Decided to go back to running standard user after watching @cruelsister's video on MBAM & UAC and @Andy Ful's videos on antivirus challenges.
I returned to running standard user again because CS showed how trivial it is to bypass UAC and Andy showed how easy it is to disable Defender protection with elevated privileges. I also reduced the SRP application level from all users to 'all except admin' and added block rules for the LoLBins mentioned in the GitHub project. The reason for doing so is that all CS exploits in the MBAM video would be blocked by the SRP-SWH part of WHHL, except for one: the modified executable using NETSH to bypass MBAM. WDAC-ISG would probably have blocked this executable if it was not signed by a trusted software developer/publisher. But the 'probably' settled in my mind and I started to doubt my decision to run admin again.
Running standard user enforces a hard border between standard user and admin (as opposed to UAC only providing a soft border). Additionally, I am blocking LoLBins (like Netsh) system wide when started by a standard user. I kept Andy's set of SRP rules to block risky file extensions from running in user folders, block executables running in archives, and prevent misuse of LNK and UAC holes. Although I can execute and install programs, my setup is actually whitelist based. System wide, Malware Defender only allows programs to run which are whitelisted in the cloud, and the user folders are additionally protected with the WDAC-ISG small (hence more aggressive) local whitelist (in case the internet connection fails).
I have run this standard user with hardened SWH-SRP and MD on MAX for as long as I have had this laptop without problems, so I am not expecting any problems with this enhanced setup (with WDAC-ISG added). This probably also means that I will have less to post, because there is no need to change anything when it is working perfectly.