What are your reasons for attaching your MSA after OOBE?


So I know Paul recommends creating a local account when you set up a PC for the first time and then adding your Microsoft account later. For folks who do that, what are your reasons why?

Now, I don’t mean “because I don’t use a Microsoft account” or “because I plan to join it to my home domain”. I specifically mean, if you plan to skip the Microsoft account step in OOBE and then go and attach it later.

I personally agree, and I have my reasons, but what are yours?

Full disclosure: I work in Windows and my team is trying to streamline the setup experience for consumers.

21 responses to “What are your reasons for attaching your MSA after OOBE?”

  1. wunderbar

    I don't go through the hassle of not logging in with MSA, but the thing that bothers me the most about it is that the hostname you get when you set up a computer is a nonsense DESKTOP-RANDOMSTRING or LAPTOP-RANDOMSTRING and even if you change it after, it doesn't always update in OneDrive/online tools, so you're stuck figuring out which nonsense name is for which computer. If you use a local account, change the hostname, and then link an MSA it appears correctly 100% of the time.

    That's truly the biggest thing. Other than that I personally don't care. Heck, just give me the ability to set a custom hostname when setting the computer up. That'd fix that entirely.

    • nerdile

      In reply to wunderbar:

      That's mine too ^_~ Good to know I'm not the only one!

    • waethorn

      In reply to wunderbar:

      Why does it still use NetBIOS-style all-caps names too? I mean, like who still has network gear from the 1980s anyway??

      • Bill Strong

        In reply to Waethorn:

        In Microsoft's use case? A lot of big customers are still running custom software on old machines, in addition to new machines.

        • waethorn

          In reply to Bill_Strong:

          Give me a break. If they're using hardware that doesn't support proper lowercase-supporting DNS names, it's long-due time for an upgrade. NetBIOS is ancient. It predates the Internet. It's time to move on. Just like with floppy drives.

    • Paul Thurrott

      In reply to wunderbar:

      It's not a hassle, it's easy. And the thing you describe is one reason why you should do it that way.

      • nerdile

        In reply to paul-thurrott:

        Are there other reasons you have in mind? ;)

        • Paul Thurrott

          In reply to nerdile:

          Yeah, there are. I wrote about this already here:


          Do not sign-in with Microsoft (yet)

          When prompted during Windows Setup to “sign in with Microsoft,” I decline and instead configure a local account (called Paul) with no password. You do this by choosing “Offline account” and then bypassing the “Sign in with Microsoft instead?” display by choosing “No.”

          Why: You can very easily convert an offline account (which is a terrible name for what this really is, a local account) later, and I prefer the cleanness of the directory structure this creates (C:\Users\Paul). Plus, I prefer to make some configuration changes before signing in to my Microsoft account, and the PC will be rebooting several times. It’s easier and faster to get through this without worrying about a password or PIN. But once that’s done, I will sign in to my MSA and it can then sync whatever settings I’ve previously configured (like the desktop wallpaper, saved passwords, and so on).

  2. waethorn

    folder name in Users subfolder

    • SWCetacean

      In reply to Waethorn:

      Exactly this: I don't want my User folder to be named after the first 5 characters in my MSA email address. It would be easier if I could set my User folder name during setup, or even better, at any time. If I have to log out for the change to take effect so be it.

      • waethorn

        In reply to SWCetacean:

        I wouldn't want to have it noticeably do it, or even prompt for it. The state should be saved and just migrated over to the new account credentials silently, and on the fly.

    • waethorn

      In reply to Waethorn:

      Just to add: Why can't the folder name be synchronized to the actual user name, or at least something close to it?? This has been an issue since forever with Windows. Can't you just invisibly sign out of the Windows account while the folder is changed and sign back in automatically without needing to re-authenticate?

  3. AnOldAmigaUser

    The first account I create on a new computer is always a local account, and since it is the administrator by default, I never add an MSA to it. After that, I add my account, and any family member that might use the computer as local accounts to get the subfolders in Users consistent, and then attach MSAs if they use the computer. The other reason I use MSAs is that they can then use the home network to connect to shares on other computers that are used as file servers.

  4. justme

    Several reasons, most of them already covered. I'd rather make configuration changes before logging in with an MSA given Windows's propensity to reboot during an install. I prefer the directory structure too, as others have already mentioned. I uninstall almost every app except the store and calculator, and I very rarely sync anything (in general, I don't use the cloud). Once the OS is set up the way I want with the cruft gone that I want removed, I'll log in and get any updates to the few apps I can't uninstall. For me personally, there is very little reason to ever run with an MSA.

  5. curtisspendlove

    Paul (and others below) have covered my reasons, but the big one for me is initial device configuration.

    I have a very specific set of software I install on (most of) my machines. This is based largely on a batch file which utilizes some utilities (such as chocolatey) to get my preferred dev setup. (It also goes through and tweaks a bunch of settings, including shutting off Dev services, database engines, and other daemons by default if it is also a gaming rig. I also have a couple other batch files that spin up / shut down applicable daemons for various types of development...e.g. my nodejs prep script starts MySQL, Docker, and a few other services.)

    I’m also a redneck, and therefore in a fairly low bandwidth situation. ;) It is irritating to have a crap ton of cloud services competing for the bandwidth during the rest of the setup and configuration (the .bat script specifically installs cloud services at the end so I can be up and running while everything else downloads—which generally takes several days to finish).

    I link my MSA to my local account after the initial process with the batch file is complete. At that point I’m fine with OneDrive, et al kicking in and working its magic.

    P.S. I think it is awesome that you are doing this research and disclosing it is for fine-tuning the process. This helps us give some proper feedback. :D

  6. robincapper

    I do it so I have a local admin account (for installs etc.) and run my Microsoft account as a standard user.

  7. Patrick3D

    #1 Reason: at work we create a local admin account during setup to avoid needing to have the machine online. We don't want updates to automatically install during the OOBE phase, we just want to get the OS and apps installed so we can get the machine in the customer's hands as fast as possible. Once a machine is ready we then run through updates if there is time.

    #2 Reason: it is bad security practice to log in to a customer machine with an IT administrator account due to the increased risk of the machine having viruses (customers are typically computer illiterate, do ignorant things.) Better to use a local account that if compromised can't immediately affect other machines on the network, than a network account that has privileges, even if limited.

    #3 Reason: this ensures there is a local admin account we can log in to if the machine is failing to connect to the network after having been deployed.

    At home I just use my MSA account to see if Microsoft made any improvements to the OOBE, the answer is always NO, of course.

  8. Bill Strong

    I use unRaid. When logging into shares, I could never get the right magic combination for MSAs to work. Local accounts just work. I haven't tried adding an MSA afterward, I still need to do so, but if they don't, I simply won't use them. I will only use them per app.

    • nerdile

      In reply to Bill_Strong:

      Hmm. If unRaid depends on integrated Windows authentication, then you'd need to use an AD domain or have local accounts that have locally stored passwords. If you set up your account to sign in with the MSA password instead of a local password, then it wouldn't work. But you can associate the MSA without replacing the local password, and that should work.

      • Bill Strong

        In reply to nerdile:

        unRaid is a Linux distro for NAS, docker and VM purposes. It shares files over SMB by default, with support for AFS, NFS and FTP.

        unRaid just uses SMB 3 protocol with samba. No AD or anything else. unRaid's UI doesn't support the @ character in the user name, so there is an error-prone command line and config file setup detailed in unRaid's forums to make them work that I never managed to make work.

        Conversely, local accounts just work, so the first time I ran into the problem, I simply downgraded my account to a local account. No more problem.

  9. andrewtechhelp

    The biggest reason for me: If I sign in with an MSA out of the box, my user folder gets named 'andre' (the first 5 letters of my MSA email address). My name is Andrew, not Andre and therefore I create a local account with the name 'Andrew' and then link it to my MSA later so that my user folder is correctly named 'Andrew'.