Local Accounts (23H2) (Archived)

There are excellent reasons to sign in to Windows 11 using a Microsoft account–security and convenience key among them–and, of course, Microsoft makes it very difficult to do otherwise. But it’s still possible to use Windows 11 with a local account–sometimes called an offline account–if you prefer that configuration for some reason.

We do not recommend that most people sign in to Windows 11 with a local account as you will have a better–and safer–overall experience using a Microsoft account. Only power users who really know what they’re doing should even consider using a local account. But even then, they should know better.

A local account is a Windows 11 sign-in account that exists only on the PC on which it is created. Microsoft sometimes refers to this type of account as an offline account because it can be created even when the PC is offline: When you initially sign in to Windows 11 with a Microsoft account or work or school account, you must be online so that you can authenticate your user credentials with Microsoft or your organization.

What changes when you use a local account

For the most part, a local account looks and behaves much like a Microsoft account. But some of the key differences include:

No password required. You are not required to protect a local account with even a simple password, making the system far less secure. This is a particularly bad problem if you give the local account administrative capabilities, as a thief could access content in other Microsoft account or work or school accounts configured on that PC.

No two-step verification. Where your Microsoft account (and work or school account) can be–and should be–protected with two-factor authentication, which makes your account and the personal data it protects more secure, a local account is not (and cannot be).

No device encryption (Windows 11 Home only). When you sign in to Windows 11 Home with a Microsoft account, the PC’s storage is automatically protected with device encryption, a full-disk encryption solution that helps protect the documents and other data it contains from being stolen or otherwise accessed by others. When you sign in with a local account, your PC’s storage is not encrypted, and cannot be after the fact because the recovery key for this encryption has to be stored online in a Microsoft account.

If you are using Windows 11 Pro with a local account, you can enable BitLocker drive encryption manually after the initial sign in. This is done via the BitLocker Drive Encryption control panel, which can be found with Search.

You can learn more about BitLocker in the Device Encryption chapter.

No account recovery. Because your Microsoft account is protected by Microsoft, you can recover your account if you forget your password or the account is somehow compromised. There are no such protections with a local account, and if you forget your password or lose it, you’re simply locked out of your PC and whatever data it contains.

No settings sync. When you sign in with a Microsoft account, Windows 11 used a feature called Windows Backup to sync a limited set of settings–accessibility settings, saved passwords, language preferences, and more–to that account in the cloud so that they can be restored when you sign in with that same account on a different PC. This functionality is not available with a local account, which exists on only that one PC.

You can learn more about this functionality in the Windows Backup chapter.

No automatic sign in to apps and Windows 11 experiences. When you sign in to Windows 11 with a Microsoft account, you are automatically signed in to Microsoft Store apps, OneDrive, Widgets, and other Windows 11 experiences as well. You can’t use some apps and experiences with a local account, and while you can sign in to them with a Microsoft account later, you must do so manually–one app at a time–or configure that Microsoft account in Windows 11 Settings. (At which point you should just sign in to Windows with your Microsoft account anyway to gain the additional advantages of doing so.)

Some Microsoft Store apps work without a Microsoft account, and some provide a subset of the functionality you receive when you’re signed in with a Microsoft account. For example, the Microsoft Store app runs without a Microsoft account, and it even lets you download free apps and games without first signing in.

Sign in to Windows 11 with a local account

There are various ways to create a local account and use that as a Windows 11 sign-in account. In Overcome Windows 11 Setup Annoyances, for example, we discuss how you can bypass the Microsoft account sign-in requirement during Windows Setup and configure the PC to use a local account instead.

But in many ways, it makes more sense to initially sign in to Windows 11 with a Microsoft account because doing so will enable device encryption on the PC and associate its Windows 11 license with you via your Microsoft account. Then, you can switch to a local account.

There are two ways to do so: You can convert your Microsoft account sign in to a local account, or you can add a local account as a new sign in account for Windows 11, switch to that, and then remove the initial Microsoft account sign in.

We discuss both methods in this chapter.

Convert a Microsoft account to a local account

The simplest way to switch from a Microsoft account to a local account is to convert your Microsoft account sign in to a local account.

You cannot convert a work or school account to a local account.

To do so, open the Settings app and navigate to Accounts > Your info. Then, select the “Sign in with a local account instead” link next to “Microsoft account” under “Account settings.

When you do, a “Switch to a local account” pane appears.

Here, you are instructed to back up your device encryption recovery key, which was automatically saved to your Microsoft account. You should do so before continuing: Otherwise, it’s possible that a hardware glitch could lock you out of the PC.

Once that’s complete, click “Skip this step” to continue. You will be asked if you’re sure. Click “Next” and then authenticate yourself–by entering your Windows Hello PIN or facial or fingerprint recognition–as prompted. Then, you are asked to create a new local account.

Here, you can enter a username for the new local account–Windows will use the first four letters of your Microsoft account’s email address otherwise–and, optionally, a password (with an associated a password hint).

When that is complete, click “Sign out and finish.” You will be signed out of your Microsoft account and your new local account will appear on the Sign in screen. When you sign in, you’ll discover that most things are where you left them. But you are now using a local account, of course.

You can also convert a local account to a Microsoft account. This works much like the process described above, but you will not need to sign out and then resign in again: Just sign in to your Microsoft account as prompted, optionally enable Windows Hello facial or fingerprint recognition (if available), and create a PIN. That’s it.

Add a local account and remove the Microsoft account

Alternatively, you can switch to a local account using a multistep process by which you sign in to Windows 11 using a Microsoft account, create a new local account, configure it as an Administrator, sign out of your Microsoft account, sign in with the local account, and then delete the original Microsoft account while using the local account. It’s not as complicated or time-consuming as it sounds.

To do so, open the Settings app and navigate to Accounts > Other users. Then, click the “Add account” button next to “Add other user” in the section “Other users.”

In the “How will this person sign in?” window that appears, click the “I don’t have this person’s sign-in information” link. The Create account window appears.

Here, select the “Add a user without a Microsoft account” link. The “Create a user for this PC” window appears.

Enter the username and password you wish, and then click “Next.”

The password is optional, but be sure to configure one. Otherwise, you won’t be able to configure a Windows Hello authentication method–a PIN, or facial or fingerprint recognition–later. Plus, a passwordless local account is completely unprotected. (Because there is no way for Microsoft to help you recover a local account, you will need to answer three security questions if you add a password.)

You will now see the new account listed under “Other users.”

Select the local account to expand the view. Then, click “Change account type.” In the “Change account type” window that appears, select “Administrator” from the “Account type” drop-down and then click “OK.” The “Change account type” window appears.

Now, close Settings and any other open applications and windows and sign out of the Microsoft account. The most obvious way is to open Start, select your user account in the lower left, and then choose “Sign out” from the resulting pop-up menu.

The Sign in screen appears.

Select the new local account in the lower left and sign in: You’ll have to deal with a truncated version of Windows Setup’s Out-of-Box Experience (OOBE) in which you choose the privacy settings for your PC before landing on your clean, new Windows 11 Desktop. Then, open the Settings app and navigate to Accounts > Other users. There, you will find the original Microsoft account you used to set up Windows.

Select that account to expand the view.

Then, click the “Remove” button for the Microsoft account. In the “Delete account and data?” window that appears, click “Delete account data.” After a bit of work, the window will close as the account is removed.