Created
August 15, 2025 19:28
Set Your Windows Account To local; unlink Microsoft account.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
# --- Unlink Microsoft account from a local profile (safe if some keys don't exist) ---

# 0) Optional restore point (no error if disabled).
#    Best effort only: the empty catch hides any terminating error, so the
#    script gives no indication of whether a restore point was created.
#    Check the restore point list yourself before relying on it for rollback.
$restorePointArgs = @{
    Description      = 'Before_unlink_MSA'
    RestorePointType = 'MODIFY_SETTINGS'
}
try {
    Checkpoint-Computer @restorePointArgs
}
catch {
    # Deliberately ignored: the restore point is optional.
}
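# 1) Backup what exists
#    Each key that is present is exported to a .reg file on the Desktop.
#    The exports are copies of the per-user identity keys that step 2 deletes,
#    so treat them as sensitive (they may hold account identifiers and cached
#    sign-in data): keep them off shared or synced folders and delete them once
#    you no longer need a rollback.
$keysToBackup = @(
    'Software\Microsoft\IdentityCRL',
    'Software\Microsoft\Windows\CurrentVersion\AADTokenBroker'
)
foreach ($subKey in $keysToBackup) {
    if (-not (Test-Path "HKCU:\$subKey")) { continue }

    $leaf       = Split-Path $subKey -Leaf
    $backupFile = "$env:USERPROFILE\Desktop\${leaf}_Backup.reg"
    reg export "HKCU\$subKey" $backupFile /y | Out-Null

    # reg.exe reports failure through its exit code only. Stop here rather than
    # let the later steps delete keys for which no backup was written (for
    # example when the Desktop folder is not at this path).
    if ($LASTEXITCODE -ne 0) {
        throw "Backup of HKCU\$subKey to '$backupFile' failed (reg export exit code $LASTEXITCODE); aborting before any key is removed."
    }
}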
# 2) Remove the user-scoped identity links (this is what shows your email as “linked for apps”)
#    Only HKCU keys are touched, so this affects the current user's profile.
#    Remove-Item -Recurse -Force deletes each key with everything beneath it
#    and does not prompt; the .reg exports from step 1 are the only way back.
$identityKeys = @(
    'HKCU:\Software\Microsoft\IdentityCRL\StoredIdentities',
    'HKCU:\Software\Microsoft\IdentityCRL\Profiles',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\AADTokenBroker\Accounts',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\AADTokenBroker\LogonCache',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\AADTokenBroker\TokenBinding',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\AADTokenBroker\WebAuthN'
)
foreach ($keyPath in $identityKeys) {
    # Keys that do not exist on this machine are skipped silently.
    if (-not (Test-Path $keyPath)) { continue }
    Remove-Item -Path $keyPath -Recurse -Force
}
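# 3) Clear any saved MicrosoftAccount/Passport credentials (Credential Manager)
#    cmdkey is called directly instead of through `cmd /c` with a formatted
#    command string: a stored target name is data, and passing it as a single
#    argument keeps cmd.exe from interpreting characters such as & or | in it.
#    @(...) forces an array so that -match filters lines even when cmdkey
#    prints only one.
#    NOTE(review): the 'Target:' label is matched literally; on a non-English
#    Windows the label may differ, in which case nothing is deleted and no
#    message is shown - confirm with `cmdkey /list` afterwards.
$targets = @(cmdkey /list) -match 'Target:' -replace '^\s*Target:\s*', ''
$targets |
    Where-Object { $_ -like 'MicrosoftAccount:*' -or $_ -like 'Passport:*' -or $_ -like 'SSO_POP_Device*' } |
    ForEach-Object { cmdkey "/delete:$_" | Out-Null }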
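# 4) Optional: block Windows from (re)linking MS accounts (set to 1; use 3 to block sign-in entirely)
#    This writes under HKLM, so the policy applies to the whole machine, not
#    only to the current user.
#
#    The elevation check uses the WindowsBuiltInRole enum. Passing the string
#    'Administrator' selects the string overload of IsInRole, which looks up a
#    principal with that name instead of testing membership of the built-in
#    Administrators group, so an elevated session under an ordinary admin
#    account could be reported as not elevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal] $identity
$admin     = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if ($admin) {
    $pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    # Create the key only when it is missing. New-Item -Force on an existing
    # registry key can replace the key and drop the values already stored in
    # it, and this key normally also holds other system policy values.
    if (-not (Test-Path $pol)) {
        New-Item -Path $pol -Force | Out-Null
    }
    # -Force here only overwrites the NoConnectedUser value if it already exists.
    New-ItemProperty -Path $pol -Name 'NoConnectedUser' -PropertyType DWord -Value 1 -Force | Out-Null
} else {
    Write-Warning "Not elevated: skipping NoConnectedUser policy. Re-run elevated if you want to enforce it."
}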
# 5) (If you were joined to work/school, leave. Safe to run; it just fails harmlessly if not joined.)
#    NOTE(review): on a device that IS joined to a work/school tenant this
#    removes the join, which also ends whatever management or access depended
#    on it - confirm the machine is not organisation-managed before running.
#    The try/catch only covers terminating PowerShell errors; a non-zero exit
#    code from dsregcmd is not an exception and is not checked, and standard
#    output is discarded.
try {
    $null = dsregcmd /leave
}
catch {
    # Ignored on purpose: this step is best effort.
}
# 6) Sign out to flush the session
#    /l logs the current user off without asking for confirmation; save any
#    open work before running the script.
shutdown.exe /l
Author
If you ever want to allow linking again, set: