Go to ...

RSS Feed

This is wrong, Microsoft: Built-in Admin as MSA


In Windows 10 versions 1703 and earlier, it was impossible to associate the built-in administrator account with a Microsoft account. It was also not possible to run any UWP apps except Settings apps when signed in as the built-in administrator. Version 1709 changed this: it is now possible to use UWP apps with the built-in admin account, and to associate that account with an MS Account. As it’s not possible to switch the built-in admin back to a local account, nor even to change the associated MSA, I really must to say this to you, fellow geeks in Redmond: This is not OK, Microsoft. It should never be possible to associate the built-in admin with an MSA. Please fix this ASAP!

Back in 2015, trying to help a fellow TenForums.com member I accidentally found a loophole: If a Windows 7 user uses the built-in admin account as a normal user account having no other user accounts (not a good idea!), and then upgrades to Windows 10 opting into a Microsoft Account, the built-in admin account in Windows 10 becomes an MS Account without any ability to switch it back to a local account, or even change the associated MS account’s email address.

I thought this was accidental, a scenario not noticed by Redmond coders. Here’s a quote from my reply to OP:

The loophole you found, activating the built-in admin in previous version and then upgrading to Windows 10 using it seems to override all default security restrictions on the said built-in admin account, making it possible to connect it to a Microsoft account. However, as this is meant never to happen, once you have converted the built-in admin account to a Microsoft account it is no longer possible to convert it back to a local account. It is absolutely impossible, that is why the Your account page does not even show the Sign in with a local account instead option.

In Windows 10 version 1709 Microsoft made things worse. A user can now use any UWP app when signed in as the built-in admin. As those apps allow signing in with a Microsoft account, if the user makes wrong selection the whole built-in admin account will be switched to a Microsoft account without any possibility to switch back to a local account or change the Microsoft account in question:

This is really bad! Overlooking possible security issues, there’s no need ever to use the built-in admin as MSA, especially when it is absolutely, completely and profoundly impossible to remove this association, and switch back to local account. That’s because the link to switch back to a local account is simply non-existent!

Clicking Next, as shown in the preceding screenshot where, for instance, the user sets up the Calendar app when signed in as built-in admin, switches the built-in administrator over to a Microsoft account:

Alas, there’s no way to switch the built-in admin account back to a local account, nor is it possible to change the associated Microsoft account. Again: the link to switch to a local account (as shown for any normal user account) is missing.

Think about a worst-case scenario: The built-in admin account has been accidentally switched to a Microsoft account, using a Microsoft account email address that gets compromised or deleted. Not wanting to go into further detail, I’ll just say: “This is extremely bad, Microsoft!”

In my opinion, Microsoft should restore this as it used to be before Version 1709 came along. There’s no reason why the built-in admin account needs access to UWP apps, and it should remain impossible to switch the built-in admin account to a Microsoft account. The built-in admin account should be used only for system maintenance, and not as a normal user account. Thus, there’s no need to associate it with a Microsoft account, ever.

Kari

Author: Kari Finn

A former Windows Insider MVP, Kari started in computing in the mid 80’s writing code for VAX / VMS systems. Since then, he’s worked in a variety of IT positions. He specializes in Windows image capture, customization, repair and deployment as well as Hyper-V virtualization. Kari is a proud Team Member at number #1 Windows site TenForums.com.

Leave a Reply