When Microsoft first introduced the concept of the “Microsoft” account alongside online services like the Microsoft Store, it was fairly clear they wanted to capture some of the same revenue that Apple had from their closed ecosystem inside iTunes and their App Store. Later, the use of a Microsoft account became a requirement for setting up any Home version of Windows. This requirement adds an extra attack vector to every single Home version of Windows, as it is now connected to a service (now services) that is not all that hard to compromise. Microsoft also split accounts into personal and “work or school”; this was allegedly to differentiate the services that you get from Microsoft when you connect.
If you were not comfortable with having your system connected into the Microsoft cloud, you could opt to spend a little more on getting a Professional version of the operating system or upgrade your Home version for about $100. Doing that meant you were free from the requirement of being tethered to Microsoft. You could create a completely local account without any need to be connected to the internet or to the Mothership. Of course, for larger groups you have Windows Enterprise, which has a much higher cost and more robust features.
Now Microsoft is taking that option away. In current preview builds of Windows 11 there is no option to create a non-connected account. You either need to be connected into the Microsoft cloud via a work or school account (MS365) or connected into the Microsoft cloud via a personal Microsoft account. It is pretty clearly spelled out in the change log for the latest preview build:
“Similar to Windows 11 Home edition, Windows 11 Pro edition now requires internet connectivity during the initial device setup (OOBE) only. If you choose to setup device for personal use, MSA will be required for setup as well. You can expect Microsoft Account to be required in subsequent WIP flights.”
The move will put a lot of systems at risk of compromise, including MS365 small business users and organizations that have BYOD policies. Everybody knows that attackers look to compromise user accounts at the cloud level, so forcing people to have this level of connectivity leaves them very open to attack. This requirement also does nothing to address the ability to attach multiple Microsoft accounts to Windows for use in different services. Having watched a targeted attack that used a Microsoft account injection onto a Windows Pro system for data collection and extraction, I find that this move raises serious security concerns.
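As an added, defender-side example (not from the original post): a PowerShell audit that lists every local account with the source that backs it, flags Microsoft-account-backed users that hold Administrators membership, and shows the device's join state for work or school accounts. It assumes Windows 10/11 with the built-in Microsoft.PowerShell.LocalAccounts module and an elevated prompt.

```powershell
# Added audit script (assumption: Windows 10/11, elevated PowerShell).
# Goal: make an unexpected Microsoft-account-backed user, especially one in the
# Administrators group, stand out when reviewing a Pro/Home system.

# SIDs of every Administrators member; matching on SID avoids the differing
# name formats used for local vs. MicrosoftAccount principals.
$adminSids = (Get-LocalGroupMember -Group 'Administrators').SID.Value

$accounts = Get-LocalUser | ForEach-Object {
    [PSCustomObject]@{
        Name      = $_.Name
        # PrincipalSource is one of: Local, MicrosoftAccount, AzureAD, ActiveDirectory
        Source    = $_.PrincipalSource
        Enabled   = $_.Enabled
        IsAdmin   = $adminSids -contains $_.SID.Value
        LastLogon = $_.LastLogon
    }
}

"== All local accounts by source =="
$accounts | Sort-Object Source, Name | Format-Table -AutoSize

"== Microsoft-account-backed administrators (review each one) =="
$flagged = $accounts | Where-Object { $_.Source -eq 'MicrosoftAccount' -and $_.IsAdmin }
if ($flagged) { $flagged | Format-Table -AutoSize } else { "none found" }

# Device/user join state for work or school accounts (Azure AD / domain / workplace join).
"== Join state (dsregcmd) =="
dsregcmd /status | Select-String -Pattern 'AzureAdJoined|DomainJoined|WorkplaceJoined'
```

Run it periodically or as part of onboarding a BYOD device; an account appearing under MicrosoftAccount that nobody on the team recognises is the condition worth investigating.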
Currently the move is not expected to prevent connecting into an MS365 environment with a work or school account during setup. It will just prevent the use of a local account for setup and configuration of the operating system. I would expect to see some significant backlash over this, as forcing people to use one type of Microsoft account or another is not going to go over well with Microsoft users. Personally, it makes me wonder if this means that Microsoft may get rid of the Pro version and just combine the functionality down into Home; I hope this is not the case, though.