
ZDNET’s key takeaways
- A Microsoft account has some advantages, but a local account is fine for Windows 11.
- Microsoft doesn’t make it easy to set up a local account on a new PC.
- There are workarounds, but they depend on which edition you’re running.
When you set up a Windows 11 PC for the first time, you’re required to create a user account that allows you to act as the administrator for that computer. On a PC you’re setting up for personal use (at home or in a small office), the Windows Setup program really, really wants you to use a Microsoft account.
Boy oh boy, does that piss off some longtime Windows users, who simply want to set up a local account with a local password and be done with it.
I understand the anger and frustration. This sure feels like Microsoft trying to force its users to set up online accounts so they can extract more revenue from them through advertising and add-on products like Microsoft 365 and OneDrive. And that’s true!
It’s also true that Microsoft has been methodically removing the workarounds people have been using to set up a new Windows 11 PC with a local account, forcing them to jump through hoops to get things set up the way they want. (Maybe that’s about to change. We’ll see.)
There are, in fact, legitimate reasons to prefer a Microsoft account over a local account. More importantly, it’s possible to set up a Microsoft account so that your personal information is just as secure as it would be on a PC where you sign in with a local account.
But if you don’t want anything to do with a Microsoft account, it’s possible to set up a local account without spiking your blood pressure.
If you’re a charter member of Team Local Account, you might not believe that, so let’s walk through it, step by step. (And one quick note: The information in this post assumes you own and manage your own computer. If your PC is managed by a corporate IT department, this post doesn’t apply to you.)
Local account? Microsoft account? What’s the difference?
Signing in to Windows 11 with a user account is all about authentication and protecting the resources in your user profile. That’s your data, apps, hardware devices, encryption keys, and so on. Before your PC will allow you to use those resources, you have to prove that you’re really you.
With a local account, you do that by typing in a username (up to 20 characters long) and a password. Those credentials are stored in the Security Accounts Manager database, which is saved on the system drive. When you sign in, Windows checks that database and, if you typed everything correctly, lets you in. (By the way, do not use letmein as a password.)
A Microsoft account has a username in the form of an email address and, at least initially, a password. Those credentials are managed on Microsoft’s servers. When you sign in for the first time using a Microsoft account, Windows creates a token and saves it locally in a secure location, protected by the Trusted Platform Module, or TPM. The next time you sign in, Windows compares your credentials against that saved token and allows you to start using your computer.
From your perspective as a user, the only difference between the two account types is that one username looks like a word and the other looks like an email address. Although the authentication methods differ slightly under the hood, the net effect is the same.
What are the pros and cons of a local account?
Local accounts date back to the earliest days of Windows NT, circa 1993. The internet as we know it today barely existed. Browser? What’s that? Netscape was still a year away from its public debut, and the idea of an online authentication service was science fiction. Every account was a local account unless your IT department had you sign in to a Windows domain on their local area network.
Very little has changed with local accounts in the last three-plus decades. A local account has one job. As long as you don’t mistype your username or password, you can unlock all your local resources.
Ah, but if you forget your password … ? Well, sorry, you’re out of luck. Unless, at some point, you remembered to create a password reset disk (which is actually a USB flash drive containing your account’s encryption key) and can remember where you stashed it. But without that, you’re SOL.
Do you have a Microsoft 365 Personal or Family subscription? Do you play games on Xbox Game Pass? If so, you should use the Microsoft account associated with that subscription to sign into Windows. That option gives you single sign-on capabilities to all the apps and services associated with that subscription, and it’s just smart to link the accounts so that signing in to Windows also signs you in to your Office apps, OneDrive, and the rest.
And there’s more!
- On PCs designed for Windows 10 or Windows 11, signing in with a Microsoft account automatically enables full-disk encryption for the system drive, even on systems running Home edition. Your recovery key is stored in OneDrive, allowing you to access your data if you find yourself locked out. On Pro, Enterprise, and Education editions, you can enable BitLocker encryption for secondary drives and removable storage devices, such as flash drives.
- Signing in with a Microsoft account stores a record of your successful activation, allowing you to easily restore your activation (no product key required) if you have to reinstall Windows after making significant hardware changes.
- Windows lets you back up and sync settings across PCs that use the same Microsoft account. That includes personalization settings like your desktop background, saved passwords (including Wi-Fi profiles), language and regional settings, and more. (For a full list, see this Microsoft Support page.)
You don’t have a subscription to a Microsoft service? You might still want a Microsoft account, which lets you sync your apps and settings across multiple devices — as long as you sign in with the same account.
But the biggest advantage of a Microsoft account is its ability to help you recover if you forget your password. Because that account lives on multiple devices, with multiple ways to sign in (biometrics, PIN codes, recovery keys, etc.), you can recover your account easily.
That sounds great, but I can already hear the objection.
Isn’t using a Microsoft account a threat to my privacy?
Not really. Your choice of login name doesn’t unlock any data that isn’t already available through Windows or other Microsoft services.
Let’s scroll through the places where Microsoft and others might be able to access your information:
- Telemetry. This is information about your PC’s configuration, updates, and errors. It’s tied to your machine ID, a unique hash generated from your hardware. There is absolutely no difference in the diagnostic data transmitted from a Windows PC using a local account compared to a Microsoft account.
- Web browsing. If you use a non-Microsoft browser (Google Chrome, Brave, Opera, etc.), there’s no connection to the account you use to sign in to Windows. Even if you use Microsoft Edge, you can choose to set up a profile associated with a different account from the one you use for Windows.
- App usage. Apps you download and install from the web are not associated with your Microsoft account. Here, too, the account doesn’t have to be the same as the one you use for Windows.
- Non-Microsoft services. Microsoft services can use the same account you use for Windows, but for accounts from Google, Meta, Dropbox, Yahoo, and the like, there’s no link to your Microsoft account. There might be privacy concerns associated with all those services, but they have nothing to do with your Windows account.
What’s the best way to use a Microsoft account?
If you have a Microsoft 365 Personal or Family subscription, you should use it for Windows as well. You’re paying for Microsoft’s apps and services, which means you’ve already made an important trust decision, and this is the most convenient way to access those services.
If you don’t have a Microsoft 365 subscription but want the benefits of a Microsoft account (encryption, easy recovery, syncing settings across devices), create a new Microsoft account during setup and use it exclusively on your Windows PC. Don’t send or receive email from that account. Don’t use it to download apps. Don’t sign into your Microsoft 365 account with it. The option is on the setup page shown here.
When you’re asked to sign in with a Microsoft account, you have the option to create a new account rather than use an existing one.
Screenshot by Ed Bott/ZDNET
In that configuration, it’s just a username in the form of an email address, with a handful of settings backed up to the cloud.
How to set up a local account on Windows 11 Home edition
On Windows Home edition, you’re limited to only two personal options: a local account or a Microsoft account. The exact same choices are available if you’re running a business edition of Windows and choose the “Set up for personal use” option.
The easiest way to work around that restriction is to create a brand-new Microsoft account as the primary account during setup. Use any address you want — this is a throwaway account, and you’ll delete it later.
After setup is complete, sign in with your new Microsoft account, then go to Settings > Accounts > Other Users. Click “Add account” and then choose “I don’t have this person’s sign-in information,” as shown here.
To unlock the option to create a local account, click this link.
That leads to yet another dialog box where you click “Add a user without a Microsoft account,” which finally takes you to the page where you can enter a username and password.
It takes way too many steps to get to this page.
(Here’s a pro tip. Don’t enter a password here. If you do, you’ll need to answer three dumb security questions. Leave the password box blank. After you sign in for the first time using the local account, press Ctrl+Alt+Delete and choose the option to create a password, which skips the security questions requirement.)
After creating that new local account, it appears on the Other Users page. Click the entry for that account while you’re still signed in with your throwaway Microsoft account. Click “Change account type” and change it from Standard user to Administrator.
You can now sign out of your Microsoft account and sign in with your new local account. Personally, I recommend that you keep that Microsoft account available as a backup method of signing in, just in case something ever happens to your main profile. But if you would rather be done with it, you can go to Settings > Accounts > Other Users, choose the Microsoft account, and click Remove.
That takes way more steps than it should. But the results are exactly what you want.
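Before you remove the throwaway Microsoft account, it is worth confirming that the new local account really is an administrator and has a password. The following PowerShell check is an added example, not part of the original article; `YourLocalUser` is a placeholder for the username you created, and treating an empty `PasswordLastSet` as "no password yet" is an assumption of this sketch.

```powershell
# Added example: run in Windows PowerShell on the PC you just set up.
# $LocalName is a placeholder; replace it with the username you created.
$LocalName = 'YourLocalUser'

# Members of the built-in Administrators group, looked up by its well-known
# SID so the check also works on non-English installations.
$admins = Get-LocalGroupMember -SID 'S-1-5-32-544'

# One row per enabled account: where it comes from, whether it is an
# administrator, and whether a password has ever been set.
$report = Get-LocalUser | Where-Object Enabled | ForEach-Object {
    $sid = $_.SID.Value
    [pscustomobject]@{
        Name        = $_.Name
        Source      = $_.PrincipalSource   # Local or MicrosoftAccount
        IsAdmin     = [bool]($admins | Where-Object { $_.SID.Value -eq $sid })
        # Assumption: an empty PasswordLastSet means no password was set yet.
        HasPassword = $null -ne $_.PasswordLastSet
    }
}
$report | Format-Table -AutoSize

# Walk through the conditions the procedure above is supposed to produce.
$me = $report | Where-Object Name -eq $LocalName
if (-not $me) {
    Write-Warning "No enabled account named '$LocalName' was found."
} elseif ($me.Source -ne 'Local') {
    Write-Warning "'$LocalName' is not a local account (source: $($me.Source))."
} elseif (-not $me.IsAdmin) {
    Write-Warning "'$LocalName' is still a Standard user. Change the account type first."
} elseif (-not $me.HasPassword) {
    Write-Warning "'$LocalName' has no password yet. Set one with Ctrl+Alt+Delete."
} else {
    Write-Output "'$LocalName' is a local administrator with a password set."
}
```

If the script prints a warning, fix that item while you are still signed in with the Microsoft account, so you are not left without a working administrator.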
How to set up a local account on Windows 11 Pro edition
If your new PC is running Windows 11 Pro, the Windows Setup program asks you to choose whether you want to set up the PC for personal use, work, or school, as shown here. Choose the second option.
This choice is only available with Windows Pro, Enterprise, and Education editions.
On the next page, ignore the box to enter an email address. Click the small “Sign-in options” link beneath that box, as shown here.
Click here to get to the local account options.
That takes you to yet another page that doesn’t seem to have anything to do with local accounts. Trust me on this.
This option finally takes you to the local account option. Don’t worry — you don’t need a Windows domain.
It isn’t obvious or intuitive, but click the “Domain join instead” button here. You don’t have a Windows domain, but that doesn’t matter, and the setup program isn’t going to check. This option opens a series of dialog boxes where you can enter a username and password for your local account. When you reach the final page, you can sign in with those credentials and get to work.
If all of that seems like too much work, you can take your choice of several third-party utilities that enable a local account option during setup. A free and simple option is Rufus, which creates installation media on a USB flash drive; run Setup from that drive and use the switches to customize your installation.
