The Windows Insider Blog recently announced the removal of local-only installs on Windows 11.
“We are removing known mechanisms for creating a local account in the Windows Setup experience (OOBE). While these mechanisms were often used to bypass Microsoft account setup, they also inadvertently skip critical setup screens, potentially causing users to exit OOBE with a device that is not fully configured for use. Users will need to complete OOBE with internet and a Microsoft account, to ensure device is setup correctly.”
In practical terms this means they removed the command line workarounds oobe\bypassnro and start ms-cxh:localonly in the Windows 11 Insider Preview Build 26220.6772 (KB5065797) in the Beta and Dev Channels, an indication these changes are likely to make it to a production release candidate soon.
However, making it more difficult to provision offline accounts comes with additional risks aside from the obvious privacy risk. The removal of offline installs will only result in end users seeking alternatives, as organizations of all sizes rely upon offline installation of Windows for numerous purposes ranging from kiosks to secure air-gapped networks.
Users who want to use Windows without a Microsoft account currently report that it is possible to add the following registry value during setup by opening a command prompt (Shift+F10):
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE /v BypassNRO /t REG_DWORD /d 1 /f
shutdown /r /t 0
Additionally, many users will simply resort to third-party solutions. After Microsoft started pursuing these changes in Windows 21H2, Rufus, a popular USB formatting utility, built an option to re-enable offline account creation in Windows. As they do not support Insider builds, it is unknown if their workaround is still functional.
We encourage administrators to be cautious when creating a dependency on any third-party library in sensitive environments as supply chain risks continue to grow and evolve each year.