June 2, 2020

Built-in admin as Microsoft account, why is it still possible?

In one of their worst decisions ever, the Windows and Windows Insider teams now allow the built-in administrator account to use, install and update UWP apps, and also allow that same administrator account to be switched over to a Microsoft account. Both of these “features” appeared in version 1709. Both are illogical, stupid and unnecessary features that should be removed. Worse yet, switching the built-in admin to a Microsoft account is also irreversible. In fact, once it has been switched over, there’s no way to stop using one’s MS account to sign into the built-in admin account!

To begin with, a built-in administrator account should never be used as a user’s main account for daily computing. Anything done to make that easier is simply wrong. I first wrote about this a year and a half ago. Here’s a link to my thoughts at that time (they’ve not changed yet!): This is wrong, Microsoft: Built-in Admin as MSA

There are many users who think “I’m the owner, UAC sucks, I’ll use the built-in admin account”. Just browse your favorite tech forums to find out how common this is.

Let’s say that a user, who in his / her enormous wisdom picks up the built-in admin account as the only personal user account, wants to add an email address to the Windows Mail app, or signs into the Microsoft Store to get an app. Selecting the wrong option in the prompt presented after entering MS account credentials, and clicking Next when asked if the user wants to use that MS account everywhere on the device (see featured image at the top of this page) will switch the built-in admin account to a Microsoft account:

Normally, after switching a normal admin or standard user account to an MS account, the user still has the option to revert that decision, to switch back to a local account:

Even if the user selected Microsoft apps only when asked if he / she wants to use the account everywhere on the device, there would be a link to revert it:

But, when the built-in administrator account gets switched to a Microsoft account, that is forever afterward only reversible through a clean install or restoring an earlier backup from some time before the switch. The link to revert the decision simply isn’t there:

Why? What were you geeks in Redmond thinking when you allowed this? Why is it still possible, over 18 months after you accidentally allowed it? I mean, it must be accidental on your part, I can’t imagine that you would do something so obviously wrong on purpose.

Have you seen on forums how often people forget their account passwords? If a user with outdated security information, using the built-in admin as a Microsoft account and as the only account on that machine, locks him / herself out, there’s a 30-day waiting period before a password reset will be allowed. Even if we forget that, and other security issues, the fact that switching to a Microsoft account cannot be reverted is wrong and needs to be fixed.

My recommended fix: stop allowing the built-in admin account to be switched to a Microsoft account. Revert to the old system (1703 and earlier versions), and disable Store apps in the built-in admin account. Case closed!
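Until that changes, the condition can at least be detected. The following PowerShell audit is an added example, not part of the original post: it finds the built-in Administrator by its RID 500 SID, reports whether it is enabled and linked to a Microsoft account, and flags the lockout case where it is the only enabled local admin. The function name `Get-BuiltinAdminStatus` is hypothetical, and the check assumes `PrincipalSource` reports `MicrosoftAccount` for a linked account.

```powershell
# Added example: audit the built-in Administrator (RID 500) on the local machine.
# Uses the Microsoft.PowerShell.LocalAccounts cmdlets (Windows 10 / Server 2016+).
# Get-BuiltinAdminStatus is a hypothetical helper name, not a built-in cmdlet.

function Get-BuiltinAdminStatus {
    # The built-in Administrator keeps a SID ending in -500 even if it is renamed.
    $builtin = Get-LocalUser |
        Where-Object { $_.SID.Value -match '^S-1-5-21-(\d+-){3}500$' }
    if (-not $builtin) { throw 'No RID 500 account found on this machine.' }

    # Other enabled local users in the Administrators group (well-known SID S-1-5-32-544).
    # Domain members are skipped: Get-LocalUser returns nothing for them.
    $otherAdmins = @(Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Where-Object { $_.ObjectClass -eq 'User' -and $_.SID.Value -ne $builtin.SID.Value } |
        ForEach-Object { Get-LocalUser -SID $_.SID -ErrorAction SilentlyContinue } |
        Where-Object Enabled)

    # Assumption: a local account switched to a Microsoft account reports
    # PrincipalSource = MicrosoftAccount.
    $linked = ($builtin.PrincipalSource -eq 'MicrosoftAccount')

    $findings = @()
    if ($builtin.Enabled) {
        $findings += 'Built-in Administrator is enabled.'
    }
    if ($linked) {
        $findings += 'Built-in Administrator is linked to a Microsoft account (no revert link is offered).'
    }
    if ($builtin.Enabled -and $otherAdmins.Count -eq 0) {
        $findings += 'It is the only enabled local admin: a lost password means lockout.'
    }

    [pscustomobject]@{
        Name                     = $builtin.Name
        Enabled                  = $builtin.Enabled
        PrincipalSource          = $builtin.PrincipalSource
        LinkedToMicrosoftAccount = $linked
        OtherEnabledLocalAdmins  = $otherAdmins.Name
        Findings                 = $findings
    }
}

Get-BuiltinAdminStatus | Format-List
```

An empty `Findings` list means the account is disabled and not linked, which is the state the post argues for.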


