Removing BypassNRO is shortsighted
I support small businesses that are large enough, or have software requirements that result in them having an on-premises file server, but for various reasons do NOT use Microsoft 365 or Entra.
Our process for these businesses is to take any hardware purchased or turned in during turnover and start with a fresh repartitioning, format, and operating system load of Win 11 Pro. These steps all take place offline. Then we disable automatic updates and put this known-clean system on a designated VLAN, load OEM drivers, an initial set of pre-downloaded Microsoft updates, and install our RMM application. Then we use the RMM to finish the updates, log system inventory, etc.
It then goes back on the shelf until needed, at which time I join it to the domain. All of the preceding steps take place at a location that is inaccessible to the domain controller; in fact, we often don't even know to which site or domain the machine will eventually be deployed. Of the machines whose destination we DO know, we usually have no idea who the end user will be. It may be a new hire or be used to exchange existing equipment.
At no time during this process is a Microsoft account wanted or needed. If a user is using Microsoft 365, THEN a Microsoft account can be added.
Given these changes, what will be the "Microsoft recommended and supported" method of preparing these machines?