Administrator Elevation- one of Win11's most disruptive changes?

radsdau · Feb 17, 2022

glasskuter said:
Not true.The user that is established when you install windows automatically is put into the administrative group whether it is a microsoft account or a local account. Any new users this account adds can be given administrative privileges as well..

No, you missed what I was saying. Our security policies (and security program membership) mandate that "local users CANNOT be Administrators". Technically of course you can, but it's not a secure way of administering a lot of machines and users, and controlling what can be done by them.

radsdau · Feb 17, 2022

glasskuter said:
A standard user has NEVER had a way to gain administrative privileges. It is and always has been by design. So if that is indeed what he's asking, he's out of luck until the administrator of the computer changes his privileges..

Not true, we use this all the time. That's what UAC is about. You get a chance to 'be administrator' for a specific action, but of course you need to know the Admin user's credentials.

AdvancedSetup · Feb 17, 2022

According to NIST [NIST 01] in Section 3.3, "IT Security Principles," from page 16:

Implement least privilege.
The concept of limiting access, or "least privilege," is simply to provide no more authorizations than necessary to perform required functions. This is perhaps most often applied in the administration of the system. Its goal is to reduce risk by limiting the number of people with access to critical system security controls; i.e., controlling who is allowed to enable or disable system security features or change the privileges of users or programs. Best practice suggests it is better to have several administrators with limited access to security resources rather than one person with "super user" permissions.
Consideration should be given to implementing role-based access controls for various aspects of system use, not only administration. The system security policy can identify and define the various roles of users or processes. Each role is assigned those permissions needed to perform its functions. Each permission specifies a permitted access to a particular resource (such as "read" and "write" access to a specified file or directory, "connect" access to a given host and port, etc.). Unless a permission is granted explicitly, the user or process should not be able to access the protected resource.

According to Schneier [Schneier 00] in "Security Processes":

Limit Privilege.
Don't give any user more privileges than he absolutely needs to do his job. Just as you wouldn't give a random employee the keys to the CEO's office, don't give him a password to the CEO's files.

A limited user whether on Windows 10 or Windows 11 must always provide administrator credentials to perform any task that may affect all users on the computer such as modification of the HKLM in the Registry or files and folders in various locations of the system.

Example of a limited user attempting to access Device Manager. They are prompted that they can only VIEW the devices.

Here is an example of viewing one of the devices, there is a button to allow you to use Admin rights to modify the device in question.

Then once admin level rights have been provided you see the following.

So, not sure what you're seeing that is different in Windows 11 that hasn't been there in Windows 10

radsdau · Feb 17, 2022

AdvancedSetup said:
According to NIST [NIST 01] in Section 3.3, "IT Security Principles," from page 16:
...
So, not sure what you're seeing that is different in Windows 11 that hasn't been there in Windows 10

Thank you, yes this is correct. I don't expect to see any differences, but I can't do admin tasks in 11 like I can in 10, hence this post. As far as you know, it should behave the same? If so there's a setting different somewhere, and I'll post when I find it.
It'd be great to get a Windows dev perspective on this to know for sure.
Cheers

EDIT: Sorry, to clarify: the difference I'm seeing is the use of Ctrl+Shift as a modifier to launch as Administrator. Works in 10, not in 11.

glasskuter · Feb 17, 2022

radsdau said:
Not true, we use this all the time.

Sorry about that, I did not read into your original post that this was in relation to a system administrator managing users across multiple devices.

hdmi · Feb 18, 2022

Archigos said:
@radsdau As @hdmi said, holding Ctrl+Shift when clicking Device Manger in the Win+X Menu works... however, not sure how it worked in Windows 10, but what you might be missing... I tested this and if you open the menu, hold the keys and click it does NOT work. You have to hold the keys BEFORE opening the menu and it'll work.

I don't have to hold the keys BEFORE opening the menu. I tested this on both Windows 11 Home and Windows 10 Home. Opening the menu with Win + X or by right-clicking on Start, also didn't make a difference to this. I am logged in to a Microsoft Account that is a member of the Administrators group, and I am not joined to a domain.

hdmi · Feb 18, 2022

radsdau said:
As far as you know, it should behave the same?

Confirmed.

hdmi · Feb 18, 2022

Dch48 said:
How can you tell if Device Manager is running as admin or not? Mine just always says Device Manager at the top.

How to check if a process is running as administrator (elevated) in Windows

Ever since Windows Vista introduced User Account Control, there has been a need to occasionally run some programs as administrator for doing some

winaero.com

The process name of Device Manager is mmc.exe (the description is Microsoft Management Console).

ThrashZone · Feb 18, 2022

Hi,
Yeah I don't see an issue seeing a admin password will always be needed to do admin changes.
Been that way forever on standard user accounts.

Berton · Feb 18, 2022

When I set up my Notebook 4 months ago with Win10 Pro I created only a Local Account with Administrative rights, first User is always an Administrator. Then I Upgraded to Win11 Pro. Haven't needed my Microsoft Account set up just yet. A small problem with a few of my clients is understanding the terms used, Microsoft Account, Local Account/Administrator and Standard User [limited rights].

Did see a blurb where Microsoft may force everyone to have a Microsoft Account.

Microsoft soon wants to force us to use Microsoft Account for Windows Pro too!

Remember how Microsoft forced everyone to have a god damn Microsoft Account to even use Windows 11 Home and not for Windows 11 Pro? Well, they are changing the tune now and want to force everyone t…

rejzor.wordpress.com

Dch48 · Feb 18, 2022

hdmi said:
How to check if a process is running as administrator (elevated) in Windows

Ever since Windows Vista introduced User Account Control, there has been a need to occasionally run some programs as administrator for doing some

winaero.com

The process name of Device Manager is mmc.exe (the description is Microsoft Management Console).

That column does not exist in Windows 11.

Zentaur · Feb 18, 2022

It's a miscommunication from the Microsoft developer trust allocation system.

In layman's terms, as they may say, a few frequencies were interrupted regarding the AMD TPM to the translation of the Intel equivalent before Windows 11 was shipped and made publicly available to consumers.

Berton · Feb 18, 2022

A new article on the Win11 Widgets today:

Windows 11 will soon be closed off to anyone without internet

hdmi · Feb 19, 2022

Dch48 said:
That column does not exist in Windows 11.

Yes it does (at least if we can assume that the OS language is English─on my Dutch version of Windows 11 it is called Verhoogd). Here's another tutorial to show how it looks like on Windows 11.

How to Check if a Process Is Running With Admin Rights on Windows 11 Systems

You can check if a process is running with admin rights on Windows 11 using the Task Manager. Learn how to in detail with this tutorial.

wccftech.com

Dch48 · Feb 19, 2022

hdmi said:
Yes it does (at least if we can assume that the OS language is English─on my Dutch version of Windows 11 it is called Verhoogd). Here's another tutorial to show how it looks like on Windows 11.

How to Check if a Process Is Running With Admin Rights on Windows 11 Systems

You can check if a process is running with admin rights on Windows 11 using the Task Manager. Learn how to in detail with this tutorial.

wccftech.com

Okay, I found it now. It says Device Manager is running elevated without me doing anything but opening it.

hdmi · Feb 20, 2022

Dch48 said:
Okay, I found it now. It says Device Manager is running elevated without me doing anything but opening it.

Same here. That's normal when you're logged in as an administrator, as the process inherits privileges from the user account used to invoke the process creation.

The idea was that an UAC prompt would not be necessary for an administrator to start Device Manager, as driver signing enforcement is enabled by default. But not too long ago a security flaw was discovered allowing a standard user to use that as an exploit to gain access to a command prompt that has elevated status, simply by plugging in a Razer mouse. It is one of those reasons why some companies keep all USB ports disabled, as they already knew it beforehand that something like this was going to be only a matter of time before it happened. A similar thing has happened with all bluetooth devices, as it was discovered that the bluetooth standard as a whole is not secure, inherently, due to the specification that the standard is built on.

As for 'disruptive' changes, you can't disrupt security, when security is not there.

torchwood · Feb 20, 2022

looks like your Boss has given you a nice bone to chew
your best bet allthough not perfect and will likely require you to `bargain with them.
You will need to set various Templates via Secpol, and i do not believe this has changed in W11
Change User Rights Assignment Security Policy Settings in Windows 10

radsdau · Feb 20, 2022

torchwood said:
looks like your Boss has given you a nice bone to chew
your best bet allthough not perfect and will likely require you to `bargain with them.

Non negotiable. Requirements of dealing with government contractors.

radsdau · Feb 20, 2022

Helpful info from this page:
"The recommended and more secure method of running Windows 10 or Windows 11 is to make your primary user account a standard user account. Running as a standard user helps to maximize security for a managed environment. With the built-in UAC elevation component, standard users can easily perform an administrative task by entering valid credentials for a local administrator account. The default, built-in UAC elevation component for standard users is the credential prompt.
The alternative to running as a standard user is to run as an administrator in Admin Approval Mode. With the built-in UAC elevation component, members of the local Administrators group can easily perform an administrative task by providing approval.
... The credential prompt is presented when a standard user attempts to perform a task that requires a user's administrative access token. Administrators can also be required to provide their credentials by setting the User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode policy setting value to Prompt for credentials."

My experience suggests that if UAC is not set high enough, then a standard user cannot perform Admin tasks because the Credential Prompt doesn't get displayed, at least in Win10. Perhaps this detailed slipped under the radar in my Win11 testing, which to date has been limited.

radsdau · Feb 21, 2022

I made a fresh Win11 install yesterday (upgrade from Win10), all updates, etc.
The feature described above does not work for me.

I have UAC set to Highest
Local account is a 'Standard' user
Built-in Administrator user is enabled with PW

I did precisely the same action on the same machine in Win10 before upgrading, and it worked fine. To recap: Win+x, hold Ctrl+Shift, click Device Manager. UAC credentials window pops up, Device Manager opens with Admin access.

Upgrade to Win11, did same thing: Win+x, hold Ctrl+Shift, click Device Manager. I get "You are logged on as a standard user. You can view device settings in Device Manager, but you must be logged on as an administrator to make changes.". This is the same message you get in Win10 when you don't hold Ctrl+Shift.

I'm not making this up. It's been changed, and I haven't found anyone yet who can describe why. And I don't understand why some users report that it does work for them.

And it's a damned nuisance.