In Defense of Requiring a Windows 11 Online Account Sign-In

In Defense of Requiring an Online Account in Windows 11

Microsoft has been pushing customers to sign into Windows with an online account for years. This sets enthusiasts on edge. But it’s the right choice for just about everyone. Including those who bristle at what they see as an affront to their sensibilities.

I mention this now because Microsoft has finally started implementing a long-feared and long-rumored change to Windows 11, starting with the Dev and Beta channel releases in the Windows Insider Program yesterday: It is “removing known mechanisms for creating a local account in the Windows Setup experience (OOBE).” To be clear, this means that:

  • When you set up Windows 11 interactively (perhaps having just purchased a computer or after using Reset This PC), the OOBE lets you sign in using an online account, meaning a Microsoft account (MSA) or a so-called Microsoft Work or School account (Entra ID). But there are workarounds that enable you to sign in with a local account, as documented in the Overcome Windows 11 Setup Annoyances chapter in my book, the Windows 11 Field Guide.
  • The changes in these Insider builds will soon be implemented in Windows 11 versions 24H2 and 25H2, the only supported versions of the system for individuals. So they will eventually become part of the Windows 11 disk images (ISOs) we download from Microsoft and the Windows 11 installation media.
  • The workarounds I document in the book will no longer work.
  • It’s not yet clear whether Rufus and other third-party tools will be able to bypass these changes and enable OOBE-based local account creation.
  • It doesn’t matter. (More on this point below.)

This change is the latest in a series of steps that Microsoft has taken over the years to better secure Windows and make it easier for customers to connect with OneDrive, Microsoft 365, the Microsoft Store, and its other online services. And yes, I know that those two things seem contradictory in some ways. But I think nuance is an important part of this discussion.

And it is a discussion we’ve been having for years even though it impacts almost no one in the real world. I cover local accounts in the book, of course, and thanks to the ongoing enshittification of Windows 11, I documented what you can do to secure a local account effectively in Windows 11. This was mostly an experiment, in the sense that I will not sign into Windows with a local account and strongly recommend no one else does either.

And that’s the thing. This issue, such as it is, only impacts technical enthusiasts, and I mean that pretty much literally. There’s always someone with some bizarre reason why they’re the exception that disproves that assertion. Or they just don’t like Microsoft limiting their choices. Or whatever. Generally speaking, this is the right thing to do for just about everyone.

Looking at this from the perspective of the technical enthusiast that I, too, am, I feel like we have an unspoken contract with Microsoft. We respect that Microsoft makes design choices that benefit the mainstream user base even when we may disagree with those choices. But that respect is predicated on Microsoft likewise respecting our desire to do what we want. Meaning, in this case, that we should be able to sign into Windows 11 with a local account.

And we can. Even if these changes literally result in the end of workarounds that today enable us to boot up a fresh install of Windows 11 and create a local account sign-in during the OOBE, we can still use a local account with Windows 11. And we can do so without there being an online account sign-in on the PC.

What’s changing is that getting to this configuration will require extra steps.

That is, we will need to sign into an online account during the OOBE, get to the desktop, create a local sign-in account in Settings, configure that account as an Administrator, sign out of the online sign-in account, sign into the local account, get to that account’s desktop, and then remove the online sign-in account from the PC in the Settings app.

And I have two primary thoughts on that scenario.

  • Microsoft has not violated our unspoken contract.
  • As technical users, we should understand that we will sometimes need to do a bit of work to get to the configuration we want when that configuration is downright dangerous for most people.

This conversation is almost always reduced to being about MSAs because that is the online account individuals use, but this is really about both online account types. No matter: Signing into Windows with an online account is safer. And that’s true for everyone. Why?

  • An online account can be protected with two-step verification (2FA) and is more secure.
  • An online account doesn’t require yet another password to remember.
  • An online account can be recovered if it is compromised.
  • An online account automatically backs up some settings to the cloud which enables automatic credential and password sync for Wi-Fi networks and more.
  • When you sign into Windows 11 with an online account, the disk is fully encrypted, ensuring that no one can access the data it contains if the PC is lost or stolen. This doesn’t happen with an offline (local) account because you have to store a recovery key, and that happens automatically with online accounts.
  • While I don’t like that Microsoft enables OneDrive Folder backup without a prompt and ignores the user saying no to this feature, using OneDrive for documents and other files ensures that content is synced to the cloud using an account that is secure and can be recovered, per above. This, too, is a protection in the event of PC loss or theft: In addition to ensuring that others can’t get at that data, this ensures that you can, using another PC or device.
  • Offline (local) sign-in accounts can be configured with no password, which is obviously insecure.
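
For readers who do follow the local-account steps described earlier, the read-only PowerShell check below covers the blank-password and disk-encryption points in this list. It is an added example, not part of the original article; it assumes an elevated session and that the LocalAccounts and BitLocker modules are present on the Windows edition in use.

```powershell
# Added example, read-only. Run in an elevated PowerShell session on the PC being checked.
$findings = @()

# Enabled accounts in the local account database. PrincipalSource separates
# 'Local' accounts from 'MicrosoftAccount' sign-ins.
$enabled = @(Get-LocalUser | Where-Object { $_.Enabled })
$enabled | Select-Object Name, PrincipalSource, PasswordRequired, PasswordLastSet |
    Format-Table -AutoSize

# Local accounts that are allowed to have a blank password.
foreach ($u in ($enabled | Where-Object { $_.PrincipalSource -eq 'Local' })) {
    if (-not $u.PasswordRequired) {
        $findings += "Local account '$($u.Name)' does not require a password."
    }
}

# Before the online account is removed, an enabled local account must already be
# in the Administrators group (queried by well-known SID so it works on localized Windows).
$adminSids = @(Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' } |
    ForEach-Object { $_.SID.Value })
$localAdmins = @($enabled | Where-Object { $adminSids -contains $_.SID.Value })
if ($localAdmins.Count -eq 0) {
    $findings += 'No enabled local administrator; removing the online account would leave no admin sign-in.'
}

# System drive: is protection actually on, and does a recovery password protector exist?
$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
if (-not $vol) {
    $findings += 'Could not query BitLocker (module unavailable or session not elevated).'
} else {
    if ($vol.ProtectionStatus -ne 'On') {
        $findings += "Encryption protection on $($vol.MountPoint) is $($vol.ProtectionStatus)."
    }
    $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    if ($recovery.Count -eq 0) {
        $findings += 'No recovery password protector on the system drive.'
    }
}

# With a local account, any recovery key found above still has to be stored off this PC by hand.
if ($findings.Count -gt 0) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No findings.' }
```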

I eagerly await your quibbles, but I’m also not listening because an online account is the right choice for everyone using Windows 11. And beyond the points noted above are two categories of advantages for online accounts that straddle a line between the needs of most users and those of Microsoft:

  • Convenience. An online account sign-in passes through authentication to Microsoft services that many users use and rely on, including OneDrive and Microsoft 365.
  • Lock-in. This convenience and the power of defaults help ensure that many customers will look first to Microsoft’s services.

This, too, is a contract of sorts. We can complain about the presentation, I guess, but Microsoft has the right to promote its services. This is a company, not a charity. As long as it doesn’t cross the line, which it does in some cases, we just have to accept that and move on.

When I sign into Windows 11 with my MSA, I get file system access to the contents of my OneDrive. I get instant access to the Microsoft Store and all the apps I’ve downloaded and purchased. I get access to the Xbox app and my Game Pass Ultimate subscription. I get access to my Microsoft 365 subscription rights in Word, Excel, and the other Office apps. When I use Edge, I get access to all the configurations I’ve made (that it syncs) and passthrough authentication to Microsoft online services that include Copilot and whatever else. For those in the Microsoft ecosystem, whether it’s just a toe or a full-body immersion, this MSA sign-in is both convenient and secure.

But maybe you don’t want even a toehold in this ecosystem. You use Windows for your own reasons, don’t want anything else Microsoft-related, and you’re smart and you know how to secure a PC.

You’re fine. You can still use Windows 11 with a local account. That is not changing.

And to be clear, because I hear the slippery slope argument coming, having invented it in the first place: I don’t believe Microsoft could remove local account support from Windows. I can imagine a scenario in which creating this type of sign-in account gets even more tedious, but not one in which it is removed. Should such a change ever occur, it will be in some distant future in which connectivity is as accessible and free as oxygen, and the thing in which it occurs is not Windows. We’ll all be retired by then.

My advice is simple. Just use an MSA. If you can’t or won’t, just sign in with the MSA you do already have, keep that account secure, and then create the local account you want, also being sure to keep that thing secure. This isn’t rocket science. But it’s also not worth complaining about.
