Accounts Enable or Disable Administrator Protection for Admin Approval Mode in Windows 11

This tutorial will show you how to enable or disable Administrator Protection for admin approval mode elevations in Windows 11.

Starting with Windows 11 build 27718.1000 (Canary), you can now enable Administrator Protection to use for Admin Approval Mode (aka: elevated rights) instead of User Account Control (UAC).

Administrator Protection is an upcoming platform security feature in Windows 11, which aims to protect free floating admin rights for administrator users allowing them to still perform all admin functions with just-in-time admin privileges. This feature is off by default and needs to be enabled via group policy. Microsoft plans to share more details about this feature at Microsoft Ignite.

Administrator protection requires that a user verify their identity with Windows Hello integrated authentication before allowing any action that requires administrator privileges. These actions include installing software, changing system settings like the time or the registry, and accessing sensitive data. Administrator protection minimizes the risk of the user making a system-level change by mistake, and, more importantly, helps prevent malware from making silent changes to the system without the user knowing.

At its core, Administrator protection operates on the principle of least privilege. The user is issued the deprivileged user token when they sign in to Windows. However, when admin privileges are needed, Windows will request that the user authorize the operation. Once the operation is authorized, Windows uses a hidden, system-generated, profile-separated user account to create an isolated admin token. This token is issued to the requesting process and is destroyed once the process ends. This ensures that admin privileges do not persist. The whole process is repeated when the user tries to perform another task that requires admin privileges.

Administrator protection introduces a new security boundary with our support to fix any reported security bugs. It should not be confused with User Account Control (UAC), which is more of a defense-in-depth feature. The architectural changes mentioned above help ensure that any access to or tampering with the code or data of elevated session cannot be done without authorization.

Benefits of Administrator protection:

• Enhanced security: By requiring explicit authorization for every administrative task, Administrator protection protects Windows from accidental changes by users and changes by malware. It helps ensure that users are aware of potentially harmful actions before they occur, which provides an additional layer of defense against cyber threats.
• The user is always in control: Administrator protection allows users to manage admin rights, granting or restricting access granularly to individual apps. This helps ensure that only authorized apps can make system changes, reducing the risk of accidental or malicious modifications.
• Malware reduction: Malicious software often relies on admin privileges to change device settings and execute harmful actions. Administrator protection breaks the attack kill chain since malware will no longer be able to silently acquire admin privileges.

Admin Approval Mode runs in legacy mode by default, and uses User Account Control (UAC) for elevation approval.

If you enable Administrator Protection, Admin Approval Mode uses Windows Security for a more secure elevation approval instead of User Account Control (UAC).

Starting with Windows 11 build 27774.1000 (Canary), Administrator protection can now be enabled from Windows Security settings under the Account Protection tab. This allows users to enable this feature without requiring help from IT admins. It also allows Windows home users to enable Administrator protection via Windows Security settings. Changing this setting requires a Windows reboot. With administrator protection enabled, the prompt requesting the user’s authorization for elevating untrusted and unsigned applications now comes with expanded color-coded regions which will now extend down over the app description.

References:

You must be signed in as an administrator to enable or disable Administrator Protection.

EXAMPLE: Administrator Protection enabled (Windows Security) and disabled (UAC)







1 Open Windows Security, and click/tap on Account protection. (see screenshot below)


2 Click/tap on the Administrator protection settings link under Administrator protection. (see screenshot below)


3 Turn on or off (default) Administrator protection for what you want. (see screenshot below)


4 Restart the computer to apply. (see screenshot below)

Local Security Policy is only available in the Windows 11 Pro, Enterprise, and Education editions.

All editions can use Option One or Option Three to change the same policy.

1 Open Local Security Policy (secpol.msc).

2 Perform the following actions: (see screenshot below)

1. Expand open the Local Policies folder in the left pane.
2. Click/tap on the Security Options subfolder in the left pane.
3. Double click/tap on the User Account Control: Configure type of Admin Approval Mode policy in the right pane.

3 In the Local Security Setting tab, select Legacy Admin Approval Mode (Default) (disable) or Admin Approval Mode with Administrator protection (enable) for what you want in the drop menu, and click/tap on OK. (see screenshot below)








1 Do step 2 (enable) or step 3 (disable) below for what you would like to do.





(Contents of REG file for reference)

This is the default setting.

(Contents of REG file for reference)

4 Save the .reg file to your desktop.

5 Double click/tap on the downloaded .reg file to merge it.

6 When prompted, click/tap on Run, Yes (UAC), Yes, and OK to approve the merge.

7 Restart the computer to apply.

8 You can now delete the downloaded .reg file if you like.


That's it,
Shawn Brink