Account configuration

[pathei-kosmos]

Hi!
Which account configuration do you recommend?
If I understand correctly: one Administrator account to install things, one normal user account for daily use, both with Windows Hello? And you have to run the script on both? Or is using just one Administrator account enough?
It might be a good idea to add your recommendations about this in the Readme.

[HotCakeX]

Hi, good question!
Either Microsoft account or AAD/Entra ID

Home users have MSA and that's enough, but real security is when there is no local admin and identities are managed using Entra ID. It can allow for multi-factor unlock, so you can enforce PIN + Face or PIN + Fingerprint to unlock Windows, top security stuff.

All accounts should be connected to Microsoft accounts online, be password-less, use MFA with Authenticator app, use OneDrive for backup/restore capability etc.

Regardless of how many accounts you have, you only need to run it once as administrator to make system-wide changes, then for each standard user you can run the script without elevation so non-admin category can apply to the standard account, but even if you don't do this the system-wide changes are enough 🙂

I made some changes to the readme

5102f5c

[pathei-kosmos]

Thanks!
And if I understand correctly, for home users you recommend having one Admin account that you only use to install software, and to do all the rest of your daily use on a standard user account?

[HotCakeX]

Yes that is correct :)

It is kinda hard though if you're used to having admin rights all the time, however it is going to be changed:
https://youtu.be/8T6ClX-y2AE?t=494

[pathei-kosmos]

The conference is very interesting, thank you for sharing!

[HotCakeX]

You're welcome ^^ this channel also has very interesting conferences
https://www.youtube.com/@msftsecresponse