Microsoft Has No Right to Demand Microsoft Accounts
To keep things short and sweet, a manifesto:
- The CrowdStrike Incident
  A faulty CrowdStrike Falcon update on July 19, 2024 caused a global Windows outage by crashing the system’s kernel driver on approximately 8.5 million PCs, triggering Blue Screens of Death. CrowdStrike’s Windows sensor runs at kernel level, whereas on macOS, it operates entirely in user space using system extensions—avoiding such crashes (The Verge, WSJ). This raises the question: did CrowdStrike need kernel access on Windows because Windows is inherently less secure?
- Microsoft Azure Misconfiguration
  Just hours earlier, Microsoft Azure suffered a major outage caused by a configuration error (FT). Many initially thought the CrowdStrike crash was a continuation of Microsoft’s issues. In the chaos, I personally received an email at 2 AM stating my password had been reset from a suspicious phone number. Upon logging in, I found it unchanged—and with no sign-in activity logged.
- National Security Risk
  AJ Grotto, former White House cybersecurity director, publicly labeled Microsoft a national security liability due to its repeated security lapses, poor transparency, and ineffective remediation (BornCity, The Register).
- Breach Failures
  Microsoft has failed to stop espionage campaigns from both Russian and Chinese actors, delayed public disclosures, and even failed to determine how attackers gained access to Azure environments. Their failure to reliably protect user environments undermines the credibility of Microsoft accounts as a secure safeguard.
We can argue about antitrust, memory-safe languages, OneDrive bloat, or decentralization another day. But here’s a concrete first demand:
Microsoft must not require a Microsoft Account to use Windows.
This mandate is unjustified. Microsoft hasn’t earned the trust needed to bind PCs to its identity system and cloud infrastructure. Windows 11 Home and Pro now require users to sign in with a Microsoft Account during initial setup, often together with an internet connection—effectively locking out users without access or consent (Learn.Microsoft, Windows Central).
This requirement can render a fresh device unusable if Microsoft services are inaccessible—through outages or misconfiguration. This isn’t resilience—it’s fragility.
Yes, there are workaround methods to bypass this requirement, but suggesting users rely on hacks is akin to telling them to jailbreak their iPhones—the existence of loopholes doesn’t justify the overreach.
Congress should investigate this practice. Requiring internet connectivity and an identity account to activate a general-purpose computer is a major overstep. Until Microsoft earns the trust to secure its own systems reliably, it should not force users to trust it more.