Windows 11 Setup Guide: 1. How to Configure Your PC Securely with Microsoft Accounts

Introduction

Most Microsoft Windows 11 users, and many small businesses, run their Windows 11 setup with a single Microsoft account because it seems the natural thing to do. That simplicity can create serious security gaps. This article describes the conventional workstation setup that Microsoft recommends: two Microsoft accounts, one used for an administrator profile and one for a standard user profile.

Why two accounts?

If your admin account is exposed through daily email use, a single phishing attack could give an attacker full control of your computer, your files, and even your Microsoft 365 subscription. In our companion article, we explain why this risk exists, how Microsoft’s design choices contribute to it, and what practical steps you can take to protect yourself—whether you’re a home user or running a small business.

For more about why Microsoft recommends two accounts for securing Windows 11, see this article:

Windows 11: Why One Microsoft Account Isn’t Enough for Home and Small Business Users


Preparation - document what you do

Your Microsoft account controls everything: your files, your apps, and even your ability to unlock your laptop. If you lose access to it, you could lose everything tied to that account. So the first thing to do is make sure your credentials are documented, including your secondary (recovery) email address and your mobile phone number. If you are going to create a new Microsoft account, write down the user name and password first so that you enter them accurately.

Hot Tip: Keep accurate records of usernames, passwords, and recovery keys. Use a secure password manager or store a printed copy in a safe place. Review your account credentials periodically.

Why Two Separate Microsoft Accounts Are Recommended

Windows 11 does not allow the same Microsoft account to be used for two different user profiles on the same machine. So, to secure your computer properly, you need:

  • One Microsoft account for the Administrator profile
  • A second Microsoft account for the Standard User profile

For a simpler approach to security, consider a Microsoft 365 Business subscription rather than Microsoft 365 Personal or Family, which operate in a less disciplined environment. Microsoft 365 Business is set up under an organisational tenant (normally with your own domain name), and its architecture keeps business email and files separate from the less rigorously secured consumer-oriented services.

Why Microsoft Designed It This Way

When Windows 11 is configured for consumer use:

  • Each Microsoft account manages its own identity and cloud storage (e.g., OneDrive), but the device encryption (BitLocker) recovery key is backed up to the Microsoft account of the administrator who set the device up.
  • Sharing one account across profiles would break security boundaries—making administrator rights meaningless.

This feels complex, but the design is intended to provide strong security and identity separation.

Step-by-Step: Setting Up Two Accounts
  1. Create the Administrator Account
    1. During initial setup, sign in with your primary Microsoft account.
    2. Always use a Microsoft account—not a local account—for better recovery options.
  2. Create the Standard User Account
    1. Go to Settings > Accounts > Family & other users.
    2. Click Add account and sign in with a different Microsoft account (create a free Outlook.com account if needed).
    3. Set this account as Standard, not Administrator.

Use the Standard account for daily work. This reduces risk and keeps your system secure.
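As an added example (not part of the original article or of Microsoft's own guidance), the PowerShell script below checks that the layout described above is actually in place on the PC: the daily-use account is a Standard user and only one administrator account is enabled. The account name and the -Demote switch are assumptions for illustration; Windows lists accounts backed by a Microsoft account as MicrosoftAccount\<email> and local accounts as <PCNAME>\<name>.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article: verify the two-account layout on a
# Windows 11 PC and optionally demote the daily-use account to Standard.
# Run from an elevated PowerShell prompt while signed in to the Administrator profile.
# 'MicrosoftAccount\daily.user@outlook.com' is a placeholder; substitute your own.
param(
    [string]$DailyUser = 'MicrosoftAccount\daily.user@outlook.com',
    [switch]$Demote
)

$adminGroupSid = 'S-1-5-32-544'   # well-known SID of the local Administrators group

# Everyone who currently holds administrator rights on this machine
$admins = Get-LocalGroupMember -SID $adminGroupSid
'Members of the local Administrators group:'
$admins | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

# 1. Is the daily-use account an administrator?
$daily = $admins | Where-Object Name -eq $DailyUser
if ($daily) {
    Write-Warning "$DailyUser holds administrator rights; it should be a Standard user."

    # Never demote the account you are signed in with, or you lose admin on this PC
    $mySid = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    if ($Demote -and $daily.SID.Value -ne $mySid) {
        # Leaving the Administrators group leaves the account in Users, i.e. a Standard user
        Remove-LocalGroupMember -SID $adminGroupSid -Member $DailyUser
        "Demoted $DailyUser to Standard user."
    } elseif ($Demote) {
        Write-Warning 'Refusing to demote the account this script is running as.'
    }
} else {
    "$DailyUser is a Standard user: OK"
}

# 2. How many enabled local accounts are administrators? Expect one (your Administrator
#    profile). The built-in 'Administrator' account should stay disabled, as Windows ships it.
$adminSids = $admins.SID.Value
$enabledAdmins = Get-LocalUser | Where-Object { $_.Enabled -and ($adminSids -contains $_.SID.Value) }
"Enabled administrator accounts: $($enabledAdmins.Name -join ', ')"
if (@($enabledAdmins).Count -ne 1) {
    Write-Warning 'Expected exactly one enabled administrator account.'
}
```

Run it without -Demote first to see the current state; the demotion step refuses to touch the account the script is running under, so you cannot lock yourself out of the Administrator profile by mistake.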

! Keep Your Admin Account active

Microsoft may close accounts that appear inactive for two years. If your Administrator account is rarely used for email or OneDrive, it could be flagged as inactive.

When Microsoft terminates a Microsoft account:

  • You lose access to the Administrator profile.
  • BitLocker recovery keys stored in that account become inaccessible.
  • Device management and recovery options break.

How to keep a Microsoft account active after Windows 11 setup:

  • Sign in to the Microsoft account for your administrator profile periodically via a browser.
  • Link the account to your device.
  • Enable a minimal service (OneDrive sync or Microsoft Authenticator).
  • Keep your account recovery details up to date:
    • secondary email address
    • mobile phone number

Create a Windows 11 recovery drive

A recovery drive is your safety net if Windows won’t start or something goes wrong. Create it after Windows 11 setup is complete and Windows Update has had a chance to bring the factory image installed during assembly up to date:

How to create a recovery drive

  • Allow about a week to allow for cumulative updates.
  • Plug in a USB drive (at least 32GB).
  • Search for Create a recovery drive in Windows Start menu.
  • Follow the instructions (check “Back up system files”).

Store your recovery drive in a safe place. Often, professionals tether the USB stick to the computer’s power lead. The recovery drive is valuable: it is what you need to repair or reinstall Windows after a catastrophic failure. If you lose it, repairing a computer that will not start becomes much harder.

Schedule periodic recovery drive replacement

Windows is constantly updated with patches and fixes. At least once a year, recreate your recovery drive so that it carries a current build.

Understand BitLocker and Recovery Keys

BitLocker encrypts your data, protecting it if your laptop is lost or stolen.

If BitLocker is enabled, you will get a recovery key, a 48-digit code that unlocks the drive if BitLocker’s normal checks fail, for example after a firmware update or a hardware change.

Where to find it:

  • Saved to your Microsoft account online:
    • https://account.microsoft.com/devices/recoverykey

You can also create a manual copy of your BitLocker recovery key and save it in a .txt file. This is a worthwhile additional method, provided the file is kept off the encrypted drive (on a USB stick or printed). In the Windows Start/Search box, search for “Manage BitLocker”. Professional guidance is recommended.
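As an added example (not from the original article), the following PowerShell script does what the "Manage BitLocker" dialog does, but for every encrypted volume at once: it lists each recovery password protector with its Key ID, so you can match it against the copy held in your Microsoft account at https://account.microsoft.com/devices/recoverykey, and writes a text copy to a folder you specify. The D:\ path is an assumption standing in for a USB stick.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article: enumerate BitLocker recovery keys on this
# PC and save a copy off the encrypted volume. Run from an elevated PowerShell prompt.
# 'D:\BitLocker-Keys' is a placeholder for removable media; never save to the C: drive itself.
param([string]$BackupFolder = 'D:\BitLocker-Keys')

foreach ($vol in Get-BitLockerVolume) {
    "Volume $($vol.MountPoint): VolumeStatus=$($vol.VolumeStatus) ProtectionStatus=$($vol.ProtectionStatus)"

    # Only 'RecoveryPassword' protectors carry the 48-digit key; TPM protectors do not
    $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $recovery) {
        Write-Warning "  No recovery password protector on $($vol.MountPoint); nothing to back up."
        continue
    }

    foreach ($p in $recovery) {
        # The Key ID is what the BitLocker recovery screen shows, so it tells you which
        # saved password belongs to which volume.
        "  Key ID: $($p.KeyProtectorId)"

        if (-not (Test-Path $BackupFolder)) {
            New-Item -ItemType Directory -Path $BackupFolder | Out-Null
        }
        $file = Join-Path $BackupFolder ('BitLocker-{0}-{1}.txt' -f $env:COMPUTERNAME, $p.KeyProtectorId.Trim('{}'))
        @(
            "Computer:     $env:COMPUTERNAME"
            "Volume:       $($vol.MountPoint)"
            "Key ID:       $($p.KeyProtectorId)"
            "Recovery key: $($p.RecoveryPassword)"
            "Saved:        $(Get-Date -Format s)"
        ) | Set-Content -Path $file
        "  Saved to $file"
    }
}
```

The same information is available from the built-in tool with `manage-bde -protectors -get C:`; the script simply makes the Key ID and the storage location explicit. Treat the saved file like the key itself: anyone holding it can read the drive.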

Summary: Why is Windows 11 setup so complicated?

Many users find Microsoft’s guidance for Windows 11 setup frustrating—and rightly so. However, Microsoft’s best practice guidance is aimed at these objectives:

  • Stronger security boundaries
  • Better integration with cloud services
  • Easier recovery options

Another reason for this seeming complexity is often that users are hoping to achieve commercial levels of security using consumer grade solutions, and this means we have to make Windows bend to keep up with more robust disciplines which are already available in Microsoft 365 Business as standard.

Linux is free, and some believe it is simpler. Even so, Windows remains the dominant choice for compatibility with mainstream apps and small-office tools. To better understand the real-world security implications of conventional Windows 11 setup on consumer equipment, read our companion article:

Windows 11: Why One Microsoft Account Isn’t Enough for Home and Small Business Users


How to backup your Microsoft 365 Authenticator credentials

Backup Microsoft Authenticator settings

***Microsoft now operates Microsoft Authenticator from its Entra ID service, and the procedures in this post have been superseded with effect from September 2025. Instead, click here to read the latest guidelines for Microsoft Authenticator MFA account backup.***

*****

Backup and restore your Microsoft 365 multi-factor authentication (MFA) credentials to restore access to 365 dashboards in the event of a lost or stolen mobile phone.

This option is especially useful for 365 tenancy owners/global administrators. For example, if you are a 365 tenancy owner/Global Administrator (global Admin) then you cannot turn to a higher authority to re-establish credentials if your credentials are lost.



Why backup has to be configured

Microsoft Authenticator data is not included in iCloud or Android phone backups because the security keys are critically sensitive. Instead, you configure Authenticator backups in the app’s own settings. The backup is then stored in iCloud or Google Drive, but when you restore it you must verify your identity against a Microsoft account.

Microsoft Account vs Microsoft 365 account

You need a Microsoft account to backup and restore Microsoft Authenticator credentials. A Microsoft account and a Microsoft 365 account are two different entities. Without a Microsoft account you cannot back up your 365 credentials.

If you have a Microsoft account but have forgotten its credentials, you may need to establish a new Microsoft account. Do not lose the credentials to your Microsoft account: without them you will not be able to connect Microsoft Authenticator on a new mobile phone and restore your settings. This would be catastrophic, so be sure to document your Microsoft account credentials.

How to backup Microsoft Authenticator

Use the steps below to configure backup in Microsoft Authenticator settings. The process may vary from notes here because Microsoft updates its processes periodically. Also, the process might vary depending on your mobile phone hardware and operating system. Either way, prompts are not difficult to follow. These tips will steer you in the right direction:

  1. Open Microsoft Authenticator on your mobile phone
  2. Access Settings: Tap the three vertical dots at the top right corner and select <Settings>
  3. Enable <Backup>*
  4. Depending on your hardware, provide your Microsoft Account credentials if/when asked**

 * Apple users will need to be sure Authenticator is logged in to iCloud.

** In some cases, users may already be logged in to existing Microsoft Accounts, however the backup process will direct you to provide credentials as necessary. 

Recovery & Summary

To recover your credentials, install Microsoft Authenticator on your new mobile phone. Usually, the <Welcome> screen offers an option to <Begin Recovery>. This option depends on your hardware and software versions. The process is a little different for Apple and Android users, and is easily executed provided you have the credentials for iCloud/Google account, and your Microsoft Account.

You should periodically check Authenticator backup settings to verify backups are current. Authenticator app settings will confirm when your credentials were last backed up.

Authenticator’s settings include options to override the Android or Apple screen-lock defaults. Some Apple and Android versions may also need Authenticator to be allowed to run in the background; this can be checked in Authenticator settings.


Summary

Tenancy owners and global admins do not have scope to resort to a higher authority to restore access to a 365 dashboard if their mobile phone is lost or destroyed. Therefore it is crucial to your organization’s IT continuity to protect your access settings to 365 Admin. Microsoft Authenticator enables you to restore existing credentials which cannot otherwise be found in Android and Apple backups.

For help, contact us using WhatsApp via our web site, or by phone.

About ComStat.uk: Internet Service Provider Comstat provides IT support, web hosting, and media services including web design, Microsoft 365 setup, and audio/video production, serving businesses across Denbighshire, North Wales and Wirral from Ruthin, and Lancashire and the Northwest from Bolton.


Exchange Online Protection – EOP

Microsoft Exchange Online Protection (EOP) is a cloud-based email filtering service that protects Exchange users against spam, malware and phishing. EOP also includes tools to enforce messaging policies. It runs within Microsoft data centres as a bundled service for licensed Office 365 / Microsoft 365 and Exchange Online users, so mail is filtered before it reaches the customer network or any user device. This reduces the bandwidth consumed by unwanted mail, simplifies the management of on-premises messaging environments, and removes the cost of maintaining on-premises filtering hardware and software.

Microsoft Exchange EOP Features:

  • Eliminates threats before they reach your business firewall with multi-layered, real-time anti-spam and multi-engine anti-malware protection.
  • No extra hardware or software installation – EOP is a bundled service and runs from data centre, managing email before it is delivered to user devices.
  • Protects your company’s IP reputation by using separate outbound delivery pools for high-risk email.
  • Provides 5 financially backed SLAs, including protection from 100% of known viruses and 99% of spam.
  • Active content, connection, and flexible policy-based filtering enables compliance with corporate policies and public sector/IT departmental governance.
  • A globally load-balanced network of data centres helps to ensure 99.999% network uptime.
  • Managed and administered from the Exchange Administration Centre with a single web-based interface.
  • Near real-time reporting and message trace capabilities provide insight into email environments by retrieving the status of any message that Exchange Online Protection processes.
  • Available to non-Exchange users.
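As an added example (not from the original page, and not Microsoft’s own script), the PowerShell below uses the Exchange Online management module to review the EOP policies that apply by default and to run a message trace, which is how an administrator sees what the filtering above actually did with a given message. The admin address, the recipient and the thresholds flagged as weak are assumptions for illustration; the cmdlets and property names are those of the ExchangeOnlineManagement module.

```powershell
# Added example, not from the original article: review the default EOP anti-spam and
# anti-malware policies and trace recent mail for one recipient.
# Requires: Install-Module ExchangeOnlineManagement (once), and an Exchange admin sign-in.
# 'admin@example.com' is a placeholder.
param([string]$AdminUpn = 'admin@example.com')

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

# Anti-spam (content filter) policy: 'Default' covers every mailbox without a custom policy
$spam = Get-HostedContentFilterPolicy -Identity Default
[pscustomobject]@{
    SpamAction               = $spam.SpamAction
    HighConfidenceSpamAction = $spam.HighConfidenceSpamAction
    PhishSpamAction          = $spam.PhishSpamAction
    BulkThreshold            = $spam.BulkThreshold
    QuarantineRetentionDays  = $spam.QuarantineRetentionPeriod
} | Format-List

# Settings a small business should tighten: phishing verdicts belong in quarantine, not the
# Junk folder, and a bulk threshold above 6 lets more marketing/grey mail through
if ($spam.PhishSpamAction -ne 'Quarantine') {
    Write-Warning "PhishSpamAction is '$($spam.PhishSpamAction)'; quarantine phishing instead of moving it to Junk."
}
if ($spam.BulkThreshold -gt 6) {
    Write-Warning "BulkThreshold $($spam.BulkThreshold) is permissive; Microsoft's Standard preset uses 6."
}

# Anti-malware policy: the common attachment filter blocks risky file types outright
$mal = Get-MalwareFilterPolicy -Identity Default
if (-not $mal.EnableFileFilter) {
    Write-Warning 'Common attachment filter (EnableFileFilter) is off; enable it.'
}
"Zero-hour auto purge (removes already-delivered malware) enabled: $($mal.ZapEnabled)"

# Message trace: what EOP did with mail addressed to this user over the last two days
Get-MessageTrace -RecipientAddress $AdminUpn -StartDate (Get-Date).AddDays(-2) -EndDate (Get-Date) |
    Select-Object Received, SenderAddress, Subject, Status |
    Sort-Object Received -Descending |
    Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

The Status column of the trace (Delivered, FilteredAsSpam, Quarantined, Failed) is the quickest way to confirm whether a message a user is asking about was stopped by EOP or never arrived at all.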


Microsoft ActiveSync

Microsoft Exchange ActiveSync enables users of desktop and mobile devices to access email, calendar, contacts, and tasks from their organization’s Microsoft Exchange server.

Microsoft Exchange is the de facto standard in public sector and corporate IT and is the email backbone of Microsoft’s Office 365 Office suite.  Given Exchange’s dominance in premium email services, Exchange ActiveSync is licensed to all major mobile devices manufacturers, although there may be minor variations in subsets of the application used by Windows Phone, Apple, and Android.

The major advantage this brings to users is that it removes reliance on a “primary” workstation from which emails etc. have to be co-ordinated. ActiveSync synchronises all devices against a central server, so that each device has equal access to the same information.

Network administrators can limit which devices may access mailbox data, which is useful in industries where data is sensitive, or in cases where devices are lost or stolen. Doing so usually depends on in-house organisational competency or, in the case of small businesses, on access to “delegated” administrators, Microsoft-approved third-party engineers. ComStat is an authorised delegated network administrator.
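As an added example (not from the original page, and not Microsoft’s own script), the PowerShell below shows the device controls referred to above as an Exchange Online administrator would apply them: list the phones that have synced a mailbox, switch ActiveSync off for one user, quarantine unknown devices by default, and wipe Exchange data from a lost phone. The mailbox, device ID and notification address are assumptions; the cmdlets are those of the ExchangeOnlineManagement module and need an existing Connect-ExchangeOnline session.

```powershell
# Added example, not from the original article: ActiveSync device inventory and controls.
# Assumes Connect-ExchangeOnline has already been run. Identities are placeholders.
param(
    [string]$Mailbox = 'jane.doe@example.com',
    [string]$LostDeviceId = '',            # DeviceId from the inventory below; empty = no wipe
    [string]$ItContact = 'it@example.com'
)

# 1. Which devices have synced this mailbox, and when they last connected
Get-MobileDeviceStatistics -Mailbox $Mailbox |
    Select-Object DeviceFriendlyName, DeviceType, DeviceOS, DeviceId, LastSuccessSync, DeviceAccessState |
    Format-Table -AutoSize

# 2. Per-mailbox control: disabling ActiveSync stops every phone pulling mail, contacts and calendar
#    for this user (e.g. a leaver), without touching their webmail or Outlook access
Set-CASMailbox -Identity $Mailbox -ActiveSyncEnabled $false
"ActiveSync disabled for $Mailbox"

# 3. Organisation-wide default: hold new, unknown devices in quarantine until an admin approves
#    them, and tell IT when that happens
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine -AdminMailRecipients $ItContact

# 4. Lost or stolen phone: remove only the Exchange account data (mail, contacts, calendar),
#    leaving the owner's photos and apps alone. Drop -AccountOnly for a full device wipe.
if ($LostDeviceId) {
    $device = Get-MobileDevice -Mailbox $Mailbox | Where-Object DeviceId -eq $LostDeviceId
    if ($device) {
        Clear-MobileDevice -Identity $device.Identity -AccountOnly -NotificationEmailAddresses $ItContact -Confirm:$false
        "Account-only wipe requested for $($device.DeviceFriendlyName) ($LostDeviceId)"
    } else {
        Write-Warning "Device $LostDeviceId is not associated with $Mailbox"
    }
}
```

The wipe is executed the next time the device connects, so step 2 should not be run before step 4 for the same mailbox: a phone that can no longer sync never receives the wipe command.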

ActiveSync is a protocol. In the past, the POP3 and IMAP protocols were widely adopted by manufacturers and users. As working across several devices becomes the norm, however, POP3’s limitations make it an awkward protocol for users who want to mirror email, contact and calendar information between multiple devices. As small businesses adopt Microsoft’s Office 365 applications, technologies like POP3, which cannot synchronise data between devices, are losing their popularity.

Microsoft Exchange supports POP3, IMAP and MAPI, all of which are widely recognised email protocols. In its native environment, however, Exchange performs best with ActiveSync. Office 365 users can connect up to 5 devices to their account services.