Summary
➡ To switch to a local account in Windows 11, you need Windows 11 Pro. Although it costs extra, it supports local accounts without any tricks. If you’ve already used a Microsoft ID, you’ll need to start from scratch with a full Windows 11 Pro installation. After installing, choose ‘Setup for Work or School’ and ‘Domain Join’ to avoid using a Microsoft account. Make sure BitLocker is off and reset the TPM to avoid sending credentials to Microsoft. If Windows 11 Pro is already installed, you can remove the Microsoft account through the settings, but this may leave traces in the registry.
➡ You can disable the Microsoft account requirement during Windows 11 installation by using Rufus, a free tool, to create a modified bootable USB. This method, which works offline, prevents the transfer of your information to the cloud and stops certain Windows features from working or sending data to Microsoft. However, if you prefer simpler options and don’t need specific apps, you can stick with Windows 10 and use a local account. For those serious about privacy, consider joining Braxme, a community that offers privacy tools like BraxMail and BytesVPN.
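The end state the summary describes (local accounts only, BitLocker off, TPM state known) can be checked read-only from an elevated PowerShell prompt. This is an added example, not part of the video or the original page; the function name Get-LocalAccountAudit is hypothetical, and it reports local machine state only, not what was or was not sent to Microsoft.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original page): read-only audit of the state the
# summary's steps aim for. Get-LocalAccountAudit is a hypothetical name.

function Get-LocalAccountAudit {
    [CmdletBinding()]
    param()

    # Edition: the summary's native local-account path assumes Windows 11 Pro.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # Enabled accounts whose PrincipalSource is not 'Local' (for example
    # MicrosoftAccount or AzureAD) are still linked to a cloud identity.
    $linked = @(Get-LocalUser |
        Where-Object { $_.Enabled -and $_.PrincipalSource -ne 'Local' } |
        ForEach-Object { '{0} ({1})' -f $_.Name, $_.PrincipalSource })
    $linkedText = 'none'
    if ($linked.Count -gt 0) { $linkedText = $linked -join ', ' }

    # BitLocker: a volume can be encrypted while protection is 'Off'
    # (suspended or waiting for activation), so both fields are checked.
    # A failed query is reported as 'unknown' rather than read as 'off'.
    try {
        $encrypted = @(Get-BitLockerVolume -ErrorAction Stop |
            Where-Object { $_.ProtectionStatus -eq 'On' -or
                           $_.VolumeStatus -ne 'FullyDecrypted' } |
            ForEach-Object {
                '{0} ({1}, protection {2})' -f $_.MountPoint,
                    $_.VolumeStatus, $_.ProtectionStatus
            })
        $bitlockerText = 'off on all volumes'
        if ($encrypted.Count -gt 0) { $bitlockerText = $encrypted -join ', ' }
    } catch {
        $bitlockerText = "unknown: $($_.Exception.Message)"
    }

    # TPM: raw state only. Windows normally re-provisions a cleared TPM on the
    # next boot, so these fields show whether the TPM is usable, not whether
    # it was cleared. A TPM disabled in firmware shows Present=False.
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        $tpmText = 'Present={0} Enabled={1} Ready={2} Owned={3}' -f
            $tpm.TpmPresent, $tpm.TpmEnabled, $tpm.TpmReady, $tpm.TpmOwned
    } catch {
        $tpmText = "unknown: $($_.Exception.Message)"
    }

    [pscustomobject]@{
        Edition          = $os.Caption
        CloudLinkedUsers = $linkedText
        BitLocker        = $bitlockerText
        Tpm              = $tpmText
    }
}

Get-LocalAccountAudit | Format-List
```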
Transcript
Windows 11 has some pretty bad features that are truly privacy invading, from Windows Recall, which records everything you do on the computer, to new telemetry that can potentially track your interactions over the Internet, tied to a TPM chip identity. I’ll refresh your memory and tell you what these anti-privacy features are, as I’ve discussed them in recent videos. Fortunately, I discovered a workaround that will actually evade all these spyware features, and surprisingly it still works. To put it to you directly, you must log in to Windows only using a local account, but you need to know why it works.
You must never ever log in again using a Microsoft account. If you do, you need to reinstall this and start all over again. If you’re running Windows 11 Home, you already know how Microsoft makes it practically impossible for a user to use a local account. And if you’re on Windows 10 and you’re doing an upgrade to Windows 11, you will not realize that the Microsoft account has changed and is doing a ton of new things to ensure you have no privacy. So if you were using a Microsoft account before, you must really reinstall from scratch and remove that Microsoft account connection.
As this function changed between Windows 10 and Windows 11, I’m going to teach you a simple way to convert to a local account, and then you must understand why you must never use a Microsoft account on this device ever again. Stay right there. Between Windows 10 and Windows 11 there was a drastic change in what the Microsoft account is for, and this involves the TPM chip. The TPM contains a factory-burned endorsement key (EK), a permanent unique hardware fingerprint. When you sign in with a Microsoft account, Windows can use that EK during cloud attestation, permanently tying that specific machine to your Microsoft identity in Microsoft’s attestation logs.
Even though your fingerprint or face data itself never leaves the computer and stays encrypted locally, the moment Windows Hello unlocks the device with a Microsoft account, the operating system immediately phones home to Microsoft. Why? Because a Microsoft account session isn’t just a local login anymore, it’s a full cloud session. As soon as you’re in, Windows refreshes your authentication tokens, checks in with Microsoft’s identity servers, syncs your settings, starts OneDrive, pings Copilot services, and if you’ve enabled it, uploads or verifies your BitLocker recovery key. All of this traffic is tied to both your Microsoft account and matched to the permanent hardware identifier derived from your TPM.
As I said earlier, every login or unlock triggers authentication token refreshes and device-bound telemetry, effectively telling Microsoft this is me on this exact machine. Even if you never touch OneDrive or Copilot in practice, Microsoft now knows exactly which physical computer you’re sitting in front of every time you log in. This also has pretty significant implications when using passkeys, which are also tied to Windows Hello. Suddenly your passkeys are also integrated into the Microsoft cloud, so it is no longer local data. This also means that Microsoft gets to do telemetry on every instance where you use passkeys.
This is tied to some other pieces I’m going to show you.
BitLocker and Microsoft Account Recovery
While the TPM chip in theory is there to provide you with extra security, this now gets complicated in Windows 11. On new Copilot Plus PC computers, meaning the AI-enabled computers, BitLocker is turned on by default, and you didn’t know this, but as soon as you log into your Microsoft account on that computer, the BitLocker recovery keys are moved over to Microsoft. Microsoft also has the ability to recover your specific computer login because the credentialing process is now attached to the Microsoft cloud, again attached to your Microsoft account.
In theory, a government with legal compulsion could obtain your BitLocker recovery key from Microsoft if you ever backed it up there.
TPM Attestation
In addition to just dealing with security when logging into the Microsoft cloud, the TPM has been used by Microsoft to supply an external tool for attestation, meaning a third-party app can query Microsoft to check the status of your device, for example to check that it is the same machine and has not been altered, and this third-party check is verified through an interaction between the TPM and Microsoft. The result of that then is passed to the third party.
Thus even Microsoft is involved with third-party credentialing and validation of a device. This can also be used for control purposes, like ensuring you’re running a specific OS or ensuring you don’t modify your own computer.
Windows Recall and Copilot
Part of the reason that all these security features are there is to supposedly protect your computer, because now the Windows Recall module is doing screenshots every few seconds and storing data about everything you’re doing on the machine. This is the reason you can’t run Windows Recall without enabling BitLocker. This data is potentially something that a third party can capture, either a hacker or a government.
So all of this is tied together like a package with a ribbon. All these pieces, the Microsoft account, BitLocker, Windows Recall, are pieces important to the AI companion that will be your computer friend. This is the big picture. Since the computer is supposed to be your AI companion, then this data must be protected at all costs by Microsoft, the cost being your privacy, since your private info has just been transferred from your brain to the computer.
Microsoft Cloud
Of course, there’s always a financial reason for all this. Microsoft is making most of its money now, as the second largest corporation in the world, from cloud services.
So all this is really made to move your computer interactions to the cloud: Office 365, OneDrive, Windows Backup, and now all integrated with Copilot, which mostly also runs in the cloud. In the end, this translates really to your computer not really being your computer. In essence, it’s just going to be a terminal to access all your resources in the cloud.
Microsoft’s Kryptonite
Fortunately, Microsoft created their own Kryptonite, and all these features I just described require a Microsoft account. This is the reason they pushed the Microsoft account everywhere. But Microsoft has a huge enterprise market. Many of these features I just described are really for the consumer.
The enterprise IT staff does not want Windows Recall, Copilot and such, and they have their own licenses for Office 365 and certainly their own servers for storage and backup. So if you’re an enterprise customer, you can skip all this and log in using a domain instead. And you’re allowed to log in using a local account. I’m sure they would get tremendous pushback if they blocked an enterprise account from logging in using a local account. There would be a quick migration to Linux, I expect.
What happens if you have a local account?
Local Account: Windows Hello
When you switch to a pure local account, Windows Hello goes back to the Windows 10 behavior: 100% local unlock, zero traffic to Microsoft, no hardware fingerprint sent anywhere, no cloud session created, passkeys stay device-only, BitLocker keys stay in your own hands, and none of your logins ever light up on Microsoft’s radar again.
Local Account: TPM
The danger in a TPM is not actually the TPM itself, but is the involvement of a third party in every security query off the TPM. This is because in Windows 11, Microsoft has inserted the Microsoft account in every security transaction. But the good news is that when you use a local account, the TPM doesn’t get used to communicate with Microsoft at all. So even if you didn’t turn off the TPM as I recommended in my TPM video, this will work fine as long as you never log into Microsoft ever again. Can you do that? We’ll get back to that.
Local Account: BitLocker
While I still don’t recommend using BitLocker when there are other alternatives like VeraCrypt, if you use BitLocker with a local account, you actually get to back up your own recovery keys and they don’t get forwarded to Microsoft.
So this makes BitLocker actually okay to use. But don’t forget, this is very important: turning BitLocker off on Copilot PCs turns off Windows Recall. You want that. So BitLocker is best left off, especially on these newer machines. Use VeraCrypt instead if you want.
Microsoft Temptations
Microsoft will taunt you to log in, and once you do, then the TPM will be engaged and the identity of your computer will be revealed. The computer identity is, as I said earlier, known by the public endorsement key, and this is permanent and burned into the chip. Sure, the private key stays hidden, but the public EK alone is enough to fingerprint your hardware forever.
Because of this, once you log into Microsoft with a Microsoft account, the endorsement key, the BitLocker recovery keys, and the backup credentials for Windows Hello will all become part of the Microsoft account. So imagine this. You spent all your time ensuring that you have made no connection between your machine and Microsoft. But when you log into OneDrive or Windows Backup because you didn’t think about it, and then it captures your Microsoft account, once that happens, then reverting back to a local account is meaningless. All the device data related to the TPM, BitLocker, Windows Recall and so on are now once again in the Microsoft realm.
By the way, I don’t believe using Office 365 over a browser is enough to compromise the Microsoft ID. You have to use some feature of the OS itself that uses some non-browser app. But this could be a problem on native Windows apps like Xbox apps or the Microsoft Store, which are in fact tied to the Microsoft account.
How do you switch to a local account in Windows 11?
The easiest way to switch to a local account is to use Windows 11 Pro. I know it’s painful to pay extra, up to $99 to upgrade Windows 11 Home to Windows 11 Pro or $199 for a full Windows 11 Pro version, but this method requires no tricks.
In Windows 11 Pro, a local account is natively supported. You don’t have to do the OOBE bypass or Rufus hacks on Windows Home. And as I said earlier, they will likely support this for the foreseeable future due to the size of the enterprise market. To Microsoft, the Windows Pro market is almost like a separate market group with its enterprise focus.
Step-by-Step Conversion to a Local Account
Let’s assume here that you’ve already installed or upgraded to Windows 11 Home in some way and now got a Windows 11 Pro upgrade, but you’ve already used the Microsoft ID. Or the other possibility is that you already have Windows 11 Pro and you did not know to use a local account and you’ve already used a Microsoft account.
The problem is that if you upgrade to a local account, the machine must never have transmitted the TPM identifiers and BitLocker identifiers to Microsoft. So in these scenarios you can’t just go forward. You have to really start from scratch.
Step number one: obtain a full Windows 11 Pro installation ISO image. You can download Windows 11 Pro 24 25H2, which is the current version, directly from Microsoft. I recommend that you do not get an upgrade to Windows 10, nor should you start with Windows 11 Home and then buy the upgrade. If you do this, you will likely be forced to use a Microsoft account and this whole exercise will fail, or you have to do these Rufus tricks that I’m going to discuss later for advanced users.
I will talk about the options to doing a local account on Windows 11 Home, but just realize that Microsoft is actively removing this workaround so it is not certain to be available in the long run. But there is no indication that Windows 11 Pro will lose the option of a local account as far as I can see. So this is a long term insurance policy. Next, after you download Windows 11 Pro 25H2 and create an installation USB drive, go ahead and find an inexpensive license for this. The retail price of Windows 11 Pro is 199, but there are many legit sources of product keys that are much cheaper.
On Amazon there’s an official one for around 1:46. There are much cheaper ones, like 20 to $40, in the gray market, but make sure the source is reputable, so look for reviews. Now, there’s no particular rush to activate Windows 11 Pro after installation, as it will still work. Just remember to do it at some point.
Step number 2: install Windows 11. Now, using the official ISO image of Windows 11 Pro, install Windows, and when you reach the screen that says “Let’s connect you to a network”, if you have no network (Ethernet unplugged, plus no Wi-Fi selected), click “I don’t have Internet” at the bottom.
If you are connected, just click the same link, or press Shift+F10 and then type ipconfig /release, press Enter, and close the window to kill the connection. The next screen is “How would you like to set up this device?” Now you will see two large options: “Set up for personal use” and “Setup for Work or School”. Choose “Setup for Work or School”. A new screen appears, titled actually the same title, “How would you like to set up this device?” In the lower left corner you will see small blue text, “Sign in Options” or sometimes “More Options”. Click on that “Sign in Options”.
On the next screen, choose “Domain Join” instead, sometimes worded “Offline Account” or “Join a local Active Directory domain”. Click Next and now you’re completely out of the Microsoft account path. The next screen simply says “Who’s going to use the device?” Type your desired local username, type a password, confirm the password, answer the three security questions if that’s offered, and finish the out-of-box experience, or OOBE. That’s it. You now have a 100% local account on Windows 11 Pro with zero Microsoft account ever created or linked.
Step number three: BitLocker. Since this would be a new install, I would imagine that BitLocker will be off.
However, new Copilot Plus PCs, i.e. Snapdragon X Elite, Intel Lunar Lake or AMD Strix Point machines with Windows 11, will have BitLocker enabled by default. In any case, the only issue is to make sure that at this point BitLocker must be turned off. So before you proceed further, disable that in Settings. Just go to Settings and type BitLocker and then you’ll see if it’s enabled or not.
Step number 4: TPM insurance. In order to ensure that your computer doesn’t accidentally send your TPM credentials, meaning the endorsement key, to Microsoft, and to destroy the connection between any old installation on this same computer with your new install, you must reset the TPM.
Microsoft can still theoretically link the hardware fingerprint if that exact machine ever authenticated before, even once, because the factory-burned endorsement key is immutable. However, a reset of the TPM removes all other keys and removes any other connection between the machine and Microsoft. Hopefully, if you follow the steps here, it will appear like the computer has been sold to someone else and it is owned by a different person. To reset the TPM, go to Windows Security, then go to Device Security. What you see here may change, but usually you will see some option related to “Security processor” and after that “Security processor troubleshooting”.
If you click that, there should be an option there to clear the TPM. Click “Clear TPM”, then “Clear and restart”. What will happen now is that the TPM will reset and erase prior credentials in the TPM, so it will not match anything in the Microsoft database other than the endorsement key. Now, if you don’t need to use Windows Hello, you can actually take another step and turn off the TPM itself in the BIOS of the computer. So follow the instructions to enter the BIOS of your computer and look at turning off the security chip, TPM, or whatever wording is used to imply the TPM.
FYI, I run Windows 11 without the TPM, without BitLocker, without Secure Boot and using a local account, and I’ve done everything I’ve discussed here on several new computers, so this is tested to work fine. I prefer turning off the TPM so I don’t have the risk of accidentally sending the TPM endorsement key if I accidentally log in to a Microsoft account.
Windows 11 Pro Already Installed
If your Windows 11 Pro is already installed, for example, this is a new computer, here’s a process to remove the Microsoft account. Unfortunately this is not 100%, in my opinion, because you will find that the Microsoft account will leave remnants in the registry which may show up depending on the Windows service.
So a full reset is my recommendation, from scratch. But as a short-term measure, maybe to push off the reset to another time that you can dedicate the time for it, here’s the solution.
Step one: make sure you are logged in with the current Microsoft account, the one you want to remove. Open Settings, Accounts, Your info. On the right you will see “Sign in with a local account instead”, which is a blue link. Click it. Windows asks “Are you sure?” Next, it will prompt you to re-enter your current Microsoft account password for verification. Type it, then Next.
Now fill in username (whatever you want, can be the same name or new), password (set password), and then hit Next. “Sign out and finish”. Windows immediately signs you out and back in with the new local account.
Step 2: while now logged in as the local account, go back to Settings, Accounts, Email & accounts. Under “Accounts used by other apps”, click the old Microsoft account, Remove, then click on Yes. Then go back to Settings, Accounts, Access work or school. If the old Microsoft account appears here, select it, Disconnect, and then confirm. This is optional but recommended. Go to Start, type netplwiz, Enter. This launches an old wizard that handles credentials.
Select your new local account, hit Properties, make sure Full name and Description have no leftover Microsoft data, and then OK. Well, this is not a perfect solution because some app could still find traces of your Microsoft account on the computer if it searches for it. At least this will leave all the dangerous aspects of Windows 11 off, like interference with Windows Hello and TPM attestation and Windows Recall and Copilot.
Windows 11 Home Installed
If you don’t want to invest in Windows 11 Pro for whatever reason and you already have Windows 11 Home installed, we can come up with alternate ways to disable the Microsoft account.
There are two common ways in the past, but only one is currently still likely to work. The problem with these methods is that Microsoft is constantly trying to break these, so I cannot tell you that these will be long-run solutions. The Windows 11 Pro solution is pretty safe for the long haul and is straightforward, but as of the time of this video, this method still works.
Use Rufus to create a modified bootable USB
Use Rufus to create a modified bootable USB. This is the easiest for fresh installs. Download the official Windows 11 ISO from Microsoft’s site.
Use Rufus, which is a free tool, to make a bootable USB. Select the ISO, then check “Remove requirement for an online Microsoft account” in Rufus’s options. This disables the Microsoft account prompt entirely during OOBE. No commands needed. Boot from the USB, install as usual, and you’ll get a local account option right away. Why does it prevent accidents? There’s no on-screen Microsoft account field to tempt you. It’s bypassed up front. This takes about 10 to 15 minutes extra for the prep. Works offline after you create the USB. As of December 2025, Rufus 4.11 still fully supports the “Remove requirement for an online Microsoft account” checkbox on the official 25H2 ISO.
Final Thoughts
Some of you might think this is overkill to evade the Microsoft account, but as I said, this transfers your information to the cloud. But as a bonus, this is also insurance that the dangerous features of Windows like Windows Recall and Copilot will stop working. Or at the very least it stops sending that traffic to Microsoft or with your specific identity. Which is lucky for us. By the way, if you stick to Windows 10, you can still use a local account as far as I’m aware, and that makes it a lot less complicated. However, many of you will be prevented from using Windows 10 if some apps required.
For example, TurboTax announced that they will only work with Windows 11. So this at least removes the sharp edges of Windows 11 and makes it more palatable for privacy. Not perfect, but at least not the worst. Bottom line, if you value owning your computer instead of renting a cloud terminal from Microsoft, Windows 11 Pro plus local account plus TPM disabled is still the only bulletproof combination in late 2025 and beyond for Windows folks. If you’re serious about privacy, come join us at Braxme. It’s a growing community where real privacy people hang out. No censorship, no nonsense.
While you’re there, check out the tools we actually built and use ourselves. BraxMail: unlimited aliases, no IP leaks. Brax Virtual Phone: real anonymous numbers. BytesVPN: no logs, no big corporate BS. The Google phones and more in the store. The Brax3 Phone second batch is open for pre-order right now at braxstech.net; the first batch sold shortly after release. Big thanks to everyone supporting us on Patreon, Locals and YouTube memberships. You keep this channel alive. See you next time.
See more of Rob Braxman Tech on their Public Channel and the MPN Rob Braxman Tech channel.