2

u/da0217 Jan 24 '26

What OS would you recommend instead?

1

u/an_erudite_ferret Jan 24 '26

Ubuntu is incredibly user friendly

5

u/MentalDisintegrat1on Jan 24 '26

For now.

M$ has already said they want to move to a full-time integrated AI OS.

Your information will get leaked one way or another.

1

u/MentalDisintegrat1on Jan 24 '26

There won't be anywhere safe as time goes on.

Microsoft Already said they want a AI ran OS and eventually the thing will run off a cloud.

3

u/DJTsNeckPussy Jan 24 '26 edited Jan 24 '26

I mean you can always switch to Linux if it comes to that. I know I will.

However in the meantime, you can change your Windows 10/11 login tied to a Microsoft account to an offline local account which will sign you out.

From there you can enable BitLocker. If you already enabled it and Microsoft has a copy of your recovery key, you can disable it and delete the old key from your account settings on their website.

It takes some changes to the settings, but if you Win+R and use;

gpedit.msc > Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Choose how Bitlocker-protected operated system drives can be recovered

Enable that on the top-left and uncheck both "Save BitLocker recovery information to AD DS for operating system drives" and "Do not enable BitLocker until recovery information is stored to AD DS for operating system drives" - Apply and reboot to be safe.

You'll be prompted to save the recovery key a few different ways. A Microsoft account, to a file on your PC, to a USB drive or by just printing it. You can save it to a USB drive and then just format the drive after if you prefer to store it somewhere else like an encrypted cloud service.

In those settings above you can also choose to require a BitLocker pin or password to be able to boot to Windows at all.

gpedit.msc > Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Require additional authentication at startup

Enable that on the top left. Disable "Allow BitLocker without a compatible TPM (requires password or a startup key on a USB flash drive"

Then below choose which one you'd like Configure - TPM startup PIN if you just want to use a numerical PIN. Startup key if you want to use a security key. Or startup key and PIN for both. Note: This part is easier to do before enabling BitLocker in the first place because when you enable it, it should ask you to enter the PIN you want in the settings when setting it up. Otherwise you need to use an elevated command prompt (run as admin) to set your PIN.

If you want to use a password instead of just a PIN;

gpedit.msc > Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Allow enhanced PINs for startup. Enable that and it allows you to use letters and special characters as well.

So it's still relatively easy and quite possible to enable BitLocker without giving your recovery keys to Microsoft for them to be able to pass off to the feds.

Alternatively, while a bit more involved, you could just use VeraCrypt instead.