A local account is a Windows 11 sign-in account that exists only on the PC on which it is created. Microsoft sometimes refers to this type of account as an offline account because it can be created even when the PC is offline: When you initially sign in to Windows 11 with a Microsoft account or Work or school account, you must be online so that you can authenticate your user credentials with Microsoft or your organization.
There are good reasons to sign in to Windows 11 using a Microsoft account or Microsoft Work or school account--security and convenience key among them--and, of course, Microsoft makes it very difficult to do otherwise. But it's still possible to use Windows 11 with a local account if you prefer that configuration for some reason.
To be clear, we recommend that most people do not sign in to Windows 11 with a local account as you will have a better--and safer--overall experience using a Microsoft account. But more sophisticated users who know what they're doing can use a local account securely. And doing so can eliminate some of the bad behaviors we see in Windows 11, in particular the silent, forced usage of OneDrive Folder backup.
If you prefer using a local account, this chapter can help you do so using the more secure possible configuration.
What changes when you use a local account
For the most part, a local account looks and behaves much like a Microsoft account. But there are some key differences.
These include:
No password required. You are not required to protect a local account with even a simple password, though doing so is obviously insecure. This is a particularly serious problem if you give the local account administrative capabilities, as a thief could access content in other Microsoft accounts or work or school accounts configured on that PC. We strongly recommend configuring a password, at which point you can use a Windows Hello PIN or facial or fingerprint recognition for an even more secure experience.
No two-step verification. Where your Microsoft account (or Work or school account) can be--and should be--protected with two-factor authentication (2FA), which makes your account and the personal data it protects more secure, a local account is not (and cannot be).
No device encryption by default. When you sign in to Windows 11 with a Microsoft account, the PC's storage is automatically protected with device encryption, a full-disk encryption solution that helps protect the documents and other data it contains from being stolen or otherwise accessed by others. To date, Microsoft has not offered this functionality to those who sign in to Windows 11 with a local account.
That changed in Windows 11 version 24H2, though there are additional steps to take to enable this critical feature. We discuss how to enable device encryption after signing in with a local account later in this chapter.
If you are using Windows 11 Pro with a local account, any account type can enable BitLocker drive encr...