In today's digital landscape, the importance of maintaining a robust security posture cannot be overstated. A critical aspect of achieving this is ensuring that users operate with the least privilege required. Users with Administrator rights on Windows have powerful capabilities to modify configurations and make systemwide changes that might impact the overall security posture of a Windows 11 device. These powerful administrative privileges represent a significant attack vector and are frequently abused by malicious actors to gain unauthorized access to user data, compromise privacy, and disable OS security features without a user’s knowledge. Recent statistics from Microsoft Digital Defense Report 2024 indicate that token theft incidents, which abuse user privileges, have grown to an estimated 39,000 per day.
To address this, Microsoft is embarking on a transformative journey to help protect administrator users on Windows—with Administrator protection, a new platform security feature in Windows 11. Administrator protection aims to protect users while still allowing them to perform necessary functions with just-in-time administrator privileges.
Understanding Administrator protection
Administrator protection requires that a user verify their identity with Windows Hello integrated authentication before allowing any action that requires administrator privileges. These actions include installing software, changing system settings like the time or the registry, and accessing sensitive data. Administrator protection minimizes the risk of the user making a system-level change by mistake, and, more importantly, helps prevent malware from making silent changes to the system without the user knowing.
Administrator protection security model
At its core, Administrator protection operates on the principle of least privilege. The user is issued a deprivileged user token when they sign in to Windows. However, when admin privileges are needed, Windows will request that the user authorize the operation. Once the operation is authorized, Windows uses a hidden, system-generated, profile-separated user account to create an isolated admin token. This token is issued to the requesting process and is destroyed once the process ends. This ensures that admin privileges do not persist. The whole process is repeated when the user tries to perform another task that requires admin privileges.
Key architectural highlights
Administrator protection is integrated with Windows Hello for simple and secure authorization.
Just-in-time elevation: With Administrator protection, the user stays de-privileged and is granted just-in-time elevation rights only for the duration of an admin operation. The admin token is discarded after use and is recreated when another task requiring admin privileges is performed.
Profile separation: Administrator protection uses hidden, system-generated, profile-separated user accounts to create an isolated admin token. This helps ensure that user-level malware cannot compromise the elevated session, thus making elevation a security boundary.
No auto-elevations: With Administrator protection, the user needs to interactively authorize every admin operation. This ensures that the administrator user stays in full control and that admin privileges are not abused. Integration with Windows Hello further enhances security while providing a convenient experience.
Administrator protection introduces a new security boundary, and Microsoft commits to fixing any reported security bugs that cross it. It should not be confused with User Account Control (UAC), which is more of a defense-in-depth feature. The architectural changes mentioned above help ensure that the code or data of the elevated session cannot be accessed or tampered with without authorization.
Benefits of Administrator protection
Enhanced security: By requiring explicit authorization for every administrative task, Administrator protection protects Windows from accidental changes by users and changes by malware. It helps ensure that users are aware of potentially harmful actions before they occur, which provides an additional layer of defense against cyber threats.
The user is always in control: Administrator protection allows users to manage admin rights, granting or restricting access granularly to individual apps. This helps ensure that only authorized apps can make system changes, reducing the risk of accidental or malicious modifications.
Malware reduction: Malicious software often relies on admin privileges to change device settings and execute harmful actions. Administrator protection breaks the attack kill chain since malware will no longer be able to silently acquire admin privileges.
Configuring Administrator protection
Administrator protection can be enabled easily via local device settings and via Windows management tools such as Microsoft Intune for large-scale deployments across your organization.
Using Windows Security settings (available soon)
You can enable Administrator protection on your device by navigating to the Account protection section on the Windows Security Settings page and switching the toggle to On. A restart will be required.
Using Group Policy
Administrator protection can be enabled on a device using the Local Group Policy Editor or another local policy editor tool.
- Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.
- In the Policy pane, locate the policy for “User Account Control: Configure type of Admin Approval Mode” and change the Local Security Setting to “Admin Approval Mode with Administrator protection” to enable the feature.
- You can choose your desired consent and credential prompt behavior by selecting the policy for “User Account Control: Behavior of the elevation prompt for administrators running with Administrator protection” and choosing a Local Security Setting. By default, Administrator protection will be enabled with “Prompt for credentials.”
- Restart the device to apply the changes.
Using mobile device management (MDM)
IT admins can deploy and manage Administrator protection using MDM tools like Microsoft Intune. In Intune, use the settings catalog or administrative templates (coming soon) to configure Administrator protection. Note that devices will need to restart for the feature to be enabled.
To enable Administrator protection using Intune:
- In Intune, create a security group and enroll your users in that group.
- Set up the Administrator protection policy through the settings catalog.
- Include your security group in the policy.
- Intune will sync at regular intervals to apply the policy on your device.
- Restart the devices when the policies flow in.
Administrator protection is also configurable in the LocalPoliciesSecurityOptions CSP. To enable Administrator protection, configure UserAccountControl_TypeOfAdminApprovalMode. To choose between consent and credential prompts, use the UserAccountControl_BehaviorOfTheElevationPromptForAdministratorProtection node.
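The Group Policy steps and the CSP nodes above both set the same device-wide policy, so a defender typically wants a way to verify what a device actually ended up with. The following PowerShell audit script is an added example, not code from the original post or from Microsoft; it assumes the Security Options policies and the CSP nodes are backed by DWORD values under the UAC policy registry key, and the value names and the meaning "2 = Admin Approval Mode with Administrator protection" are assumptions to verify against the Windows documentation for your build.

```powershell
# Added example (not from the original post or Microsoft): audit the
# Administrator protection policy state on a Windows 11 device.
# Run from an elevated PowerShell session.
# ASSUMPTIONS: the Group Policy settings and the LocalPoliciesSecurityOptions
# CSP nodes are backed by DWORD values under $PolicyKey; the value names and
# the mode value 2 below are assumed, not taken from the post.
$PolicyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ModeName   = 'TypeOfAdminApprovalMode'              # assumed backing value for UserAccountControl_TypeOfAdminApprovalMode
$PromptName = 'ConsentPromptBehaviorAdminProtection' # hypothetical backing value for ..._BehaviorOfTheElevationPromptForAdministratorProtection
$AdminProtectionMode = 2                             # assumed: 1 = legacy Admin Approval Mode, 2 = with Administrator protection

function Get-PolicyDword {
    param([string]$Name)
    $item = Get-ItemProperty -Path $PolicyKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value absent: policy not configured
    return [int]$item.$Name
}

function Get-AdminProtectionState {
    # The three settings that decide whether elevation is a real boundary:
    # UAC itself (EnableLUA), the approval-mode type, and the prompt behavior.
    [pscustomobject]@{
        UacEnabled     = (Get-PolicyDword 'EnableLUA') -ne 0   # absent value means the default (enabled)
        ApprovalMode   = Get-PolicyDword $ModeName
        PromptBehavior = Get-PolicyDword $PromptName
    }
}

function Test-AdminProtectionBaseline {
    param($State = (Get-AdminProtectionState))
    $findings = @()
    if (-not $State.UacEnabled) {
        $findings += 'EnableLUA is 0: UAC is off, so Administrator protection cannot apply.'
    }
    if ($State.ApprovalMode -ne $AdminProtectionMode) {
        $findings += "Approval mode is '$($State.ApprovalMode)': Administrator protection is not enabled."
    }
    if ($State.PromptBehavior -eq 0) {
        # Assumed to mean "elevate without prompting", which would remove the
        # interactive authorization the feature is built around.
        $findings += 'Prompt behavior is 0: elevation would not require interactive authorization.'
    }
    [pscustomobject]@{ Compliant = ($findings.Count -eq 0); Findings = $findings; State = $State }
}

Test-AdminProtectionBaseline | Format-List
```

A device that was configured through Intune should report the same state as one configured through Local Group Policy, since both paths write the same policy; a mismatch between what the report shows and what the policy intends is the thing to investigate.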
Conclusion
Administrator protection is an upcoming security feature in Windows 11, offering robust security and user privilege management to help the user stay in control of changes to their Windows device. By requiring user authorization for administrative tasks, it helps safeguard the system from unauthorized changes and malware, enhancing overall device security. A seamless integration with modernized Windows Hello helps provide a secure and convenient way to authorize the use of admin privileges.
Our goal is to enable Administrator protection by default in Windows very soon. This feature is available now to Windows Insiders. We encourage you to try out your applications with Administrator protection enabled and provide us with your feedback.
Explore the latest Windows 11 security features
At Microsoft, we truly believe security is a team sport. By partnering with original equipment manufacturers, app developers, and other partners in the ecosystem—and by helping people learn how to better protect themselves—we are continuing to make Windows more secure by design and more secure by default. Check out the Windows Security Book to learn more about what makes it easy to stay secure with Windows 11.
To learn more about Microsoft Security solutions, visit our website, then bookmark the Microsoft Security Blog and follow us on LinkedIn and on X @MSFTSecurity for the latest news and updates on cybersecurity.