For Windows 11 setup, which user account type should you choose? How to decide

When you set up a new Windows PC, you can choose from up to four types of user accounts - but your first choice might not be the right one.
Written by Ed Bott, Senior Contributing Editor

When you set up a Windows PC for the first time, you're required to create a user account that allows you to act as the administrator for that computer. Depending on your Windows edition and network setup, you have a choice of up to four separate account types.

The key phrase there is "up to four account types." Your actual choices might be more limited. You might have only two choices, and even then you might need to jump through some hoops to choose anything other than a Microsoft account. To get started, let's talk about your Windows edition.

Which Windows edition are you running?

On business editions of Windows (Pro, Pro for Workstations, Enterprise, and Education), the Windows Setup program asks you to choose whether you want to set the PC up for personal use or for use on a network managed by your organization, as shown below. If you choose the second option, you can set up the PC using an account that your organization set up for you, but you'll need the help of a network administrator to continue.  

[Screenshot: This choice is only available with Windows Pro, Enterprise, and Education editions.]

On Windows Home edition, the option to set up for an organization isn't available, and you're limited to only the two personal options: a local account or a Microsoft account. The exact same choices are available if you're running a business edition of Windows and choose the "Set up for personal use" option. 

Even that choice isn't easy to exercise, at least not at first. The Setup program is extremely persistent about coaxing you into signing in with a Microsoft account. Current versions of Windows 11, in fact, offer only the option to use a Microsoft account, although you can work around this restriction with some tricks I explain later in this post. You can also install a Microsoft account as the primary account and then add a local account (or remove the connection to the Microsoft account) after you've signed in for the first time.

Let's look at the pros and cons of each account type. Even if your natural instinct is to say no to an account managed by Microsoft, you should consider that option. You might even find that combining two account types is best of all.

Microsoft account

This is Microsoft's free online account for personal use, required for signing into the company's consumer services, including OneDrive, Xbox Live, Skype, and Microsoft 365 Family and Personal subscriptions.

If you have an email account at Outlook.com or Hotmail.com (or, for old-timers, at live.com or msn.com), you already have a Microsoft account. You can also sign up for a new account anytime, choosing a new address at Outlook.com or Hotmail.com or using your own email address.

Signing in to your Windows PC with a Microsoft account offers several distinct benefits:

  • On PCs designed for Windows 10 or Windows 11, signing in with a Microsoft account automatically enables full-disk encryption for the system drive, even on systems running Home edition. Your recovery key is stored in OneDrive, allowing you to access your data if you find yourself locked out. On Pro, Enterprise, and Education editions, you can turn on BitLocker encryption for secondary drives and removable storage devices like flash drives.      
  • Signing in with a Microsoft account stores a record of your successful activation, allowing you to easily restore your activation (no product key required) if you have to reinstall Windows after making significant hardware changes.
  • Windows allows you to back up and sync settings between PCs where you sign in using the same Microsoft account. That includes personalization settings like your desktop background, saved passwords (including Wi-Fi profiles), language and regional settings, and more. (For a full list, see "Windows 10 roaming settings reference.")
  • You can sign in automatically to any Microsoft consumer service using your saved Microsoft account credentials.

One objection I hear regularly to the use of Microsoft accounts involves privacy. However, the amount of data that's tied to a Microsoft account is extremely limited and is mainly associated with subscription services that aren't on unless you choose to use them. What about Windows telemetry data? That's tied to your device and isn't associated with your Windows account. (For more details on how telemetry works, see "Windows 10 telemetry secrets: Where, when, and why Microsoft collects your data.")

The least invasive way to use a Microsoft account is to choose the option to create a new Microsoft account during setup and then use that account exclusively for signing in to Windows while keeping your email, cloud storage, and other services elsewhere. But if you do use a Microsoft account for services such as Microsoft 365 and OneDrive, it makes sense to sign in to Windows using the same account.

Local account

A local account is about as old school as Windows gets. You don't need a network connection or an email address; instead, you create a username (up to 20 characters) and a password, both of which are stored on the PC where you create them. Those credentials grant access only to the device on which you created them.

There's no particular security or privacy advantage to signing in with a local account (indeed, the lack of device encryption is a negative, in my book); but if that's your preference, you can do so when you set up Windows on a new PC.

Windows 11 Home requires you to sign in with a Microsoft account during initial setup. Beginning with version 22H2, so does Windows 11 Pro when you choose the option to set it up for personal use. You can work around this restriction by entering the address [email protected] as your Microsoft account. When you're asked for a password, enter anything. Windows will inform you that the account has been locked because of too many incorrect password attempts (you're not the first person to do this, after all), and you'll be given the option to create a local account instead.

If you've already created a new Windows account that's associated with a Microsoft account, you can easily convert it to a local account. After signing in for the first time, go to Settings > Accounts > Your Info. Under the Account Settings heading, choose "Sign in with a local account instead" and follow the prompts. 

On Windows 10, make sure you're not connected to the internet when you run Setup; then, when you reach the Sign In With Microsoft screen shown here, click the "Continue with limited setup" option in the lower left corner. 

[Screenshot: That option in the lower left corner allows you to set up a local account on a Windows 10 PC.]

After you get past those speed bumps, you can enter your username and password. 

With a Microsoft account, you have multiple options to recover if you forget your password. With local accounts, you've historically had no such option if you forget your password. Setting up a local account requires that you fill in answers to three security questions to help you recover in the event you forget your password.

You can't bypass those questions, nor can you choose alternatives other than the six predefined questions. If you're worried that a thief with a search engine can guess those answers, do as I do and ... be creative. For example, you can answer the three security questions with a three-word passphrase of your own, entered one word at a time. Or, if you'd prefer to bypass the whole feature, just mash the keyboard to create random "answers" that no one (including you) could possibly guess. If you choose either option, don't blame me if you forget your password.

You can switch at will between a local account and a Microsoft account using options in Settings > Accounts > Your info.

Even if you prefer a local account, consider signing in first with a Microsoft account. After you confirm that your system is properly activated and the activation status and encryption recovery key are saved with that Microsoft account, switch back to a local account and go on about your business.

Likewise, if you're fussy about the name of your default user profile folder, consider signing in with a local account first and then attaching your Microsoft account. If you follow that procedure, Windows uses the exact local username you specify as the folder name and retains that name when you switch; if you start with a Microsoft account, your user profile folder name is the first five characters of the portion of your email address to the left of the @ sign.

Active Directory (domain join)

If your company has an enterprise network with a Windows server running as a domain controller, you can join a Windows 10 or Windows 11 PC to the domain. Creating that type of account requires that a domain administrator create an Active Directory account, after which you can sign in using those credentials in the format domain\username (or username@domain, if the domain is associated with a fully qualified domain name).

Ironically, before you can join a PC to a domain and sign in with your Active Directory account, you have to first create a local account.

Microsoft Entra ID (formerly Azure Active Directory)

This is the newest option in the lineup of Windows account types. Like a domain account, an Entra ID account is managed by an organization's administrator, but it doesn't require a local server. Instead, the credentials are managed in Microsoft's Azure cloud.

(A quick note here: Microsoft announced the change of name from Azure Active Directory to Microsoft Entra ID in July 2023, and as is always the case, it takes a long, long time for the change to ripple through every part of the system, which means you will see occasional references to Azure AD in documentation and some management tools. The feature set remains the same, regardless of the name.)

If your organization uses Microsoft 365 or has an Office 365 Business or Enterprise subscription, you already have a Microsoft Entra ID/Azure AD account. As with a Microsoft account, you sign in using an email address as your username (in this case, the address is assigned by your organization and managed by their IT staff); this account type gives you the ability to sync settings across devices where you're signed in with the same account. The big difference is that your access to the device is managed by your organization's administrator, who can apply security settings and restrict some options.

To manage Microsoft Entra ID accounts, administrators use the Microsoft Entra admin center, which also includes the option to synchronize the cloud-based directory with a local domain's Active Directory, an option called Microsoft Entra Connect.

[Screenshot: Entra ID is the new name for what used to be called Azure AD.]

A basic Entra ID account is free, but like all Microsoft enterprise services, upsell options abound. Paying for a premium account (which is included with a Microsoft 365 E3 or E5 subscription) unlocks advanced security features.

And you can mix and match account types on the same device for the sake of flexibility. You might want a local account to handle routine administrative tasks, a Microsoft account for personal use, and an Entra ID account for connecting to your organization's servers. To set up additional accounts after the first one, go to Settings > Accounts > Other users and click "Add account." Creating a local account here is relatively easy compared to the initial account setup process.

One final note: By default, the new account will be a Standard user with limited permissions. To make the additional account a local administrator, you'll need to change the account type after creating the account.
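
When several account types share one PC, it helps to see which accounts exist and which of them hold administrator rights. The PowerShell below is an added example, not part of the original article; it assumes an elevated Windows PowerShell 5.1 (or later) session with the built-in LocalAccounts module.

```powershell
# Added example: inventory the accounts on this PC by type and role.
# Assumes Windows PowerShell 5.1+ and an elevated session.

# Members of the built-in Administrators group, addressed by its well-known
# SID so the script also works on non-English installations.
$admins    = @(Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop)
$adminSids = @($admins | ForEach-Object { $_.SID.Value })

# Accounts stored on this PC. PrincipalSource reads 'Local' for a classic
# local account and 'MicrosoftAccount' for one linked to a Microsoft account.
$onDevice = @(Get-LocalUser | Where-Object { $_.Enabled } | ForEach-Object {
    $role = 'Standard'
    if ($adminSids -contains $_.SID.Value) { $role = 'Administrator' }
    [pscustomobject]@{
        Name        = $_.Name
        AccountType = [string]$_.PrincipalSource
        Role        = $role
        LastLogon   = $_.LastLogon
    }
})

# Domain and Entra ID users are not stored on the PC, so they show up here
# only through group membership. This lists the ones with administrator rights.
$directory = @($admins |
    Where-Object {
        $_.ObjectClass -eq 'User' -and
        [string]$_.PrincipalSource -in 'ActiveDirectory', 'AzureAD'
    } |
    ForEach-Object {
        [pscustomobject]@{
            Name        = $_.Name
            AccountType = [string]$_.PrincipalSource
            Role        = 'Administrator'
            LastLogon   = $null
        }
    })

# One table, administrators first, so unexpected admin accounts stand out.
$onDevice + $directory |
    Sort-Object Role, AccountType, Name |
    Format-Table -AutoSize
```

Any account listed as Administrator that you use for everyday work is a candidate for switching to Standard, with a separate local account kept for administrative tasks.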

This article was originally published on July 23, 2019. It has been updated multiple times since then, and it was last updated on September 2, 2024. 
