Does Windows 10 still require the CTRL ALT DEL before signing in for security reasons or was that setting was only used on legacy Windows machines such as Win2000, XP, or 7?
Windows has never (well, since at least xp) required ctrl-alt-del, unless you joined it to a domain (typical in a corporate environment), or you configured the group policy to enable it. There has always, particularly for Home edition, been the default setting to just go to the login screen (although later versions required you to press space or some other key to get to it from the spotlight screen, but that too is configurable)
Yes, it's still available. Convenience over additional layers of security over the years have pushed features like this out of the picture, at least for mainstream users. You can still however enable them using either regedit or gpedit.
If you want to enable CTRL + ALT + DEL at login you can do so by doing this;
My last bit of advice (which I've now removed and replaced with this) was for entering credentials on secure prompt, something different to your particular question. This should enable CTRL + ALT + DEL at login.
1. Either press WIN + R on your keyboard, or right click Start Menu and press Run
2. Type in netplwz
3. Goto Advanced and then check the box which says 'Require users to press CTRL + ALT + DEL'
That should be it. You can also go a little bit further and remove the last logged in user from the login screen so that anyone who accesses your computer does not get the last account used at login screen. This slightly increases both security and privacy. It's not a silver bullet as it's very easy to bypass the login screen anyway, even with CTRL + ALT + DEL enabled. But these features do add a little bit of protection either way for all eventualities where you're not faced with a determined attacker trying to get into your system.
Make sure you have set a password for your local account and NOT your Microsoft account if you are signed into that before following the steps. Enabling this feature can override your current login method ie using PIN or Microsoft account. If you haven't setup your local account you might get locked out if you cannot provide credentials for other login methods. There is an 'security' issue with configuring local accounts after setting them up iniatially through Microsoft account which can prevent you using your PIN. Sometimes Windows cannot recognise credential changes after migration to local accounts. Make sure you know your local password.
I spent some time a while ago finding Linux bootable media tools that worked in order to create a boot disk to go in and wipe the admin password. Thanks to dual booting Windows with Ubuntu I was able to get back in and create recovery media which allowed me to access the partition with Windows installed and remove the password, but that involved going through several different steps most of which were fairly long-winded (as operating Linux from CLI often is and because most programs don't have GUI like Windows). It wasn't fun.
If you're not sure if you have access to your account locally should you not be able to connect with your Microsoft account make sure you have a password reset disk at hand, or a security tool like Offline NT, Lazesoft or Passware to reset local admin accounts if you get locked out. Alternatively you can setup the Administrator account as backup or create another account with admin priveleges. Enabling this feature could lock you out if you dont have full local access.
Last edited by supermammalego; 15 Jun 2020 at 20:24.
What I do, is I setup a user account or username, the one that creates or points to the User Profile folder and for the Display Name or Full Name, I just enter my first name only. So only my first name shows up on the logon screen.
The actual username or account name does not show.
I’m the only one using the laptop anyway so there no other accounts are showing on the login screen.
The purpose of hiding user accounts on the computer becomes especially necessary in some environments because it means a person trying to gain access has only one account to find. If you are the only account on the computer and you are an admin, the job of finding that account to gain access to it is now done. You've essentially provided a bread crumb trail to the account with the highest priveleges. If there are several users on the computer, each with their individual priveleges set, it then becomes a case of seeking out the admin accounts. The point being that if there aren't any accounts shown at login there is never a trail leading back to accounts being used on the computer.
All that being said, you can run forensic and security tools to access Windows in offline mode ie when the OS is not running and there is absolutely nothing you can do about this if someone has physical access to the computer. They can then access the OS like it was running and get whatever they want, including manipulating system files to ensure the system is completely open should they want to boot into the actual OS itself. You can however encrypt the entire drive which will render these tools fairly obsolete, providing there are no traces which could lead to exploitation. In this regard a computer turned off is often the most secure because there is nothing in memory to investigate
Yes, I do have Bitlocker enabled with TPM and PIN as well. So yes, Pre.Boot Authentication with BitLocker.
Also as I mentioned, my login info is setup like this:
1. Username or User Account is with random characters and numbers (This account is used by Windows to create my User account profile).
2. Then my Display Name or Full Name, I entered only my First name (for privacy reasons).
When I boot my Windows system, Bitlocker Preboot comes up, then my Windows login screen which only displays my First Name. Nothing else. Even when I just lock my screen, only the Display Name is shown (my First name), but not the User Account ID.
So the User Account is hidden from the login screen, but only my Display Name is shown.
Regarding Bitlocker attacks, also known as DMA attacks, I have most of the protections in place for this.
Preboot PIN and disabling Sleep mode. And of course, I always shutdown my machine when not in use.
Quote