Channel: Active questions tagged windows - Super User

Security risks in using ‘no@thankyou.com’ to bypass Microsoft account login during Windows 11 installation [duplicate]


One of the recommended methods for bypassing Microsoft account login during the Windows 11 OOBE is to attempt to log in using a locked account (no@thankyou.com being the most commonly recommended account to use). This causes an error on the server side that would then allow Windows to be installed using a local account.

In various discussions on this general topic, there have been security concerns raised about using a locked account tied to the owner of a domain such as ‘thankyou.com’ (which in this case happens to be Citibank).

As suggested in a comment in this question, could the domain owner be granted privileges remotely over an OS installed this way? Is there some facility in the backend of Microsoft’s servers that would allow for an attack vector like this?

Edit 1/5/2024:

I appreciate the feedback to date, but I'm already aware of the other methods with which to set up a local account during the OOBE. In fact, the first link above connects to a superuser question asking, "How can I setup Windows 11 22H2 with a local account?", covering this topic.

The latter is a different query and not a duplicate of what I'm asking here.

My question is whether there are security risks if one would (for various reasons) prefer to use the 'locked account' method over the other methods that have already been discussed.

