When you set up a Windows PC for the first time, you need to create a user account that will act as an administrator for the device. Depending on your edition of Windows and your network configuration, you will have the choice between four distinct types of accounts.
On professional editions (Pro, Pro for Workstations, Enterprise, and Education), the Windows installer asks you to choose whether you want to set up the PC for personal use or for use on a network managed by your organization. If you choose the second option, you can set up the PC using an account in your Windows Active Directory domain or you can sign in using an Azure Active Directory account, such as one associated with an Office 365 Business or Enterprise subscription.
This choice is only available with Windows 10 Pro or Enterprise.
On the Windows 10 Home edition, this choice is not available, and you are limited to only personal options: a local account or a Microsoft account. The installer keeps trying to convince you to sign in with a Microsoft account. Windows 11 Home Edition only gives you the Microsoft account option, but you can add a local account (or remove the Microsoft account login) after your first login.
Here I explain the pros and cons of each account type and why your best option might be a combination of two account types.
Microsoft account
This is Microsoft’s free online account for personal use, needed to sign in to the company’s consumer services, including OneDrive, Xbox Live, Skype, and Microsoft 365 (formerly Office 365) Home and Personal subscriptions, among others.
If you have an email account on Outlook.com or Hotmail.com (or, for older accounts, live.com or msn.com), you already have a Microsoft account. You can also create a new account at any time, by choosing a new address on Outlook.com or by using your own email address.
Signing in to your Windows 10 or Windows 11 PC with a Microsoft account has several benefits:
- On PCs built for Windows 10 or Windows 11, signing in with a Microsoft account automatically enables full system disk encryption, even on systems running the Home Edition. If you turn on BitLocker encryption (Pro and Enterprise editions only), your recovery key is stored in OneDrive, allowing you to recover your data if you get locked out.
- Signing in with a Microsoft account stores a record of your successful activation, allowing you to easily restore your activation (no product key required) if you ever need to reinstall Windows.
- Windows lets you sync settings between PCs you sign in to using the same Microsoft account. This includes personalization settings such as wallpaper, saved passwords (including Wi-Fi profiles), language and regional settings, etc. (For a complete list, see “Windows 10 roaming settings reference.”)
- You can automatically sign in to any Microsoft consumer service using your saved Microsoft account credentials.
- You can sync data and settings from preinstalled Windows apps (Mail and Calendar, for example) and easily restore apps you download from the Microsoft Store.
Note that Windows telemetry is tied to your device and not associated with a Microsoft account.
Of course, you can create a Microsoft account and use it exclusively to sign in to Windows, while keeping your email, online storage, and other services elsewhere. But if you use a Microsoft account for services like Office 365 and OneDrive, it makes sense to sign into Windows using the same account.
Local account for Windows
The local account is the oldest account type Windows has. You don’t need a network connection or an email address; instead, you create a username (up to 20 characters) and password, both of which are stored on the PC where you create them and only grant access to that device.
There’s no particular security or privacy benefit to logging in with a local account (in fact, the lack of device encryption is a negative, in my opinion); but if that’s your preference, you can do it when first installing Windows 10 (all editions) or Windows 11 Pro on a new PC.
Windows 11 Home requires you to sign in with a Microsoft account during initial setup. You can do this by creating a brand new Microsoft account; then, after logging in for the first time, go to Settings > Accounts > Your info. Under Account settings, choose the option to sign in with a local account and follow the instructions.
In Windows 10, when you reach the “Sign in with Microsoft” screen, click the Offline account option in the lower left corner; then click No on the “Sign in with Microsoft” screen that appears next.
This option in the lower left corner allows you to set up a local account.
After passing these hurdles, you can enter your username and password.
With a Microsoft account, you have several recovery options if you forget your password. With local accounts, you historically didn’t have those options. On Windows 10, setting up a local account requires you to fill in answers to three security questions, to help you recover your password if you forget it.
You cannot bypass these questions, nor can you choose alternatives other than the six predefined questions. If you’re worried that a thief with a search engine might guess these answers, do as I do and… be creative. For example, you can answer all three security questions with a three-word passphrase of your choice, entered word by word. Or, if you’d rather bypass the feature, just tap randomly on the keyboard to create “answers” that no one (including you) can guess. If you choose either option, don’t blame me if you forget your password.
You can switch between a local account and a Microsoft account at will, using the options in Settings > Accounts > Your info.
Even if you prefer a local account, remember to sign in with a Microsoft account first. After confirming that your system is successfully activated and the activation status is saved with this Microsoft account, switch back to a local account and continue with your activities.
Also, if you’re picky about the name of your default user profile folder, consider logging in with a local account first and then connecting your Microsoft account. If you follow this procedure, Windows uses the exact local user name you specify as the folder name and retains that name when you switch accounts. If you start with a Microsoft account, your user profile folder name is the first five characters of the part of your email address to the left of the @ sign.
Active Directory (domain join)
On a corporate network with a Windows server running as a domain controller, you can join a Windows 10 or Windows 11 PC to the domain. To create this type of account, a domain administrator must create an Active Directory account, after which you can log in using credentials in the format domain\username (or username@domain, if the domain is associated with a fully qualified domain name).
Ironically, before you can join a PC to a domain and log in with your Active Directory account, you must first create a local account.
Azure Active Directory
This is the newest option in the range of Windows account types. Like a domain account, an Azure AD account is managed by an organization’s administrator, but it doesn’t require a local server. Instead, credentials are managed in Microsoft’s Azure cloud.
If your organization uses Microsoft 365 or has an Office 365 Business or Enterprise subscription, you have an Azure AD account. It behaves similarly to a Microsoft account, with the ability to sync settings between devices where you’re signed in with the same account. The big difference is that your access to the device is managed by your organization’s administrator, who can apply security settings and restrict certain options.
To manage Azure AD accounts, administrators use the Azure AD admin center, which also includes the ability to sync the cloud-based directory with an on-premises domain’s Active Directory, an option called Azure AD Connect.
Administrators can manage Azure AD from this portal.
A basic Azure AD account is free, but as with all Microsoft enterprise services, expansion options abound. Paying for Azure AD Premium (included in an Enterprise Mobility and Security E5 subscription) unlocks advanced security features.
And you can mix account types on the same device for more flexibility. You may need a local account to handle routine administrative tasks, a Microsoft account for personal use, and an Azure AD account to connect to your company’s servers. (To set up additional accounts after the first, use Settings > Accounts > Family > Other users > Add someone else to this PC). Just choose the right account when you first log in to a new session.
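To see which of these account types are actually present on a PC, who holds administrator rights, and whether the drive is encrypted, an administrator can run a read-only inventory like the following. This is an added example, not part of the original article; it assumes an elevated Windows PowerShell session, and the last step assumes the BitLocker cmdlets are installed.

```powershell
# Added example: inventory of account types and disk encryption on this PC.
# Run from an elevated Windows PowerShell prompt. Nothing here changes state.

# 1. Device join state: on-premises domain and/or Azure AD.
#    (Domain holds the workgroup name when the PC is not domain-joined.)
$cs    = Get-CimInstance -ClassName Win32_ComputerSystem
$dsreg = dsregcmd.exe /status | Out-String
[pscustomobject]@{
    DomainJoined  = $cs.PartOfDomain
    Domain        = $cs.Domain
    AzureAdJoined = $dsreg -match 'AzureAdJoined\s*:\s*YES'
} | Format-List

# 2. Accounts stored on this PC. PrincipalSource tells a plain local
#    account apart from one connected to a Microsoft account.
Get-LocalUser |
    Select-Object Name, Enabled, PrincipalSource, LastLogon |
    Format-Table -AutoSize

# 3. Members of the built-in Administrators group (well-known SID),
#    whatever their account type.
Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize

# 4. Every account that has signed in and owns a profile folder.
#    Azure AD account SIDs start with S-1-12-1.
Get-CimInstance -ClassName Win32_UserProfile |
    Where-Object { -not $_.Special } |
    ForEach-Object {
        [pscustomobject]@{
            ProfilePath = $_.LocalPath
            Sid         = $_.SID
            IsAzureAd   = $_.SID -like 'S-1-12-1-*'
            LastUsed    = $_.LastUseTime
        }
    } | Format-Table -AutoSize

# 5. Encryption state of each volume and the protector types in place
#    (a RecoveryPassword protector is the recovery key discussed earlier).
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    Get-BitLockerVolume |
        Select-Object MountPoint, VolumeStatus, ProtectionStatus,
            @{ Name = 'Protectors'
               Expression = { $_.KeyProtector.KeyProtectorType -join ', ' } } |
        Format-Table -AutoSize
}
```

A volume that reports protection off, or that lists no RecoveryPassword protector, is worth following up before relying on the recovery path described in the Microsoft account section.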
Source: ZDNet.com