How to Create a Local-Only Account During Windows 11 Setup (2025 Update)
- William Lawyer
- May 22
- 3 min read
Microsoft is doubling-down on its push for cloud-connected sign-ins, but MSPs often need the flexibility to deploy machines that use local credentials only—whether for air-gapped environments, imaging labs, or devices bound to third-party identity providers.Last month Microsoft removed the well-known oobe\bypassnro trick, yet the community has already uncovered a simpler workaround. Below is a quick primer you can share with customers or reference in your own deployment runbooks.
Why the Change?
End of “bypassnro.” Beginning with Insider build 26200, the command that let users skip the network check (and, by extension, the Microsoft Account requirement) has been disabled. Microsoft says the goal is to ensure every new install finishes “with internet connectivity and a Microsoft Account.” (windowscentral.com)
Immediate backlash—and a new bypass. Just 24 hours after the announcement, researcher @witherornot1337 discovered a replacement command that launches the old Windows 10 local-account wizard directly, shaving minutes off the Out-of-Box Experience (OOBE).
The New One-Liner: start ms-cxh:localonly
Begin Windows 11 setup as normal until you reach the Microsoft Account sign-in screen.
Press Shift + F10 to open Command Prompt.
Type (or paste):
start ms-cxh:localonly
A classic user-creation dialog appears. Enter a username, password, and security questions.
Click Next; Windows jumps straight to the privacy settings page and then to the desktop—no reboot required.
How It Compares to the Retired oobe\bypassnro Method
Aspect | oobe\bypassnro (removed) | start ms-cxh:localonly (new) |
Steps required | Two reboots plus full OOBE flow | Single command; no reboot |
Skips network step? | Yes | No – launches local wizard directly |
Works on build 26200+? | No | Yes (for now) |
Likely to be patched soon? | Already patched | Microsoft hasn’t commented, but history suggests this is temporary |
Practical Use-Cases for MSPs
Imaging & gold-master creation – speed through first-run setup when building reference images.
Air-gapped / sensitive systems – keep endpoints off the public internet and outside Microsoft’s telemetry.
Temporary or loaner devices – avoid linking personal Microsoft IDs to hardware that will be wiped later.
Third-party identity stacks – environments that rely on Azure AD/Entra ID Hybrid Join or non-Microsoft SSO can stay clean of consumer MSA artifacts.
Caveats & Risk Management
May stop working without notice. Microsoft can disable URI handlers or block ms-cxh:localonly in future Insider builds—and in production rings soon after. Plan alternate provisioning paths (e.g., unattend.xml, MDT task sequences) in case this loophole closes. (windowscentral.com)
License & policy compliance. While creating a local account isn’t prohibited, verify that customer security baselines or regulatory frameworks (HIPAA, CJIS, etc.) don’t mandate cloud-based account recovery or MFA features available only through Microsoft Accounts.
Reduced cloud integration. Devices set up this way won’t auto-sync OneDrive, store BitLocker keys in the cloud, or enable Consumer Windows Backup. Factor those changes into user-education and support docs.
Future servicing impacts. Certain Windows 11 features—Copilot, Widgets, Microsoft 365 integration—depend on an MSA/AAD login. End users may later ask why those experiences are missing.
Recommendations for Integrated Technical Solutions Clients
Standardize & script it. Incorporate the command into your imaging process with a PowerShell wrapper that detects setup screens and injects the URI automatically.
Document the fallback plan. Keep an updated SOP that explains both this shortcut and the longer registry-edit approach, so techs aren’t blocked if Microsoft shuts the door.
Educate stakeholders. Explain to non-technical decision-makers why a local account improves privacy in certain scenarios and what trade-offs to expect.
Monitor Insider release notes. Assign a service-desk analyst to track Windows build changelogs for any mention of account-setup changes, and test each preview in a VM before rolling new images.
Closing Thoughts
Microsoft’s account-first stance isn’t going away, but for MSPs who need speed, control, and offline capability, the start ms-cxh:localonly trick is the fastest option available today. Use it while it lasts—and make sure your deployment playbook includes contingencies for the day it disappears.
Have questions or need help integrating this into your imaging pipeline? Reach out to Integrated Technical Solutions—we’re happy to assist.