Microsoft has announced Administrator protection for Windows 11. The new security feature aims to improve security on Windows 11 devices by changing how certain actions that require elevation are carried out and handled.
For users, it means that they need to authorize elevated actions using Windows Hello. Depending on how that is set up, it may require entering the device PIN, using biometric authentication, or other means available on the device.
The core changes happen in the background. When a user signs in to Windows, that user is assigned what Microsoft calls a deprivileged user token. When admin privileges are needed, for instance when installing software, Windows will request authorization from the user using Windows Hello.
When the user does so, Windows “uses a hidden, system-generated, profile-separated user account to create an isolated admin token”. This token is “issued to the requesting process and is destroyed once the process ends”.
In other words, the admin privileges do not persist on the system, but end with the execution of the task that requested them.
The following illustration visualizes the process.
Microsoft lists the following benefits of Administrator protection:
- Improved security by requiring explicit authorization for “every administrative task”.
- Users may manage admin rights by granting or restricting “access granularly to individual apps”.
- Malware that is designed to acquire administrative privileges silently is blocked.
Managing Administrator protection
It appears that Administrator protection is disabled by default. Microsoft explains how administrators may enable the new protection.
It is located under Windows Security > Account protection. There, administrators may toggle Administrator protection to turn the feature on (or off). A restart of the device is required.
There is also a new policy under Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.
- Double-click on User Account Control: Configure type of Admin Approval Mode.
- Change the Local Security Setting to “Admin Approval Mode with Administrator protection”. This enables the feature.
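As an added example that is not part of the article or of Microsoft's own tooling, the PowerShell function below reports which Admin Approval Mode the policy above is currently set to on the local machine. It reads the standard UAC policy key; the name of the value that stores the Administrator protection mode (TypeOfAdminApprovalMode, 1 = legacy, 2 = with Administrator protection) is an assumption and should be verified against Microsoft's documentation before relying on it.

```powershell
# Added audit helper (not Microsoft's code): reports whether the local UAC policy
# "User Account Control: Configure type of Admin Approval Mode" is set to
# "Admin Approval Mode with Administrator protection".
# ASSUMPTION: the policy is stored under the standard UAC policy key below as a
# DWORD named TypeOfAdminApprovalMode (1 = legacy Admin Approval Mode,
# 2 = Admin Approval Mode with Administrator protection). Verify this mapping.

$UacPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$AdminProtectionValueName = 'TypeOfAdminApprovalMode'   # assumed value name

function Get-AdminProtectionStatus {
    [CmdletBinding()]
    param(
        [string]$Key = $UacPolicyKey,
        [string]$ValueName = $AdminProtectionValueName
    )

    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue

    # EnableLUA is the long-standing UAC master switch. Administrator protection
    # builds on UAC, so with UAC disabled the mode setting has no effect.
    $uacEnabled = ($null -ne $props) -and ($props.EnableLUA -eq 1)

    $mode = $null
    if ($null -ne $props -and ($props.PSObject.Properties.Name -contains $ValueName)) {
        $mode = [int]$props.$ValueName
    }

    # if/elseif rather than switch: switch does not run its default block on $null input
    $description = if ($mode -eq 2) {
        'Admin Approval Mode with Administrator protection'
    } elseif ($mode -eq 1) {
        'Legacy Admin Approval Mode'
    } else {
        'Not configured (policy value absent); behaves as legacy UAC'
    }

    [pscustomobject]@{
        UacEnabled             = $uacEnabled
        AdminProtectionEnabled = ($uacEnabled -and ($mode -eq 2))
        RawModeValue           = $mode
        Description            = $description
    }
}

# Example run from an elevated prompt; remember that a restart is required
# after the policy is changed before the new mode is in effect.
Get-AdminProtectionStatus | Format-List
```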
Closing Words
It appears that Administrator protection is an optional feature. This means that it won’t be enabled on most home systems any time soon.
The feature improves security against certain types of malware, but it makes certain operations cumbersome. It remains to be seen how well the Windows 11 community will react to the feature.
Would you enable Administrator protection, if it would be available on your system? Feel free to leave a comment down below.
“Malware that is designed to acquire administrative privileges silently is blocked.”
Sounds like a useful feature, but . . . the rest sounds like “K” in Kafka’s “The Castle” who attempts again and again to gain access to the “mysterious authorities” who govern the village.
Does this apply to systems with only local accounts? Because I don’t use any of those “means available on the device”.
Also, your words do not match the screenshot.
There is no “User Account Control: Configure type of Admin Approval Mode.” in the screenshot. In fact it shows a different policy opened.
In my experiences with actual M.$ employees, they refused to even acknowledge one might not be using a M.$ account on their own Windows PC, so it’s no surprise the article you linked to never mentions it and most certainly assumes everyone is happily signed into M.$.
I purposely do not have any biometric devices on any of my computers, including no cameras. So if I understand this correctly it would require a password or PIN to function. Why not just leave it as it is now? This seems to be a solution for something that is not a problem. The more I see what MS is doing to Windows, the more and more I am using Linux. I only have one Windows system left of 3 computers used; the others are all Linux.