I had the misfortune of setting up a Windows 11 machine and being confronted with creating a mandatory Microsoft account. I can’t concisely explain why being forced to create an account bothers me so much, but generally when a vendor tries this hard to get you to do something, it’s not for a user-friendly reason.
Anyways, after a bit of searching I found that Rufus is able to create a Windows 11 boot image that can bypass the account setup requirement; but for various reasons I just wanted to modify the OEM configuration.
After poking through the Rufus source code for a bit, I found the pointy end of the stick, applied the patch, and it worked.
Here’s my notes on how I did it — mostly so I have it someplace where I won’t lose it, but also maybe because someone else might find it useful. NB: Microsoft seems to have been paying attention and hardening their setup process against work-arounds to account setup, so the shelf life of this post might not be so long.
Assuming you have a brand new machine with a Windows 11 OEM pre-install, and you have not yet turned it on:
- On first boot, go to BIOS settings and turn off the TPM (and backdoors like Intel AMT, Absolute Persistence module, etc.), and allow third party OS boot. On my machine (a Lenovo laptop) this caused the screen to go black for quite a while on reboot as it undid the Bitlocker encryption on the pre-installed Windows volume. Decrypting the Windows volume is necessary for the next steps.
- Grab an Ubuntu install image, put it on a USB drive, and boot the Ubuntu image using the “Try Ubuntu” selection.
- Mount the C: volume (probably the biggest partition on the NVME drive). You may have to run ntfsfix on the volume first to make it writeable.
- Edit the file at …/Windows/panther/unattend.xml and insert some XML (exact incantation shown below).
- Unmount the volume and reboot.
- When the first dialog box appears during setup, hit Shift + F10 and type OOBE\BYPASSNRO into the command prompt shell that appears. This will disable the internet connection requirement, and force a reboot of the machine to restart the setup process.
- When you get to “Let’s connect you to a network” there should be an option now that says “I don’t have Internet”; click that, and the system should proceed to setup a local-only account.
During setup, I connected to the Internet using a wired Ethernet line, so I could easily cut the internet by pulling the cable out if things went wrong and I had to try again (if you do set up by wifi, it’s a bit more complicated to cut internet). In my trials I did end up connecting a couple times and allowing the system to update, and that didn’t impact my ability to pull off the procedure in the end.
The specific commands I used within Ubuntu to access the unattended installer manifest were:
sudo su ntfsfix /dev/nvme0n1p3 mount /dev/nvme0n1p3 /mnt nano /mnt/Windows/panther/unattend.xml
But the exact path to the Windows partition will probably be different depending on your OEM and hardware configuration. The right partition is probably the biggest partition, so you can use fdisk to inspect your disk and guess the exact path for your machine.
The XML I injected was this snippet:
<RunSynchronousCommand wcm:action="add"> <Order>1</Order> <Path>reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\OOBE /v BypassNRO /t REG_DWORD /d 1 /f</Path> </RunSynchronousCommand>
Stick it in the first “settings” block, just after the “component” block. So overall, the top of the unattended.xml file on my machine ends up looking like this:
<?xml version='1.0' encoding='utf-8'?> <unattend xmlns="urn:schemas-microsoft-com:unattend"> <settings pass="specialize"> <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="xxxxxxxxxxxxxxxx" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <OEMName>Lenovo</OEMName> <OEMInformation> <Logo>c:\windows\system32\oemlogo.bmp</Logo> <Manufacturer>Lenovo</Manufacturer> <HelpCustomized>true</HelpCustomized> <RecycleURL>https://www.lenovo.com/recycling</RecycleURL> <TradeInURL>https://www.lenovo.com/trade-in-program</TradeInURL> </OEMInformation> </component> <RunSynchronousCommand wcm:action="add"> <Order>1</Order> <Path>reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\OOBE /v BypassNRO /t REG_DWORD /d 1 /f</Path> </RunSynchronousCommand> </settings> .... more settings blocks below ....
It’s not exactly a fast or convenient procedure, but unfortunately the “just unplug network during setup” hack that populates the front couple pages of Google searches on the topic was patched. Anyways, I always disable a bunch of the security theater/DRM and back doors installed by OEMs (in addition to running an overnight RAM test, hence the need to allow third-party/unsigned OS boot), so this was only incrementally more effort on top of what I was already going to do.
I have not tested this with Windows 11 yet, but when the Microsoft account requirement was added in Windows 10 one way to bypass it was to use a mail address that is linked to a permanently locked account and some random password. security@ worked for this.
Err, make that “security@[some random microsoft freemail domain]”
You can bypass it in the standard installation. You have to press Shift+F10 and you will get a command window. You can then type the command rufus uses:
oobe/bypassnro
After that windows will restart and after the reboot the option create a classic machine user account will be enabled.
Hmm, you might be right that maybe the ‘oobe/bypassnro’ is actually the only part of the whole procedure that mattered. I had started by working my backward through Rufus source code and then came across that command to make the “I don’t have Internet” option appear. I seem to remember trying some variant of that and getting the “upside-down ice cream cone” graphic with an “oops something went wrong” forcing me to reboot and try again, but that was on an earlier iteration of the system config. If someone else is trying this from scratch, might be worth just trying the Shift-F10 + ‘oobe/bypassnro’ combo first before going through the whole Ubuntu boot thing. On the other hand, it was a good check that the default Bitlocker encryption was actually undone.
According to Intel, the method described earlier by ‘jolfu’ is all that is required.
They have a support article for installing Windows 11 on a host computer without a network driver available that provides the details –> https://www.intel.com/content/www/us/en/support/articles/000092599/intel-nuc.html
The Shift-F10 trick doesn’t seem to work any more, at least with the Home Edition, there’s a brief busy-cursor and then nothing. To bypass with home edition, enter your user name as “no@thankyou.com” and any password, it’ll tell you the account is locked and allow you to continue with a local account.
Surprisingly entertaining read, like a spy thriller written by the sysadmin.
If you use Windows 10 and accidentally enable the account sign in option, hope that you don’t use a proxy to get online. It won’t tell you anything about needing Internet on the next sign in and you’ll be completely locked out of your computer. Even if you boot up into the recovery console and mess around with renaming stuff in System32 to pop a SYSTEM command prompt, re-enable the admin account, and use the ‘net’ command to set the proxy server directly… you’ll be disappointed to disappointed to realize that this doesn’t work either. If you’re stuck in this situation, the easiest thing to do is delete the online account and create a local account manually again.
[…] 详情参考 […]
it’s easy. disconnect from network during installation.
Think you missed to read this passage?
>>
It’s not exactly a fast or convenient procedure, but unfortunately the “just unplug network during setup” hack that populates the front couple pages of Google searches on the topic was patched.
<<
Could someone create a captivating YouTube video explaining the inner workings of electronic devices? I’m particularly interested in the intricate details of how these devices function.
If I understand you are trying to keep the pre-installed Windows OS image that Lenovo put on the machine, otherwise you would just have used Rufus to make a bootable disk and installed from scratch. You skipped over the reason why, but it would be really interesting to know.
The combination Shift-F10 + ‘oobe/bypassnro’ is sufficient. I have used it several times to configure pre-installed win11 on client laptops.
Many moons ago the company I worked for had a few projects that were classified and the computer systems inside could not be connected to the internet for security reasons. Even way back then I remember those folks complaining about the headaches of any OS changes because anything had to be brought in on physical media.
I would imagine there are cases where customers need to operate their computers without any connectivity, not just because they don’t feel like it (and there’s nothing wrong with that, either). Companies operating sensitive infrastructure – certain portions of nuclear power plants come to mind. Has Microsoft just entirely given up on that niche market?
The example I mentioned was in the 90s, and most of those computers were Unix workstations which did most of the work. There was one or two Windows machines, mostly used for report writing. Today you could comfortable run a whole isolated company without any Windows machines. (BTW these computers could talk to each other, just not leave the room to the outside world).
I’ve seen e-passport gates at one airport flash up virus scanning dialogues while people were trying to use them. Where do we even begin to discuss the “thinking” behind that kind of infrastructure deployment?
Well, to be fair, one could perform virus scanning as a matter of course on a completely isolated network. Just in case. That doesn’t necessarily mean that computer was online. But in all likelihood it was.
Thank you for sharing this. I ran into the same problem recently and I was able to not add an account but I did have to add a pin# to get around it.
Instead use the Microsoft account: no@thankyou.com with virtually any password value and you will be allowed to carry on with local accounts.
I’m not a Windows person at all, but recently had the opportunity to get my old work laptop for personal use. Optionally, as part of the wipe/reinstall, one could get Windows 11.
During early setup I had already entered the wifi credentials when I remembered, whoops! So I went back, deleted the wifi info and proceeded with “I don’t have internet”. And sure enough it let me create a local account. It has yet to know about the Microsoft account I do have, and works fine (judging from the amount of updating and device driver installing it did post-install) , or rather did until I swapped a different SSD in and installed Fedora. Dual boot on EFI sounds scary.
[…] Bypassing Windows 11 Account Setup […]
I noticed on a laptop sometimes Shift f10 has no effect. I attached a USB keyboard and then clicked Shift f10 and it worked.
Try doing Fn-Shift-F10; one of my customers had this issue and it helped
A lot of new laptops have disturbingly awkward keybaord layouts. Fn-shifting for what used to be dedicated keys is particularly common. And laptops haven’t gotten any smaller, yet 20 years ago you could easily find one with a full standard PC layout. I blame the penny-pinchers.