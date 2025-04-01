
Microsoft makes new attempt to block bypassnro in beta Win 11 build.

TL;DR: for now it isn't the end of the world, as it is in a beta build and just an added step of editing the registry is required to utilize OOBE for now in said beta build for now.

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE /v BypassNRO /t REG_DWORD /d 1 /f
shutdown /r /t 0
https://www.theverge.com/news/638967/microsoft-windows-11-account-internet-bypass-blocked


Microsoft is no longer playing around when it comes to requiring every Windows 11 device be set up with an internet-connected account. In its latest Windows 11 Insider Preview, the company says it will take out a well-known bypass script that let end users skip the requirement of connecting to the internet and logging in with a Microsoft account to get through the initialization process of a new PC.
As reported by Windows Central, Microsoft already requires users to connect to the internet, but there’s a way to bypass it: the bypassnro command. For those setting up computers for businesses or secondary users, or simply, on principle refuse to link their computer to a Microsoft account, the command is super simple to activate during the Windows setup process.
Microsoft cites security as one reason it’s making this change:
We’re removing the bypassnro.cmd script from the build to enhance security and user experience of Windows 11. This change ensures that all users exit setup with internet connectivity and a Microsoft Account.
As a possible alternative, I saw this command online - haven't actually had the chance to try it:

Bash: 
start ms-cxh:localonly

The article I read it from suggested that it could be used right at setup in the same manner as "OOBE\BypassNRO". Seems easier to remember than the registry modification, but like I said - I haven't had a chance to verify it works.

Source was this (yeah, I know it's real click-baity when they say "Microsoft HATES this one trick!"):
https://www.notebookcheck.net/Windo...ther-local-account-bypass-trick.990319.0.html

EDIT: This was the only definition of the command I could find online. Apparently the applet is configuring the "Microsoft Cloud Experience Host":
https://www.hexacorn.com/blog/2022/01/16/ms-cxh-and-ms-cxh-full-handlers/
 
What I don't get about this is, as an Admin in a business, I can't have a MS login that early in the install process. I need to keep a local and add it to AD, and when we fully transition to Intune/Entra ID, add it to that. What is my process going to look like if all these hacks go away? I don't understand why MS has to make this hard on professionals.
 
This is just sad now. It's like watching a pick-up artist run out of cheesy lines and resort to pleading. "But... please can I have all your data? PLEASE??"
 
OFaceSIG said:
What I don't get about this is, as an Admin in a business, I can't have a MS login that early in the install process. I need to keep a local and add it to AD, and when we fully transition to Intune/Entra ID, add it to that. What is my process going to look like if all these hacks go away? I don't understand why MS has to make this hard on professionals.
Not sure how this would affect IT admins that use AD or Intune.

As long as the OS is Pro version (which is required for AD or Intune) you get asked if it's a business account or personal account before logging in. So you just log in as a business account and it either enrolls the system into Intune or adds the system to AD.
 
actually the "start ms-cxh:localonly" command looks pretty good, better than bypassnro anyway.
 
atarione said:
actually the "start ms-cxh:localonly" command looks pretty good, better than bypassnro anyway.
I still can't get shift+f10 to open a command prompt on home but only plebs should be running home anyways...
both methods still work on the current installer though, this is just for the newest insider build.
 
If this holds true, there goes my side job of selling used laptops in my retirement. I buy used laptops and install them with a local account only, but tell the buyers that they can easily set up a MS account if they need it. What is funny is of all the used laptops I've sold, not one person wants a MS account.
 
My thing is that I have no problem signing into my MS account for the windows store for game stuff like Xbox app for Bedrock Minecraft with the kids, Gamepass when I subbed and so on. I just don't like signing into my own hardware with it for the OS. As long as the local acct methods work I'll just keep doing that for Win11 installs.

But of course I have an iPhone and that Apple ID…
 
pendragon1 said:
I still can't get shift+f10 to open a command prompt on home but only plebs should be running home anyways...
Worst case scenario, you can just install Windows 10 Home and then upgrade to Windows 11 Home. Local account will be retained.
 
GotNoRice said:
Worst case scenario, you can just install Windows 10 Home and then upgrade to Windows 11 Home. Local account will be retained.
Will this work with Pro? I'm currently updating all my Win10 laptops to Win11 either Home or Pro.
 
German Muscle said:
I just keep using the version of the iso before they took it away.
Make sure you're not connected to any networks when you install Windows, as the OOBE is downloaded on the fly. Old installer or not, you could very well still end up with a disabled bypassnro.
 
Vermillion said:
Not sure how this would affect IT admins that use AD or Intune.

As long as the OS is Pro version (which is required for AD or Intune) you get asked if it's a business account or personal account before logging in. So you just log in as a business account and it either enrolls the system into Intune or adds the system to AD.
Then I have to learn about how to administer admins in the back end. I know there's a new function for that but I haven't had time to play with it yet. We always create a local admin first. I guess that's a bit traditional.
 
How is the bypassnro method different than installing with MS account and then logging out and making the machine an offline local account only?
 
philfromMPC said:
How is the bypassnro method different than installing with MS account and then logging out and making the machine an offline local account only?
So you don't have to log into an account to begin with.
 
philfromMPC said:
How is the bypassnro method different than installing with MS account and then logging out and making the machine an offline local account only?
What do you mean how is it different? You're not logging into an account at all with bypassnro. I have recently made a dummy account to log into to create a local account if Microsoft officially removes this script, but this is still an annoying workaround.
 
OFaceSIG said:
Then I have to learn about how to administer admins in the back end. I know there's a new function for that but I haven't had time to play with it yet. We always create a local admin first. I guess that's a bit traditional.
That hasn't been necessary in many years. I stopped making local accounts first back with Windows 7. 7 Pro asked if you wanted to add to a domain or not upon initial login. Scripts and GPO did the rest like adding a local admin account for emergency use.

With Intune when you log in as the business account as long as the user is assigned to the proper Intune group the computer pulls the configs and is ready to go. You can make use of the MS Company Portal app as well for approved application installs upon initial login. For example I could order a laptop from Dell. Throw in a one page sheet of instructions and ship it to the user without having to even touch the computer. They followed the instructions (they were very simple) and the system was properly enrolled and applications like Office and Adobe Reader would auto install. If the OS version was too low, based on a setting in Intune, the system would proceed to update itself as well. If the user needed some other software like Adobe Pro they could install that through the Company Portal app as well.

Intune also has a nice reset feature. No more having to blow away a computer and re-image. You just get the laptop back, make sure it's on an Internet connection, run the reset command in the Intune Management Console and just wait. The system would reset itself so it would act like a brand new install and be ready for the next user.
 
Vermillion said:
With Intune when you log in as the business account as long as the user is assigned to the proper Intune group the computer pulls the configs and is ready to go. You can make use of the MS Company Portal app as well for approved application installs upon initial login. For example I could order a laptop from Dell. Throw in a one page sheet of instructions and ship it to the user without having to even touch the computer. They followed the instructions (they were very simple) and the system was properly enrolled and applications like Office and Adobe Reader would auto install. If the OS version was too low, based on a setting in Intune, the system would proceed to update itself as well. If the user needed some other software like Adobe Pro they could install that through the Company Portal app as well.

Intune also has a nice reset feature. No more having to blow away a computer and re-image. You just get the laptop back, make sure it's on an Internet connection, run the reset command in the Intune Management Console and just wait. The system would reset itself so it would act like a brand new install and be ready for the next user.
Yup, we're in the process of going all Intune and it's quite simple, once set up.
The reset is nice, no more reloads between users.
 
Vermillion said:
That hasn't been necessary in many years. I stopped making local accounts first back with Windows 7. 7 Pro asked if you wanted to add to a domain or not upon initial login. Scripts and GPO did the rest like adding a local admin account for emergency use.

With Intune when you log in as the business account as long as the user is assigned to the proper Intune group the computer pulls the configs and is ready to go. You can make use of the MS Company Portal app as well for approved application installs upon initial login. For example I could order a laptop from Dell. Throw in a one page sheet of instructions and ship it to the user without having to even touch the computer. They followed the instructions (they were very simple) and the system was properly enrolled and applications like Office and Adobe Reader would auto install. If the OS version was too low, based on a setting in Intune, the system would proceed to update itself as well. If the user needed some other software like Adobe Pro they could install that through the Company Portal app as well.

Intune also has a nice reset feature. No more having to blow away a computer and re-image. You just get the laptop back, make sure it's on an Internet connection, run the reset command in the Intune Management Console and just wait. The system would reset itself so it would act like a brand new install and be ready for the next user.
Damn bro, sounds like you've been at the Intune thing for a while. Would love to be able to pick your brain if needed. I don't know if you're open to that. Appreciate the bits of info you've already given.
 
OFaceSIG said:
Damn bro, sounds like you've been at the Intune thing for a while. Would love to be able to pick your brain if needed. I don't know if you're open to that. Appreciate the bits of info you've already given.
I was on the forefront of it for a while. I no longer do admin work though as I've moved into pure security/NIST compliance type stuff and it's been a number of years since I last used Intune so I imagine some things have changed pretty drastically since then.

I was far happier with Intune though than I ever was with straight AD back in the day.
 
pendragon1 said:
MS is still working on stopping workarounds (in home and pro), and the new beta stops the "localonly" trick. Here's a new way.
From command prompt:

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE /v BypassNRO /t REG_DWORD /d 1 /f

shutdown /r /t 0

This will allow the "I don't have internet" option to appear and you can create a local account again.
