cheaply meet the minimum order requirement for a volume license. But I got a bit stuck working out what to order (or even if it was still available through resellers in my country). I lost interest at that point.

I am not Meph504, but I suppose they meant either Windows Enterprise G or Windows Enterprise G N editions, not Windows LTSC editions.

Is Enterprise G the same thing as “China Government Edition”?

Is there a “US Government Edition”? Is it different from the Chinese one?

How does G differ from LTSC?

Yes it is different, and the difference between gov edition and LTSC is that the gov edition isn't designed for long term support without change, but to increase security of Windows and remove all the telemetry and forced integrated services from Microsoft.

This info is publicly available so more detailed info should be easy to find.

All the sources I can find say that Enterprise G is China-only. The US Government (among others) doesn’t use it, even for classified stuff.

Telemetry is a bit of a non-issue for many national security applications-they run on special air-gapped networks with zero direct access to the public Internet, Windows can try to phone home to Microsoft all day long, it’ll never get through.

And disabling telemetry doesn’t require LTSC or Enterprise G. All Enterprise, Education and Server editions support “Diagnostic data off” telemetry level. Even if that’s not the default, most enterprises who want that will build their own install images with that setting configured.


> Closing all the loopholes would be abandoning those market segments (many of which are already trending towards Linux/etc anyway)

Sounds more likely to me that they'll just abandon those market segments.

I believe a Microsoft account is a requirement for Home editions, not Pro or above.

Pro now requires it unless you know any loopholes.

> The problem is that Windows 11 and above (try very hard to) require a Microsoft account, because these orcas of computing want to remind you with every step that you don't own the device you bought. Hence it's simpler/better to just virtualize everything.

During the pandemic, a key security component of our remote work architecture was to use Azure AD Conditional Access to restrict users to logging in to M365 apps from AD-joined laptops + some Intune compliance rules.

A weird situation was that, for a new laptop, we could not login using a domain account, as it was not joined in our domain. We also could not create a local account to join it. Not sure how IT solved that.

Windows 11 allows for the creation of local accounts. It sounds like someone signed in with an Azure AD account (work email); joining the Azure AD basically drops a lot of default policies on the machine, one of those is disabling local admin.

They can either remove that policy from their azure AD, or remove the machine from the azure ad.

Or update their policies to allow for azureAD joined machines.
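A check worth running before arguing with IT about which of those three applies, as an added example (not code from the thread): it parses `dsregcmd /status`, which ships with every Windows 10/11 build, to show whether the laptop is Azure AD joined, hybrid joined, or merely workplace-registered to some tenant, and then lists who is left in the built-in Administrators group. It is read-only; the field names are the ones dsregcmd prints.

```powershell
# Added example: what is this device joined to, and who can administer it?
# Safe to run as a normal user on any Windows 10/11 machine.

# dsregcmd /status prints indented "Key : Value" lines grouped in boxed sections;
# keep every such line in a hashtable (later sections overwrite duplicate keys).
$raw   = dsregcmd /status
$state = @{}
foreach ($line in $raw) {
    if ($line -match '^\s*([A-Za-z][A-Za-z ]+?)\s*:\s*(.+?)\s*$') {
        $state[$matches[1]] = $matches[2]
    }
}

# The fields that decide which policies and which tenant apply to this machine.
$interesting = @(
    'AzureAdJoined', 'EnterpriseJoined', 'DomainJoined', 'WorkplaceJoined',
    'TenantName', 'TenantId', 'DeviceId', 'MdmUrl'
)
foreach ($k in $interesting) {
    if ($state.ContainsKey($k)) { '{0,-18} {1}' -f $k, $state[$k] }
}

# Who can administer this box right now? PrincipalSource distinguishes Local from
# AzureAD / ActiveDirectory members. S-1-5-32-544 is the built-in Administrators
# group on every language edition.
Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Format-Table Name, ObjectClass, PrincipalSource -AutoSize

# A device can be workplace-registered (for instance by adding a school account in
# Teams) without being Azure AD joined. That registration is enough for BitLocker
# recovery keys to be backed up to that tenant, which is the situation described
# earlier in the thread, so call it out explicitly.
if ($state['WorkplaceJoined'] -eq 'YES' -and $state['AzureAdJoined'] -ne 'YES') {
    Write-Warning "Workplace-registered to '$($state['TenantName'])' but not Azure AD joined"
}
```

If `AzureAdJoined` is YES and the Administrators listing shows only tenant principals, the local admin really was removed by policy and the fix has to come from the tenant side, as the reply above says; if the device is only workplace-registered, `dsregcmd /leave` run as the user removes that registration, and the tenant-side device record (and any escrowed keys) stays with the tenant.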

I haven't used windows since 2008 and you've just made my day with this post. I have never felt so vindicated.

I haven't used windows for 20 years and yesterday I had a teams teleconference using Firefox on Linux. It works noticeably more poorly than most similar systems (jit.si for the win) but it works.

Teams calls are terrible for non-Windows users. :(

It actually worked decently once I used wired networking. Probably gobbles up bandwidth, typical Microsoft :D

The main problem is that randomly, Teams invites end in some "an unknown error occurred" and when this happens there's no recourse. It never happened with Zoom, Jit.si, GoTo Meeting, Google Meet or whatever else I've used.

The absolutely worst of all is WebEx, fortunately it's rapidly disappearing.

If it makes you feel better, I gather they're terrible for Windows users as well

I envy you

Win10 tries pretty hard too, you have to have The Secret Knowledge TM if you just want to use the operating system without sending everything to MS.

Microsoft auth is the leading cause of newly devised cuss-words in the first world.

As someone who has to do that (one work account with my company, one with our customer) the UX is miserable. Notifications work sometimes, delay can be significant and I don’t trust the auto-away feature when Teams runs in a browser.

Multi-accounts are really painful with most chat clients I have encountered. It sometimes makes me miss e-mail where the inside/outside distinction doesn’t exist.

This doesn't work perfectly well if you are on multiple calls at the same time.

Desktop Teams allows you to join multiple calls at once, and switch between them is easy.

Web browser teams disconnects you from one meeting to join another. The only solution is to open multiple browser profiles, each for different call, and then manage the 'mute tab' manually. Additionally, web browser edition has something to detect if tab is active, and will downscale / delay video stream if tab is not active. This is extremely annoying when you have meeting active on one monitor, and want to double check what is being discussed on another.

Saying all this, web browser teams at least works. Desktop one stops working because as the whole discussion here points out, accounts get mixed up. I can't join team meetings anonymously because desktop edition thinks I have an account, but when I try to login it tells me my account doesn't have Teams enabled.

Browsers have come a long way in this regard, you are right. Even before containers, I love having a ff profile for work and one for personal stuff, they are ultra portable too.

No, you're not. Specifically, unless you configure things juuuust right, then the alt-tab behavior and the taskbar/dock behavior is different. Not a show stopping "bug", but let's not pretend it's entirely workflow transparent to use it from Chrome.

And in an incognito window, too.

> Solution: run Windows in a VM, one machine per account, nuke it from orbit when-not-if something goes awry. Hundreds of hours of frustration prevented from a system that is not even able to have the same UI across all its windows.

Better solution: don't use M$ product, if you can. Despite the efforts and resources Microsoft spends in improving its products, languages, tools, they are just an enterprise company: very expensive buggy products.

Yeah, this would be my preferred way as well. I don't use any MS products any more in my personal life or my own ventures but if I did, that would be the way. But this is not a global cure. This probably will work fine in a household or small business environment but there are tons of reasons why it most probably will not work in a corporate environment.

Or run FireFox Containers and the browser version of apps... works great for MS Accounts

How do you get an instance of licensed Windows to run within the VM?

It's a more or less regular install: a quick search [1].

[1] https://geekflare.com/windows-11-in-virtual-box.

Even better: Use Wine. I am so tired of running a windows VM.

The real solution is not to use systems who allows that.

Of course, the problem is that in the last 38 years [1] plenty of programs have been developed for Windows-only, especially when you have to interact with the state [2]: there are still tutorials out there that require you open a website in Internet Explorer (!) if you want to validate a tax form or whatever other trivial task.

[1] https://en.wikipedia.org/wiki/Microsoft_Windows_version_hist...

[2] All the backroom deals for Windows/Office licenses for state-use certainly helped in this regard, https://www.zdnet.com/article/linux-not-windows-why-munich-i...

So you think Azure is the only "cloud" platform that can run Windows? I talked about Azure, not an OS; this has nothing to do with Windows, DOS or Xenix.

How do organisations justify so many lost hours of a day where employees just struggle with Microsoft’s abysmal software instead of doing real work.

Because nobody got fired for buying Microsoft.

Enterprise IT is conservative and full of strange politics that make it really dangerous for an admin team or IT department to stick their head out and do something independent other than follow the "mythical industry best practice", and MS is extremely good at manipulating what gets considered "industry best practice" to their advantage and then giving just enough discount on the more visible parts of the costs to look cheaper.

And it's an open secret that individual employee productivity doesn't matter all that much in the kind of back-end work where a PC was ever a feasible tool, as what really counts for profitability is the productivity of the non-PC-using frontline staff, who are far more likely to be issued either no computers, or mobile phones or tablets, than Wintel laptops.

Have you tried the competing software in a business environment? It is pretty easy to see why MS productivity software dominates. For like $12/u/month you get full web and desktop office software, MFA, and AzureAD, which you can use as an SSO identity provider for free; for one license that costs $4/m you can then make use of conditional access policies that give you massive options over how you manage and access all aspects of the tenant.

They now are giving teams (slack knockoff) a free dialing number so it now can be used for phone conferencing without non-organizational people.

OneDrive gives you 1 TB of syncable storage per user, and a 1 TB per-user pool for shared office resources.

I spent years as a Google Apps advocate, but seriously, for the money, no one touches what MS is offering right now. Google had MS hands down 10 years ago, and let Google Apps die on the vine. It is a damn shame too, because they were the only ones that had anything comparable.

Having just been put through the switch from Google Apps + Slack to the full MS365 suite including Teams, I have to agree and disagree.

On paper Microsoft absolutely has the best offering. The MS365 suite has everything anyone could ever need. But in practice it feels more like a downgrade than an upgrade. Teams does everything, and all of it just as poorly. Office does everything, but the web version and collaboration features are so far behind Google they are not comparable. SharePoint and OneDrive seem superior to Google Drive, but in practice there are many papercuts and people struggle to understand where to put documents and how to properly share them.

What Microsoft seems to lack is caring about user experience as they slather feature layer after feature layer on top of their products. What Google seems to lack is incentive to actually meaningfully improve their product, because I couldn't tell you a single meaningful feature they added to G Suite over the last five years.

> What microsoft seems to lack is caring about user experience as they slather feature layer after feature layer on top of their products.

That's the problem of selling something to the supervisor and not the actual user. MS has had that corporate world as a cash cow for three decades now. They don't care about the end user they just care that their product looks better in the slide that compares it to the best alternative.

> but seriously for the money, no one touchs what MS is offering right now. Google had MS hands down 10 years ago, and let google apps die on the vine

You're right, for the money MS gives the user a lot of fairly crappy products (other than the Office desktop suite). Google was positioned to own this, and they let it drop. It shows what it means to be a product-driven company (MS) vs. whatever Google does nowadays (milk search ads?).

There are teams of people in MS whose only job is to think about how to package something for sale. If Google had a single person doing that they would have beat Slack before it got huge, and could have owned office collaboration software as it all moved to the web.

Can you give more details on the "1 TB per user pool for shared office resources"? I always thought there was a user-level limit of 1 TB for OneDrive, and an organization-level limit of 1 TB + (10 GB)*(number of users) for SharePoint.[0]

And I've never found any documentation as to whether shared OneDrive folders count against the owner's quota, the quota of all of the users with permissions, or the SharePoint quota.

[0] https://learn.microsoft.com/en-us/office365/servicedescripti...

Firstly, this is complex: it depends on what plans and tiers you have, your resell partner, and what region you are in.

But the basics: each user gets their own quota of 1 to 5 TB; then there is also a shared quota (SharePoint, MS group storage, PowerShell online environment, Dataverse, etc.) of 1 to 25 TB + (x size per user), where the size per user depends on a multitude of factors.

I did not mean to imply that user limits are connected to the shared pool; it is in addition to the user quotas.

I am in a position at $dayjob where I have been mandated to find savings wherever possible. Currently a Google Workspace company, I absolutely loathe Microsoft's offerings, but after doing my due diligence there is no way I can avoid recommending migration. The pricing is just too good even with the warts, and the extra features are things we already need.

Fuck Teams, though. I will leave this company before migrating Slack into Teams. Actively recommending that product is nothing short of professional negligence.

And they're about to introduce GPT3/4 text generation into their products... And possibly image generation because why not.

It's just too good to ignore.

The lost hours are totally invisible (most companies wouldn't even allow you to report them; they don't WANT to see them), and the alternative world without lost hours and with more productivity can also not be imagined by those in charge.

For all its terrible bugs and login issues, is there even an alternative with similar functionality that would be as "user friendly" (as in: non-tech people would know how to use it as well as they use Microsoft garbage)?

I literally can't think of any alternatives that come close in functionality OR have the same ease of use for non-tech people and wouldn't waste even more time.

> The lost hours are totally invisible (most companies wouldn't even allow you to report them. they don't WANT to see them)

We recently discussed this "shadow work": https://news.ycombinator.com/item?id=34612697

OSX seems fine for most people where I've worked. For the truly intractable Windows addict, maybe ReactOS?

I am a Linux guy, always have been. But when I went from a Windows environment company to a Mac company I was absolutely shocked by how much less work I had to do with Mac to get everything working. Authentication, logging in, Slack vs Teams, just everything worked so much better.

I don't see how that is related to what I wrote?

Mac is not an alternative with the functionality of Teams, Outlook, MS Office, etc. It doesn't solve the MS crappy auth system, and it doesn't give (large) businesses the same functionality that MS is giving them.

On the Mac, you can use those MS products without it taking over your user account.

You can also use any of various other products that compete with them (Google Apps, iWork, Zoom, etc).

Just because MS makes a specific package that businesses like doesn't mean that they can't use something else if MS is becoming more of a problem than they're worth.

I think Linux + Wine should be fine for most people (with a little guidance, of course).

ReactOS isn't stable enough even in a VM right now – but the progress is nice, and I hope it will be a viable alternative for embedded applications (like ATMs or factory automation stuff). Maybe consumer use one day, too?

I'm blown away by this. I've come back to a full MS stack after years away and it's grim. Machines have to be restarted once or more times per day. My personal MacBook is restarted every month or two. I used to moan about Apple's software quality, but maybe we are actually in Isaac Asimov's accelerating decline to a dark age.

Not to support Windows, but what are you doing that requires restarts multiple times per day?

I leave my personal Windows 10 desktop running for about a month at a time so I don't have to reopen 5 different windows and arrange them across three screens for uni work every evening. It works fine.

Mind you, if it was a Mac I'd not even have to reopen or arrange them after restarting the machine; they'd still be there. Although my work Mac loves to randomise which display gets which windows and desktop background... And randomly pan all Bluetooth audio to the left ear once a week. I guess all OSes have their issues.

> I leave my personal Windows 10 desktop running for about a month at a time

My Win10 Home desktop downloads updates when I'm not looking (and sometimes when I'm actually using the thing) and then reboots all on its own. I have no control over this; there have been occasions when the reboot has happened while I was working.

It happens roughly once a week.

I've been using this method for years and it works great. It uses a Windows debug feature to launch cmd instead of the reboot scheduler. You never see the cmd window, as it's launched by SYSTEM. This prevents Windows Update from scheduling a reboot; otherwise the system functions as normal. You do need to reboot periodically, but now it's on your schedule.

Source: https://lazyadmin.nl/it/how-to-stop-automatic-restart-win-10...

You can use Reboot-Blocker to prevent that: https://udse.de/reboot-blocker/

> what are you doing that requires restarts multiple times per day?

Outlook, Teams, Chrome, COMRAD (radiology RIS), Spotify and InteleViewer (DICOM viewer). Without restarts Spotify stops working, the software loses track of what day it is (it assumes the day prior) and things get slow or unresponsive.

Maybe it's the software and not the OS. I run all those except COMRAD on a Mac OK, though.

Mac and multi-display and window location is a special hell. My father is a heavy Photoshop user and palette organisation is a daily battle with multi-screen. When screens wake up, windows and palettes reorganise if the system briefly detects one screen and not two. It's a big drain on productivity.

Yeah, I don't support Microsoft either, but I do have to run it on multiple machines for work and I don't need to restart unless to switch into Linux. It sounds like one of your apps has a memory leak or something. Do you check Task Manager for resource hogging?

> Do you check task manager for resource hogging?

Awkward... no, I haven't dug into it at all. I now will.

"My applications, not written by Microsoft, are broken. Obviously, it's Windows fault".

We have 80k Windows users we have to force to reboot every couple of weeks to make sure updates to all the software take (yeah...that's a problem but a different problem). If you're rebooting once a day, you have problems other than Microsoft.

I only restart on Patch Tuesdays; you have a different problem than Windows.

Because, as someone who has done support for a 28,000-person organisation, 27,500 of which are using mostly Microsoft products on Windows 90% of the time and 500 of which are using Mac or Linux and doing other stuff, I can tell you that at least 50% of the security incidents and second-line support issues came from those 500 users.

This seems like a clear case of selection bias. People with Linux and Mac are probably devs and technical people who will obviously utilize a much broader range of functionality of their machines and thus encounter more edge cases.

Yeah, clear selection bias. Most users can't describe a problem in enough detail to get to "2nd line" support in the first place.

You more or less need to be a dev-ish person to prove IT is at fault. The lusers have to live with the unplug the computer and reboot workarounds.

A few years ago, there was a video game developer who pointed out the disproportionate number of bug reports that came from their Linux players, and how grateful they were for it. The majority of the bugs reported by Linux users were not Linux-specific, and frequently had detailed descriptions of expected vs. observed behavior, exact steps to reproduce, core dumps, etc. Because the bug reports were coming from a group who is used to making effective bug reports, they could be used more effectively.

Did those 500 users also happen to be the ones that weren't adequately supported because they were seen as problem children?

If my org doesn't give me a supported way to do absolutely necessary thing X, then I'll find my own way to do it.

As I said, they took up about 50% of the second-line support capacity for the entire organisation. So yes, they were properly supported, unless you want a dedicated tech to hold the hand of every exec, dev and bioinformatician.

While it is entirely possible the problem here is those execs, devs and bioinformaticians, there do seem to be many other common factors than the Macs here.

Maybe they all need nonstandard software? God forbid, maybe they need administration permissions, but the org doesn't want to give them, so they end up calling in every other day to get something unlocked (I know that'd be true for me).

Maybe it's the problem-solving skills of the IT team when it comes to Mac, so people keep coming back with the same issues (good ones are Outlook/Teams being permanently broken, or VPN not connecting).

On the whole, I'd steer away from any explanation that would require all 500 Mac users to be idiots.

Or the technical infrastructure doesn't support them well. Or the support team doesn't know macOS or Linux, so it becomes a lot harder to provide support. There could be many reasons.

No, they're just really difficult to support.

MS makes it very easy to secure and admin at massive scale. You can roll out policies and updates to hundreds of thousands of machines with like 1-2 admins, and the other 8 IT people manage 200 Linux and Mac machines.

Oh, so it's not the users at all; it's that you have tools to manage Windows and didn't set up tools to manage anything else even though they exist, like a Linux admin complaining that Windows is unmanageable because Ansible doesn't work well on it.

You're maliciously misunderstanding. The tools available to manage Windows are simply either much, much better, or much better value.

And everything just works out of the box with like... 3 lines of PowerShell.

You can replicate some of it with Ansible, sticky tape and a few spare weeks, but it's not the same at all.

I'm actually a Linux admin, grew up with open source and spent my career serving pages and automating myself out of a job. I dislike Microsoft as much as the next guy, but for enterprise use they are _next fucking level_.

They also make it really easy to screw things up. I work at Microsoft, and a few weeks ago they rolled out a botched group policy change for our whole org that somehow deleted all O365 apps and Docker from most people's machines. The best part is you'd try to launch, say, Excel and you'd get an error about it being removed for being possibly malicious.

Because they think that they must use Windows no matter how bad it is.

Windows is no worse than macOS or any distro of Linux.

> At least my [...] Windows licenses are still working—but could the school revoke that access too?

This, at least, is a thing I have never even had to consider as a remote possibility on Linux.

Sure. But every OS has its flaws. They are all good and bad in their own way.

This statement says next to nothing, but may give the impression that it does to anyone who doesn't think twice about what it actually says. OS X and OS Y both have their good and bad sides, but are not necessarily anywhere near similar in terms of features and execution.

It's not an argument, nor should it be used as such.

Saying an OS is bad is offering nothing when it's factually incorrect.

It's not an argument, nor should it be used as such.

Microsoft's dark-patterns philosophy and how that translates into real-world user experiences is the worst I have ever seen. And since they are implementing these dark patterns into the OS, it has the potential to make using Windows very difficult. I understand that, with knowledge, you can get around that... But I don't see why anyone would want to any more.

Apple is really bad too, but they're not as bad in the dark-patterns market, at least in the OS. But they are way strict with their walled-garden approach to everything, so I won't support them either.

Linux can be buggy at times, but I feel much safer using this OS than I do Windows or macOS, because Microsoft and Apple don't really seem to care too much about the ramifications of their end-user-hostile decisions.

What are the ramifications of Apple's "end-user hostile decisions" aside from the walled garden on iOS? And having to click Security -> Run Anyway for unsigned apps?

I think how their approach to usability and security actually translates to a lack of user freedom. We had a discussion recently about Activation Lock on Hacker News. On paper and in the world of security, it's a great mechanism to prevent theft. But it also causes friction for device re-use with people who don't understand they need to decouple their online identity from their device, and this has a negative impact on recycling. It also seems like Apple wants to herd people into purchasing new devices sooner than they should, when they should be doing all they can to make devices last.

This is also related to trying to control the circulation of replacement parts by attempting to force independent repair centers to regulate how parts are distributed. Apple takes more of a "You don't know what you are doing, so we have to guide you in the right direction" approach that doesn't sit too well with me. Apple can be wrong, a lot, about how their decisions affect people's freedom to decide how to implement their own security and ways of retiring devices. Apple should be in the business of making hardware and making it usable. Not being a parent, deciding how people are going to use and secure their devices. Maybe leave that to an impartial organization that works with Apple. Too many conflicts of interest for me.

Considering many of those employees are doing bullshit jobs, it probably doesn't really matter at the end of the day.

Windows is only $5m a year and legal threats if your time is free.

Wow, that's only $416k/mo.

Which is like, wow, half a mil a month, but... also alarmingly little!~

Apparently the backward compatibility monster is not the size it used to be?

Now I understand why Win11's designers used Macs... wow the moat got small

Well, depends on the size of the company and how much of the Microsoft ecosystem you buy.

Try and talk the C-suite and Accounts people at $NonTechBusiness into using LibreOffice or Google Docs instead of Excel and Outlook and let me know how you go.

"Because it's cheap." Lots of "leaders" don't see much further than that...

If that were the reason, the year of Linux on the desktop would have happened 20 years ago.

Linux was not and is not cheap at all. Downloading it might be free, but the initial price doesn't matter compared to the cost of running it for a whole organization.

We are literally in a thread complaining that the cost of Windows is wildly higher than the cost of buying a box copy of the software. So yeah, in this context Linux is free.

This is true; they look at dollar amounts first and do not look at quality. Repeated over and over by people... and it feels like nobody seems to even care.

Because it actually works.

You can try to find as many edge cases as you like, but at the end of the day I just log into the account that's inside the domain and everything (email, Teams, network access, auth thru web apps) goes thru that domain account.

Is moving a personal account to a different country an insanely obscure edge case?

Because I tried to do that recently with O365 and I literally couldn't move my subscription without killing the old one and creating a new one.

Every other software service I use somehow managed to make it easy: fill in the new billing details. Done.

But not Microsoft. Billing and fulfilment details are on different pages, there's no obvious way to get from one to the other, and if you want to change country you can't.

I have literally received (temporary) work visas for other countries, travelled, etc etc with greater ease than moving some online accounts I have (Apple).

Even having physical copies of The Economist follow me, with the same subscription, was easier.

Optimisation for maximising profit, yay!

They don't consider any alternative to be viable.

Because on your work computer you just log in with your work Office 365 account and not your personal one, and then the above is not a problem whatsoever?

This is a case of buyer beware for some security policies.

I just want to point out that this entire described scenario, by a company with decades and decades of security products being shoehorned into "just good enough" cloud infrastructure....

Sure the security folks will say hardened infrastructure with fine grained least privilege is doable ... if you're at greenfield ... maybe. But the issue with lots of IT orgs is that they are MESSY, and fine grained least privilege is fragile. Messy + fragile = not good things.

I agree with least privilege as an aspiration, but security is a top-down authoritarian entity in organizations, and fundamentally they don't care if their policies disrupt your daily work process. IMO this is because most security orgs don't provide solutions.

Specifically, by solution I do not mean "picked an enterprise security product, bam, we have a solution"; I mean you have a security architecture and then have the people with bandwidth to help boots-on-the-ground devs get the job done quickly so security isn't a blocker.

They have actually made a lot of improvements to this process recently, allowing for multi-tenant login in a single browser.

If you use Firefox, you can use each of the container types to host different login accounts; it makes it easier than switching between private windows and doesn't require you to enable extensions on your private tabs.

Container tabs with MS and AWS has been a huge help for me at work.

> Auth with MS accounts is a giant mess.

It is indeed a giant mess.

If you go to live.com and click on the hamburger icon at the top, then under 'Apps' click on the "To-Do" app, you will be asked to enter the password for your work account, even though you are on live.com, not on office.com, and you are currently logged in with your personal account.

The only way to get past this is to click "use another account" then log in again with your personal account (even though you are already logged in!!).

This bug has been present for months now.

First mistake is using any of the Microsoft knock-off services whose primary purpose is to trick "deciders" in the C-suites and in the halls of bureaucratic hell who can confirm that the box for things like "to do" functionality is checked on their list. Every single Microsoft service, including email, several decades later, is still deep into subpar.

This is partly because loginHint is broken on Microsoft/Azure sign-in.
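For readers unfamiliar with the hint the comment above refers to: the Microsoft identity platform's authorize endpoint accepts `login_hint` (pre-fill the username) and `domain_hint` (`consumers` or `organizations`, to skip the "work or school / personal account" chooser when one email exists as both). The block below is an added example, not code from the thread or from Microsoft: it builds such an authorization URL with PKCE, and, on the relying-party side, checks that the account that actually signed in is the one the hint asked for, since a hint is only advice to the login page and the user can still pick another account. The `client_id`, `redirect_uri` and the sample token claims are constructed placeholders; the consumer tenant id constant is the well-known fixed `tid` that personal Microsoft account tokens carry.

```python
"""Added example: hinting which Microsoft account should sign in, and
verifying afterwards that the returned account matches the hint."""
import base64
import hashlib
import secrets
from typing import Optional
from urllib.parse import urlencode

AUTHORIZE = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"

# Every personal (consumer) Microsoft account token carries this fixed tenant id
# in its `tid` claim; work/school tokens carry the organisation's own tenant id.
MSA_TENANT_ID = "9188040d-6c67-4c5b-b112-36a304b66dad"


def pkce_pair() -> tuple:
    """Return (code_verifier, code_challenge) per RFC 7636 (S256)."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode()).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def build_authorize_url(client_id: str, redirect_uri: str, login_hint: str, *,
                        state: str, code_challenge: str,
                        tenant: str = "common",
                        domain_hint: Optional[str] = None) -> str:
    """Authorization-code request with PKCE. `tenant` is one of
    common / organizations / consumers / <tenant id>; `domain_hint`
    ('consumers' or 'organizations') removes the account-type chooser."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": "openid profile email",
        "state": state,                      # CSRF binding, checked on return
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "login_hint": login_hint,            # pre-fills the username field
    }
    if domain_hint:
        params["domain_hint"] = domain_hint
    return AUTHORIZE.format(tenant=tenant) + "?" + urlencode(params)


def account_matches_hint(claims: dict, login_hint: str,
                         expect_personal: Optional[bool] = None) -> bool:
    """`claims` must be the payload of an id_token whose signature, issuer,
    audience and expiry were already verified by a JWT library. Returns False
    when a different account than the hinted one signed in, or when the
    account type (personal vs. work/school) is not the one expected."""
    username = (claims.get("preferred_username") or claims.get("email") or "").lower()
    if username != login_hint.strip().lower():
        return False
    if expect_personal is None:
        return True
    is_personal = claims.get("tid") == MSA_TENANT_ID
    return is_personal == expect_personal


if __name__ == "__main__":
    # Constructed demo values, not a real application registration.
    verifier, challenge = pkce_pair()
    url = build_authorize_url("00000000-0000-0000-0000-000000000000",
                              "https://app.example/callback",
                              "jane@example.com",
                              state=secrets.token_urlsafe(16),
                              code_challenge=challenge,
                              domain_hint="consumers")
    print(url)
    # Constructed claims: a work/school token returned although a personal
    # account was hinted; the relying party should reject the session.
    claims = {"preferred_username": "jane@example.com", "tid": "11111111-2222-3333-4444-555555555555"}
    print(account_matches_hint(claims, "jane@example.com", expect_personal=True))
```

The post-login check is the part worth keeping even if the hint works: a relying party that silently accepts whichever account the identity provider returns is how a work tenant ends up attached to a session that was meant to be personal.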

Same on Gmail. I'm not logged in on my private account as I don't use it anymore, but it always suggests to log me in on the private account when accessing, even though I am logged in on a corporate account, which is the only one I'm actively using at the moment. Silly.

I don't get your scenario but I have to say I never had any issue with using multiple Google accounts on the same browser. I used to have 5+ accounts logged in at once (personal + work + school) and it always worked flawlessly, switching between accounts was always a breeze using the drop down menu on the top right, and not just for Gmail but any Google apps. Microsoft on the other hand gave me endless issues when trying to use just 1 personal account and 1 work account on the same browser.

It’s much worse than just auth too. Microsoft’s security policy around email is so bad that using Office 365 email should be considered a security problem.

They’re actively enabling phishing because they choose to rollback standards support.


It’s not just MS, auth is a mess everywhere. Everyone wants to own your identity and we’ve ended up with an insane web of trust.

The many standards around identity management make the web more complex. Most of us have many identities and we end up with a multidimensional web of tokens and cookies.

I think at some point something will have to give. This seems like a space where some more provider consolidation or collaboration would help.

Security is so important to get right, yet too easy to get wrong.

Because of a quirk of my employment, my AAD account was deleted and recreated, which means I now have two Azure DevOps accounts with the same email, one of which is unlicensed (and not attached to an AAD identity). It is fairly random which one it tries to sign me in with, and every once in a while clicking on a link in ADO will sign me out because it got confused about who I was. It’s insane, and there’s no way to nuke the old account.

I have the same issue. I’ve had a support call with an engineer about this and they have no idea how to fix this. If you sort the user list ascending it lists the one account and if you sort descending it lists the other. So changing the sorting should at least show _some_ license.

I mean, this sounds to me exactly like what happens when trying to mix normal Google accounts and Google Workspace ones, especially if the admin enabling all the services is not yourself. It's not just Microsoft; this is a problem all these service providers have because they can't cope with hybrid use.

I've got a number of Google accounts, two work ones (associated with different domains with distinct permissions and access to things, using Drive, Google Docs, Gmail and GCP with both) and a number of personal ones (some of which are associated with a Google Workspace that I use for email under my personal domain), and it all works just fine for the most part. Groups and the GCP console can sometimes get stuck on one account, but Chrome with profiles can sidestep that one.

Doing the same thing with MS accounts has been an utter nightmare by comparison.

With Google you change the ID in the URL and you're in whatever account you want. All the URLs usually have /u/<id> where ID starts at 0 with the first account you're logged into, 1 the second, etc.

But what happens when you are using a Google product not served from the browser?

This is obviously done on purpose. In the same way that Google ties users to Android devices when you add a Gmail account, MS takes every opportunity to assign their online account whenever they catch you off guard (installing a local Teams app instead of joining through the browser, signing into Minecraft at your school, etc.). At this point you need to go through all the steps of dissociating your account from these devices. Sometimes they will reassign them after an update, so you need to watch out.

For that reason I never use MS online apps on my private devices and whenever I need to sign in online, I always use the private mode or a dedicated Firefox container.

Although I agree that companies (Microsoft, Google, etc.) deliberately seek to authenticate you across the web, I do not think that the general mess with Microsoft authentication is on purpose.

It looks like generations of implementations (and likely generations of product management and development teams) layering on top of each other, "replacing" the "old" systems only to do the half of it, and integrating with acquired products.

Seen from outside, it just doesn't look like there exists a single team that understands the authentication and permission system end-to-end.

> I do not think that the general mess with Microsoft authentication is on purpose.

Microsoft has been dealing with online identity almost since the consumer web has existed. MSN launched in 1995, Outlook was the poster child of webmail, Active Directory is the behemoth of enterprise user management.

I don't see Hanlon's razor as relevant when it's one of their core competencies. They at least committed to throwing part of their users under the bus to pursue their goals.

As I see it, Microsoft has become so incompetent as an organization that they can no longer be said to have core competencies.

Yeah, exactly. The intent was probably to make their spyware login front work well. It would speed up adoption.

I think some people are mixing up Hanlon's razor with "if it is bad, the malice part can't be on purpose".

I have the same experience!

In my case, my personal and professional Microsoft addresses are the same (same email, different accounts), which means that in many cases I end up in impossible situations when the login screen doesn't correctly guess if I want to sign in personally or with my "work" account. I also do client work for organisations where I need to sign into their O365, and honestly the only way to manage all that is to keep a dedicated browser "per account".

Teams is a different story; I avoid account switching because, exactly like you describe, sometimes I need to uninstall it in order to sign out.

A perfect use for Firefox container tabs!

It's the only way I can keep my personal, work, and alma mater email separate and not falling into login loops.

Using the same email address is deliberately asking for problems.

I once got enrolled at a school and they asked for my email. Didn't know it was for Teams access.

Now, 4 years later, I still get to choose whether I want to log in to their tenant or mine every time.

Microsoft solution? Change my email on the personal account.

Not kidding.

Can you 'leave' the organization here? https://myaccount.microsoft.com/organizations

That sucks. If your email provider supports +suffixes you may be able to work around it that way.

You have only seen the tip of an iceberg. Try working as an IT consultant. You have half a trillion different accounts. You can't work in multiple spaces while using the app. So you have to use a browser. Then, the problem is that you get logged off more or less instantly if the tab is not active.

We also have some (a lot of) problems with Teams, to the point that I started recommending my colleagues use it from a browser and nuke cookies and other data every time the authentication stopped working.

Basically, when we log in we need to use the "personal account", but sometimes it will not ask what account to use and automatically chooses the wrong one, and once it gets stuck in this state I didn't find a way to fix it.

Using Edge (Microsoft-flavored Chrome) and the account personas will let you keep these M365/O365/Live identities separate, in the same way Chrome does a first-class job of keeping Google accounts separate.

Arguably, if you're one of the 85% of SMBs in O365/M365 instead of Google Workspace, or if your "Login with..." personal account is Microsoft instead of Google or Apple, you should be using Edge.

> Auth with MS accounts is a giant mess.

I agree. It is surprising that we don't see similar issues more often. It is *so* confusing to both users and developers, to the point where it's too easy to make some naive mistakes. And it is one of the most critical parts of the system!

The only reliable way of doing multiple SSO for Microsoft stuff I've found is:

- Use a different browser profile for each account

- For the 2nd and subsequent accounts, use Teams in the browser (teams.office.com), in the respective browser profile.

Teams in the browser is not substantially different from the desktop app.

Unfortunate; it sounds like a mess and a half. Does anyone know: if I found myself in the same situation, would creating different Windows accounts, one for each Teams/AzureAD account, help keep them separate?

This gave me flashbacks I was happy to forget about. Microsoft's SSO is nuts, at least with the browsers I used at the time. Might work better with Edge.

After spending three months trying to migrate legit accounts to MSFT Auth, I agree with this comment completely. Their account migration approach is broken from the start, but more importantly, there is absolutely no customer support. What should have been a 5-minute phone call turned into a 3-month-long chat and email nightmare, with multiple support reps telling me there was nothing they could do.

Apple is not really any better. God help you if you accidentally lock your Apple ID, you will be subject to a month-long wait before it can be fixed. Why that long? No idea. Nobody at Apple has any idea why it couldn't just be 2 days, and they will frankly admit to you that it makes no sense, then spout some meaningless 'because of GDPR regulations' nonsense that has absolutely nothing to do with GDPR regulation.

This really goes to show what depending on online authentication from a large corp can do.

Even worse, Microsoft is now trying to force online accounts onto Windows machines.

Google already does it with Android. Which means for some reason if you lose access to your email, you are locked out of not only your online accounts but your local devices also.

We really need to separate authentication from services and devices, with strong safeguards around that account and an actual support system.

Yeah, that shit is why I took a brand-new NVIDIA Shield back to the store immediately after getting it home - it literally cannot be used without signing into a Google account. I bought it thinking, "hey nice, I can use this 4K Android home theatre device without Google being involved, since it's from NVIDIA and thus hopefully free of all that crap". I even did my homework on this: no material included with the product, nor NVIDIA's online product page, indicated that an Android account is strictly required to actually use the product. I ended up doing some more searching after returning the product, and finally found a singular customer support page that happens to mention it. Gotta love it...

> and finally found a singular customer support page that happens to mention it

That's the kind of results Google should be surfacing, but it lost the game, it is so useless now for precision searching.

> That's the kind of results Google should be surfacing

Indeed and when I try it, it does surface it when I search for Does Nvidia Shield require an Android account? [1] For comparison, ChatGPT also gets it right. [2]


[1] https://imgur.com/a/cLpFj6i

[2] https://imgur.com/a/x6AP0jf

The first generation is 8 years old at this point.

Google should be surfacing things which paint google in a bad light?

It does. "Google search sucks" returns what you'd expect.

What GP is getting at is that Google Search breaks down often when you're looking for a very specific result, but one that is uncommon enough. Instead, you're often diverted to a "related" query result without them telling you.

If you search "What is the world record for crossing the English Channel entirely on foot?" Google would respond with swimming, boats, pedalling etc but miss the ones where people crossed on foot through the Channel Tunnel.

An improbable search is almost impossible to do on Google. They will replace it with unrelated but similar results. Even when you specify a strong condition, it will just ignore it and return the exact opposite. It's no better than LLM hallucination.

There are pairs of words that are very similar, but semantically different. Like "latitude" and "longitude" or "first name" and "last name". Google's model can't make fine distinctions between related (like latitude and longitude) and semantically equivalent (like last_name and family_name). You search for a semantic match, it will give you a related result that is exactly not matching your search.

Google should be surfacing what its policies actually are, period. If those policies paint Google in a bad light, it should reconsider them, not be coy about them.

What is the business case for that?

Why does an Android TV device requiring a Google account paint Google in a bad light?

If I’m all-in on the Google/Android ecosystem, this is a positive! It works even better!

The alternative is that the people behind the Nvidia Shield are intentionally user hostile / acting with malice, in cooperation with Google?

The idea that the account requirement is positive or negative is a hugely subjective one. The fact is it’s needed. Whether it’s positive or negative is largely irrelevant. The fact should be surfaced.

Search engines, even evil ones, should surface useful information.

I was looking at a media center/gaming emulation device and to be honest I don't see the benefit of these Android-based TV devices or Apple TV anymore.

You can buy a good mini-PC for a couple hundred bucks and it's much more powerful and flexible. You can run Windows or Linux etc. and hook up any keyboard, controller, remote, and do whatever you like.

> You can buy a good mini-pc for a couple hundred bucks and its much more powerful and flexible. You can run windows or linux etc and hook up any keyboard, controller, remote, and do whatever you like.

More flexible, yes, but are you really getting more powerful than an A15 for that price, especially when running a general purpose OS?

That last point is really hurting why media PCs disappeared: you’re paying considerably more - a whole number multiple - for an experience which isn’t designed for a TV, and in return you get the fun of playing sysadmin when you’re trying to relax. Most people are not going to pay a significant premium so they can deal with drivers and trying to figure out why their HDR isn’t working. Device lifetime theoretically could counter that out but I’m skeptical that hardware won’t be what sets the timing for that in either case, and the dollars per year metric isn’t favorable there.

Performance-wise? Yeah, I bet you could. A Ryzen 5 mini PC is well under $200 and will probably have hardware acceleration for 4k60. If you're the sort of person that already has SFTP plugged into your "media backup drive", Kodi on a cheap low-power box is kinda a no-brainer.

There are certainly better push-button solutions on the market, but arguing in the Apple TV's favor for performance is probably a Pyrrhic victory at best. If you want an Apple TV, get an Apple TV; if you want a streaming box for your ripped Blu-rays and legally-dumped retro games, you can build it yourself for roughly the same price.

> Ryzen 5 mini PC is well under $200 and will probably have hardware acceleration for 4k60.

The cheapest one Google knows about is an AliExpress no-name brand at $159 and that’s because it includes no storage or RAM, and uses a 3750H which benchmarks at less than half the speed. Once you add memory, it’s over $200. It does match the Apple TV on 4K@60 HDR support so I’d assume it must have hardware support.

Amazon has a couple of off-brand Intel devices, also around $200 for around half the Apple device’s performance.

Again, if you really want a PC you certainly can make it work but the reason it’s unpopular is that you’re paying a lot more – this is starting at 150% for hardware which is unlikely to last as long – and you then have to support a full PC, buy remotes, etc. If you enjoy that as a hobby, sure, but it’s hardly surprising that most people buy something which just works out of the box.

There exist general-purpose OSes that don't just fall apart randomly, you know. For instance if I have a problem with my Kodi box, I just reboot and choose the previous generation in the NixOS boot menu.

Judging by the threads on those proprietary embedded devices, I think my setup passes the "just works when you want it to" test even better than those appliance things, which market an illusion of stability but are doing the same mutable update dance behind the scenes (with the added complication of corporate whims).

> There exist general-purpose OSes that don't just fall apart randomly, you know. For instance if I have a problem with my Kodi box, I just reboot and choose the previous generation in the NixOS boot menu.

As someone who started using desktop Linux and supported it professionally before the turn of the century, yes, I’m aware and you’ll note that I never claimed otherwise. The reason I mentioned general purpose operating systems is that they’re not optimized for non-keyboard/mouse UI and you’re more likely to get in a situation which requires more work to sort out via the CLI.

The other concern I raised was drivers. Support for hardware video decoding, colorspaces & depth, high-quality sound, etc. is certainly technically possible but also something which not-uncommonly ends with angry rants. If you are passionate about open source and eager to take on that responsibility, great, but it’s not a popular choice.

The focus of those points feels completely irrelevant to the reality of my using a general PC to drive my TV. They seem to simultaneously assume the use of a generic point and click operating environment, while rejecting the additional functionality that would necessitate doing so.

My Kodi box boots straight into Kodi. I have a mini wireless keyboard on it (Rii X8?), but the alphanumeric functionality isn't particularly used and it could just as easily be a video game controller or even an IR remote.

There is no "situation which requires more work to sort out via the CLI", beyond when I deliberately choose to make changes to the system. If I ever did want to pop out of Kodi and run a general desktop + browser - say for sports streams - then the additional input hassle would be due to doing something I couldn't do with an appliance anyway. You can't really characterize this as a drawback.

And sure if some driver functionality doesn't exist, then obviously you can't use it - you set your expectations to what is available and how much you want to tinker. And the real answer to "angry rants" is to use an operating system with reliable change control, so that if you start tinkering with something, it cannot end up in a broken state when you want to use it to relax.

Look, I’m not saying you can’t use a PC for a TV if you want. I was specifically responding to the assertion that it was both cost-competitive and better performing when neither is true. It certainly allows you to do different things but it’s unclear how many people care about those more than the extra cash.

How is it not more cost effective and better performing AND more flexible than an Nvidia Shield or similar? I'm not talking about Chromecasts here.

IMO there's this weird tendency for technologists to create a model of "normies" with no bespoke interests or self-actualization, and then argue that they're following fully-fleshed-out "normie" incentives rather than the actuality of advertising and product placement.

Also I find it a bit disingenuous when people argue for the "less expensive" options that put you at the mercy of streaming companies. My amd64+Kodi+zfs+VPN setup certainly isn't the cheapest, but neither is a corporate puck with several monthly fees for streaming services. If one wanted to be entertained for the least money possible, I suspect that would just consist of using your current laptop/computer running a general purpose OS to play dodgy streaming sites. But most people seemingly want something more than that (which ties back in to my first paragraph).

As a technologist who’s run a fully fledged media PC since the days of Xbox Media Centre (before XBMC or Kodi or even Plex I think) with both Windows and Linux flavours, along with a USB IR remote control and wireless keyboard options… I simply got fed up of things randomly not working every year or two when a major upgrade was required, and the amount of effort that typically became required at the exact point that I was exhausted and just wanted to relax.

So I gave in, switched to Plex, paid for a Plexpass lifetime account, and bought embedded devices that could stream content off my server.

I have way less flexibility now that I’m on an AppleTV 4K. I also continue to get occasional headaches (e.g. recently the remote control randomly stops being able to control the volume), but the size of the headache is limited to pulling out a different remote control / turning all the things off and on again. Mental effort not required.

I have a laptop that goes into the 4x2 HDMI splitter, and I occasionally whip that out if there’s a real desperate need. But it’s the absolute last resort. It’s just easier to use the ATV.

It’s not that I lack the ability to produce a better PC based solution today, it’s that I lack the interest, and the $200 ATV is good enough that I’d rather throw money at the problem than time.

Here’s the statement I was responding to:

> dont see the benefit of these android based TV devices or Apple TV anymore.

My point was simply that an Apple TV is significantly cheaper ($100-120 vs. the $200+ PCs people mentioned) and it has roughly a factor of two better performance. Now, it’s inarguably less flexible but most of that flexibility doesn’t help with things many people want to do, which was the original point: people buy these because “spend less, everything you actually use just works” is actually a pretty good sales pitch.

You can get a streaming stick with the remote for like $50. It will come with all the stupid DRM in place required to stream 1080p/4K/HDR whatever and it'll be designed to be used from 10 feet away with a remote. Plus it'll use like 3W of power.

Setting that all up on PC is much more of a chore.

Yes sure, but I was talking about OP's Nvidia Shield, which costs like 200 bucks and also has gaming capabilities.

If all you want is Netflix and YouTube then of course a $50 Chrome stick is fine.

I'd be interested to hear how you'd get the usability to be as good as an operating system designed to be used with a remote running apps designed to be run with a remote.

Having to use a mouse and keyboard is a pain point for me when I use my desktop on my TV from the couch. For the mouse I use the trackpad on a ps5 controller, so the mouse isn't so bad.

Possibly you could:

- Not require passwords for everyday operation of your computer

- Boot into some sort of launcher designed for televisions

- Have a fairly narrow set of apps and services that work well with your setup. For example I don't know how you'd use Netflix or Disney Plus with a remote on Linux.

I've been running Kodi for over a decade now. It starts on boot, so all I have to do is start the desktop. The remote works with an open source Android app, which also allows streaming from Kodi to your phone and vice versa. YouTube works fine, never tried Disney+/Netflix, I'm not sure that's possible.

Kodi has YouTube? YT was the only reason I didn't just set up a Pi 4 or whatever. Already got one LibreELEC system for the home theatre, but wanted YT for the "daily driver" TV display. I assumed any YT plugin for Kodi would be persistently behind API changes and often not working, etc... is my assumption wrong? Would be great to hear if so haha

You need to set up your own set of API keys (fairly easy) but it can break for a week or so at a time when YT makes changes that need updates, but that's reasonably rare (once every couple of years).

I've never added API keys and it mostly works fine, need to retry a link sometimes (youtube a/b testing things I guess?) and I imagine it can't play age-gated videos.

YouTube nerfed their API in a way that makes using third party clients anywhere from hard to impossible. Things like requiring users to register API keys etc.

I use NewPipe and choose to stream to Kodi. That has worked fine for the last few years, even with an outdated Kodi YouTube plugin.

You can configure Linux to directly boot into Kodi with zero interaction very easily[1]. If you pick up a machine with an IR sensor (some Intel NUCs for example) then you can configure it to use a remote[2]. RPis have HDMI-CEC which means you can use your TV remote[3]. With that said I just use a mini keyboard[4] as it's the easiest and most versatile for me (definitely not the most user friendly for people who don't know the keys though!).

Admittedly I only have local media and YouTube (via a Kodi plugin) and don't use any streaming services, so Kodi fulfils my needs perfectly.

1. https://kodi.wiki/view/HOW-TO:Autostart_Kodi_for_Linux

2. https://kodi.wiki/view/Remote_controls

3. https://pimylifeup.com/raspberrypi-hdmi-cec/

4. http://www.riitek.com/product/k08x.html

No regular user wants to maintain this. Not everyone wants to tinker with Linux.

There exist a couple of wireless media keyboards with integrated trackpads, like a large one from Logitech or Microsoft or some small ones from obscure Chinese companies on Amazon. There are also remotes that you can connect over Bluetooth.
The obvious response to this is that the non-techy family members wouldn't be able to use it, but honestly most home entertainment setups are already crazy complicated, whereas everyone knows how to use a PC (for now)

Mash any of the four buttons on the Apple TV remote until the TV turns on, then use the top third of the remote as a touch surface to pick the app logo you want (Netflix, YouTube, etc.). If your iPhone is on the same wifi, a notification will tell you you can use it to type instead of the on-screen keyboard if you get into a free text field like for search. Apple products have their faults, and they are expensive, but that experience is as simple and smooth as it gets.

We also have an old laptop attached to the TV. We set that up in the lockdowns so we could use a webcam on the TV and a wired microphone on the coffee table to "get together" with friends and family, still use it occasionally for Dungeons & Dragons with friends who live too far away to visit often. The Apple TV doesn't support webcams, but wins at everything else, hands down. Even for desktop-y stuff, streaming my Macbook or my girlfriend's iPad to the Apple TV is less hassle.

Desktop ergonomics just don't work on the couch, at least for us, even with a nice-ish wireless keyboard with touchpad. Having a touchpad remote with just four buttons that have very predictable functions and a simple mobile-ish UI is nice, even to me, and I'm a desktop power user otherwise. Desktop OSes are for work, school or uni, most people aren't inclined, encouraged and/or enabled to explore and play in those, so they don't get them the way desktop power users do and tend to expect everyone else to, or the way people get mobile UX.

If you want something nearly everyone can pick up quickly, even older children and some seniors, make it touch-based, responsive, give it proper apps and the same core animations mobile phones have and you're 80% there.

Apple TV is useful as a homekit controller if you care about that sort of thing.

That’s about it though.

This is probably not a helpful answer for most people, but the Shield has an unlocked bootloader, and it's popular enough to have lots of custom ROMs that you could flash that don't have that problem.

Oh no way? Nice, good to know if I ever have one again.

Good for you.

Nvidia Shield was great, but they upgraded the user interface and shat ads all over it.

Don't mix up poop and chocolate - while Google's accounts aren't really that great (the whole GSuite mish-mash of nonsense doesn't really help), they are several orders of magnitude better than whatever MS is trying to do here. You have a million different ways to permanently screw yourself with a MS account, especially since they basically kept all the "account types" hidden while applying over them a veneer of homogeneity. You can basically use any Google account everywhere a Google account is required, but personal and corporate MS accounts are basically two different things that reuse some infrastructure while not being compatible in the slightest. Even when logging in to Windows, there are a dozen ways to enroll a MS account, and most if not all of them are not compatible with each other. There's always a very high chance of getting your Windows account messed up, not accessible, or impossible to log in to.

> You can basically use any Google account everywhere a Google account is required

This is not true if it is a Google Workspace (or whatever they are calling it now) account. Learned this the hard way when getting YouTubeTV. To be fair, it was just a couple of hours of frustration and annoyance but still, for whatever reason, the workspace accounts that you pay for are second class citizens.

I had to abandon my Google workspace account with my main email domain after they booted the free GSuite status (I migrated before they changed their mind unfortunately). Not only is that account gimped because it is a Google Workspace account (with little things all over that refuse to work with those style accounts at all) now it's even more gimped because it has no active subscription tied to it.

I can't downgrade it to a personal account without deleting the account and recreating it, but there's not even a guarantee that will work. Deleting the account will also mess up family photo albums and other items. Photo storage is full but I'm also unable to pay for storage without adding a subscription to the account. It's so risky to try and fix it that I just had to migrate to a new google account, re-purchase all my android apps, and just ignore that account forever.

A Google Workspace account does not work for Nest. I signed up for the free Google-email-but-with-your-domain thing more than a decade ago. A bit more recently but back when I was still a Google fanboy I bought a Nest thermostat and was astonished that my account could not be used for Nest.

> Google already does it with Android.

I have seen this on HackerNews multiple times. I bought a Google Pixel this past week and set it up. I have not logged into a Google Account. Maybe if you give the phone internet access during setup, it doesn't give you the local account option. But I can attest that Google has not (yet?) closed the "offline account" loophole.

Do you mean when using Google email? I don't see how being locked out of my personal email would lead to me being locked out of my Android, even if I would log into Google Play Services with an account (which I have not but let's go with the common lay person scenario).

It's honestly shocking to me how fragmented Microsoft's authentication system can be and how many quirks it has. Knowing how enterprise software is built, you know under the hood their auth system is a completely fragmented mess. Every login looks the same but is subtly different, so you can literally log into one service if your account is set up a certain way and that would instantly screw you when it comes to logging into 5+ other services.

This is a giant mess. Frankly, I don't understand how they architected it. If I open a Word, Excel or PowerPoint document from another company's SharePoint because they added me as a guest, Microsoft promptly signs me out of the desktop Office 365 apps and then says that I am using unlicensed Office 365.

How was this missed when designing the security and authentication systems?? This is basic foundational stuff!

That's easy to answer: It is not architected, it is organically grown.

Product A adds a sign in. Product B from another team adds another sign in. Product C,D,E do the same. Each team has some special magic sauce that makes their system work better with their product, but worse with all others.

Now the corporate infighting starts, as management squeezes all these sign-in systems together, and everyone loses if any other but their system wins. So some compromise is created, based more on political prowess than technical requirements. The result is an API from hell, taking fragments from everyone, even if they conflict. Everyone pushes and pulls their existing systems until it fits in the compromise, trying to minimize damage. Weird cracks appear everywhere.

We've all seen the organizational charts meme:

Remember how each organization builds a solution based on their organogram. Look at Microsoft in the meme. Look at the sign-in mess. Understand.

I predict strange, probably exploitable and surely unsolvable problems in the MS sign-in system for at least the next decade, just like their programming practices of the '90s had entirely predictable security consequences for a decade when the internet appeared.

The org chart comic from its original source, instead of a random reupload captioned in Spanish and heavy on the image artifacts: https://bonkersworld.net/organizational-charts

> Now the corporate infighting starts

Typical for Microsoft, reportedly: https://bonkersworld.net/organizational-charts

And it's crucial to understand we're well past the point where any one (or likely even a small team) knows all the places that Microsoft auth is entangled with. Thus unknown, undesirable interactions occur just because it's too big for someone to know that the interaction would occur.

This is exactly spot-on. 20+ years of this and you have a mess of gigantic proportions.

I have found guest accounts in general to be barely supported. I can’t manage my 2FA for my guest account in other organizations, can’t control which account to log in with (MS seems to decide based on which resource I’m navigating to), and anytime I have an issue it pretty much takes the AAD admin removing and re-adding me to fix it. It was clearly an afterthought feature.
