Windows 11 setup: Which user account type should you choose?

wgettyimages-1238265324

Ed Bott explains the pros and cons of each account type and why your best option might be a combination of two account types.

NurPhoto/Getty Images

When you set up a Windows PC for the first time, you’re required to create a user account that will allow you to act as the administrator for that computer. Depending on your Windows edition and network setup, you have a choice of up to four separate account types.

Also: Windows 11: Do these six things right away after you finish setup

On business editions (Pro, Pro for Workstations, Enterprise, and Education), the Windows Setup program asks you to choose whether you want to set the PC up for personal use or for use on a network managed by your organization, as shown below. If you choose the second option, you can set up the PC using an account in your Windows Active Directory domain or you can sign in using an Azure Active Directory account, such as the one associated with a Microsoft 365 Business or Enterprise subscription. (A quick note here: Microsoft announced in July 2023 that it’s changing the name of this feature from Azure Active Directory to Microsoft Entra ID. The feature set remains the same, however.)

user-account-personal-or-organization.jpg

This choice is only available with Windows 10 Pro or Enterprise

Screenshot by Ed Bott/ZDNET

On Windows 10 Home edition, that choice isn’t available, and you’re limited to only the personal options: a local account or a Microsoft account. The Setup program is extremely persistent about trying to coax you into signing in with a Microsoft account. Windows 11 Home edition gives you only the option for a Microsoft account, although you can add a local account (or remove the connection to the Microsoft account) after you’ve signed in for the first time.

In this post, I’ll explain the pros and cons of each account type and explain why your best option might be a combination of two account types.

Microsoft account

This is Microsoft’s free online account for personal use, required for signing into the company’s consumer services, including OneDrive, Xbox Live, Skype, and Microsoft 365 Family and Personal subscriptions, among others.

If you have an email account at Outlook.com or Hotmail.com (or, for old-timers, at live.com or msn.com), you already have a Microsoft account. You can also sign up for a new account anytime, choosing a new address at Outlook.com or using your own email address.

Also: Is Windows 10 too popular for its own good?

Signing in to your Windows 10 or Windows 11 PC with a Microsoft account offers several distinct benefits:

  • On PCs designed for Windows 10 or Windows 11, signing in with a Microsoft account automatically enables full-disk encryption for the system drive, even on systems running Home Edition. If you turn on BitLocker encryption (Pro and Enterprise editions only), your recovery key is stored in OneDrive, allowing you to retrieve your data if you find yourself locked out.
  • Signing in with a Microsoft account stores a record of your successful activation, allowing you to easily restore your activation (no product key required) if you ever have to reinstall Windows.
  • Windows allows you to sync settings between PCs where you sign in using the same Microsoft account. That includes personalization settings like your desktop background, saved passwords (including Wi-Fi profiles), language and regional settings, and more. (For a full list, see “Windows 10 roaming settings reference.”)
  • You can sign in automatically to any Microsoft consumer service using your saved Microsoft Account credentials.
  • You can sync data and settings for preinstalled Windows apps (Mail and Calendar, for example) and easily restore apps you download from the Store.

Note that Windows telemetry data is tied to your device and isn’t associated with a Microsoft account. (For more details on how telemetry works, see “Windows 10 telemetry secrets: Where, when, and why Microsoft collects your data.”)

Also: The best Windows laptop models: Comparing Dell, Samsung, Lenovo, and more

And, of course, you can create a Microsoft account and use it exclusively for signing in to Windows while keeping your email, cloud storage, and other services elsewhere. But if you do use a Microsoft account for services such as Microsoft 365 and OneDrive, it makes sense to sign in to Windows using the same account.

Local account

A local account is about as old school as Windows gets. You don’t need a network connection or an email address; instead, you create a username (up to 20 characters) and a password, both of which are stored on the PC where you create them. Those credentials grant access only to the device on which you created them.

There’s no particular security or privacy advantage to signing in with a local account (indeed the lack of device encryption is a negative, in my book); but if that’s your preference, you can do so when you first set up Windows 10 (any edition) or Windows 11 Pro on a new PC.

Windows 11 Home requires you to sign in with a Microsoft account during initial setup. Beginning with version 22H2, so does Windows 11 Pro when you choose the option to set it up for personal use. You can work around this restriction by entering the address no@thankyou.com as your Microsoft account. When you’re asked for a password, enter anything. Windows will inform you that the account has been locked because of too many incorrect password attempts (you’re not the first person to do this, after all), and you’ll be given the option to create a local account instead.

Also: The ultimate Windows troubleshooting trick

If you’ve already created a new account that’s associated with a Microsoft account, you can easily convert it to a local account. After signing in for the first time, go to Settings > Accounts > Your Info. Under the Account Settings heading, choose Sign In With A Local Account Instead and follow the prompts. 

On Windows 10, make sure you’re not connected to the internet when you run Setup; then, when you reach the Sign In With Microsoft screen shown here, click the “Continue with limited setup” option in the lower left corner. 

set-up-a-local-account.jpg

That option in the lower left corner allows you to set up a local account.

Screenshot by Ed Bott/ZDNET

After you get past those speed bumps, you can enter your username and password. 

With a Microsoft account, you have multiple options to recover if you forget your password. With local accounts, you’ve historically had no such option if you forget your password. On Windows 10, setting up a local account on Windows 10 requires that you fill in answers to three security questions, to help you recover in the event you forget your password.

You can’t bypass those questions, nor can you choose alternatives other than the six predefined questions. If you’re worried that a thief with a search engine can guess those answers, do as I do and … be creative. For example, you can answer the three security questions with a three-word passphrase of your own, entered one word at a time. Or, if you’d prefer to bypass the whole feature, just mash the keyboard to create random “answers” that no one (including you) could possibly guess. If you choose either option, don’t blame me if you forget your password.

Also: Windows 11 security: How to protect your home and small business PCs

You can switch at will between a local account and a Microsoft account, using options in Settings > Accounts > Your Info.

Even if you prefer a local account, consider signing in first with a Microsoft account. After you confirm that your system is properly activated and the activation status is recorded with that Microsoft account, switch back to a local account and go on about your business.

Likewise, if you’re fussy about the name of your default user profile folder, consider signing in with a local account first, and then attach your Microsoft account. If you follow that procedure, Windows uses the exact local username you specify as the folder name and retains that name when you switch; if you start with a Microsoft account, your user profile folder name is the first five characters of the portion of your email address to the left of the @ sign.

Active Directory (domain join)

If your company has an enterprise network with a Windows server running as a domain controller, you can join a Windows 10 or Windows 11 PC to the domain. Creating that type of account requires that a domain administrator create an Active Directory account, after which you can sign in using those credentials in the format domain\username (or username@domain, if the domain is associated with a fully qualified domain name).

Ironically, before you can join a PC to a domain and sign in with your Active Directory account, you have to first create a local account.

Microsoft Entra ID (formerly Azure Active Directory)

This is the newest option in the lineup of Windows account types. Like a domain account, an Entra ID account is managed by an organization’s administrator, but it doesn’t require a local server. Instead, the credentials are managed in Microsoft’s Azure cloud.

If your organization uses Microsoft 365 or has an Office 365 Business or Enterprise subscription, you already have a Microsoft Entra ID/Azure AD account. As with a Microsoft account, you sign in using an email address as your username (in this case, the address is assigned by your organization and managed by their IT staff); this account type gives you the ability to sync settings across devices where you’re signed in with the same account. The big difference is that your access to the device is managed by your organization’s administrator, who can apply security settings and restrict some options.

Also: The best all-in-one computers: Mac, HP, and more compared

To manage Microsoft Entra ID accounts, administrators use the Microsoft Entra admin center, which also includes the option to synchronize the cloud-based directory with a local domain’s Active Directory, an option called Azure AD Connect.

azure-ad-porta.jpg

It might take a while for Microsoft to change the Azure AD branding to Entra ID in this portal.

Screenshot by Ed Bott/ZDNET

A basic Entra ID account is free, but like all Microsoft enterprise services, upsell options abound. Paying for a premium account (which is included with a Microsoft 365 E3 or E5 subscription) unlocks advanced security features.

And you can mix and match account types on the same device for the sake of flexibility. You might want a local account to handle routine administrative tasks, a Microsoft account for personal use, and an Entra ID account for connecting to your organization’s servers. To set up additional accounts after the first one, use Settings > Accounts > Family & Other Users > Add Someone Else To This PC (Windows 10) or Settings > Accounts > Other Users > Add Other User (Windows 11). Just choose the right account when you first sign in to a new session.

READ MORE HERE