Stop using admin for everything and take back control of your machine
Why Microsoft Sets You Up Wrong
The Microsoft Account Push
Microsoft wants you logged into their cloud because:
- Telemetry - They can tie your activity to an identity
- OneDrive - Your files sync to their servers by default
- Microsoft 365 - Easier upsell when you are already signed in
- Account recovery - Sounds helpful, but it means they control access to your machine
- Advertising ID - Personalized ads across devices
The Admin Problem
When you set up Windows, your account is an administrator. This means:
- Any program you run has full system access
- Malware does not need to "elevate" if you are already elevated
- A bad link in an email can install software without extra prompts
- Ransomware runs with your permissions and encrypts everything you can access
The fix is simple: create a separate admin account for system changes, and demote your daily account to Standard User. This is how Linux and macOS work by default, and it is significantly safer.
Step 1: Create a Separate Admin Account
- Open Settings > Accounts > Other users
- Click Add account
- Click I don't have this person's sign-in information
- Click Add a user without a Microsoft account
- Enter a username
Naming tips:
- Do not use "Admin" or "Administrator" (too obvious, easy target)
- Pick something you will remember but is not guessable
- Examples: Your initials + a number, a nickname, a reference only you would get
- Avoid your name, pet names, birthdays, or anything on your social media
- Create a strong password (use your password manager)
- Fill in the security questions (required, unfortunately)
- Click Next
Make It an Administrator
- Back in Other users, click on the new account
- Click Change account type
- Select Administrator
- Click OK
Step 2: Convert Your Microsoft Account to Local
If you are currently using a Microsoft account, convert it to local before demoting.
Sign Out of Microsoft Account
- Press Win + I to open Settings
- Go to Accounts > Your info
- Click Sign in with a local account instead
- Enter your current Microsoft account password
- Create a local username and password
- Click Next, then Sign out and finish
You will be logged out. Log back in with your new local credentials.
What you lose:
- OneDrive sync (you can still use OneDrive, just sign in separately)
- Settings sync across devices
- Microsoft Store purchases tied to your account (you can sign into the Store app separately)
What you keep:
- All your files
- All your installed programs
- Your desktop, documents, everything
Step 3: Demote Your Daily Account to Standard User
Now for the important part. Log out of your daily account and log into the admin account you created.
Log In as Admin
- Click Start > your profile icon > Sign out
- On the login screen, select the admin account
- Enter the password
Demote Your Main Account
- Press Win + I to open Settings
- Go to Accounts > Other users
- Find your main account (the one you normally use)
- Click on it, then Change account type
- Change from Administrator to Standard User
- Click OK
Log back into your regular account. You are now running as a standard user.
What Changes Day-to-Day
Installing Software
Before: Double-click installer, click Yes on UAC, done.
Now: Double-click installer, enter admin password, done.
That is it. One extra step. But that step makes you think about what you are installing.
System Settings
Some settings require admin rights:
- Adding/removing programs
- Changing network settings
- Windows Update (can still run automatically)
- Installing drivers
When you try to change these, you will enter the admin password. Everything else works normally.
What Does Not Change
- Browsing the web
- Office documents
- Most applications
- Playing games (already installed)
- Watching videos
- File management
90% of what you do does not need admin rights. You will not notice the difference most of the time.
Real-World Attacks This Stops
Drive-by Downloads
You visit a compromised website. It tries to download and run malware. As a standard user, the malware cannot install system-wide. It is contained to your user profile at worst, and usually fails entirely.
Malicious Email Links
You click a link in a phishing email. It downloads a fake "invoice.exe". You accidentally run it. As a standard user, it asks for admin credentials. You do not have them handy. You stop and think. You do not get infected.
Bundled Installers
You download a free program. The installer tries to add toolbars, change your homepage, install "bonus" software. As a standard user, all those system changes fail.
Ransomware
Ransomware encrypts your files. As an admin, it can encrypt everything, including system files and backups. As a standard user, it can only touch files you own. Still bad, but recoverable. And many ransomware variants fail entirely without admin rights.
Fresh Install Tip: Skip the Microsoft Account
If you are setting up a new Windows 11 machine, you can skip the Microsoft account entirely during setup.
The Network Trick
When Windows asks you to connect to a network during setup:
- Press Shift + F10 to open Command Prompt
- Type:
oobe\bypassnro - Press Enter
The machine restarts. When you get back to the network screen, there is now an option: I don't have internet. Click it, then Continue with limited setup.
You will create a local account from the start. No Microsoft account needed.
Microsoft keeps trying to close these workarounds. If this does not work on your version of Windows 11, they may have patched it out in a recent update. Search for current methods if this fails, or set up with Microsoft and convert to local afterward using the steps above.
TL;DR
- Microsoft accounts tie you to their cloud and tracking
- Local accounts keep your login on your machine only
- Admin by default means any program you run has full control
- Standard user means you enter a password for system changes
- Create a separate admin account, then demote your daily account
- This is how Linux and macOS work, and it is safer