Accounts Enable or Disable Administrator Protection for Admin Approval Mode in Windows 11


  • Staff
Administrator_Protection_banner.png

This tutorial will show you how to enable or disable Administrator Protection for admin approval mode elevations in Windows 11.

Starting with Windows 11 build 27718.1000 (Canary), you can now enable Administrator Protection to use for Admin Approval Mode (aka: elevated rights) instead of User Account Control (UAC).

Administrator Protection is an upcoming platform security feature in Windows 11, which aims to protect free floating admin rights for administrator users allowing them to still perform all admin functions with just-in-time admin privileges. This feature is off by default and needs to be enabled via group policy. Microsoft plans to share more details about this feature at Microsoft Ignite.

Admin Approval Mode runs in legacy mode by default, and uses User Account Control (UAC) for elevation approval.

If you enable Administrator Protection, Admin Approval Mode uses Windows Security for a more secure elevation approval instead of User Account Control (UAC).

You must be signed in as an administrator to enable or disable Administrator Protection.



Contents

  • Option One: Enable or Disable Administrator Protection for Admin Approval Mode in Local Security Policy
  • Option Two: Enable or Disable Administrator Protection for Admin Approval Mode using REG file


EXAMPLE: Administrator Protection enabled (Windows Security) and disabled (UAC)

UAC.png
Administrator_Protection_with_Windows_Security-1.png
Administrator_Protection_with_Windows_Security-2.png





Option One

Enable or Disable Administrator Protection for Admin Approval Mode in Local Security Policy


Local Security Policy is only available in the Windows 11 Pro, Enterprise, and Education editions.

All editions can use Option Two to change the same policy.


1 Open Local Security Policy (secpol.msc).

2 Perform the following actions: (see screenshot below)
  1. Expand open the Local Policies folder in the left pane.
  2. Click/tap on the Security Options subfolder in the left pane.
  3. Double click/tap on the User Account Control: Configure type of Admin Approval Mode policy in the right pane.
Administrator_Protection_secpol-1.png

3 In the Local Security Setting tab, select Legacy Admin Approval Mode (Default) (disable) or Admin Approval Mode with Administrator protection (enable) for what you want in the drop menu, and click/tap on OK. (see screenshot below)

Administrator_Protection_secpol-2.png

4 Restart the computer to apply.




Option Two

Enable or Disable Administrator Protection for Admin Approval Mode using REG file


1 Do step 2 (enable) or step 3 (disable) below for what you would like to do.

2 Enable Administrator Protection for Admin Approval Mode

A) Click/tap on the Download button below to download the file below, and go to step 4 below.​

Enable_Administrator_Protection_for_Admin_Approval_Mode.reg


(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"TypeOfAdminApprovalMode"=dword:00000002

3 Disable Administrator Protection for Admin Approval Mode

This is the default setting.


A) Click/tap on the Download button below to download the file below, and go to step 4 below.​

Disable_Administrator_Protection_for_Admin_Approval_Mode.reg


(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"TypeOfAdminApprovalMode"=dword:00000001

4 Save the .reg file to your desktop.

5 Double click/tap on the downloaded .reg file to merge it.

6 When prompted, click/tap on Run, Yes (UAC), Yes, and OK to approve the merge.

7 Restart the computer to apply.

8 You can now delete the downloaded .reg file if you like.


That's it,
Shawn Brink


 

Attachments

  • Disable_Administrator_Protection_for_Admin_Approval_Mode.reg
    656 bytes · Views: 157
  • Enable_Administrator_Protection_for_Admin_Approval_Mode.reg
    656 bytes · Views: 199
Last edited:

My Computer

System One

  • OS
    Win 11 Pro 23H2 (OS Build 22631.4391)
    Computer type
    PC/Desktop
    Manufacturer/Model
    I have six computers. Five are HP and one is home built.
    Internet Speed
    800MB/sec up & down
    Browser
    Chrome
    Antivirus
    Malwarebytes
Once I enabled admin protection and rebooted, I can't log in anymore:

The resource loader cache doesn’t have loaded MUI entry​

Any suggestions as how to fix this? I get it on log in with an Entra user into a virtual machine.
 

My Computer

System One

  • OS
    Windows 11
    Computer type
    Laptop
    Manufacturer/Model
    HP
Once I enabled admin protection and rebooted, I can't log in anymore:

The resource loader cache doesn’t have loaded MUI entry​

Any suggestions as how to fix this? I get it on log in with an Entra user.
Hello Peter, and welcome. :alien:

You could try using option five in the tutorial below to enable the built-in "Administrator" account at boot. Afterwards, sign in to this "Administrator" account to disable the "User Account Control: Configure type of Admin Approval Mode" policy.

 

My Computers

System One System Two

  • OS
    Windows 11 Pro for Workstations
    Computer type
    PC/Desktop
    Manufacturer/Model
    Custom self build
    CPU
    Intel i7-8700K 5 GHz
    Motherboard
    ASUS ROG Maximus XI Formula Z390
    Memory
    64 GB (4x16GB) G.SKILL TridentZ RGB DDR4 3600 MHz (F4-3600C18D-32GTZR)
    Graphics Card(s)
    ASUS ROG-STRIX-GTX1080TI-O11G-GAMING (11GB GDDR5X)
    Sound Card
    Integrated Digital Audio (S/PDIF)
    Monitor(s) Displays
    2 x Samsung Odyssey G75 27"
    Screen Resolution
    2560x1440
    Hard Drives
    1TB Samsung 990 PRO M.2,
    4TB Samsung 990 PRO M.2,
    8TB WD MyCloudEX2Ultra NAS
    PSU
    Seasonic Prime Titanium 850W
    Case
    Thermaltake Core P3 wall mounted
    Cooling
    Corsair Hydro H115i
    Keyboard
    Logitech wireless K800
    Mouse
    Logitech MX Master 3
    Internet Speed
    1 Gbps Download and 35 Mbps Upload
    Browser
    Google Chrome
    Antivirus
    Microsoft Defender and Malwarebytes Premium
    Other Info
    Logitech Z625 speaker system,
    Logitech BRIO 4K Pro webcam,
    HP Color LaserJet Pro MFP M477fdn,
    APC SMART-UPS RT 1000 XL - SURT1000XLI,
    Galaxy S23 Plus phone
  • Operating System
    Windows 11 Pro
    Computer type
    Laptop
    Manufacturer/Model
    Surface Laptop 7 Copilot+ PC
    CPU
    Snapdragon X Elite (12 core) 3.42 GHz
    Memory
    16 GB LPDDR5x-7467 MHz
    Monitor(s) Displays
    15" HDR
    Screen Resolution
    2496 x 1664
    Hard Drives
    1 TB SSD
    Internet Speed
    Wi-Fi 7 and Bluetooth 5.4
    Browser
    Chrome and Edge
    Antivirus
    Windows Defender
Thanks for your quick reply. I already have a local Administrator account. When I try to log in with that after enabling admin protection, I get:
The parameter is incorrect
 

My Computer

System One

  • OS
    Windows 11
    Computer type
    Laptop
    Manufacturer/Model
    HP
Thanks for your quick reply. I already have a local Administrator account. When I try to log in with that after enabling admin protection, I get:
The parameter is incorrect
You might go ahead and try the built-in admin account to see if it may let you since it's an elevated account.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro for Workstations
    Computer type
    PC/Desktop
    Manufacturer/Model
    Custom self build
    CPU
    Intel i7-8700K 5 GHz
    Motherboard
    ASUS ROG Maximus XI Formula Z390
    Memory
    64 GB (4x16GB) G.SKILL TridentZ RGB DDR4 3600 MHz (F4-3600C18D-32GTZR)
    Graphics Card(s)
    ASUS ROG-STRIX-GTX1080TI-O11G-GAMING (11GB GDDR5X)
    Sound Card
    Integrated Digital Audio (S/PDIF)
    Monitor(s) Displays
    2 x Samsung Odyssey G75 27"
    Screen Resolution
    2560x1440
    Hard Drives
    1TB Samsung 990 PRO M.2,
    4TB Samsung 990 PRO M.2,
    8TB WD MyCloudEX2Ultra NAS
    PSU
    Seasonic Prime Titanium 850W
    Case
    Thermaltake Core P3 wall mounted
    Cooling
    Corsair Hydro H115i
    Keyboard
    Logitech wireless K800
    Mouse
    Logitech MX Master 3
    Internet Speed
    1 Gbps Download and 35 Mbps Upload
    Browser
    Google Chrome
    Antivirus
    Microsoft Defender and Malwarebytes Premium
    Other Info
    Logitech Z625 speaker system,
    Logitech BRIO 4K Pro webcam,
    HP Color LaserJet Pro MFP M477fdn,
    APC SMART-UPS RT 1000 XL - SURT1000XLI,
    Galaxy S23 Plus phone
  • Operating System
    Windows 11 Pro
    Computer type
    Laptop
    Manufacturer/Model
    Surface Laptop 7 Copilot+ PC
    CPU
    Snapdragon X Elite (12 core) 3.42 GHz
    Memory
    16 GB LPDDR5x-7467 MHz
    Monitor(s) Displays
    15" HDR
    Screen Resolution
    2496 x 1664
    Hard Drives
    1 TB SSD
    Internet Speed
    Wi-Fi 7 and Bluetooth 5.4
    Browser
    Chrome and Edge
    Antivirus
    Windows Defender
Sorry, I should have been clearer. I was referring to the built-in admin account that gives me the "The parameter is incorrect" message. It's no big deal really as I can easily go back to a snapshot without the protection enabled but I wanted to see how this admin protection works. I wonder why enabling it messes up my image though.
 

My Computer

System One

  • OS
    Windows 11
    Computer type
    Laptop
    Manufacturer/Model
    HP
Sorry, I should have been clearer. I was referring to the built-in admin account that gives me the "The parameter is incorrect" message. It's no big deal really as I can easily go back to a snapshot without the protection enabled but I wanted to see how this admin protection works. I wonder why enabling it messes up my image though.
Normally, it shouldn't affect sign-in.

Administrator Protection is basically just a more secure replacement of UAC.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro for Workstations
    Computer type
    PC/Desktop
    Manufacturer/Model
    Custom self build
    CPU
    Intel i7-8700K 5 GHz
    Motherboard
    ASUS ROG Maximus XI Formula Z390
    Memory
    64 GB (4x16GB) G.SKILL TridentZ RGB DDR4 3600 MHz (F4-3600C18D-32GTZR)
    Graphics Card(s)
    ASUS ROG-STRIX-GTX1080TI-O11G-GAMING (11GB GDDR5X)
    Sound Card
    Integrated Digital Audio (S/PDIF)
    Monitor(s) Displays
    2 x Samsung Odyssey G75 27"
    Screen Resolution
    2560x1440
    Hard Drives
    1TB Samsung 990 PRO M.2,
    4TB Samsung 990 PRO M.2,
    8TB WD MyCloudEX2Ultra NAS
    PSU
    Seasonic Prime Titanium 850W
    Case
    Thermaltake Core P3 wall mounted
    Cooling
    Corsair Hydro H115i
    Keyboard
    Logitech wireless K800
    Mouse
    Logitech MX Master 3
    Internet Speed
    1 Gbps Download and 35 Mbps Upload
    Browser
    Google Chrome
    Antivirus
    Microsoft Defender and Malwarebytes Premium
    Other Info
    Logitech Z625 speaker system,
    Logitech BRIO 4K Pro webcam,
    HP Color LaserJet Pro MFP M477fdn,
    APC SMART-UPS RT 1000 XL - SURT1000XLI,
    Galaxy S23 Plus phone
  • Operating System
    Windows 11 Pro
    Computer type
    Laptop
    Manufacturer/Model
    Surface Laptop 7 Copilot+ PC
    CPU
    Snapdragon X Elite (12 core) 3.42 GHz
    Memory
    16 GB LPDDR5x-7467 MHz
    Monitor(s) Displays
    15" HDR
    Screen Resolution
    2496 x 1664
    Hard Drives
    1 TB SSD
    Internet Speed
    Wi-Fi 7 and Bluetooth 5.4
    Browser
    Chrome and Edge
    Antivirus
    Windows Defender
As a local standard user (non-admin) I can still log in. Never mind, I'll wait for a new build and then try again,
 

My Computer

System One

  • OS
    Windows 11
    Computer type
    Laptop
    Manufacturer/Model
    HP

Latest Support Threads

Back
Top Bottom