Windows 11 Clean Installation

Perform a clean install of Windows 11 in lab environments and create a local account without a Microsoft login by using the ms-cxh:localonly enrollment flow.

Why Perform a Clean Install?

Clean installations wipe the target drive and deploy a fresh copy of Windows 11. This is the preferred approach for lab machines, refurbished hardware, or systems that previously belonged to another organization.

  • Removes unwanted vendor bloatware and legacy domain policies.
  • Ensures BitLocker, Secure Boot, and TPM features are configured from a known baseline.
  • Eliminates user profiles that may contain malware, credential residue, or telemetry settings you do not control.
  • Makes it easier to capture a master image for future redeployment.

Prepare Installation Media

  1. Download the Windows 11 ISO directly from Microsoft.
  2. Use Rufus or the Media Creation Tool to write the ISO to a USB drive (8 GB minimum).
  3. Select the Standard Windows installation (TPM + Secure Boot) option unless your lab hardware lacks those features.

Tip: When Rufus prompts for account preferences, you can disable the Microsoft account requirement there as well, but the Shift + F10 technique works on any official installer.

BIOS & Boot Checklist

  • Verify Secure Boot and TPM 2.0 are enabled (required for default Windows 11 policy).
  • Set boot mode to UEFI and disable Legacy/CSM unless the hardware forces it.
  • Reorder boot priority so the USB media loads first for this session.

After saving BIOS changes, insert the USB media and reboot into the Windows Setup wizard.

Installation Workflow

  1. At the region and language selection screens choose your locale and continue.
  2. Select Install now, then choose I do not have a product key if you will activate later.
  3. Accept the license agreement and pick Custom: Install Windows only (advanced).
  4. Delete every existing partition on the target disk and highlight the unallocated space. Windows Setup will create the required GPT partitions automatically.
  5. Allow the installation to copy files and reboot. Do not remove the USB until Setup transitions into the Out-Of-Box Experience (OOBE) wizard.

Bypass Microsoft Account Requirement

Recent Windows 11 builds attempt to force a Microsoft cloud account during OOBE, even on the Home edition. In security labs we often need an offline administrator profile to disconnect machines from telemetry or to build golden images. The hidden ms-cxh:localonly flow restores the local account dialog.

Use Responsibly: Only apply this bypass on systems you manage. Enterprise-joined builds may have policy requirements that still enforce Microsoft Entra ID logins after first boot.

Step-by-Step Offline Account Setup

  1. When the OOBE wizard reaches the network selection page, press Shift + F10 to open Command Prompt.
  2. Run the following command to trigger the local account workflow:
    start ms-cxh:localonly
  3. The command launches the Connection Flow Handler, which is the same component Microsoft uses for region-specific device experiences. The localonly flag bypasses the cloud sign-in page and exposes the "Sign in options" link.
  4. Close the command window. Back in OOBE, choose Continue with limited setup and create your local administrator credentials.

Behind the scenes the URI scheme calls an internal API that resets the provisioning flow to an offline mode. Because it is processed by the same shell that enforces network requirements, it survives future updates while remaining fully supported.

If the system reconnects to the internet before you create the account, Windows may revert to demanding a Microsoft login. Keep the Ethernet unplugged and skip Wi-Fi until the desktop loads.

Post-Install Hardening

  • Set a strong local Administrator password and create a separate standard user for daily tasks.
  • Turn on BitLocker with a recovery key stored in your secure vault.
  • Apply all Windows Updates, then capture a system image for rapid rollbacks.
  • Install baseline tooling: Windows Admin Center, security agents, and PowerShell modules used in your lab.
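
Before capturing the image, the checklist above can be verified with a read-only script. This is an added example, not part of the original guide. It assumes an elevated PowerShell session on an edition that ships the BitLocker cmdlets, and the PASS/FAIL labels and result names are this example's own.

```powershell
# Added example: read-only baseline check to run before capturing the image.
# Assumes an elevated session and an edition with the BitLocker module.
#Requires -RunAsAdministrator

$results = [ordered]@{}

# Secure Boot: Confirm-SecureBootUEFI throws on Legacy/CSM (non-UEFI) boots,
# so an exception is treated as "not enabled".
try   { $results['SecureBoot'] = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
catch { $results['SecureBoot'] = $false }

# TPM: present and ready, so BitLocker can seal its key to it.
$tpm = Get-Tpm
$results['TpmReady'] = $tpm.TpmPresent -and $tpm.TpmReady

# BitLocker: OS volume protected, and a recovery password protector exists
# (that protector is the value to store in the vault).
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
$results['BitLockerOn'] = $os.ProtectionStatus -eq 'On'
$results['RecoveryKeyPresent'] = [bool]($os.KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword')

# Accounts: every enabled user should be local, not a Microsoft account.
$enabled = Get-LocalUser | Where-Object Enabled
$results['OnlyLocalAccounts'] = -not ($enabled |
    Where-Object PrincipalSource -ne 'Local')

# Daily-use account: at least one enabled user outside Administrators.
# S-1-5-32-544 is the well-known SID of BUILTIN\Administrators, which
# avoids depending on the localized group name.
$adminSids = (Get-LocalGroupMember -SID 'S-1-5-32-544').SID.Value
$results['StandardUserExists'] = [bool]($enabled |
    Where-Object { $_.SID.Value -notin $adminSids })

# Report each check and return a non-zero exit code if any failed.
$results.GetEnumerator() | ForEach-Object {
    '{0,-20} {1}' -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' })
}
if ($results.Values -contains $false) { exit 1 }
```

Save it as a script file and run it from the elevated session; a non-zero exit code means at least one item in the baseline still needs attention before the image is captured.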

Troubleshooting Tips

  • If the ms-cxh:localonly URI does not launch, check that you typed it exactly and that the command prompt is running as SYSTEM (the default in OOBE).
  • For builds prior to 22H2 you can also run OOBE\BYPASSNRO; both commands trigger offline setup.
  • Disconnect the network entirely if the wizard continues to loop back to Microsoft account creation.
  • When imaging multiple devices, create an unattended XML that configures the Microsoft-Windows-Shell-Setup component for LocalAccount creation to avoid manual steps.