We hear a lot about Windows and the push for always online, ever present Microsoft accounts. Every day, Microsoft is patching yet another thing that can get you an old-fashioned local account like on Mac or Linux. But why does everyone make a fuss about it? Why is Microsoft trying so hard to convince people to use Microsoft accounts?

Today, I want to examine what the benefits of a Microsoft accounts are, but also critically analyze some of the criticism that Microsoft gets from enthusiast users. Microsoft accounts aren’t all bad, but most people don’t get the same benefits by ignoring them. How can you reap similar benefits without Microsoft’s involvement? Should you even do so?

Why does Windows push Microsoft accounts?

Microsoft gets a ton of criticism from online communities and on social media about the efficacy of having a Microsoft account. Before we dive into that, it’s important to understand why Microsoft pushes accounts so hard and some of the benefits that having one can get you.

Firstly, Microsoft accounts are unified identities typically created by system administrators to control what employees or users do on company-owned devices. Windows comes with group policies which let admins control what people do with their computers and protect them from basic threats.

Read more about Microsoft accounts in Microsoft’s Learn documentation.

One great example is the role that Microsoft accounts play with the Windows encryption solution Bitlocker. Bitlocker utilizes TPM to ensure the encrypted computer wasn’t tamped with and protects the computer from theft. In this chain, Microsoft accounts store a recovery password to allow admins or user to move their data or unlock it in the event of an emergency. The recovery password is necessary so employees aren’t locked out of their computers.

There is no debate about how important full disk encryption is and Microsoft is not exactly innocent in keeping Bitlocker behind a paywall in the past. Solutions like Bitlocker block people who steal your computer and actually make that password you use for Windows something meaningful. The only time Bitlocker should be turned off is as an absolute last resort.

Something to remember is the majority of Windows users will capitulate and sign up for a Microsoft account, both because they are encouraged to do so and consumer-facing benefits like syncing settings and Xbox integration. I would venture to say less than 5% of global Windows users are clamoring for life without Microsoft accounts. IT admins use them, it has benefits to the average user, and provides recourse in the event they forget their password or cannot access their computer.

Why Microsoft Is Tough to Trust

Now that I’ve weeded out the haters, it’s time to complain about online accounts. The primary reasons to avoid using a Microsoft account come down to privacy concerns and how aggressive Microsoft is against making one.

First, Microsoft is one of the most privacy invasive companies in Big Tech. The data collection in Windows is so bad they have received fines from various governmental agencies for not properly preserving our privacy. What’s just as concerning is Microsoft has been guilty of violating users’ privacy with Windows in the past.

The other major problem is Microsoft’s vested interest in collecting and using data, personal or otherwise. Ever wonder why Microsoft forces Bing into Windows Search? It’s because they profit heavily from even accidental clicks as it’s monetized traffic to Bing’s ad network. While Microsoft is far behind giants like Google and Facebook, they have been aggressively making partnerships with major online advertisers to expand their ad network with Netflix’s ad-supported tier, Criteo, and Taboola.

Another angle is the financial incentive Microsoft has to forcing people to create accounts. It’s a way to boost their user numbers, Bing searches, and advertising deals. That’s why Windows is littered with advertisements–to feed the corporate beast. But more importantly, locking in the business and enterprise users. Beyond Windows, Microsoft has leveraged their influence to get even the US government hooked through cybersecurity upgrades and assisting military technologies. Microsoft has also provided AI tools for military purposes in the case of Israel.

Microsoft’s earnings are very misleading as the total revenue from search in fiscal year 2024 is a made up category and leaves up to debate what “traffic acquisition costs” are.

Finally, Microsoft has been very aggressive towards those who rebel against their advice. Among the hostilities include watermarking unsupported Windows 11 installations and patching out various workarounds to using Windows 11 without an online account. If only a small percentage of users are doing this, why is Microsoft so concerned? If so, then maybe more people or businesses are abusing these exploits than we think.

Among the deceased include:

As of time of writing, this can be bypassed by opening Command Prompt using Shift + F11 and entering the following:

start ms-cxh:localonly

With a company that makes billions of dollars, it’s inevitable there’s going to be some evil within Microsoft. But with workarounds, they are undesired by nature and they are not sustainable for internet denizens and IT professionals to use. Command prompt exploits of Windows 11 are helpful, they are workarounds at the end of the day. So instead, I propose a different strategy: we’re going to turn to a different feature of Windows and the way Microsoft intended.

Unattended Installations

Microsoft may block workarounds, but there’s one form of customer they’re much more careful with messing around with–the enterprise (most of the time anyway). Using a feature of a standard Windows USB, you can essentially put your Windows installation on auto-pilot while you can spend your time doing something else.

The benefit of unattended installations is you aren’t just bypassing the Microsoft account enforcement; you’re bypassing clicking anything in the installation altogether. Best of all and unlike the workarounds that you might see on social media, this is a fully documented process by Microsoft intended for IT departments. The documentation requires us to write our own autoUnattended.xml, but there’s a tool for that further down.

Creating an Installation Media

The first thing we need to do is create a Windows 11 installation USB drive. To do so, you use your Windows machine to build a USB drive using the Windows Media Creation Tool from Microsoft’s website. An alternative is to use Rufus, which employs its own customizations. If you want more customization beyond what Rufus does, you will need to write your own. Downloading either, just follow the on-screen instructions to wipe your USB drive of choice and turn it into a Windows stick.

Once you have your newly acquired Windows USB, the next step is to generate an autounattend.xml to put inside. It’s basically a file that dictates things to the Windows installer and does them during the Windows installation process.

In the IT world, this is often done to pre-download applications onto a fleet of identical computers. For our usecase, we can also use our autounattend.xml to remove preinstalled programs, handle Windows product keys, and bypass Windows account requirements.

Writing a XML file from scratch is not fun in the slightest, but there’s a website for this: Schneegans.de’s Unattended Generator. What is a schneegan? Apparently, it’s a snow goose.

Go to Schneegans and start configuring your install. It offers additional options as well that might interest you.

  • Display language
  • Bypassing Windows 11 requirements
  • Install without internet (but only if you don’t have any)
  • Computer name
  • Wi-Fi Network (DO NOT DO THIS ONLINE, EDIT YOUR XML LATER)
  • Windows product keys: Just pick something other than Home, due to the afforementioned paywalling of features.
  • User accounts: admin vs user
  • Debloating Windows by removing various preinstalled programs
  • Building your own Powershell/Batch/CMD script

Enabling Bitlocker for Free

Now that we have our admin/user accounts under our control, we have to get into the joys of Bitlocker.

Windows Pro, Education, Enterprise

If you are a Windows Pro, Education, or Enterprise user, you can enable Bitlocker from Settings → System → About → Bitlocker → Turn on Bitlocker.

Next, you will be prompted to save your key to a file with 3 options: saving your recovery key to your Microsoft account, a file, or printing it out. Since we are avoiding Microsoft accounts, that leaves the last 2 options. I also recommend making a note in your password manager verbatim of the file Microsoft gave you. You can also upload it to cloud storage.

Home

If you are a Windows Home user (because you or a loved one cannot stand that activation watermark), you will not have access to this GUI and instead must resort to hackery. While Microsoft blocks you from accessing the GUI, you can still use a series of convoluted PowerShell commands to figure out what to do.

Most of what needs to be done needs to be done in Windows Terminal.

Preliminary Checks

First, you must identify your disks using the command

Get-Disk

This will list your disks and ensure it is partitioned as GPT. If you have repeatedly upgraded Windows, this could read MBR instead. If does not, have fun reinstalling Windows, rewind the video, or scroll back up.

Next, check if TPM is elligible for Windows 11 as is 2.0 or higher. After entering the command below, there will be a SpecVersion section in the output.

Get-WmiObject -Namespace "root/cimv2/security/microsofttpm" -Class WIN32_tpm

If you bypassed the Windows 11 requirements, this is your reminder, Windows doesn’t like that and could make your life more difficult in the future. Staying on Windows 10 is also not an option anymore. Either upgrade your computer, buy a Mac, or switch to Linux. If you are are a valid Windows 11 user, proceed below.

Bypassing the Paywall

First, boot Windows into advanced startup. Navigate to Settings → System → Recovery → Advanced startup → Restart now and confirm.

After your computer reboots, the Windows recovery screen will appear. Navigate to Troubleshoot → Advanced Options → Command Prompt. From here, enter the following command to turn Bitlocker on.

manage-bde -on c: -used

After, close Command Prompt and click “Continue” to boot back into Windows. Next, open Windows Terminal under your administrator account.

  • Right-click on Start → Windows Terminal (Admin)
  • In Start → Windows Terminal → RMB → Run as Administrator

Next enter the following command.

manage-bde c: -protectors -add -rp -tpm

This will produce your Bitlocker recovery key similar to the normal way. Write the password down, save it to your password manager, print it out, store it someplace safe like in a USB or cloud storage.

After you saved your recovery key, run the following to start the encryption process on your C:\ drive. You can also repeat the command, but change c: to the letter of another drive you exclusively use with Windows (e.g. d:).

manage-bde -protectors -enable c:

See Bitlocker’s Status

To verify if Bitlocker is working, run the command below. You can also repeatedly spam it if you want to see the progress of your data being encrypted.

manage-bde -status

Afterword

Once you have gotten your unattended install with your administrator and user accounts, bypassed the Microsoft account requirements, and enabled Bitlocker, you have essentially gotten the major benefits you would have gotten with a Microsoft account.

Now all that’s left is to remove the privacy invasive features and advertisements…

Video References

Track Listing: