Setting Up User Accounts for Cyber Essentials: A Complete Guide to Account Separation on Windows 11
- The Assessor Team
- Apr 7
By Mark Kindred, Senior Assessor, Get Cyber Certified
One of the questions I encounter most frequently during Cyber Essentials assessments is around user accounts — and specifically, whether organisations have properly separated their standard user accounts from their administrator accounts. It sounds straightforward, but it's one of the most commonly failed areas of the assessment, and it's entirely avoidable.
In this guide, I'm going to explain exactly what Cyber Essentials requires, why it matters from a genuine security perspective, and walk you through setting it up correctly on Windows 11 — step by step.
What Does Cyber Essentials Require?
The Cyber Essentials scheme, developed by the NCSC and managed by IASME, includes five technical controls. One of those controls is User Access Control, and it has clear, non-negotiable requirements around how accounts should be set up and used.
The scheme requires that:
Standard user accounts are used for all day-to-day activities — email, browsing, creating documents, and so on.
Administrator accounts are used only when performing administrative tasks — installing software, changing system settings, or managing other user accounts.
Administrator accounts must not be used for routine activities like web browsing or checking email.
Every person must have their own individual, named account — shared accounts are not permitted.
Even if you are the only person who uses a device, you still need at least two accounts: one administrator account and one standard user account.
This is reflected in the SAQ (Self-Assessment Questionnaire) at questions A7.6 and A7.7, which ask specifically how you ensure separate accounts are used for administrative tasks, and how you prevent admin accounts from being used for everyday activities.
Source: IASME — User Access Control | IASME — The Five Core Controls of Cyber Essentials: Access Control
Why Does It Actually Matter?
This isn't box-ticking. The principle of least privilege — only giving a user account the minimum level of access needed to do its job — is one of the most effective defences against malware and account compromise.
Here's the practical reality: if you're logged into your computer using an administrator account and you accidentally open a malicious email attachment or visit a compromised website, any malware that executes will inherit your account's permissions. If you're an administrator, that malware is an administrator too. It can install itself, modify system files, disable security software, and spread across your network — all without needing to overcome any additional security barriers.
If, however, you're logged in as a standard user, the same malware runs with severely restricted permissions. It can't install itself system-wide, can't modify critical system settings, and is far more likely to be stopped dead in its tracks — or at the very least, contained.
As IASME puts it directly: "Using a regular user account will prevent most malware and other malicious programs from installing."
It's a simple change with a significant and immediate reduction in your attack surface.
Understanding Your Current Setup as a Sole Trader or Micro Business
If you're a sole trader who bought a laptop and set it up yourself, the almost universal default is that you signed into Windows 11 using your Microsoft account (your personal email address), and that account was automatically configured as an Administrator. This means you've been doing everything — emails, browsing, client work, and occasionally installing software — all from a single account with full system privileges.
This is exactly the setup that Cyber Essentials requires you to change.
What we're going to do: Keep your existing Microsoft account sign-in as your administrator account (used only for admin tasks), and create a new local standard user account as your day-to-day working account.
Why a local account for the second account? As a sole trader with one device, you don't have a second Microsoft account to add. Microsoft recommends Microsoft accounts for primary sign-in due to their integration benefits, but for the purpose of creating a separate, restricted daily-use account on a single device, a local account is the correct and practical solution — and is fully compliant with Cyber Essentials. Microsoft's own support documentation confirms this as a supported option for exactly this type of scenario.
A Note on Naming Conventions
Before we dive into the steps, it's worth mentioning a practical tip I always share with clients: use a clear naming convention so that your accounts are easily identifiable. A common and effective approach is to prefix your admin account name with admin. or suffix it with -admin. For example:
Daily use (standard) account: firstname.lastname
Administrator account: admin.firstname.lastname
This makes it immediately obvious during an assessment — and in your own day-to-day management — which account has elevated privileges.
Setting Up Account Separation on Windows 11
The steps below will guide you through confirming your existing account is an administrator, creating a new local standard user account for daily use, and switching your day-to-day login to that new account.
⚠️ Important: Before you start using the new standard account day-to-day, make absolutely sure you can successfully sign in to it and that your Microsoft account administrator sign-in is still working. Test both accounts before switching your daily workflow over. This prevents the risk of being locked out of administrator access on your device.
Step 1 — Confirm Your Existing Account Is an Administrator
Let's start by confirming that your current Microsoft account sign-in is set as Administrator — this will become your dedicated admin account going forward.
Press Windows key + I to open Settings
Click Accounts in the left-hand panel
Click Your info
Beneath your name and email address, you should see Administrator
If it shows Administrator, you're good to proceed. Your existing Microsoft account sign-in will remain as your administrator account — the one you'll use only when you need to install software, change settings, or carry out other admin tasks.

Step 2 — Create a New Local Standard User Account
This new account will become your account for all day-to-day tasks — email, documents, browsing, client work.
In Settings, click Accounts in the left-hand panel
Click Other users
Under Add other user, click Add account
When the Microsoft sign-in window appears, click "I don't have this person's sign-in information"
On the next screen, click "Add a user without a Microsoft account"
Enter a username for the new account — use your name in a clear format (e.g. firstname.lastname)
Create a strong password of at least 12 characters — this is a requirement under Cyber Essentials
Answer the three security questions, then click Next
The account will be created as a Standard User by default — which is exactly what we want.
Step 3 — Verify the New Account Is a Standard User
Once the account is created, let's confirm its type is correct before going any further.
In Settings > Accounts > Other users, you should now see your new account listed
Click on the account name to expand it
Beneath the account name, it should show Standard User
If for any reason it shows Administrator, click Change account type, select Standard User from the dropdown, and click OK.
Step 4 — Sign In to the New Standard User Account to Complete Setup
Windows won't fully build the new account's profile until you sign into it for the first time. This step is essential — don't skip it.
Click the Start button
Click your account name or picture in the bottom-left corner of the Start menu
Select the new standard user account from the list
Sign in using the password you created in Step 2
Windows will take a moment to set up the new profile — this is normal, just wait for the desktop to load
Once the desktop appears and everything has loaded, sign out of the new account
Sign back into your Microsoft account (administrator) to continue
Step 5 — Confirm Everything Is Working Correctly
Before you make the new standard account your daily login, do a quick final check to make sure both accounts are configured correctly.
Go to Settings > Accounts > Your info — confirm your Microsoft account still shows Administrator
Go to Settings > Accounts > Other users — confirm the new local account shows Standard User
Switch to the new standard user account and attempt to install an application or change a system setting — Windows should display a User Account Control (UAC) prompt asking for administrator credentials to proceed
That UAC prompt is confirmation that account separation is working correctly. When it appears, you'll need to enter your Microsoft account password (or Windows Hello PIN) to authorise the action — you don't need to fully sign out and back in for most tasks.

Step 6 — Make the Standard Account Your Default Daily Login
From this point forward, the local standard user account is the one you should log in with every working day. Reserve your Microsoft account administrator sign-in strictly for when you need to:
Install or uninstall software
Apply Windows updates manually
Change system-wide settings
Carry out any other administrative task
Everything else — email, web browsing, creating documents, client work — should be done from the standard user account. This is the correct workflow for Cyber Essentials compliance, and it's also simply good security practice regardless of certification.
Common Mistakes I See During Assessments
I have marked Cyber Essentials assessments since the scheme launched in 2014, and these are the account-related issues I see come up time and again:
Using a single account for everything — the most common finding. The original Microsoft account sign-in is also used for all daily work. This fails both A7.6 and A7.7
Creating the second account but never using it — the standard user account exists but the administrator account is still the daily login. This is a fail
Setting the new account as Administrator instead of Standard User — defeats the purpose entirely and still results in a non-compliance finding
Using a weak password on the standard user account — Cyber Essentials requires passwords of at least 12 characters
IT support providers using shared admin credentials — if you have an IT support company who accesses your device, they should have their own individual, named administrator account. Their access carries the same risks as any other admin account
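The following PowerShell script is an added example, not part of the original article, that runs the checks from Steps 1, 3 and 5 on the device and flags the first three findings above: it lists which accounts hold administrator rights, shows when each local account last signed in, creates the local standard account from Step 2 if it is missing, and makes sure that account is not in the Administrators group. It assumes the account name firstname.lastname and an elevated PowerShell window opened from the administrator account.

```powershell
# Added example (not from the article). Run from an elevated PowerShell
# window while signed in as the administrator (Microsoft account) sign-in.
# Assumed account name; change it to your own firstname.lastname.
$StandardUser = 'firstname.lastname'

# Step 1 check: is the account running this session an administrator?
# Note: under UAC this is only true in an elevated ("Run as administrator") window.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]::new($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host "Signed in as $($identity.Name); elevated administrator: $isAdmin"
if (-not $isAdmin) { throw 'Run this from the administrator account in an elevated window.' }

# Finding 1 and 5: who holds administrator rights on this device?
# A Microsoft account appears here as MicrosoftAccount\user@example.com.
$admins = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.ObjectClass -eq 'User' }
Write-Host "`nMembers of Administrators:"
$admins | ForEach-Object { Write-Host "  $($_.Name)" }

# Finding 2: a standard account that has never signed in is not the daily login.
Write-Host "`nLocal accounts and last sign-in:"
Get-LocalUser | Where-Object Enabled | Select-Object Name, LastLogon | Format-Table -AutoSize

# Step 2: create the local standard account if it does not exist yet.
if (-not (Get-LocalUser -Name $StandardUser -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -Prompt "Password for $StandardUser (12+ characters)" -AsSecureString
    # Finding 4: enforce the 12-character minimum before creating anything.
    if ($pw.Length -lt 12) { throw 'Password must be at least 12 characters.' }
    New-LocalUser -Name $StandardUser -Password $pw -FullName $StandardUser `
        -Description 'Daily-use standard account (Cyber Essentials)' | Out-Null
    # New-LocalUser adds the account to no group; the Settings app puts new
    # accounts in Users, so do the same here.
    Add-LocalGroupMember -Group 'Users' -Member $StandardUser
}

# Step 3 / Finding 3: the daily-use account must NOT be in Administrators.
$adminNames = $admins.Name | ForEach-Object { ($_ -split '\\')[-1] }
if ($adminNames -contains $StandardUser) {
    Write-Warning "$StandardUser is an administrator; removing it from the group."
    Remove-LocalGroupMember -Group 'Administrators' -Member $StandardUser
}
$inUsers = (Get-LocalGroupMember -Group 'Users').Name -like "*\$StandardUser"
Write-Host "`n$StandardUser is a standard user: $([bool]$inUsers)"
```

The Settings checks in Steps 3 and 5 still apply afterwards; this script cannot tell you whether the standard account is actually the one you sign in with each day, only when it last signed in.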
Need Help Getting This Right Before Your Assessment?
If you're preparing for Cyber Essentials certification and want to make sure your user accounts are configured correctly before you submit, our Supported and Readiness Assessment packages include a pre-submission review where we'll check your answers and flag anything that needs attention — including account separation.
You can find out more at www.getcybercertified.co.uk or get in touch directly — I'm always happy to help.
Sources used in this article:
Disclaimer:
This help guide is provided as a courtesy and is intended to allow you to see the controls required to be compliant with the Cyber Essentials account separation requirements. Please reconfigure your systems at your own risk. If unsure please seek guidance from your IT support personnel.