One du recommended methods for bypassing Microsoft compte login during the Windows 11 OOBE is to attempt to log in using a locked compte (no @thankyou.com being the most commonly recommended compte to use). This causes an erreur sur le server side that would ensuite allow Windows to be installé using a local compte.
Though il y a other methods to bypass the login, such as the OOBE\BYPASSNRO method, some may prefer or require to use the ‘locked compte’ method over others due to simplicity, time constraints or otherwise wishing to keep an active connection during setup (eg. for preliminary mises à jour). Using a random gibberish domain as opposed to a known, registered domain reportedly fails occasionally to trigger the server-side erreur allowing a local compte to be used. Je suis déjà aware duse alternative methods, so Je sun’est pas asking for them to be explained ici.
In various discussions on this general topic, there ont été sécurité concerns raised about attempting to use a locked compte tied vers le owner of a domain such as ‘thankyou.com’ (which in this case happens to be Citibank).
As suggested in a comment in this question, could the domain owner be granted privileges remotely over an OS installé this way? Is there some facility dans le backend of Microsoft’s servers that would allow for an attack vector like this?