Windows 11 Offline Account
Using ms-cxh:localonly to bypass Microsoft account requirement during Windows 11 setup
What is OOBE?
OOBE (Out-of-Box Experience) is Microsoft's term for the initial setup process that runs when you first start a new Windows computer or after a clean installation.
OOBE Includes:
- Language and Region: Setting system locale
- Network Connection: Connecting to Wi-Fi or Ethernet
- Account Setup: Microsoft account or local account creation
- Privacy Settings: Telemetry and data collection preferences
- Security Questions: Account recovery options
OOBE Characteristics:
- Runs before the desktop loads
- Requires completion to access Windows
- Configures core system settings
- Establishes user accounts and permissions
- Sets up Windows Update and Microsoft services
What is ms-cxh:localonly?
The ms-cxh:localonly command is a built-in Windows protocol handler that forces the Connection Flow Handler into offline mode, bypassing Microsoft account requirements during the OOBE process.
Why Use This Method?
- Official Method: Uses built-in Windows functionality
- Reliable: Works consistently across Windows 11 versions
- Clean: Triggers the legacy local account wizard
- Supportable: Doesn't modify system files
Best For:
- Security research and penetration testing labs
- Corporate imaging and deployment scenarios
- Educational environments requiring offline operation
- Privacy-focused installations
Complete Step-by-Step Process
- Pause at Network Setup:
Stop when OOBE requests Wi-Fi connection or Microsoft account sign-in. Keep the device offline to ensure the bypass works properly.
- Launch Elevated Command Prompt:
Press Shift + F10 during OOBE. This opens cmd.exe running under SYSTEM privileges with access to internal provisioning commands.
- Execute the Local-Only Command:
Type
start ms-cxh:localonlyand press Enter. This triggers the Connection Flow Handler to enter offline mode. - Close Command Prompt:
Close the terminal window and wait for the interface to refresh and show the local account setup option.
- Select Limited Setup:
Click "Continue with limited setup" when the option appears on the screen.
- Create Local Administrator:
Define your local admin username, password, and complete the required security questions.
- Stay Offline Until Desktop:
Keep network cables unplugged and skip Wi-Fi until you reach the desktop to prevent OOBE from re-enabling Microsoft account requirements.
Command Reference
The Magic Command:
start ms-cxh:localonlyExecute from OOBE command prompt (Shift + F10)
How ms-cxh:localonly Works
Technical Details:
- Protocol Handler:
ms-cxhis a registered Windows protocol for Connection Experience Handler - Local-Only Parameter: Forces the handler into offline mode, bypassing cloud authentication
- OOBE Integration: Triggers the legacy local account creation wizard that's still present in Windows 11
- System-Level Access: Works because OOBE command prompt runs with SYSTEM privileges
Process Flow:
Troubleshooting ms-cxh:localonly
| Issue | Solution |
|---|---|
| "Unknown protocol" error | Ensure you typed start ms-cxh:localonly exactly with the colon. The URI scheme is case-sensitive. |
| Command has no effect | Make sure all network adapters are disconnected (Ethernet and Wi-Fi) before running the command. |
| Still shows Microsoft account requirement | Close the command prompt after running the command and wait 10-15 seconds for the interface to refresh. |
| Limited setup option not appearing | Try running the command multiple times, or restart OOBE by rebooting the system while keeping network disconnected. |
| Command prompt won't open | Ensure you're pressing Shift + F10 during the OOBE screens, not after Windows has fully loaded. |
When to Use ms-cxh:localonly
Ideal Scenarios:
- Security Labs: Isolated testing environments
- Enterprise Imaging: Creating golden images before domain join
- Privacy Requirements: No cloud data synchronization needed
- Incident Response: Workstations requiring local-only credentials
- Educational Labs: Classroom environments with restricted internet
- Air-Gapped Systems: High-security environments without internet access
Important Considerations
Keep in Mind:
- Network Isolation: Keep the system offline during entire OOBE process
- Timing: Execute command during network setup phase for best results
- Enterprise Policies: Some corporate builds may override this method after domain join
- Updates: Microsoft may modify this behavior in future Windows versions
- Documentation: Record the process for compliance and audit purposes
- Testing: Always test in your specific environment before deployment
Post-Setup Security Hardening
After successfully creating your local account, consider these security measures:
Registry Tweaks:
# Disable Microsoft account prompts permanently
reg add "HKLMSOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystem" /v "NoConnectedUser" /t REG_DWORD /d 3 /f
# Disable consumer experiences
reg add "HKLMSOFTWAREPoliciesMicrosoftWindowsCloudContent" /v "DisableWindowsConsumerFeatures" /t REG_DWORD /d 1 /fPowerShell Security:
# Disable telemetry services
Set-Service -Name "DiagTrack" -StartupType Disabled
Set-Service -Name "dmwappushservice" -StartupType Disabled
# Configure privacy settings
Set-ItemProperty -Path "HKLM:SOFTWAREMicrosoftWindowsCurrentVersionPoliciesDataCollection" -Name "AllowTelemetry" -Value 0Key Takeaways
Remember:
- ✅
start ms-cxh:localonlyis the official method - ✅ Execute during OOBE network setup phase
- ✅ Keep system completely offline during setup
- ✅ Use Shift + F10 to access command prompt
- ✅ Wait for interface refresh after command execution
Best Practices:
- 🔧 Document the process for your organization
- 📋 Test in your specific environment first
- 🛡️ Apply security hardening post-installation
- 📊 Verify compliance with enterprise policies
- 🔄 Stay updated on Windows 11 changes affecting this method