If we have identified that your day-to-day account is a local administrator and should be a standard user, this is a quick guide to correcting that issue.
If you are here, your assessor has most likely identified that you are running as a local admin, and this article addresses that specific issue. If your admin access is provisioned through Entra ID, Active Directory or another central mechanism, this article is not for you: membership granted centrally has to be changed centrally, not with the local steps below.
Your day-to-day account should NOT be an administrator, but everything is already set up on that account and we do not want to disturb your environment. So rather than replacing your day-to-day account, we will create a new, separate admin account and then demote your existing account, leaving your profile, files and settings untouched.
(NOTE: This is a good thing to do, whether you are using a personal device or a business device)
WHY
We want your day-to-day account to be a standard user because it is the account exposed to everyday risk. If it is compromised (you are tricked into running some code, follow a dodgy link from a website or an email, open a malicious attachment, or similar), whatever runs does so with that account's rights. If the account is an administrator, the threat actor has administrative access over the device and can do whatever they like, without limits: install software that survives reboots, disable security tooling, read other users' data and dump stored credentials. If the account is a standard user, the damage is confined to what that user can already do, and anything needing more has to get past a prompt for the separate admin credentials.
HOW
Right-click the Windows icon (Start button) on the taskbar.
Select "Run" (or press Win+R).
Type "netplwiz" and press Enter.
You will see your account, the one the assessor flagged, listed with "Administrators" in the Group column.
So now, we need to create a new admin account, after which we can demote your account, without affecting your setup.
Click "Add". At the bottom of the resulting screen you should see "Sign in without a Microsoft account (not recommended)"; click it.
Next, select the "Local account" option.
Fill in the details and set a password you can remember; you will need to type it shortly when we switch accounts. Do not reuse your day-to-day password, since the whole point is that this account stays separate.
Now double-click the new account, or select it and click "Properties".
Select the "Group Membership" tab at the top of the resulting screen, choose "Administrator", and click OK.
We now have a new administrator account for the device. Next we check that it works, and then use it to demote the previous admin account (your day-to-day account).
Log out of your day-to-day account and log in as the new administrator account. This is the only way to be 100% sure the account works and can complete admin tasks before you remove your own admin rights; if you skip this and the new account turns out not to work, you will have locked yourself out of administering the device.
Log off and log in as the new admin account.
Once you have proceeded through Microsoft's new user setup wizards and have a desktop, run "netplwiz" again:
Right-click the Windows icon (Start button) on the taskbar.
Select "Run" (or press Win+R).
Type "netplwiz" and press Enter.
This time, double-click your day-to-day account (or select it and click "Properties"), select the "Group Membership" tab, choose "Standard user", and click OK.
You now have a tested, working admin account; that is the account to use for administering the device. Your day-to-day account is now a standard user, so if it is compromised the threat has only user-level access.
Log off this account and log back in with your day-to-day account.
Whenever you perform a task that requires administrative elevation, Windows will prompt you for the credentials of the admin account you just created. Enter them for that task only; do not log in with the admin account for everyday work, or you are back where you started.
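The same procedure can be done from PowerShell instead of netplwiz. The script below is an added example written for this article, not something the article's author supplies or Microsoft ships; it uses only the built-in LocalAccounts cmdlets that exist on Windows 10 and later with PowerShell 5.1. It is split into the two phases the article describes: "Create" is run from the (still admin) day-to-day account, then you log off, log on as the new admin account, and run "Demote". The account names "deviceadmin" and "alice" in the usage lines are placeholders. Before demoting, it refuses to proceed if you are logged on as the account being demoted or if no other enabled local administrator would remain, which is the lock-out the manual "test it first" step guards against.

```powershell
#Requires -RunAsAdministrator
# Added example: the netplwiz steps as a script. Not the article's own tooling.
# Usage:  .\Demote-DayToDay.ps1 -Phase Create -NewAdmin deviceadmin
#         (log off, log on as deviceadmin, open PowerShell with "Run as administrator")
#         .\Demote-DayToDay.ps1 -Phase Demote -DayToDay alice
# 'deviceadmin' and 'alice' are placeholder names; substitute your own.
param(
    [Parameter(Mandatory)][ValidateSet('Create', 'Demote')][string]$Phase,
    [string]$NewAdmin,
    [string]$DayToDay
)

# Well-known SIDs of the built-in groups; using SIDs instead of names survives localised Windows.
$AdminsSid = 'S-1-5-32-544'
$UsersSid  = 'S-1-5-32-545'

# Enabled local user accounts that are members of Administrators.
# Domain/Entra principals in the group are skipped: Get-LocalUser does not resolve them.
function Get-EnabledLocalAdmins {
    Get-LocalGroupMember -SID $AdminsSid |
        Where-Object ObjectClass -eq 'User' |
        ForEach-Object { Get-LocalUser -SID $_.SID -ErrorAction SilentlyContinue } |
        Where-Object Enabled
}

switch ($Phase) {
    'Create' {
        if (-not $NewAdmin) { throw '-NewAdmin is required for -Phase Create' }
        if (Get-LocalUser -Name $NewAdmin -ErrorAction SilentlyContinue) {
            throw "An account named $NewAdmin already exists"
        }
        $pw   = Read-Host -Prompt "Password for $NewAdmin" -AsSecureString
        $user = New-LocalUser -Name $NewAdmin -Password $pw -FullName 'Device administrator' `
                              -Description 'Used only for elevation, not for day-to-day work'
        Add-LocalGroupMember -SID $AdminsSid -Member $user
        # New-LocalUser does not put the account in Users; add it so it matches a wizard-created account.
        Add-LocalGroupMember -SID $UsersSid -Member $user -ErrorAction SilentlyContinue
        Write-Host "Created $NewAdmin. Log off, log on as $NewAdmin, then run -Phase Demote."
    }
    'Demote' {
        if (-not $DayToDay) { throw '-DayToDay is required for -Phase Demote' }
        $target  = Get-LocalUser -Name $DayToDay            # errors out if the account does not exist
        $current = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value

        # Lock-out guard 1: never demote the account you are currently logged on as.
        if ($target.SID.Value -eq $current) {
            throw "You are logged on as $DayToDay. Log on as the new admin account first."
        }
        # Lock-out guard 2: at least one other enabled local administrator must remain.
        $others = Get-EnabledLocalAdmins | Where-Object { $_.SID.Value -ne $target.SID.Value }
        if (-not $others) {
            throw 'No other enabled local administrator exists; demoting would lock you out.'
        }
        $isAdmin = Get-LocalGroupMember -SID $AdminsSid | Where-Object { $_.SID.Value -eq $target.SID.Value }
        if (-not $isAdmin) {
            Write-Host "$DayToDay is not a member of Administrators; nothing to do."
            return
        }
        Remove-LocalGroupMember -SID $AdminsSid -Member $target
        # A demoted account must still be in Users, or it cannot log on as a normal user.
        Add-LocalGroupMember -SID $UsersSid -Member $target -ErrorAction SilentlyContinue
        Write-Host "$DayToDay is now a standard user. Remaining enabled local administrators:"
        Get-EnabledLocalAdmins | Select-Object Name, Enabled
    }
}
```

The group change takes effect on the demoted account's next logon, exactly as with netplwiz: an already-running session keeps the token it was issued at logon, so the day-to-day account must log off and on before the evidence step below will show it as a standard user.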
EVIDENCE
If we have asked you to provide evidence that this has been completed, you can do so from the Command Prompt, logged in as your day-to-day account, by running the commands below and sending your assessor a screenshot of the results.
Right-click the Windows icon (Start button) on the taskbar.
Select "Run" (or press Win+R).
Type "cmd" and select OK.
Type "hostname" and press Enter. This identifies the device.
Type "whoami" and press Enter. This shows the account you are logged in as.
Type "net localgroup administrators" and press Enter. This lists the members of the local Administrators group. The account shown by "whoami" should not appear in this list, and the new admin account should.
Take a screenshot (PrtScrn) of the results and share it with your assessor.
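The following is an added example, not part of the original article, that collects the same three pieces of evidence from a normal (non-elevated) PowerShell window and checks them before you send anything. It adds one command the article does not use, "whoami /groups", because that is the reliable test: UAC gives an administrator account a filtered token for everyday use, and in that token the Administrators group still appears, marked "Group used for deny only". So if the Administrators SID appears in your token at all, the account is still an administrator and either the demotion has not happened or you have not logged off and on since. The output file name and location are assumptions.

```powershell
# Added example: gather and sanity-check the evidence for the assessor.
# Run as the day-to-day account from an ordinary PowerShell window (not "Run as administrator").
$AdminsSid = 'S-1-5-32-544'   # well-known SID of the local Administrators group
$desktop   = [Environment]::GetFolderPath('Desktop')
$outFile   = Join-Path $desktop ('admin-evidence-{0}-{1:yyyyMMdd}.txt' -f $env:COMPUTERNAME, (Get-Date))

# The three commands the assessor asked for, plus the token view.
$evidence = @(
    '== hostname ==';                     (hostname.exe)
    '== whoami ==';                       (whoami.exe)
    '== whoami /groups ==';               (whoami.exe /groups)
    '== net localgroup administrators =='; (net.exe localgroup administrators)
)
$evidence | Set-Content -Path $outFile -Encoding UTF8

# Interpretation: any line of the token listing carrying the Administrators SID means
# the account is still an admin, even if it reads "Group used for deny only".
$tokenLines = whoami.exe /groups
$adminLine  = $tokenLines | Where-Object { $_ -match [regex]::Escape($AdminsSid) }

if ($adminLine) {
    Write-Warning "$env:USERNAME still carries $AdminsSid in its logon token:"
    Write-Warning ($adminLine -join "`n")
    Write-Warning 'Either the demotion has not been done or you have not logged off and on since.'
} else {
    Write-Host "$env:USERNAME is a standard user on $env:COMPUTERNAME."
    Write-Host "Evidence saved to $outFile; screenshot or attach it for the assessor."
}
```

"net localgroup administrators" uses the localised group name; on a non-English Windows install substitute the local name of the Administrators group, or rely on the SID check above, which is language-independent.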