Setting Up Windows 11 Pro On New Dell XPS 15 9520?

newmann · Oct 6, 2022

I appreciate your post. Right now i am trying to set up bitlocker correctly first.

So I should enable enhanced pins and then continue right?

glasskuter · Oct 6, 2022

If in settings-accounts-if BOTH your MS account and the 'Newmann' account are listed as administrators then you have 2 administrator accounts. Yes be sure and backup your current bitlocker key that was set up under the MS account.

Instead of creating a new local account you could have just changed the MS account to a local account as @Brink had assumed you had done. Since he is the best one to advise you on bitlocker and is already helping you on this, let him tell you which account you should be logged into and the exact steps to take. He may well tell you to delete the local account and then change the MS account to a local account before following his tutorial, but I'll leave that up to him. It would seem to me that if one was going to use bitlocker a MS account would be better than a local account, but since I do not use bitlocker myself I would not advise you under these circumstances for fear of giving the wrong advice as it is entirely too critical and unrecoverable if not done right.

Once you get bitlocker worked out, report back with the next thing on your list and the rest of us will jump in.

TraderGary · Oct 6, 2022

newmann said:
Right now i am trying to set up bitlocker correctly first.

When I got my XPS 9510 (see "My Computer" below) BitLocker was in place and enabled. All I did was choose my C: Drive in File Explorer, Right-Click, and then chose the option "Manage BitLocker". At the Dialog Box I then chose "Back Up Your Recovery Key". I then chose "Save To Your Microsoft Account".

I then went to my Microsoft Account, Chose Devices, Chose XPS-15, and sure enough, there was my Recovery Key.

That's the sum total of all I've done with BitLocker except for enjoying the feeling of security it gives me. :hug:

newmann · Oct 6, 2022

glasskuter said:
If in settings-accounts-if BOTH your MS account and the 'Newmann' account are listed as administrators then you have 2 administrator accounts. Yes be sure and backup your current bitlocker key that was set up under the MS account.

Instead of creating a new local account you could have just changed the MS account to a local account as @Brink had assumed you had done. Since he is the best one to advise you on bitlocker and is already helping you on this, let him tell you which account you should be logged into and the exact steps to take. He may well tell you to delete the local account and then change the MS account to a local account before following his tutorial, but I'll leave that up to him. It would seem to me that if one was going to use bitlocker a MS account would be better than a local account, but since I do not use bitlocker myself I would not advise you under these circumstances for fear of giving the wrong advice as it is entirely too critical and unrecoverable if not done right.

Once you get bitlocker worked out, report back with the next thing on your list and the rest of us will jump in.

I know my local account has administrator under it. I am not sure with the microsoft account because I haven't logged into that one since yesterday.

I could have changed the MS account to a local account and done that? I don't recall anyone telling me I could do this. Someone else and Brink mentioned I believe you could just create a local account while under the microsoft account... or create a local account while under the microsoft account and delete the microsoft account afterwards though. Can that person or Brink confirm this?

I don't recall anyone mentioning you could just change the microsoft account into a local account?

I believe Brink mentioned he uses a microsoft account and also uses bitlocker with the pin enabled at startup. He mentioned I could use either the microsoft account or local account. I wanted to do local account because that is what I did with windows 10 pro on the old laptop. I thought microsoft account probably isn't as secure as local account. But having the bitlocker pin enabled at startup would make either way secure.

Yea the thing is most people who say they use bitlocker, they just use it where when you turn on laptop, you either go straight to the microsoft acccount or the local account and you enter your pin or password and are into your computer. I want a bitlocker pin at the beginning after you start the laptop... so after you press that, then you go into either a microsoft account or local account and you get asked for that pin or password. So it is like 2 password you need to enter as oppose to 1 password. Does that make sense?

So I want to know what is best way to go with this on bitlocker. Because while on the local account, I already did things like removed mcafee and installed windows updates. So if I was to instead use the original microsoft account and log in to that account, would I need to remove mcafee and install windows updates again or not?

So I want to make sure do i go with the local account which I want to use... or use microsoft account which I had to create at setup.

TraderGary · Oct 6, 2022

I should add that the only account I have is my Microsoft Account. My Microsoft Account is secured by both Password and 2 Factor Authentication. I consider that to be secure. I have no use for a local account. My Microsoft 365 subscription is administered through my Microsoft Account and gives me all of Microsoft Office and 1 Terabyte of OneDrive.

glasskuter · Oct 7, 2022

newmann said:
like 2 password you need to enter as oppose to 1 password. Does that make sense? Because I want letters as well in the pin since without it, the pin would be all numbers? I don't see a elevenforum link to this part? But all you have to do is click on that and just click Enabled and that is all?

Yes, you want your own kind of 2 step verification before your computer will login. It is highly unusual for anyone to want to go to such extreme security measures at each logon, but as @Brink posted, it can be done. Do not confuse your account pin/password with your bitlocker pin/key. They are 2 separate things, each independently handled by the TPM.

If you choose to use bitlocker, I agree with @TraderGary (post 43). You are much safer tying this bitlocker key to your Microsoft account in case it is ever forgotten.

The way I see it, @Brink gave you the solution in his post #21. You have to do what it says in BOTH tutorials he listed. And yes, to use letters in bitlocker pin you would have to Allow enhanced PINs for startup in group policy as you mentioned.

newmann said:
if I was to instead use the original microsoft account and log in to that account, would I need to remove mcafee and install windows updates again or not?

No. Once a computer is updated, it stays updated. When you uninstalled McAfee, it was completely removed for all users.

Maybe my take on having 2 accounts will offer some clarification for you. You do not have to have 2 accounts. If you do not want 2, remove one of them. However, like some others here, I have 2 myself (one MS and one local).

Here's the reason I have 2 accounts. 1) It's just there as a means to get into the computer if for some reason I'm ever locked out of my main account and 2) it is a means of troubleshooting if I ever have account related issues in my main account.

If you choose to keep both accounts, the second account would NOT be used on a daily basis. You would have to choose which account you would consider to be your main account since files created in either account are not directly accessible from the other as file permissions prevents it. This is because files are owned by whatever account creates the file.
If you have enabled 'require bitlocker pin before logon' using either local group policy method or the reg file method Brink listed in post #21, ANY user account on the machine will have to enter the bitlocker pin to logon.

newmann · Oct 7, 2022

Okay so I just want to make sure I set up bitlocker correctly. This is all done while logged into the LOCAL ACCOUNT.

I went to the edit group policy and turned on

Require additional authentication at startup
Allow enhanced PINS for startup

Went to manage bitlocker and Change how drive is unlocked at startup. I then entered the bitlocker pin I wanted which contains numbers and letters twice and then confirmed.

1. I then clicked on Back up your recovery key and saved it to a usb flash drive. Do most people here save it to usb flash drive? It doesn't make sense saving it to the laptop? Why would anyone do this since if don't know what your bitlocker recovery key is, saving it as a file on your computer makes no sense? I mean I could imagine you save a copy in the computer and then upload it to the cloud? Do people here save it to microsoft account if you don't use a microsoft account? I always thought this isn't secure since it is an email. Did people ever do this back then even when using local account?

2. After I saved the backup key on usb flash drive, I opened the file up and it tells me to compare the bitlocker identifier with the one on my laptop to confirm it is correct one. Where do I check the bitlocker identifier to compare it?

3. Then I shut down laptop. Then I turned on laptop. It ask me for my bitlocker pin at top left corner. I enter that. Then I have to type in my pin for my local account like i always do and then am logged into my laptop now. So I did this correctly then? However, the thing I am still confused is at login to my local account, why does say pin? I don't even think my local account has a pin... it just has the local account password?

4. If I were to log out of my local account and then log in to my microsoft account, if I were to backup the recover key for that account, it is or is not the same recovery key? I assume it has to be different right since these are 2 separate accounts? But the thing I am still confused is... well I created the local account while under the microsoft account. Can anyone explain this?

glasskuter · Oct 7, 2022

newmann said:
Where do I check the bitlocker identifier to compare it?

When the drive was originally locked you were given a 48 digit numerical bitlocker recovery key. Call it your bitlocker password if it makes it easier to understand it that way. This key is what actually unlocks your drive. It is this key, not a pin, that would have to be used if you ever had to unlock your drive for data recovery. A pin cannot be used in recovery, only this long key. If you did not make note of this key when you originally bitlocked the drive there is no place to check it as you did not choose to store it in your MS account.

newmann said:
Do people here save it to microsoft account if you don't use a microsoft account?

For safety reasons, most do. In fact, the majority of users use a MS account. Because it is so difficult for a user to remember and store such a long key, as pointed out in post #41 and #43 it is strongly suggested the user tie this key to his MS account for safety reasons to make sure the user will always have access to it and never get locked out of his drive.

newmann said:
the thing I am still confused is at login to my local account, why does say pin? I don't even think my local account has a pin... it just has the local account password?

Why it has a pin, I cannot say as I do not know exactly what you did when you set up the second account. While logged into your local account, you can go to settings>accounts>PIN
Off to the right click the forward arrow. Click on remove this signin option. That should leave only a password as a signin option for the local account.
======================================
Regarding your bitlocker pin, it does appear that you now have it set up like you want.

newmann · Oct 10, 2022

glasskuter said:
When the drive was originally locked you were given a 48 digit numerical bitlocker recovery key. Call it your bitlocker password if it makes it easier to understand it that way. This key is what actually unlocks your drive. It is this key, not a pin, that would have to be used if you ever had to unlock your drive for data recovery. A pin cannot be used in recovery, only this long key. If you did not make note of this key when you originally bitlocked the drive there is no place to check it as you did not choose to store it in your MS account.

For safety reasons, most do. In fact, the majority of users use a MS account. Because it is so difficult for a user to remember and store such a long key, as pointed out in post #41 and #43 it is strongly suggested the user tie this key to his MS account for safety reasons to make sure the user will always have access to it and never get locked out of his drive.

Why it has a pin, I cannot say as I do not know exactly what you did when you set up the second account. While logged into your local account, you can go to settings>accounts>PIN
Off to the right click the forward arrow. Click on remove this signin option. That should leave only a password as a signin option for the local account.
======================================
Regarding your bitlocker pin, it does appear that you now have it set up like you want.

I want to know... how do i match the identifier to my laptop to be certain? It says to match the identifier. Where i my laptop does it show this?