tiny11builder icon indicating copy to clipboard operation
tiny11builder copied to clipboard
verified publisher icon ntdevlabs

Local account creation broken?

Open wjk opened this issue 2 months ago • 1 comments

Hey there! I love your program, and I plan on relying on it to build Windows 11 machines for privacy-conscious users who cannot tolerate the Microsoft account requirement (and its mandatory tracking of everything the user does on their computer).

However, I read here that Microsoft is soon going to deliberately break all the techniques used to avoid having to sign in with a Microsoft account to use Windows. This is completely unacceptable for one of my clients, a practicing lawyer, who must observe strict confidentiality rules on his computers. From what I can tell, the unattend.xml-based methods do not use any of the “usual” local-account workarounds, but I need to be certain that they won’t break also. (Your script sets BypassNRO in the Registry, and I know for certain that that technique will no longer work.) According to Microsoft, the unattend-file rule used to bypass the Microsoft account requirement (HideOnlineAccountsScreens) has not (yet) been deprecated. I expect that this specific command is widely used by IT admins in tightly controlled corporate environments, and forcing those users to use Microsoft accounts as well would open them to huge liability. However, there is the chance that that page simply hasn’t been updated yet, and I need to know for certain one way or another.

Another technique I sometimes use is to configure an unattend file with more settings, specifically to create a local user account (using Windows Vista-era techniques), and bypass the OOBE completely. However, this technique requires writing sensitive information into the system image, and I want to avoid doing this unless I absolutely must. Unfortunately, I noticed that the SkipMachineOOBE and SkipUserOOBE elements, which I use to bypass the OOBE completely, are no longer documented by Microsoft, which may mean that the HideOnlineAccountsScreen is not long for this world either.

Can you share anything regarding these concerns? Thanks!

wjk avatar Oct 07 '25 15:10 wjk

I am not a programmer and I have got no clue about future solutions. All I have to offer is a practical workaraound. Local accounts can still be created based on this month's ISO (version 25H2). Save that and use it to set up machines with a local account in a few years. Unless Microsoft gets the batshit crazy idea to prevent local accounts from installing crucial security updates, this should carry you to version 26H2 and further.

nriemenschneider avatar Oct 10 '25 15:10 nriemenschneider