Windows IT Pro Blog

Administrator protection on Windows 11

Katharine_Holdsworth
Nov 19, 2024

In today's digital landscape, the importance of maintaining a robust security posture cannot be overstated. A critical aspect of achieving this is ensuring that users operate with the least privilege required. Users with Administrator rights on Windows have powerful capabilities to modify configurations and make systemwide changes that might impact the overall security posture of a Windows 11 device. These powerful administrative privileges represent a significant attack vector and are frequently abused by malicious actors to gain unauthorized access to user data, compromise privacy, and disable OS security features without a user’s knowledge. Recent statistics from the Microsoft Digital Defense Report 2024 indicate that token theft incidents, which abuse user privileges, have grown to an estimated 39,000 per day.

To address this, Microsoft is embarking on a transformative journey to help protect administrator users on Windows—with Administrator protection, a new platform security feature in Windows 11. Administrator protection aims to protect users while still allowing them to perform necessary functions with just-in-time administrator privileges.

Understanding Administrator protection

Administrator protection requires that a user verify their identity with Windows Hello integrated authentication before allowing any action that requires administrator privileges. These actions include installing software, changing system settings like the time or the registry, and accessing sensitive data. Administrator protection minimizes the risk of the user making a system-level change by mistake, and, more importantly, helps prevent malware from making silent changes to the system without the user knowing.

Screenshot of a Windows Security user prompt verifying the user’s identity before authorizing an admin-level operation, in this case allowing an app to make changes to the device

Administrator protection security model

At its core, Administrator protection operates on the principle of least privilege. The user is issued a deprivileged user token when they sign in to Windows. However, when admin privileges are needed, Windows will request that the user authorize the operation. Once the operation is authorized, Windows uses a hidden, system-generated, profile-separated user account to create an isolated admin token. This token is issued to the requesting process and is destroyed once the process ends. This ensures that admin privileges do not persist. The whole process is repeated when the user tries to perform another task that requires admin privileges.

Key architectural highlights

Administrator protection is integrated with Windows Hello for simple and secure authorization.

Just-in-time elevation: With Administrator protection, the user stays de-privileged and is granted just-in-time elevation rights only for the duration of an admin operation. The admin token is discarded after use and is recreated when another task requiring admin privileges is performed.

Profile separation: Administrator protection uses hidden, system-generated, profile-separated user accounts to create an isolated admin token. This helps ensure that user-level malware cannot compromise the elevated session, thus making elevation a security boundary.

No auto-elevations: With Administrator protection, the user needs to interactively authorize every admin operation. This ensures that the administrator user stays in full control and that admin privileges are not abused. Integration with Windows Hello further enhances security while providing a convenient experience.

Illustration showing the Administrator protection architecture

Administrator protection introduces a new security boundary, backed by our commitment to fix any reported security bugs that cross it. It should not be confused with User Account Control (UAC), which is more of a defense-in-depth feature. The architectural changes mentioned above help ensure that the code or data of the elevated session cannot be accessed or tampered with without authorization.

Benefits of Administrator protection

Enhanced security: By requiring explicit authorization for every administrative task, Administrator protection protects Windows from accidental changes by users and changes by malware. It helps ensure that users are aware of potentially harmful actions before they occur, which provides an additional layer of defense against cyber threats.

The user is always in control: Administrator protection allows users to manage admin rights, granting or restricting access granularly to individual apps. This helps ensure that only authorized apps can make system changes, reducing the risk of accidental or malicious modifications.

Malware reduction: Malicious software often relies on admin privileges to change device settings and execute harmful actions. Administrator protection breaks the attack kill chain since malware will no longer be able to silently acquire admin privileges.

Configuring Administrator protection

Administrator protection can be enabled easily via local device settings and via Windows management tools such as Microsoft Intune for large-scale deployments across your organization.

Using Windows Security settings (available soon)

You can enable Administrator protection on your device by navigating to the Account protection section on the Windows Security Settings page and switching the toggle to On. A restart will be required.

Using Group Policy

Administrator protection can be enabled on a device using the Local Group Policy Editor or another local policy editor tool.

  1. Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.
  2. In the Policy pane, locate the policy for “User Account Control: Configure type of Admin Approval Mode” and change the Local Security Setting to “Admin Approval Mode with Administrator protection” to enable the feature.
  3. You can choose your desired consent and credential prompt behavior by selecting the policy for “User Account Control: Behavior of the elevation prompt for administrators running with Administrator protection” and choosing a Local Security Setting. By default, Administrator protection will be enabled with “Prompt for credentials.”
  4. Restart the device to apply the changes.

Windows 11 Group Policy editor with Administrator protection enabled

Windows 11 Group Policy editor – changing prompt behavior

Using mobile device management (MDM)

IT admins can deploy and manage Administrator protection using MDM tools like Microsoft Intune. In Intune, use the settings catalog or administrative templates (coming soon) to configure Administrator protection. Note that devices will need to restart for the feature to be enabled.

To enable Administrator protection using Intune:

  1. In Intune, create a security group and enroll your users in that group.
  2. Set up the Administrator protection policy through the settings catalog.
  3. Include your security group in the policy.
  4. Intune will sync at regular intervals to apply the policy on your device.
  5. Restart the devices when the policies flow in.

Policy setting through Intune settings catalog

Administrator protection is also configurable in the LocalPoliciesSecurityOptions CSP. To enable Administrator protection, configure UserAccountControl_TypeOfAdminApprovalMode. To choose between consent and credential prompts, use the UserAccountControl_BehaviorOfTheElevationPromptForAdministratorProtection node.
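The Group Policy steps above and the CSP node both set the same machine-wide policy value, which a commenter below identifies as TypeOfAdminApprovalMode under the Policies\System key. The following PowerShell is an added example, not code from the post or from Microsoft: it audits that value, reports whether the current process holds an admin token, and can set the value with -WhatIf for a dry run. It assumes that data 2 selects Administrator protection (the post only confirms that 1 is the legacy mode) and assumes the OMA-URI form shown in the comment.

```powershell
# Added example, not code from the original post. Audits the machine-wide policy value
# behind "User Account Control: Configure type of Admin Approval Mode" and can set it.
# Assumption: data 2 selects "Admin Approval Mode with Administrator protection";
# the post only confirms that 1 is the legacy Admin Approval Mode.
$PolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName  = 'TypeOfAdminApprovalMode'

function Get-AdminProtectionState {
    # Reads the raw DWORD (if present) and returns it with an interpretation.
    $item = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    $data = if ($item) { $item.$ValueName } else { $null }
    $state = if ($null -eq $data) { 'Not configured (legacy Admin Approval Mode applies)' }
             elseif ($data -eq 1) { 'Legacy Admin Approval Mode' }
             elseif ($data -eq 2) { 'Admin Approval Mode with Administrator protection (assumed value)' }
             else                 { "Unrecognized value $data" }
    [pscustomobject]@{ Value = $data; State = $state }
}

function Test-CurrentTokenElevated {
    # True only when this process holds an admin token. With Administrator protection on,
    # an ordinary interactive shell should report False until an operation is authorized.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object -TypeName Security.Principal.WindowsPrincipal -ArgumentList $id
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Set-AdminProtection {
    # Writes the policy value; supports -WhatIf so the change can be rehearsed first.
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Disable)
    $target = if ($Disable) { 1 } else { 2 }
    if ($PSCmdlet.ShouldProcess("$PolicyPath\$ValueName", "set DWORD to $target")) {
        if (-not (Test-CurrentTokenElevated)) {
            throw 'Writing an HKLM policy value requires an elevated token.'
        }
        New-Item -Path $PolicyPath -Force | Out-Null
        Set-ItemProperty -Path $PolicyPath -Name $ValueName -Value $target -Type DWord
        Write-Warning 'A restart is required before the new mode takes effect.'
    }
}

# MDM equivalent (OMA-URI form assumed, built from the CSP and node named in the post):
# ./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/UserAccountControl_TypeOfAdminApprovalMode

Get-AdminProtectionState
"Current token elevated: $(Test-CurrentTokenElevated)"
Set-AdminProtection -WhatIf   # dry run; drop -WhatIf to apply
```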

Conclusion

Administrator protection is an upcoming security feature in Windows 11, offering robust security and user privilege management to help the user stay in control of changes to their Windows device. By requiring user authorization for administrative tasks, it helps safeguard the system from unauthorized changes and malware, enhancing overall device security. A seamless integration with modernized Windows Hello helps provide a secure and convenient way to authorize the use of admin privileges.  

Our goal is to enable Administrator protection by default in Windows very soon. This feature is available now to Windows Insiders. We encourage you to try out your applications with Administrator protection enabled and provide us with your feedback.

Explore the latest Windows 11 security features

At Microsoft, we truly believe security is a team sport. By partnering with original equipment manufacturers, app developers, and other partners in the ecosystem—and by helping people learn how to better protect themselves—we are continuing to make Windows more secure by design and more secure by default. Check out the Windows Security Book to learn more about what makes it easy to stay secure with Windows 11.

To learn more about Microsoft Security solutions, visit our website, then bookmark the Microsoft Security Blog and follow us on LinkedIn and on X @MSFTSecurity for the latest news and updates on cybersecurity.


Updated Nov 19, 2024
Version 2.0
  • sylveon
    Copper Contributor

    I'm not sure I understand the distinction between UAC and this.

    With Administrator protection, the user stays de-privileged and is granted just-in-time elevation rights only for the duration of an admin operation. The admin token is discarded after use and is recreated when another task requiring admin privileges is performed.

    Doesn't UAC do the same with LUA? Your user session runs with a limited privilege token and only programs which were granted elevation get an admin token.

    With Administrator protection, the user needs to interactively authorize every admin operation. This ensures that the administrator user stays in full control and that admin privileges are not abused. Integration with Windows Hello further enhances security while providing a convenient experience.

    Doesn't UAC already do this as well? By default, you are prompted for admin consent on the Secure Desktop for every process that needs elevation.

    Is Administration Protection more granular? e.g. a limited user process can request an admin token without needing to relaunch itself entirely as admin?

    • Nilanjana Ganguly
      Microsoft

      In Administrator protection, the token with administrator permissions is discarded as soon as the admin task is completed, thereby reducing the attack opportunity.

  • wroot
    Silver Contributor
    • How does this work when working on a remote machine? Also, to compare with UAC, I can elevate cmd, mmc, regedit or such and run multiple commands and administrative actions. Will it work the same with this protection and just add "MFA" in the form of Windows Hello?
    • Yes, Administrator protection will work the same way when you are logged into a remote machine.

      • Laurie_Aldam
        Copper Contributor

        Will it just prompt for a password instead of Windows Hello authentication which (from my understanding) is tied to the machine?

  • Laurie_Aldam
    Copper Contributor

    Some sort of comparison graphic between UAC and Administrator Protection would be good to help understand the distinction

  • Kam_S_
    Copper Contributor

    Hello, how does 'admin protection' work if you remote into a user's laptop? The user is working from home and you as IT support need to use a domain admin account on the remote computer, e.g. to remove some faulty software.

    • Pearl-Angeles
      Community Manager

      Hi Kam_S_ - your question was addressed by panelists in the AMA: Windows security, chip to cloud session, at around 24:04

  • WolfgangBach
    Brass Contributor

    Running Windows Canary.. as soon as I activate it via gpedit.msc and reboot I get a Windows Logon error (The resource loader cache doesn't have loaded MUI entry) and can't sign in to the device anymore.

    • Laurie_Aldam
      Copper Contributor

      I run into the same problem with the latest build on the Canary channel. If you haven't fixed this already then follow these steps:

        1. Reboot the PC into the Windows Recovery Environment.
        2. Open a command prompt and run regedit. Click on HKEY_LOCAL_MACHINE.
        3. Select File > Load Hive, navigate to your OS volume\Windows\System32\config\ and load the SYSTEM file.
        4. Give it a temporary name.
        5. In the loaded hive, navigate to the registry key value that was changed: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
        6. Change the data for the value 'TypeOfAdminApprovalMode' to 1.
        7. File > Unload Hive.
        8. Close regedit and the command prompt and then reboot the machine.

  • pickwick
    Copper Contributor

    What about the hidden, system-generated accounts and profiles? Is there always only one that is preserved, or is one really generated per process with the whole profile deleted afterwards, or one per user elevating things with the profiles deleted/kept around, or ...?

    The differences to UAC only address the default Windows behaviour of having a user already being a member of the admin group and having UAC-protected admin permissions anyway. With a default basic user and an additional admin account, elevating requires a username and password, therefore authenticating as well even with UAC enabled.

    In that setup there's no difference to the new protection anymore, is there? Or are the background admin accounts and profiles still generated and possibly deleted and generated and ...?

  • How is the hidden profile operated? Is it a separate account managed by the device itself, or a known, controlled profile?