When you set up a new Windows 10 PC, you have a choice of four types of user accounts, from the old-school local account to the newest, Azure Active Directory. Here’s how to make the right choice.
When you set up a Windows 10 PC for the first time, you’re required to create a user account that will serve as the administrator for the device. Depending on your Windows edition and network setup, you have a choice of up to four separate account types.
On business editions (Pro, Pro for Workstations, Enterprise, and Education), the Windows Setup program asks you to choose whether you want to set the PC up for personal use or for use on a network managed by your organization, as shown below. If you choose the second option, you can set up the PC using an account in your Windows Active Directory domain or you can sign in using an Azure Active Directory account, such as the one associated with an Office 365 Business or Enterprise subscription.
On Windows 10 Home, that choice isn’t available, and you’re limited to the two personal options: a local account or a Microsoft account.
The Setup program is extremely persistent about trying to coax you into signing in with a Microsoft account. If you’re equally persistent, you can choose a local account instead. But is that the right choice?
In this post, I’ll explain the pros and cons of each account type and explain why your best option might be a combination of two account types.
MICROSOFT ACCOUNT
This is Microsoft’s free online account for personal use, required for signing in to the company’s consumer services, including OneDrive, Xbox Live, Skype, and Office 365 Home and Personal subscriptions, among others.
If you have an email account at Outlook.com or Hotmail.com (or, for old-timers, at live.com or msn.com), you already have a Microsoft account. You can also sign up for a new account anytime, choosing a new address at Outlook.com or using your own email address.
Signing in to your Windows 10 PC with a Microsoft account offers several distinct benefits:
- Windows 10 allows you to sync settings between PCs where you sign in using the same Microsoft account. That includes personalization settings like your desktop background, saved passwords (including Wi-Fi profiles), language and regional settings, preferences for Edge and Internet Explorer, and more. (For a full list, see “Windows 10 roaming settings reference.”)
- You can sign in automatically to any Microsoft consumer service using your saved Microsoft Account credentials.
- You can sync data and settings for preinstalled Windows apps (Mail and Calendar, for example) and easily restore apps you download from the Store.
- On PCs that meet Microsoft’s hardware requirements for device encryption (a TPM and UEFI Secure Boot, among others), signing in with a Microsoft account automatically turns on encryption of the system drive, even on Home edition, and saves the recovery key to your Microsoft account. If you turn on BitLocker (Pro, Enterprise, and Education editions), you can likewise save the recovery key to your Microsoft account, where you can retrieve it at account.microsoft.com/devices/recoverykey if you find yourself locked out. The flip side is that anyone who controls that Microsoft account can retrieve the key too, so protect the account with a strong password and two-step verification.
- Signing in with a Microsoft account stores a record of your successful activation, allowing you to easily restore your activation if you have to reinstall Windows.
Note that Windows telemetry data is tied to your device and isn’t associated with a Microsoft account.
And, of course, you can create a Microsoft account and use it exclusively for signing in to Windows while keeping your email, cloud storage, and other services elsewhere. But if you do use a Microsoft account for services such as Office 365 and OneDrive, it makes sense to sign in to Windows using the same account.
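Before relying on the “my recovery key is in my Microsoft account” safety net, it is worth confirming on the PC itself that the system drive is actually protected and that a recovery-password protector exists; the ID it prints is what you match against the keys listed in your Microsoft account. The script below is an added example, not code from the article; it uses the BitLocker WMI provider (assumed to be present wherever device encryption or BitLocker is available, Home edition included) and needs an elevated PowerShell session.

```powershell
# Added example, not from the article. Reports the system drive's encryption
# state and lists recovery-password key protectors via the BitLocker WMI
# provider. Assumption: the root/cimv2/Security/MicrosoftVolumeEncryption
# namespace exists on this edition; run elevated.
$ns  = 'root/cimv2/Security/MicrosoftVolumeEncryption'
$vol = Get-CimInstance -Namespace $ns -ClassName Win32_EncryptableVolume |
    Where-Object { $_.DriveLetter -eq $env:SystemDrive }
if (-not $vol) { throw "No encryptable volume found for $env:SystemDrive" }

# ProtectionStatus: 0 = off (key protectors disabled or none), 1 = on, 2 = unknown
$prot = (Invoke-CimMethod -InputObject $vol -MethodName GetProtectionStatus).ProtectionStatus

# ConversionStatus: 0 = fully decrypted, 1 = fully encrypted,
# 2 = encryption in progress, 3 = decryption in progress
$conv = Invoke-CimMethod -InputObject $vol -MethodName GetConversionStatus

# KeyProtectorType 3 = numerical (recovery) password
$ids = (Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectors `
        -Arguments @{ KeyProtectorType = [uint32]3 }).VolumeKeyProtectorID

[pscustomobject]@{
    Drive              = $vol.DriveLetter
    ProtectionOn       = ($prot -eq 1)
    ConversionStatus   = $conv.ConversionStatus
    PercentEncrypted   = $conv.EncryptionPercentage
    RecoveryProtectors = @($ids).Count
    RecoveryKeyIds     = @($ids)
}
```

A drive that is fully encrypted but shows ProtectionOn = False is a common trap: encryption has finished, but the protectors are suspended or none exist, so the data is effectively unprotected until you turn protection on. Zero recovery protectors means there is nothing for your Microsoft account to have backed up.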
LOCAL ACCOUNT
A local account is about as old school as Windows gets. You don’t need a network connection or an email address; instead, you create a username (up to 20 characters) and a password, both of which are stored on the PC where you create them and grant access only to that device.
After you get past Setup’s repeated prompts to use a Microsoft account instead, you can enter your username and password. With a Microsoft account, you have multiple options to recover if you forget your password. With local accounts, you’ve historically had no such option. Beginning with version 1803, setting up a local account on Windows 10 requires that you fill in answers to three security questions, to help you recover in the event you forget your password.
You can’t bypass those questions, nor can you choose alternatives other than the six predefined questions. Keep in mind that the answers are a second way into the account: anyone who can answer them at the sign-in screen can reset your password, so treat them as a second password rather than as trivia a thief with a search engine could look up. Do as I do and … be creative. For example, you can answer the three security questions with a three-word passphrase of your own, entered one word at a time. Or, if you’d prefer to bypass the whole feature, just mash the keyboard to create random “answers” that no one (including you) could possibly guess. If you choose either option, don’t blame me if you forget your password.
You can switch at will between a local account and a Microsoft account, using options in Settings > Accounts > Your Info.
Even if you prefer a local account, consider signing in first with a Microsoft account. After you confirm that your system is properly activated and the activation status is recorded with that Microsoft account, switch back to a local account and go on about your business.
Likewise, if you’re fussy about the name of your default user profile folder, consider signing in with a local account first, and then attach your Microsoft account. If you follow that procedure, Windows uses the exact local username you specify as the folder name and retains that name when you switch; if you start with a Microsoft account, your user profile folder name is the first five characters of the portion of your email address to the left of the @ sign.
ACTIVE DIRECTORY (DOMAIN JOIN)
On an enterprise network with a Windows server running as a domain controller, you can join a Windows 10 PC to the domain. Signing in that way requires that a domain administrator first create an Active Directory account for you, after which you sign in using credentials in the format domain\username (or the user principal name format, username@domain, if the domain is associated with a fully qualified domain name).
Ironically, before you can join a PC to a domain and sign in with your Active Directory account, you have to first create a local account.
AZURE ACTIVE DIRECTORY
This is the newest option in the lineup of Windows account types. Like a domain account, an Azure AD account is managed by an organization’s administrator, but it doesn’t require a local server. Instead, the credentials are managed in Microsoft’s Azure cloud.
If your organization uses Microsoft 365 or has an Office 365 Business or Enterprise subscription, you have an Azure AD account. It behaves similarly to a Microsoft account, including the ability to sync settings across devices where you’re signed in with the same account (a feature called Enterprise State Roaming, which requires an Azure AD Premium license). The big difference is that your access to the device is managed by your organization’s administrator, who can apply security settings and restrict some options.
To manage Azure AD accounts, administrators use the Azure AD admin center. A separate tool, Azure AD Connect, runs on a server in the local network and synchronizes accounts from an on-premises Active Directory domain with the cloud directory.
A basic Azure AD account is free, but like all Microsoft enterprise services, upsell options abound. Azure AD Premium P1 (included with Enterprise Mobility + Security E3) unlocks advanced security features such as Conditional Access, and Premium P2 (included with EMS E5) adds Identity Protection on top of that.
And you can mix and match account types on the same device for the sake of flexibility. You might want a local account to handle routine administrative tasks, a Microsoft account for personal use, and an Azure AD account for connecting to your organization’s servers. (To set up additional accounts after the first one, use Settings > Accounts > Family & Other Users > Add Someone Else To This PC). Just choose the right account when you first sign in to a new session.
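Once you have mixed account types on one PC, the question becomes which of them actually holds administrative rights and how the device itself is joined. The script below is an added example, not code from the article; it inventories every account in the local SAM with its source (Local, MicrosoftAccount, ActiveDirectory or AzureAD), checks membership in the local Administrators group, reads the domain and Azure AD join state from dsregcmd, and warns about any cloud-backed everyday account that is also a local administrator. It assumes Windows 10 version 1607 or later (for the PrincipalSource property) and an elevated PowerShell session.

```powershell
# Added example, not code from the article. Inventories configured sign-in
# options and flags cloud-backed accounts that hold local admin rights.
# Assumptions: Windows 10 1607+ (PrincipalSource on Get-LocalUser), elevated session.

# Local Administrators membership by SID, which survives account renames.
$adminSids = try {
    @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop).SID.Value
} catch {
    # Get-LocalGroupMember can fail when the group holds orphaned or Azure AD
    # SIDs; fall back to the WinNT ADSI provider and read objectSid directly.
    ([ADSI]'WinNT://./Administrators,group').psbase.Invoke('Members') | ForEach-Object {
        $bytes = $_.GetType().InvokeMember('objectSid', 'GetProperty', $null, $_, $null)
        (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
    }
}

# Every account in the local SAM. A Microsoft account still gets a local SID;
# PrincipalSource is what distinguishes it from a plain local account.
$accounts = Get-LocalUser | ForEach-Object {
    [pscustomobject]@{
        Name      = $_.Name
        Source    = $_.PrincipalSource
        Enabled   = $_.Enabled
        IsAdmin   = $adminSids -contains $_.SID.Value
        LastLogon = $_.LastLogon
    }
}
$accounts | Format-Table -AutoSize

# Device join state, parsed from the "Key : Value" lines of dsregcmd /status.
$state = [ordered]@{}
dsregcmd /status | ForEach-Object {
    if ($_ -match '^\s*(AzureAdJoined|DomainJoined|DomainName|TenantName|WorkplaceJoined)\s*:\s*(.+?)\s*$') {
        $state[$Matches[1]] = $Matches[2]
    }
}
[pscustomobject]$state

# The combination the article argues against: an everyday, cloud-backed
# account (Microsoft account or Azure AD) that is also a local administrator.
$accounts | Where-Object { $_.Enabled -and $_.IsAdmin -and $_.Source -ne 'Local' } | ForEach-Object {
    Write-Warning "$($_.Name) signs in with $($_.Source) credentials and is a local administrator"
}
```

The first account created during Setup is always an administrator, so after you add a second account for daily use, demote the everyday one with Remove-LocalGroupMember -Group Administrators -Member <name> (or from Settings > Accounts > Family & Other Users) and keep the local account for the administrative work.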
There’s no particular security or privacy advantage to signing in with a local account (indeed the lack of device encryption is a negative, in my book); but if that’s your preference, you can do so when you first set up Windows 10 on a new PC. When you reach the Sign In With Microsoft screen shown here, click the “Offline Account” option in the lower left corner; then click “No” on the Sign In With Microsoft Instead screen, which appears next.