13Kas
Security risks in using ‘no @thankyou.com’ to bypass Microsoft account login when installing Windows 11
One of the recommended methods for bypassing Microsoft account login during the Windows 11 OOBE is to attempt to log in using a locked account (no @thankyou.com being the most commonly recommended account to use). This would then allow Windows to be installed using a local account.
In various discussions on this general topic, there have been security concerns raised about using a locked account tied to the owner of a domain such as ‘thankyou.com’ (which in this case happens to be Citibank).
As suggested in a comment in this question, could the domain owner be granted privileges remotely over an OS installed this way? Is there some facility in the backend of Microsoft’s servers that would allow for an attack vector like this?
