Apple makes a nice distinction between their "app layer" (iCloud drive and Messages, etc.) and the OS login. This would work fine for Windows power users, and for the most part Windows has already had this (your "store" login). But to require the cloud to replace your login, the cloud has to be essential to the functioning of Windows and you have to explain the security implications clearly, and it's not clear that any of these things happened.
For instance, almost none of the useful settings from win32 apps sync - migrating to a new PC is painful, your apps don't move, your settings are all missing. It takes weeks, you don't just login to it. So this idea that it makes all your settings sync is maybe 10% true.
The argument for this online account (vs just a container for apps) is that you think a few Windows appearance settings must be synced always, or that you want to save things like your BitLocker keys in the cloud (which probably makes them visible to FBI or whoever else). And the security implications need to be spelled out in plain language. And in the end, it's a pretty bad argument - Grandma doesn't need BitLocker, but the people who do want a clear explanation. A lot of the rest could live in a "Microsoft apps" credential layer: Edge, OneDrive, Office, etc.
I want to feel like I can login to a recovery console and fix a bad partition. I want to keep using the same username across Linux and Windows. I want to recover a router with the old laptop that has actual ethernet, and who knows if it has cached credentials? My Microsoft account is my least used one, and who knows if it is secure?
One last thing: logging in with biometrics is amazing, but why must I use a low-security PIN in place of your pre-existing password?
Please fix it all.
why must I use a low-security PIN in place of your pre-existing password?
FAFAIK, all characters that are allowed in a user password are also allowed in device PIN codes. Knowing Microsoft, I'm sure there's domain policies to alter/restrict this. And the idea behind it is sound: that PIN is tied only to a single device, meaning that even if someone watches you enter your device passcode (or uses a keylogger), they can't go to a different machine or online portal and re-use the captured credentials there.
When setting up the PIN you pick for it to be alphaneumaric (There is a option for it) and it acts just like a password field with a silly name.
The reason why it is tied to device isn't to protect against over the shoulder watchers, it is that the resulting key that is stored in the system is unique from system to system so you can't lift the key from one machine and use it on another. Maybe not as useful for a PIN but does make it harder to use a stored key to replace a biometric key so a compromised key doesn't leave every system you've ever logged into vulnerable to a key-auth attack.
Because nobody would use the same pin for different devices. This is a farcical argument.
Those are some strong words and nothing to back them up. Please, feel free to explain to us in your own words what threat model this device PIN is defending against and how it fails at that.
The argument presented was that a pin is better because it is only for that device. Which is false for 99% or more of users.