How to set up and manage user accounts, passwords, and credentials in Windows 10 or Windows 11

Before you can begin working with a device running Microsoft Windows 10, you must sign in with the credentials for a user account that is authorized to use that device. User accounts are an essential cornerstone of Windows security and are key to providing a personalized user experience. As an administrator, you determine which user accounts are allowed to sign in to a specific device. In addition, you can configure user accounts on a Windows 10 device to accomplish the following goals:

  • Control access to files and other resources.
  • Audit system events, such as sign-ins and the use of files and other resources.
  • Sync files and settings between different computers when signing in with the same account.
  • Sign in automatically to email and other online services.
  • Require each user to provide additional proof of their identity (also known as multi-factor authentication) when signing in for the first time on a new device.
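The second goal in that list, auditing sign-ins, is only useful if someone actually looks at the events. The following is an added example, not code from the chapter: it turns on logon auditing, flattens the Security-log events 4624 (successful sign-in) and 4625 (failed sign-in) into plain objects, and reports accounts that suffered a burst of failures, flagging bursts that were followed by a success. It assumes an elevated Windows PowerShell 5.1 session on Windows 10 or 11; the function names are my own, the event IDs, field names and sub-status codes are Windows'. The sample events at the end are constructed, not real log data.

```powershell
# Added example (not from the chapter). Elevated Windows PowerShell 5.1+ assumed.

# Make sure both successful and failed sign-ins are recorded.
# Subcategory names are those listed by: auditpol /get /category:"Logon/Logoff"
function Enable-LogonAuditing {
    auditpol /set /subcategory:"Logon" /success:enable /failure:enable | Out-Null
    auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable | Out-Null
}

# Flatten a 4624/4625 EventRecord (from Get-WinEvent) into the fields a detection needs.
function ConvertFrom-LogonEvent {
    param([Parameter(ValueFromPipeline)] $Event)
    process {
        $xml = [xml]$Event.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $Event.TimeCreated
            Id        = $Event.Id
            User      = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            LogonType = [int]$d['LogonType']   # 2 console, 3 network, 7 unlock, 10 RDP, 11 cached
            Source    = $d['IpAddress']
            SubStatus = $d['SubStatus']        # 4625 only: 0xC000006A bad password, 0xC0000064 no such
        }                                      # user, 0xC0000234 locked out, 0xC0000072 disabled
    }
}

# Report each account with at least $Threshold failures inside $WindowMinutes, and whether a
# 4624 for the same account arrived after the burst (a guessed password that worked).
function Find-FailedLogonBursts {
    param([object[]] $Events, [int] $Threshold = 5, [int] $WindowMinutes = 10)
    $successes = @($Events | Where-Object Id -eq 4624)
    foreach ($group in ($Events | Where-Object Id -eq 4625 | Group-Object User)) {
        $fails = @($group.Group | Sort-Object Time)
        for ($i = 0; $i + $Threshold - 1 -lt $fails.Count; $i++) {
            $first = $fails[$i]; $last = $fails[$i + $Threshold - 1]
            if (($last.Time - $first.Time).TotalMinutes -gt $WindowMinutes) { continue }
            $later = @($successes | Where-Object { $_.User -eq $group.Name -and $_.Time -gt $last.Time })
            [pscustomobject]@{
                User              = $group.Name
                Failures          = $fails.Count
                Start             = $first.Time
                End               = $last.Time
                Sources           = ($fails.Source | Sort-Object -Unique) -join ','
                FollowedBySuccess = $later.Count -gt 0
            }
            break   # one report per account is enough
        }
    }
}

# Constructed sample, shaped like ConvertFrom-LogonEvent output (not real log data).
$t0 = Get-Date '2024-05-01T09:00:00'
$sample = @(
    foreach ($i in 1..6) {
        [pscustomobject]@{ Time = $t0.AddSeconds(15 * $i); Id = 4625; User = 'PC\alice'
                           LogonType = 10; Source = '203.0.113.7'; SubStatus = '0xC000006A' }
    }
    [pscustomobject]@{ Time = $t0.AddMinutes(2); Id = 4624; User = 'PC\alice'
                       LogonType = 10; Source = '203.0.113.7'; SubStatus = $null }
    [pscustomobject]@{ Time = $t0.AddHours(1); Id = 4625; User = 'PC\bob'
                       LogonType = 2; Source = '-'; SubStatus = '0xC000006A' }
)
Find-FailedLogonBursts -Events $sample | Format-Table -AutoSize

# Against the live log (elevated), last 24 hours:
# Find-FailedLogonBursts -Events (Get-WinEvent -FilterHashtable @{
#     LogName = 'Security'; Id = 4624, 4625; StartTime = (Get-Date).AddDays(-1) } | ConvertFrom-LogonEvent)
```

In the constructed sample, alice's six failures in 90 seconds from one address exceed the threshold and are followed by a 4624 from the same address, so she is reported with FollowedBySuccess set; bob's single failure never reaches the threshold. LogonType 10 with a remote source is the pattern worth alerting on first, because it means Remote Desktop is exposed to whoever is guessing.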

The credentials associated with a user account consist of a user name and password that serve as identification and, in theory, ensure that no one can use the computer or view files, email messages, and other personal data associated with a user account unless they’re authorized to do so.
If your computer is in a seemingly secure location where only people you trust have physical access to it, you might be tempted to allow family members or coworkers to share your user account. We strongly caution against using that configuration and instead recommend that you create a user account for each person who uses the computer. Doing so allows each account to access its own user profile and store personal files and user preferences within that profile. With fast user switching, a feature described in this chapter, you can switch between user accounts with only a few clicks.
With the right hardware and some initial setup, you can sign in and sign out without having to enter your full credentials. The Windows Hello feature allows you to sign in using biometric information, such as facial recognition or a fingerprint reader. In this chapter, we also explain how you can use the Microsoft Authenticator app on a trusted mobile device to sign in to a Microsoft account or Azure AD account without having to enter a password.

CREATING AND MANAGING USER ACCOUNTS

When you configure Windows 10 for the first time on a new computer (or on a PC with a clean installation of Windows), the setup program creates a profile for one user account, which is an administrator account. (An administrator account is one that has full control over the computer. For details, see “User accounts and security groups” at the end of this chapter.) Depending on what type of account you select during setup, that initial account can be a Microsoft account, an Azure Active Directory (Azure AD) account, or a local user account. A fourth user account type—an account on a local Active Directory domain—is available only on a managed network after this initial local account is created and you join the machine to the domain. (For information about the differences between these account types, see the next section, “Choosing an account type.”)
If you upgrade to Windows 10 from Windows 7 or Windows 8.1 and you had local accounts set up in your previous operating system, Windows migrates those accounts to your Windows 10 installation. These migrated accounts maintain their group memberships and passwords.
After signing in for the first time, you can go to Settings > Accounts to create new user accounts and make routine changes to existing accounts. The Your Info page provides an overview of your account, similar to the one shown in Figure 11-1.

Figure 11-1 The Your Info page offers an overview of your user account along with tools administrators can use to manage all accounts associated with the current device.
You’ll find different options and settings in Accounts depending on the type of account you use (Microsoft account, Azure AD account, or local account), whether your account is a member of the Administrators group, and—if your computer is joined to a domain—group policies in effect. On a computer joined to an Active Directory domain, all management of user accounts beyond basic tasks such as selecting a picture is normally handled at the domain level.
You’ll find some account-related settings under the User Accounts heading in the old-school Control Panel, which is shown in Figure 11-2. Several of these settings duplicate functions that are available in Settings > Accounts.

Figure 11-2 Visiting this old-school Control Panel page is rarely necessary, as most options for creating and managing accounts are available in the modern Settings app.
Only the Settings app can add a new account; the Add A New User In PC Settings link on the Control Panel page simply opens Settings. You can remove an account or change its type from either location.
All the esoteric options along the left side of the User Accounts page, as well as the Change User Account Control Settings option, are available only in Control Panel.
Choosing an account type
As we mentioned earlier, Windows 10 supports four different account types.
Microsoft account
When you set up a new account on a device running Windows 10, the default options strongly encourage you to sign in using a Microsoft account. You’ve probably used Microsoft accounts for years, perhaps without even knowing it. If you’ve signed up for a Microsoft service, including Outlook.com (or its predecessor, Hotmail), Microsoft 365 Family or Personal, Skype, or Xbox Live, you already have a Microsoft account. Every email address that ends with hotmail.com, msn.com, live.com, or outlook.com is, by definition, a Microsoft account.
During setup, you can enter the email address associated with an existing Microsoft account, or you can create a new email address in the outlook.com domain. However, you do not need to sign up for a Microsoft address to create a Microsoft account; you can set up a Microsoft account using an existing personal email address from any email provider, including Gmail and other non-Microsoft services.
Signing in with a Microsoft account allows you to synchronize PC settings between multiple computers. If you use more than one PC—say, a desktop PC at work, a different desktop at home, a laptop for travel, and a tablet around the house—signing in with a Microsoft account lets you effortlessly use the same desktop background, stored passwords, account picture, accessibility configuration, and so on. The synchronization happens automatically and nearly instantly.
Some features in Windows 10, including OneDrive and family settings, require the use of a Microsoft account or an Azure AD account. It’s possible to use OneDrive and other services that depend on a Microsoft account even if you sign in to Windows with a local account. However, in this configuration, you must sign in to each service individually, and some features might be unavailable or less convenient to use.
Under normal circumstances, you’ll associate a single personal email address with your Microsoft account and use that address to sign in to Windows. But because every Microsoft account supports up to 10 email aliases, you can use any alias associated with your primary address to sign in using your Microsoft account.
To manage Microsoft account aliases, go to https://account.live.com/names/Manage and sign in with your Microsoft account. Under the Account Aliases heading, click Add Email to create a new alias or use an existing personal email address as an alias. (Click Add Phone Number to use a mobile phone number as a username.) After verifying the added email address, you can make it the primary address and, if you wish, remove the old address. (Every alias uses the same password as the original account.)
Under the Sign-In Preferences heading, you can also change the settings for email aliases so that a specific alias can’t be used to sign in to your Microsoft account. That precaution allows you to use aliases to send and receive email but prevents them from being used to access your Microsoft account.

Local account

A local account is one that stores its sign-in credentials and other account data on your PC. A local account works only on a single computer. It doesn’t require an email address as the user name, nor does it communicate with an external server to verify credentials.
This type of account was the standard in Windows for decades. In Windows 10, Microsoft recommends the use of a Microsoft account rather than a local user account for PCs that aren’t part of a managed business network. But using a Microsoft account is not a requirement; local accounts are still fully supported.
You might prefer a local account if your home or small business network includes computers running Windows 7 or earlier (that is, versions that do not explicitly support the use of Microsoft accounts). For details, see “Sharing files, printers, and other resources over a local network” in Chapter 13, “Windows networking.”
In addition, some folks have privacy and data security concerns about storing personal information on the servers of a large corporation, whether that infrastructure is managed by Microsoft, Google, Apple, Amazon, or another cloud provider. Signing in with a local account minimizes the amount of information your PC exchanges with Microsoft’s servers.
You can switch between using a Microsoft account and a local account by going to Settings > Accounts > Your Info. On this page (shown earlier in Figure 11-1), click Sign In With A Local Account Instead. Windows leads you through a few simple steps to create a local account, which you’ll then use for signing in.
If you’re currently signed in using a local account, the link on that page reads Sign In With A Microsoft Account Instead. Click that link to replace your local account with a Microsoft account. As part of making the switch, you need to enter your local password one more time. A few screens later, you’re connected to an existing Microsoft account or a new one you create. From that time forward, you sign in using your Microsoft account.

Azure Active Directory account

The third type of account, available during the initial setup of Windows 10 Pro, Enterprise, or Education, is a work or school account using Azure Active Directory.
Azure AD offers some of the advantages of a Microsoft account, including support for two-factor authentication and single sign-on to online services, balanced by the capability of network administrators to impose restrictions using management software. These accounts are most common in medium-size and large businesses and schools.
Organizations that subscribe to Microsoft’s business-focused online services—including Business or Enterprise editions of Microsoft 365 (formerly known as Office 365), Microsoft Intune, and Microsoft Dynamics CRM Online—automatically have Azure AD services as part of their subscription. Every user account in that service automatically has a corresponding Azure AD directory entry.
You can connect an Azure AD account to a new Windows 10 installation during the initial setup of Windows 10, as we explain in “Performing a clean install,” in Chapter 2, “Installing, configuring, and deploying Windows 10.”
You can also associate a Windows 10 device with Azure AD after it has been set up to use a local account or a Microsoft account. To accomplish this task, go to Settings > Accounts > Access Work Or School, and then click Connect. The resulting dialog box, shown here, gives you two options:

The default option allows you to continue using your Microsoft account or your local account to sign in to Windows and simply connects your Azure AD account for easier access to Microsoft 365 services, including Exchange Online email and OneDrive for Business. If that’s your goal, click Next and follow the prompts.
If you want to reconfigure the PC so that you sign in to Windows using your Azure AD account, don’t enter an email address in the Set Up A Work Or School Account dialog box; instead, click the Join This Device To Azure Active Directory link at the bottom of that dialog box. That option opens the dialog box shown in Figure 11-3. After you sign in using your Azure AD credentials, you have one final chance to confirm that you want to sign in with your organization’s credentials and allow administrators to apply policies to your device.

Figure 11-3 Enter credentials from an Azure Active Directory account, such as a Microsoft 365 or Office 365 Enterprise subscription, to join the device to that directory.
After connecting a Windows 10 PC to Azure AD, you can view and edit your user profile by going to Settings > Accounts > Your Info and clicking Manage My Account. You can use the options on the Profile page to request a password reset and manage multi-factor authentication settings. The Applications tab includes any apps that have been set up by your administrator for single sign-on.
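The two choices above (connecting a work account versus joining the device) leave the PC in different states, and the Settings page does not make the difference obvious afterwards. As an added example, not code from the chapter, this function reads the `dsregcmd /status` report that ships with Windows 10 1803 and later and classifies the device. It assumes you run it as the signed-in user (the user-state lines are per user), and the function name and the wording of the states are my own.

```powershell
# Added example (not from the chapter). Run as the signed-in user, no elevation needed.
function Get-DeviceJoinState {
    $raw = dsregcmd /status                     # built-in tool; prints "Name : YES/NO" lines
    $s = @{}
    foreach ($line in $raw) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|WorkplaceJoined|TenantName|DeviceId)\s*:\s*(.+?)\s*$') {
            $s[$Matches[1]] = $Matches[2]
        }
    }
    $state = if ($s['AzureAdJoined'] -eq 'YES' -and $s['DomainJoined'] -eq 'YES') {
                 'Hybrid Azure AD joined'
             } elseif ($s['AzureAdJoined'] -eq 'YES') {
                 'Azure AD joined: you sign in with the work account and administrators apply policy'
             } elseif ($s['WorkplaceJoined'] -eq 'YES') {
                 'Azure AD registered only: work account connected, local/Microsoft account still signs in'
             } elseif ($s['DomainJoined'] -eq 'YES') {
                 'On-premises domain joined'
             } else {
                 'Not joined or registered'
             }
    [pscustomobject]@{ State = $state; Tenant = $s['TenantName']; DeviceId = $s['DeviceId'] }
}

Get-DeviceJoinState
```

The distinction matters for security review: a merely registered device keeps its local administrator and its local sign-in outside the organization's control, while a joined device is subject to whatever policies the tenant administrators push.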

Active Directory domain account

In organizations with Windows domains running Active Directory services, administrators can join a PC to the domain, creating a domain machine account. (This option is available only with Windows 10 Pro, Enterprise, or Education editions.) After this step is complete, any user with a domain user account can sign in to the PC and access local and domain-based resources. We cover this account type more fully in Chapter 17, “Managing business PCs.”

Changing account settings

With options in Settings and Control Panel, you can make changes to your own account or to another user’s account.
To change your own account, go to Settings > Accounts > Your Info, shown earlier in Figure 11-1. Even quicker: Open Start, click or tap your account picture at the top of the column of icons on the left, and then choose Change Account Settings.
Here, you can change your account picture, either by browsing for a picture file or by using your webcam to take a picture. If you sign in with a Microsoft account, the Manage My Microsoft Account link opens your default web browser and loads your account page at https://account.microsoft.com. On that page, you can change your password or edit the name associated with your Microsoft account. Click other links along the top of the page to review your subscriptions and Store purchases, change your payment options, and get information about other devices associated with your Microsoft account. You can also set security and privacy options, which we discuss in more detail later in this chapter.
If you have added one or more users to your computer, you (as a computer administrator) can make changes to the account of each of those users. (For information about adding users, see “Adding a user to your computer” later in this chapter.)
To change a user’s account type, go to Settings > Accounts > Family & Other Users. (On a PC where you’ve signed in using Azure AD, this setting is Other Users.)
Click the name of the account you want to change, and click Change Account Type. Your choices are Standard User or Administrator. For details, see “User accounts and security groups” later in this chapter.
If the person signs in with a Microsoft account, there are no other changes you can make. (You can’t make changes to someone else’s Microsoft account at https://account.microsoft.com.) For users who sign in with a local user account, you can make a few additional changes, but you must start from User Accounts in Control Panel (shown earlier in Figure 11-2). Click Manage Another Account, and then click the name of the account you want to change. You can make the following changes:

  • Account Name The name you’re changing here is the full name, which is the one that appears on the sign-in screen, on the Start menu, and in User Accounts.
  • Password You can create a password and store a hint that provides a reminder for a forgotten password. If the account is already password protected, you can use User Accounts to change the password or remove the password.
  • Account Type Your choices here are the same as in Settings > Accounts: Administrator (which adds the account to the Administrators group) or Standard User (which adds the account to the Users group).
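Everything in that list can also be done without clicking through Control Panel, and the command line adds the check a reviewer wants: a list of who is in Administrators. The following is an added example, not code from the chapter. It uses the LocalAccounts cmdlets shipped with Windows 10 and assumes an elevated Windows PowerShell 5.1 session (in PowerShell 7 import the module with -UseWindowsPowerShell). The function names are my own; the group names, cmdlets and PrincipalSource values are Windows'.

```powershell
# Added example (not from the chapter). Elevated Windows PowerShell 5.1 assumed.

# Settings' "Administrator" / "Standard User" is just membership of the Administrators group.
function Set-LocalAccountType {
    param([Parameter(Mandatory)] [string] $Name,
          [Parameter(Mandatory)] [ValidateSet('Administrator', 'StandardUser')] [string] $Type)
    $admins  = @(Get-LocalGroupMember -Group 'Administrators')
    $isAdmin = $admins.Name -contains "$env:COMPUTERNAME\$Name"
    if ($Type -eq 'Administrator' -and -not $isAdmin) {
        Add-LocalGroupMember -Group 'Administrators' -Member $Name
    }
    elseif ($Type -eq 'StandardUser' -and $isAdmin) {
        # Refuse to demote the last enabled administrator account; you would lock yourself out.
        $enabledAdmins = foreach ($m in $admins) {
            if ($m.ObjectClass -eq 'User') {
                Get-LocalUser -SID $m.SID -ErrorAction SilentlyContinue | Where-Object Enabled
            }
        }
        if (@($enabledAdmins).Count -le 1) { throw "$Name is the only enabled administrator on this PC" }
        Remove-LocalGroupMember -Group 'Administrators' -Member $Name
    }
    # Every interactive account should stay in Users; New-LocalUser does not add it there by itself.
    if (-not (@(Get-LocalGroupMember -Group 'Users').Name -contains "$env:COMPUTERNAME\$Name")) {
        Add-LocalGroupMember -Group 'Users' -Member $Name
    }
}

# Full name (the one shown on the sign-in screen) and password, as on the Control Panel page.
function Set-LocalAccountDetails {
    param([Parameter(Mandatory)] [string] $Name, [string] $FullName, [switch] $ResetPassword)
    if ($FullName) { Set-LocalUser -Name $Name -FullName $FullName }
    if ($ResetPassword) {
        $pw = Read-Host -AsSecureString "New password for $Name"
        Set-LocalUser -Name $Name -Password $pw -PasswordNeverExpires $false
    }
}

# Who has full control of this PC? Anything unexpected here is a finding.
function Get-LocalAdminReport {
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        $u = if ($_.ObjectClass -eq 'User') { Get-LocalUser -SID $_.SID -ErrorAction SilentlyContinue }
        [pscustomobject]@{
            Member    = $_.Name
            Class     = $_.ObjectClass       # User or Group (a nested group hides its members)
            Source    = $_.PrincipalSource   # Local, MicrosoftAccount, ActiveDirectory or AzureAD
            Enabled   = if ($u) { $u.Enabled } else { $null }
            LastLogon = if ($u) { $u.LastLogon } else { $null }
        }
    }
}

Get-LocalAdminReport | Format-Table -AutoSize
# Set-LocalAccountType -Name 'alice' -Type StandardUser
# Set-LocalAccountDetails -Name 'alice' -FullName 'Alice Example' -ResetPassword
```

Get-LocalGroupMember fails outright when the group contains a SID that no longer resolves (a deleted account or a stale Azure AD entry); when that happens, `net localgroup Administrators` still lists the raw SID, which is itself worth cleaning up.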

If you sign in with a local user account, you can make the following additional changes to your own account (that is, the one with which you’re currently signed in) by clicking links in the left pane:

  • Manage Your Credentials This link opens Credential Manager, where you can manage stored credentials that you use to access network resources and websites. Note that the saved web credentials are only usable in Internet Explorer and the legacy Microsoft Edge browser. The new Microsoft Edge, based on the Chromium engine, has its own store of saved credentials and ignores this one. Keep in mind that anything stored here is protected only by your own sign-in: any program running under your account can read these credentials back, so a compromise of the account exposes every password saved in it.
  • Create A Password Reset Disk This link, available only when you are signed in with a local account, launches the Forgotten Password Wizard, from which you can create a password reset tool on removable media. As an alternative, recent updates to Windows 10 allow you to recover from a lost password using answers to reset questions.
  • Manage Your File Encryption Certificates This link opens a wizard you can use to create and manage certificates that enable the use of Encrypting File System (EFS). EFS, which is available only in Pro, Enterprise, and Education editions of Windows 10, is a method of encrypting folders and files so that they can be accessed only by someone who has the appropriate credentials. Use the wizard's backup option to export the certificate and private key: if the profile is lost or the account deleted, that backup is the only way to read the encrypted files again.
  • Configure Advanced User Profile Properties This link is used to switch your profile between a local profile (one that is stored on the local computer) and a roaming profile (one that is stored on a network server in a domain environment). With a local profile, you end up with a different profile on each computer you use, whereas a roaming profile is the same regardless of which computer you use to sign in to the network. Roaming profiles require a domain network running Windows Server Active Directory services. Microsoft accounts and Azure AD accounts use a different mechanism to sync settings.
  • Change My Environment Variables Of interest primarily to programmers, this link opens a dialog box in which you can create and edit environment variables that are available only to your user account; in addition, you can view system environment variables, which are available to all accounts.

Deleting an account

As a local administrator, you can delete any local account or Microsoft account set up on a Windows 10 PC, unless that account is currently signed in. To delete an account, go to Settings > Accounts > Family & Other Users (the Family option is unavailable, and this category is called simply Other Users, if you’re signed in using an Azure AD account), and click the name of the account you want to delete. Then click Remove. Windows then warns about the consequences of deleting an account, as shown in Figure 11-4.

Figure 11-4 Before you click Delete Account And Data, be sure you have saved any local data you don’t want to lose.
After you delete an account, of course, that user can no longer sign in. Deleting an account also has another effect you should be aware of: You cannot restore access to resources that are currently shared with the user simply by re-creating the account. This includes files shared with the user and the user’s encrypted files, personal certificates, and stored passwords for websites and network resources. That’s because those permissions are linked to the user’s original security identifier (SID)— not the user name. Even if you create a new account with the same name, password, and so on, it will have a new SID, which will not gain access to anything that was restricted to the original user account.
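The SID point is easy to demonstrate, and it has a practical consequence beyond the deleted user: permissions that referenced the old SID stay in the ACLs as dead entries. The following is an added example, not code from the chapter. It creates, deletes and re-creates a throwaway account to show that the SID changes; deletes an account the way Settings' Delete Account And Data does, profile folder included (Remove-LocalUser alone leaves C:\Users\name behind); and scans a folder tree for ACL entries that now point at an unresolvable SID. It assumes an elevated Windows PowerShell 5.1 session; the account name, the scanned path and the function names are my own.

```powershell
# Added example (not from the chapter). Elevated Windows PowerShell 5.1 assumed.

# Create, delete and re-create an account; the two SIDs differ even though the name is identical.
function Test-SidChangesOnRecreate {
    param([string] $Name = 'sidprobe')   # hypothetical throwaway account
    $pw = ConvertTo-SecureString ([guid]::NewGuid().ToString()) -AsPlainText -Force   # random, never reused
    $first = (New-LocalUser -Name $Name -Password $pw -Description 'temporary').SID.Value
    Remove-LocalUser -Name $Name
    $second = (New-LocalUser -Name $Name -Password $pw -Description 'temporary').SID.Value
    Remove-LocalUser -Name $Name
    [pscustomobject]@{ Name = $Name; FirstSid = $first; SecondSid = $second; Identical = ($first -eq $second) }
}

# Delete the account and its profile, refusing if the user is currently signed in.
function Remove-LocalUserAndProfile {
    param([Parameter(Mandatory)] [string] $Name)
    $sid = (Get-LocalUser -Name $Name).SID.Value
    $profile = Get-CimInstance Win32_UserProfile | Where-Object SID -eq $sid
    if ($profile.Loaded) { throw "$Name is signed in; sign the user out first" }
    Remove-LocalUser -Name $Name
    if ($profile) { $profile | Remove-CimInstance }   # removes the C:\Users\<name> folder as well
}

# ACEs whose principal no longer resolves show up as a raw S-1-5-21-... string instead of a name.
function Find-OrphanedAces {
    param([Parameter(Mandatory)] [string] $Path)
    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue
        foreach ($ace in $acl.Access) {
            if ($ace.IdentityReference.Value -like 'S-1-5-21-*') {
                [pscustomobject]@{ Path = $_.FullName; Sid = $ace.IdentityReference.Value
                                   Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
            }
        }
    }
}

Test-SidChangesOnRecreate
Find-OrphanedAces -Path 'C:\Shared' | Format-Table -AutoSize   # hypothetical folder
```

Orphaned entries are harmless to the deleted user, but they are noise that hides real problems in a permissions review and, where the SID came from a domain, they can be inherited by a future account if the directory ever reuses it; removing them is the cleanest follow-up to deleting an account.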

MAKING THE SIGN-IN PROCESS MORE SECURE

As we noted in the previous section, every account on a Windows 10 PC is backed by a set of credentials, comprising a username (which might or might not be in the form of an email address) and a password. You can use those credentials to sign in to your account on a Windows 10 PC: At the sign-in screen, select your name (if it’s not already selected) and then enter a password.
Signing in with a strong password can be inconvenient, especially when it’s long and consists of a mix of upper- and lowercase letters, numbers, and special characters. The degree of difficulty becomes even more extreme when you need to enter that strong password on a device where the physical keyboard is unavailable.
To make the sign-in process more convenient without sacrificing security, Windows 10 supports several options you can use in place of your account password. Figure 11-5 shows the full range of alternatives, which you can find by going to Settings > Accounts > Sign-In Options.

Figure 11-5 Some choices on the Sign-In Options page require additional hardware. For example, the two Windows Hello biometric options are available only if you have a compatible infrared camera or fingerprint reader.
The first three options on the list apply to Windows Hello, a feature that augments the Windows 10 sign-in process with a form of hardware-based security. Additional sign-in options on this page include tools for managing physical security keys, setting and changing account passwords, and signing in by swiping and tapping on a photo.
If you set up more than one option for signing in, you can choose a method other than the default by clicking Sign-In Options on the sign-in screen. This ability might come in handy, for example, if Windows Hello fails to recognize your face or fingerprint. Icons for each of the options you set up then appear as shown next; click or tap one to switch methods.

Note that these alternative sign-in options also work for some applications, including the Microsoft Store.
In the following sections, we explain how to set up and manage each of these sign-in methods. We start with the most important secure sign-in option of all, which isn’t available in Settings.

Adding security with multi-factor authentication

The single greatest advantage of signing in with a Microsoft account or an Azure AD account, as far as we’re concerned, is support for multi-factor authentication, which provides security for your PC and its data. (This feature is often called two-factor authentication, or 2FA, but it can also be referred to as two-step verification.) It takes just a few minutes to set up, and the result is a layer of protection that prevents a stranger who has obtained your password from signing in with that password alone.
The most common form of 2FA uses an authenticator app installed on a mobile phone to provide a secondary form of proof of identity when necessary. In that case, the two factors are the classic “something you know” (your password) and “something you have” (the mobile device that you’ve set up as a trusted device). The combination of those two factors stops an attacker who has only a stolen password. It does not help if you approve a prompt you did not initiate: an attacker who already has your password can trigger prompts until you tap Approve, so treat any unexpected request as a sign that the password is compromised, deny it, and change the password.
To turn on this feature for a Microsoft account, go to https://account.live.com/proofs and sign in. On that page, you can add approved contact info for receiving security requests and turn on two-step verification.
For devices that are connected to an organization using Azure AD, an administrator must enable multi-factor authentication; after that step is complete, users can manage security verification from the Azure AD My Account portal. Start at https://myaccount.microsoft.com, signing in with your work or school account, and then click Additional Security Verification, under the Security Info heading; you can go directly to the page from https://bit.ly/AzureAD-2FA.
For Windows 10, the identity verification process works best with the Microsoft Authenticator app, which is available on Android and iOS smartphones from each platform’s store or from https://www.microsoft.com/authenticator. This app handles authentication for Azure AD and Microsoft accounts; it also supports most third-party accounts, including those from Google, Facebook, and Amazon.
The Authenticator app supports fingerprint- and face-based approvals on compatible hardware and works with several types of smart watches.
When 2FA is turned on, you’ll need to use that additional factor to prove your identity in situations that Microsoft defines as requiring extra security, such as when signing in on a new device for the first time or making changes to account settings; typically, this involves approving a prompt on a previously verified device, such as the Microsoft Authenticator app on a smartphone.

Using Windows Hello

The Windows Hello feature allows you to configure your Windows 10 PC as a trusted device that you can unlock using biometric hardware or a device-specific PIN. Enrolling creates a key pair on the device; the private key is protected by the PC’s TPM when one is present, and your PIN or biometric gesture unlocks that key rather than being sent anywhere. To sign in, you unlock those credentials with a PIN or biometric identification (using your fingerprint or face), and the device proves possession of the key on your behalf.
To set up Windows Hello, you first have to confirm your identity by correctly entering your credentials. After passing that test, you can add a PIN and, with the right hardware support, register your biometric information.
When this enrollment process is complete, you can skip the password and sign in to Windows 10 by entering your PIN or supplying what Microsoft engineers call your “biometric gesture,” using facial recognition or a fingerprint reader.
The device you sign in on acts as an authentication factor in its own right, because you established your identity when you set up the device; your additional information (the PIN or your biometric data) is bound to the enrolled device and is not stored on a remote server. This limits the damage from so-called shoulder surfing attacks, where someone tries to steal your password by watching your keystrokes as you sign in: a PIN observed that way works only on this PC and only in person, and the TPM throttles repeated wrong guesses. Because Windows Hello uses a device-specific PIN, other people can’t sign in to your account unless they also steal your computer, and your account password itself is never typed where it can be watched.
A new Windows Hello option, introduced with Windows 10 version 2004, allows you to configure a device so that the only available options use the Windows Hello PIN or biometric information; in this configuration, your password is not available as a sign-in option. To enable this option, go to Settings > Accounts > Sign-In Options and turn on the Require Windows Hello Sign-In For Microsoft Accounts switch.

Setting up a Windows Hello PIN

Windows 10 encourages you to set up a PIN when you create a new user account for the first time. If you skipped this step during Setup or you want to change the PIN you use for signing in to your computer, go to the Sign-In Options page and click Add under the PIN heading. After entering your password to confirm your identity, you enter numbers in a dialog box like the one shown in Figure 11-6. The minimum length is four digits (0–9 only), but your PIN can be as long as you want. If you prefer something more complex and harder to guess, select the Include Letters And Symbols option.

Figure 11-6 A PIN serves as a convenient alternative for signing in to Windows and verifying your identity in apps and services. You can choose a PIN that’s longer than the minimum of four characters.
To sign in using a PIN, type the numbers on your keyboard. Beginning with version 1703, keypresses in the numeric keypad area of the keyboard register as numbers while you type in the PIN box on the sign-in screen, regardless of whether Num Lock is set; in earlier versions, those keys acted as arrow keys if Num Lock was off. If your computer doesn’t have a keyboard, a numeric pad appears on the screen so that you can tap your PIN. (If the numeric pad does not appear, tap in the PIN-entry box.)
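Two things about the PIN are worth verifying rather than assuming: that the PC has a ready TPM to hold the key (otherwise the key is protected in software), and that the four-digit floor has been raised by policy on machines you manage. The following is an added example, not code from the chapter. It reads the TPM state and the registry locations that the PIN Complexity policy and the Require Windows Hello Sign-In For Microsoft Accounts switch write to, and sets a longer minimum. It assumes an elevated Windows PowerShell 5.1 session on Windows 10 version 1903 or later; the function names are my own, the registry paths and value names are Windows'.

```powershell
# Added example (not from the chapter). Elevated Windows PowerShell 5.1 assumed.

$PinPolicyKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity'
$PasswordlessKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PasswordLess\Device'

function Get-WindowsHelloReadiness {
    $tpm = Get-Tpm                                  # TrustedPlatformModule module; needs elevation
    $pl  = Get-ItemProperty $PasswordlessKey -ErrorAction SilentlyContinue
    $pol = Get-ItemProperty $PinPolicyKey    -ErrorAction SilentlyContinue
    [pscustomobject]@{
        TpmPresent       = $tpm.TpmPresent
        TpmReady         = $tpm.TpmReady             # False: the Hello key is software-protected only
        TpmLockedOut     = $tpm.LockedOut            # anti-hammering engaged after repeated bad PINs
        PasswordlessOn   = ($pl.DevicePasswordLessBuildVersion -eq 2)   # the Settings switch, 2 = on
        MinimumPinLength = if ($pol.MinimumPINLength) { $pol.MinimumPINLength } else { 4 }  # 4 = no policy
    }
}

# Same setting as the "Minimum PIN length" entry of the PIN Complexity Group Policy.
function Set-HelloPinPolicy {
    param([ValidateRange(4, 127)] [int] $MinimumLength = 6,
          [ValidateRange(4, 127)] [int] $MaximumLength = 127)
    New-Item -Path $PinPolicyKey -Force | Out-Null
    Set-ItemProperty -Path $PinPolicyKey -Name MinimumPINLength -Value $MinimumLength -Type DWord
    Set-ItemProperty -Path $PinPolicyKey -Name MaximumPINLength -Value $MaximumLength -Type DWord
}

# Same setting as Settings > Accounts > Sign-In Options > Require Windows Hello Sign-In For Microsoft Accounts.
function Set-PasswordlessSignIn {
    param([bool] $Enabled = $true)
    New-Item -Path $PasswordlessKey -Force | Out-Null
    $value = if ($Enabled) { 2 } else { 0 }
    Set-ItemProperty -Path $PasswordlessKey -Name DevicePasswordLessBuildVersion -Value $value -Type DWord
}

Get-WindowsHelloReadiness
# Set-HelloPinPolicy -MinimumLength 6
# Set-PasswordlessSignIn -Enabled $true
```

A six-digit PIN behind a TPM that locks out after a handful of wrong attempts is a far stronger gate than the same digits typed into a web form, which is the reason the chapter can recommend a PIN over a password at all; without a ready TPM that argument weakens, and the readiness check above is the way to know which case a given PC is in.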

Using Windows Hello for biometric sign-ins

With the proper hardware, you can sign in simply by swiping your fingerprint or, even easier, showing your face in front of your computer’s camera. (On some now-deprecated Windows 10 Mobile devices, iris recognition is also supported. This option is not currently available on any PCs.) You might also be asked to verify your identity when making a purchase or accessing a secure service. When Windows Hello recognizes a fingerprint or face, it greets you by briefly displaying your name and a smiley face on the sign-in screen before going to your desktop.
To use Windows Hello for biometric sign-ins on a PC, you need one of the following:

  • A fingerprint reader that supports the Windows Biometric Framework; if this hardware isn’t built in to your computer, you can add a USB-based fingerprint reader.
  • An illuminated 3-D infrared camera such as those found on Surface laptops and tablets from Microsoft, as well as other advanced devices; note that a standard webcam will not work.

To set up Windows Hello, go to Settings > Accounts > Sign-In Options. Under Windows Hello, click Set Up for the biometric device you want to use. Windows asks you to enter your PIN to verify your identity. After that, you need to enter your biometric data. With face recognition, that involves staring into the camera; to set up a fingerprint reader, follow the prompts (as shown in Figure 11-7) to swipe your fingerprint several times, until Windows Hello has recorded the data it needs.

Figure 11-7 Setup for Windows Hello guides you through the brief process of scanning and storing your biometric data.
If you’re setting up fingerprint scanning, you can enroll additional fingers so that you don’t have an alternative if the finger you normally use is, for example, covered with a bandage. Click Add Another after you complete registration for a fingerprint. To add another fingerprint later, return to Settings > Accounts > Sign-In Options and click Add Another. You can also associate an additional fingerprint with a different user account on the same device. Sign in to the alternate account, and set up the second fingerprint there. When you restart, you can choose your account by choosing the fingerprint associated with that account.

Using a picture password

This option is a bit of a misfit on the list of sign-in options. The picture password option appeared first in Windows 8 and was designed for small tablets and mobile phones. It doesn’t offer the same level of security as Windows Hello (which is the main reason we don’t recommend using it), but the option survives for users who like the idea of personalizing the sign-in process.
With a picture password, you can sign in on a touchscreen using a combination of gestures (specifically, circles, straight lines, and taps) that you make on a picture displayed on the sign-in screen. The easiest way to get comfortable with a picture password is to go ahead and create one.
To get started, go to Settings > Accounts > Sign-In Options. Under Picture Password, click Add. Verify your identity by entering your password to display an introductory screen where you can choose a picture. You then get to select one of your own pictures to appear on the sign-in screen. When you’re satisfied with your selection, click Use This Picture.
On the next screen that appears, you specify the three gestures you’ll use to sign in. These gestures can consist of circles, straight lines, and taps. After repeating the series of gestures to confirm your new “password,” click Finish.
To sign in with a picture password, you must perform the same three gestures on the sign-in screen, in the same order, using the same locations, and in the same direction. You don’t need to be that precise; Windows allows minor variations in location.

Setting or changing a password

When you set up a Microsoft account, you’re required to create a password. Similarly, if you add a local user account to your computer, Windows 10 requires you to specify a password. Earlier versions of Windows did not have this requirement, however, so if you upgrade from an earlier version, you might need to add passwords for existing local accounts.
To set or change your Microsoft account password, go to Settings > Accounts > Sign-In Options. Click or tap Change under Password. If Windows Hello is set up, you first need to enter your PIN or supply biometric authentication. Next, you must enter your existing password to confirm your identity. Windows then asks you to enter your new password.
Changing the password for a local account requires an extra step: You must specify a password hint. The password hint appears after you click your name on the sign-in screen and type your password incorrectly. Be sure your hint is only a subtle reminder because any user can click your name and then view the hint. (Windows will not allow you to create a password hint that contains your password.)
You can also set or change the password for the local account of another user on your computer. To do so, open User Accounts in Control Panel, click Manage Another Account, and click the name of the user whose password you want to change. Then click Change The Password or (if the account doesn’t currently have a password) Create A Password.

Managing a physical security key

A security key is a physical device built around encryption hardware that supports the Fast Identity Online (FIDO2) standard. These keys, which typically plug into a USB port or connect via Bluetooth or NFC, can be used as a second identity factor to sign in to a Microsoft account or reset a password. Security keys also work with password manager programs and are supported by every major browser that runs on Windows 10, which in turn allows you to use one of these devices for 2FA support on popular web services. In this scenario, you’re typically prompted to tap the security key after entering your credentials. With the addition of a PIN, you can use a security key for passwordless sign in.
Windows 10 doesn’t support security keys for signing in to a local account or a Microsoft account (sign-in with a FIDO2 key is available only for Azure AD accounts, on devices where an organization has enabled it), but you can use Windows to manage a hardware key. Go to Settings > Accounts > Sign-In Options, click Security Key, and then click Manage. Insert and tap the hardware key to select it, and then use the options shown in Figure 11-8 to add or change the security key PIN or to remove saved credentials from the key and get a fresh start.

Figure 11-8 You can use a physical security key as a second factor for signing in to web services, including Microsoft accounts. Use these controls to change the PIN or remove stored credentials.

SIGNING OUT, SWITCHING ACCOUNTS, OR LOCKING YOUR COMPUTER

When you step away from your computer, you want to be sure you don’t leave it in a state in which others can use your credentials to access your files, sign in to websites or services using saved passwords, read and reply to email messages, or otherwise interfere with your digital identity. For security’s sake, you need to sign out, switch accounts, or lock your computer:

  • Sign Out With this option, all your programs close, and the lock screen appears.
  • Switch Account With this option, also known as fast user switching, your programs continue to run. The sign-in screen appears, ready for the sign-in credentials of the person you select. Your account is still signed in, but only you can return to your own session, which you can do when the user who is currently signed in chooses to sign out, switch accounts, or lock the computer.
  • Lock With this option, your programs continue to run, but the lock screen appears so that no one can see your desktop or use the computer. Only you can unlock the computer to return to your session; however, other users can sign in to their own sessions without disturbing yours.

To sign out, switch accounts, or lock your computer, open Start and click or tap your picture above the column of icons on the left. That displays a menu with Lock and Sign Out options; on a device with more than one user account set up, it also includes a profile picture and username for other available accounts. On a computer that’s joined to a domain, Switch Account appears instead of individual account names. You can then enter an account name on the sign-in screen.

Using Dynamic Lock

Windows 10 version 1703 introduced a new way to lock a computer, called Dynamic Lock. With Dynamic Lock, your computer automatically locks when it becomes separated from your phone, such as when you step away from your desk with your phone in your pocket or purse. To use Dynamic Lock, follow these steps:

  1. If you haven’t already done so, pair your Bluetooth-enabled phone to your computer.
  2. Open Settings > Accounts > Sign-In Options.
  3. Select the Dynamic Lock check box.

After following these steps, Windows polls your phone several times each minute. (This does place a small hit on your phone’s battery life.) When it discovers that the phone is no longer in range, the computer locks. Be aware, however, that locking doesn’t occur instantly; Windows polls your phone only periodically, and it takes some time for you to get far enough away so that your phone is out of range.
How far is “out of range”? That sensitivity depends on several factors, including the signal strength of your two devices and the number of walls and other obstructions between the devices. A registry value sets the threshold, but calibrating it takes some experimentation. Rafael Rivera has created a tool for working with Dynamic Lock threshold values; you can read about it at https://bit.ly/DynLock.
Unfortunately, Windows 10 does not offer a corresponding dynamic unlock feature. When you return to your computer, even with phone in hand, you’ll need to sign in using one of the usual methods: Windows Hello, password, PIN, or picture password.

SHARING YOUR PC WITH OTHER USERS

Personal computers are usually just that—personal. But there are situations in which it makes sense for a single PC to be shared by multiple users. In those circumstances, it’s prudent to configure the shared device securely. Doing so helps to protect each user’s data from inadvertent deletions and changes as well as malicious damage and theft.
When you set up your computer, consider these suggestions:

  • Control who can sign in. Create accounts only for users who need to use your computer’s resources, either by signing in locally or over a network. If an account you created is no longer needed, delete or disable it.
  • Use standard accounts for additional users. During setup, Windows sets up one local administrative account for installing programs, creating and managing accounts, and so on. All other accounts can and should run with standard privileges.
  • Be sure that all accounts are protected by a strong password. This is especially important for administrator accounts and for other accounts whose profiles contain important or sensitive documents. Windows 10 prompts for a password when you create a local account in Settings, but accounts migrated from Windows 7 or created with command-line tools can still have a blank password, so check every account rather than assuming.
  • Restrict sign-in times. You might want to limit the computing hours for some users, especially children.
  • Restrict access to certain files. You’ll want to be sure that some files are available to all users, whereas other files are available only to the person who created them. The Public folder and a user’s personal folders provide a general framework for this protection. You can further refine your file-protection scheme by selectively applying permissions to varying combinations of files, folders, and users.
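
The following script is an added example, not part of the book; it checks a shared PC against the suggestions above using the Microsoft.PowerShell.LocalAccounts module that ships with Windows 10. The only assumption is the list in $trustedAdmins, which should name the accounts you intend to be administrators.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the book): audit a shared Windows 10 PC for the
# account hygiene described in the list above. $trustedAdmins is an assumption:
# put the names of the accounts you intend to be administrators there.
$trustedAdmins = @('Carl')

function Get-SharedPcAuditFindings {
    param([string[]]$ExpectedAdministrators)

    $findings = [System.Collections.Generic.List[string]]::new()

    foreach ($u in Get-LocalUser) {
        # Enabled account with no password: anyone at the keyboard can use it.
        if ($u.Enabled -and -not $u.PasswordRequired) {
            $findings.Add("Enabled account '$($u.Name)' has no password")
        }
        # Password on an enabled account not changed for more than a year.
        if ($u.Enabled -and $u.PasswordLastSet -and
            $u.PasswordLastSet -lt (Get-Date).AddYears(-1)) {
            $findings.Add("Account '$($u.Name)' password last set $($u.PasswordLastSet.ToShortDateString())")
        }
        # Accounts nobody has used for half a year should be disabled or deleted.
        if ($u.Enabled -and $u.LastLogon -and
            $u.LastLogon -lt (Get-Date).AddDays(-180)) {
            $findings.Add("Account '$($u.Name)' has not signed in since $($u.LastLogon.ToShortDateString())")
        }
    }

    # Every member of Administrators that you did not intend to be one.
    # Microsoft accounts appear as MicrosoftAccount\address, so compare the last part.
    foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
        $shortName = $m.Name.Split('\')[-1]
        if ($shortName -notin $ExpectedAdministrators) {
            $findings.Add("Unexpected administrator: $($m.Name) ($($m.ObjectClass))")
        }
    }
    return $findings
}

Get-SharedPcAuditFindings -ExpectedAdministrators $trustedAdmins
```

An empty result means every enabled account has a password, nobody has gone stale, and the Administrators group contains only the names you listed. Each finding maps to one of the suggestions above: disable or delete the account, set a password, or move the account back to standard privileges.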

Adding a user to your computer

To allow another user to sign in on your computer, you as administrator must add that user’s account. Go to Settings > Accounts > Family & Other Users, shown in Figure 11-9. (In Windows 10 version 1803 and earlier, this setting is called Family & Other People.) There, you’ll find controls for adding and managing two separate sets of accounts. Those you add as family members are subject to restrictions that an adult member of the family can manage using a web-based interface. (For details, see the next section, “Controlling your family’s computer access.”) Accounts you create under the Other Users heading have all the rights and privileges associated with their account type: administrator or standard.

Figure 11-9 Under Other Users, you can add a local account or a Microsoft account. Family members must have a Microsoft account.
To add a user who’s not a family member, under Other Users, click Add Someone Else To This PC. Windows then asks for the email address of the new user. If the email address is already associated with a Microsoft account, all you need to do is fill in that address and click Next, and the new user is ready to go. (The first time the new user signs in, the computer must be connected to the internet.) If the email address you provide is not associated with a Microsoft account, Windows provides a link to sign up for a new Microsoft account.
What if you want to add a local account? At the first screen—when Windows asks for an email address— instead click the link near the bottom: I Don’t Have This Person’s Sign-In Information. In the next dialog box, ignore the offer to create a new Microsoft account and instead click Add A User Without A Microsoft Account. That leads to the dialog box shown in Figure 11-10.

Figure 11-10 It takes some persistence, but you can resist the entreaties to use a Microsoft account and instead set up a local user account; eventually, you get to this dialog box.
In that dialog box, specify a user name and password for the new user. You’re also required to choose and answer three security questions for the local account; treat the answers as a second password, because anyone who can answer them at the sign-in screen can reset the account’s password. (If your computer has only local accounts set up, you go directly to this final dialog box, skipping the two that guide you toward a Microsoft account.) Click Next, and your work is done.
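
The script below is an added example rather than part of the book: it performs the same steps as the dialog in Figure 11-10 from PowerShell, which is useful when you set up several PCs or want the procedure on record. The account name Colleague is an assumption, and security questions cannot be set this way; the new user can add them later under Sign-In Options.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the book): create a local standard-user account, the
# PowerShell equivalent of the Figure 11-10 dialog. 'Colleague' is an assumed name.

function New-StandardLocalAccount {
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$FullName = $Name
    )
    if (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue) {
        throw "Account '$Name' already exists"
    }
    # Prompt for the password so it never lands in a script file or history.
    $password = Read-Host -Prompt "Password for $Name" -AsSecureString

    $user = New-LocalUser -Name $Name -FullName $FullName -Password $password `
                          -Description 'Standard user created by script'
    # Make the standard-user membership explicit instead of relying on defaults.
    Add-LocalGroupMember -Group 'Users' -Member $Name
    return $user
}

function Test-IsStandardUser {
    param([Parameter(Mandatory)][string]$Name)
    # True when the account is a member of Users and not of Administrators.
    $inUsers  = Get-LocalGroupMember -Group 'Users' |
                Where-Object { $_.Name -like "*\$Name" }
    $inAdmins = Get-LocalGroupMember -Group 'Administrators' |
                Where-Object { $_.Name -like "*\$Name" }
    return [bool]($inUsers -and -not $inAdmins)
}

New-StandardLocalAccount -Name 'Colleague' -FullName 'Colleague Account' | Out-Null
Test-IsStandardUser -Name 'Colleague'    # prints True for a correctly created account
```

The check at the end is the point of the exercise: an account that is meant to be a standard user must appear in Users and nowhere in Administrators, and that is worth verifying after any tool, graphical or scripted, has created it.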

Controlling your familyʼs computer access

Previous versions of Windows had a feature called Parental Controls (Windows Vista and Windows 7) or Family Safety (Windows 8), which allowed parents to restrict and monitor their children’s computer use.
Windows 10 offers similar capabilities, but the implementation is completely different. Those earlier versions stored their settings on your PC, but in Windows 10, family settings are now stored and managed as part of your Microsoft account.
This architectural change has some obvious benefits:

  • You don’t need to make settings for each member of your family on each computer. After you add a family member on one PC, you manage their settings in the cloud, and those settings apply to all the family PCs where they sign in.
  • You can manage each family member’s computer use from any computer that’s connected to the internet.

Family settings have one requirement that some might perceive as a disadvantage: Each family member must have a Microsoft account and sign in with that account.

What can you do with family settings?

  • Monitor each child’s computer use. You can see activity reports that tell you what your children search for on the web and which sites they visit, which apps and games they use, and how much time they’re signed in to each Windows 10 computer they use.
  • Block inappropriate websites. When you enable this feature, Microsoft-curated lists of sites that are blocked or explicitly allowed are used by default, but you can supplement these lists with sites you want to always block or always allow.
  • Control each child’s use of apps and games. Based on age ratings, you can limit the apps and games a child can download and purchase. You can also block specific apps and games from running.
  • Set spending limits for Store purchases. You can add money to a child’s account and remove other purchase options.
  • Restrict when your children can use the computer, and for how long.
  • Check on the health and safety of devices used by family members.
  • Locate family members on a map, if they are using an Android phone with Microsoft Launcher installed.

You can add a family member using the online management interface or from within Windows 10; go to Settings > Accounts > Family & Other Users, and click Add A Family Member. Windows asks whether you want to add an account for another organizer or for a member; the difference is that an organizer can manage family settings, whereas a member’s activity is governed by family settings.
You then enter the family member’s email address; if a Microsoft account is not associated with that address, Windows gathers the needed information to set one up. Because all family settings are managed online using Microsoft accounts, there is no option to use a local account.
Family members must sign in and grant permission for organizers to view their activity and see their location on an Android device.
As the organizer, you perform all other management tasks online. Click the Manage Family Settings Online link under the Your Family heading or visit https://account.microsoft.com/family to get started. Figure 11-11 shows a portion of the interface for setting up both daily limits and the times during which a family member can use a Windows 10 PC or an Xbox One console.

Figure 11-11 With Screen Time settings, you specify an allowable range of times for a child’s daily use of Windows 10 PCs and an Xbox One console.
After you select a Microsoft account for the new family member, Microsoft Family sends an email invitation to that person. (If you use the web-based interface to add a child’s account, you can sign in on the child’s behalf using their credentials.) A new family member can sign in to your computer right away, but family settings take effect only after that family member opens the email message and clicks the Accept Invitation button. (Until that happens, the word Pending appears next to the family member’s name on the Family & Other Users page.)

Restricting use with assigned access

Assigned access is a rather odd feature you use to configure your computer so that a single designated user (one you’ve already added to your computer, and one that should be a standard user rather than an administrator) can run only a single modern app. When that user signs in, the specified app starts automatically and runs full-screen. The user can’t close the app or start any others. In fact, the only way out is to press Ctrl+Alt+Delete (or press the Windows button and power button simultaneously), which signs out the user and returns to the sign-in screen.
The use cases for this feature are limited, but here are a few examples:

  • A kiosk app for public use
  • A point-of-sale app for your business
  • A game for a very young child

If you can think of a use for this feature, click Set Up Assigned Access at the bottom of the Family & Other Users page.
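
As an added example that is not part of the book, the same configuration can be made with the AssignedAccess module that ships with Windows 10. The local account Kiosk and the app name Calculator are assumptions; the script refuses to proceed if the account turns out to be an administrator.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the book): configure assigned access from PowerShell.
# 'Kiosk' is an assumed local account that already exists; the app is looked up
# by its display name with Get-StartApps, which returns the AppUserModelId.

function Set-KioskAccount {
    param(
        [string]$UserName = 'Kiosk',
        [string]$AppName  = 'Calculator'
    )
    # Assigned access restricts the shell; it is not a substitute for a
    # standard-user account, so never bind it to an administrator.
    $isAdmin = Get-LocalGroupMember -Group 'Administrators' |
               Where-Object { $_.Name -like "*\$UserName" }
    if ($isAdmin) { throw "$UserName is an administrator; use a standard account" }

    $app = Get-StartApps | Where-Object Name -eq $AppName | Select-Object -First 1
    if (-not $app) { throw "No installed app named '$AppName'" }

    Set-AssignedAccess -UserName $UserName -AppUserModelId $app.AppID
    Get-AssignedAccess     # shows the account and the app now bound to it
}

Set-KioskAccount -UserName 'Kiosk' -AppName 'Calculator'
# To remove the restriction later: Clear-AssignedAccess
```

Get-AssignedAccess is the quick way to confirm, on any machine you inherit, whether a kiosk binding is already in place and which account it applies to.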

INTRODUCING ACCESS CONTROL IN WINDOWS

We’ve saved this fairly technical section for last. Most Windows users never need to deal with the nuts and bolts of the Windows security model. But developers, network administrators, and anyone who aspires to the label “power user” should have at least a basic understanding of what happens when you create accounts, share files, install software drivers, and perform other tasks that have security implications.
The Windows approach to security is discretionary: Each securable system resource—each file or printer, for example—has an owner. That owner, in turn, has discretion over who can and cannot access the resource. Usually, a resource is owned by the user who creates it. If you create a file, for example, you are the file’s owner under ordinary circumstances. (Computer administrators, however, can take ownership of resources they didn’t create.)
To control which users have access to a resource, Windows uses the SID assigned to each user account. Your SID (a long number, displayed as a string beginning S-1-5-, that is guaranteed to be unique) follows you around wherever you go in Windows. When you sign in, the operating system first validates your credentials (password, PIN, or biometric). Then it creates a security access token. You can think of this as the electronic equivalent of an ID badge. It includes your user name and SID, plus information about any security groups to which your account belongs. (Security groups are described later in this chapter.) Any program you start gets a copy of your security access token.
With User Account Control (UAC) turned on, administrators who sign in get two security access tokens —one that has the privileges of a standard user and one that has the full privileges of an administrator.
Whenever you attempt to walk through a controlled “door” in Windows (for example, when you connect to a shared printer), or any time a program attempts to do so on your behalf, the operating system examines your security access token and decides whether to let you pass. If access is permitted, you notice nothing. If access is denied, you get to hear a beep and read a refusal message.
In determining whom to let pass and whom to block, Windows consults the resource’s access control list (ACL). This is simply a list of SIDs and the access privileges associated with each one. Every resource subject to access control has an ACL. This manner of allowing and blocking access to resources such as files and printers has remained essentially unchanged since Windows NT.
UAC, which was introduced in Windows Vista, adds another layer of restrictions based on user accounts. With UAC turned on, applications are normally launched using an administrator’s standard user token. (Standard users, of course, have only a standard user token.) If an application requires administrator privileges, UAC asks for your consent (if you’re signed in as an administrator) or the credentials of an administrator (if you’re signed in as a standard user) before letting the application run. With UAC turned off, Windows works in the same (rather dangerous) manner as pre–Windows Vista versions: Administrator accounts can do just about anything (sometimes getting those users in trouble), and standard accounts don’t have the privileges needed to run many older programs.
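
The script below is an added example, not from the book, that makes the two objects described above visible: the security access token of the running process and the ACL of a file. Run it once in an ordinary PowerShell window and once in a window started with Run As Administrator; for an administrator account the user and groups are the same but IsElevated flips, which is the two-token behavior UAC introduces. The folder it inspects ($env:USERPROFILE) is an assumed sample; substitute any file or folder.

```powershell
# Added example (not from the book): show the token the text describes and the
# ACL it is checked against. Works in any edition of Windows 10.

function Get-TokenSummary {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [System.Security.Principal.WindowsPrincipal]::new($identity)
    $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator
    [pscustomobject]@{
        User       = $identity.Name
        UserSid    = $identity.User.Value
        # IsInRole ignores a group present only as "deny only", which is how the
        # Administrators SID sits in an administrator's filtered (non-elevated) token.
        IsElevated = $principal.IsInRole($adminRole)
        Groups     = @($identity.Groups | ForEach-Object {
                         try   { $_.Translate([System.Security.Principal.NTAccount]).Value }
                         catch { $_.Value }   # logon-session SIDs have no name
                     })
    }
}

function Get-AclSummary {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path
    [pscustomobject]@{
        Path    = $Path
        Owner   = $acl.Owner
        # Each entry: allow/deny, the SID (shown translated to a name), the rights mask.
        Entries = @($acl.Access | ForEach-Object {
            '{0,-5} {1,-35} {2}{3}' -f $_.AccessControlType, $_.IdentityReference,
                $_.FileSystemRights, $(if ($_.IsInherited) { ' (inherited)' } else { '' })
        })
    }
}

Get-TokenSummary | Format-List
Get-AclSummary -Path $env:USERPROFILE | Format-List
```

To see the deny-only attribute itself, compare with `whoami /groups` in the non-elevated window, where BUILTIN\Administrators is marked "Group used for deny only". Access is granted when an Allow entry in the ACL matches a SID in the token and no Deny entry does.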

Permissions and rights

Windows distinguishes two types of access privileges: permissions and rights. A permission is the ability to access a particular object in some defined manner—for example, to write to an NTFS file or to modify a printer queue. A right is the ability to perform a particular system action, such as signing in or resetting the clock.
The owner of a resource (or an administrator) assigns permissions to the resource either programmatically (through management software) or interactively using its properties dialog box. For example, if you’re the printer owner or have administrative privileges, you can restrict someone from using a particular printer by visiting the properties dialog box for that printer. Administrators set rights via the Local Security Policy console. For example, an administrator could grant someone the right to install a device driver. (The Local Security Policy console is available only in the Pro, Enterprise, and Education editions of Windows 10. In the Home edition, rights for various security groups are predefined and unchangeable.)
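
Rights can be read without the Local Security Policy console. The script below is an added example, not part of the book; it uses secedit.exe, which is part of Windows itself, to export the User Rights Assignment area and then resolves the SIDs listed for a right. SeLoadDriverPrivilege is the right behind the text’s "install a device driver" example; the temporary file name is an assumption.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the book): list the accounts and groups that hold a
# user right on this computer by exporting the policy with secedit.

function Get-UserRightAssignment {
    param([string]$Right = 'SeLoadDriverPrivilege')

    $cfg = Join-Path $env:TEMP 'user-rights.inf'     # assumed temp file name
    secedit /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    if (-not (Test-Path $cfg)) { throw 'secedit export failed (run elevated)' }

    # Exported lines look like:  SeLoadDriverPrivilege = *S-1-5-32-544,*S-1-5-32-550
    $line = Get-Content $cfg | Where-Object { $_ -match "^\s*$Right\s*=" } |
            Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }    # the right is held by nobody

    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $token = $_.Trim()
        if ($token.StartsWith('*')) {
            # '*' marks a SID; translate it to a readable account or group name.
            $sid = [System.Security.Principal.SecurityIdentifier]::new($token.Substring(1))
            try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $sid.Value }
        } else {
            $token                    # already an account name
        }
    }
}

Get-UserRightAssignment -Right 'SeLoadDriverPrivilege'
Get-UserRightAssignment -Right 'SeShutdownPrivilege'
```

On a default installation the first call returns only BUILTIN\Administrators (S-1-5-32-544) and BUILTIN\Print Operators; any other name there is worth explaining, since loading a driver is equivalent to running code in the kernel.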

User accounts and security groups

The backbone of Windows security is the ability to uniquely identify each user. While setting up a computer —or at any later time—an administrator creates a user account for each user. The user account is identified by a user name and is normally secured by a password, which the user provides when signing in to the system. Windows then controls, monitors, and restricts access to system resources on the basis of the permissions and rights associated with each user account by the resource owners and the system administrator.
Account type is a simplified way of describing membership in a security group, which is a collection of user accounts. Windows classifies each user account as one of two account types:

  • Administrator Members of the Administrators group are classified as administrator accounts. By default, the Administrators group includes the first account you create when you set up the computer and an account named Administrator that is disabled and hidden by default. Unlike other account types, administrators have full control over the system. Among the tasks that only administrators can perform are the following:
      • Create, change, and delete user accounts and groups
      • Install and uninstall desktop programs
      • Configure automatic updating with Windows Update
      • Install an ActiveX control
      • Install or remove hardware device drivers
      • Share folders
      • Set permissions
      • Access all files, including those in another user’s folder
      • Take ownership of files
      • Copy or move files into the %ProgramFiles% or %SystemRoot% folders
      • Restore backed-up system files
      • Grant rights to other user accounts and to themselves
      • Configure Windows Firewall
  • Standard user Members of the Users group are classified as standard user accounts. A partial list of tasks available to standard user accounts includes the following:
      • Change the password and picture for their own user account
      • Use desktop programs that have been installed on the computer
      • Install system and driver updates using Windows Update
      • Install and run apps from the Microsoft Store
      • Install approved ActiveX controls in Internet Explorer
      • Configure a secure Wi-Fi connection
      • Refresh a network adapter and the system’s IP address
      • View permissions
      • Create, change, and delete files in their document folders and in shared document folders
      • Restore their own backed-up files
      • View the system clock and calendar, and change the time zone
      • Set personalization options, such as themes, desktop background, and so on
      • Select a display dots-per-inch (DPI) setting to adjust text size
      • Configure power options
      • Sign in in Safe Mode
      • View Windows Firewall settings

Assigning an appropriate account type to the people who use your computer is straightforward. At least one user must be an administrator; naturally, that should be the person who manages the computer’s use and maintenance. All other regular users should each have a standard user account.
Security groups allow a system administrator to create classes of users who share common privileges. For example, if everyone in the accounting department needs access to the Payables folder, the administrator can create a group called Accounting and grant the entire group access to that folder. If the administrator then adds all user accounts belonging to employees in the accounting department to the Accounting group, these users will automatically have access to the Payables folder. A user account can belong to one group, more than one group, or no group at all.
In large networks based on Active Directory domains, groups can be a valuable administrative tool. They simplify the job of ensuring that all members with common access needs have an identical set of privileges. We don’t recommend creating or using groups other than the built-in Administrators and Users groups on standalone and workgroup-based computers, however.
Permissions and rights for group members are cumulative. That means that if a user account belongs to more than one group, the user enjoys all the privileges accorded to all groups of which the user account is a member. The one exception is an explicit Deny permission: if the user account, or any group it belongs to, is denied access to a resource, that denial overrides every Allow entry the user would otherwise accumulate.
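
As an added example that is not part of the book, the script below builds the Accounting and Payables scenario from the text on a standalone PC, purely to show permissions accumulating through a group and an explicit Deny overriding them. The group, folder, and user names are assumptions; nothing exists until you run it, and Dana must be an existing local account.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the book): group-based permissions on a folder, plus a
# Deny entry that wins over the group's Allow. All names below are assumptions.

$Group  = 'Accounting'
$Folder = 'C:\Shares\Payables'
$User   = 'Dana'            # an existing local account, assumed

function New-GroupProtectedFolder {
    if (-not (Get-LocalGroup -Name $Group -ErrorAction SilentlyContinue)) {
        New-LocalGroup -Name $Group -Description 'Can modify Payables' | Out-Null
    }
    # Suppress the error if the user is already a member.
    Add-LocalGroupMember -Group $Group -Member $User -ErrorAction SilentlyContinue
    New-Item -ItemType Directory -Path $Folder -Force | Out-Null

    # Stop inheriting from the parent, keep Administrators and SYSTEM, then grant
    # the group Modify. Every member gets this on top of whatever their other
    # groups allow: permissions accumulate.
    icacls $Folder /inheritance:r /grant:r 'Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F' | Out-Null
    icacls $Folder /grant "${Group}:(OI)(CI)M" | Out-Null
}

function Deny-FolderDeletion {
    # A Deny entry is evaluated before any Allow, so Dana keeps Modify on the
    # files inside (via Accounting) but cannot delete the Payables folder itself.
    icacls $Folder /deny "${User}:(DE)" | Out-Null
}

New-GroupProtectedFolder
Deny-FolderDeletion
(Get-Acl $Folder).Access |
    Select-Object IdentityReference, AccessControlType, FileSystemRights |
    Format-Table -AutoSize
```

The resulting table shows one Allow entry for the group and one Deny entry for the user; signed in as Dana, creating and editing files in the folder works while deleting the folder fails, which is the precedence rule the paragraph above describes. Remove the test objects afterwards with Remove-LocalGroup and Remove-Item if you do not want them on a home machine.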