This tutorial will show you how to enable or disable Administrator Protection for admin approval mode elevations in Windows 11.
Starting with Windows 11 build 27718.1000 (Canary), you can now enable Administrator Protection to use for Admin Approval Mode (aka: elevated rights) instead of User Account Control (UAC).
Administrator Protection is an upcoming platform security feature in Windows 11, which aims to protect free floating admin rights for administrator users allowing them to still perform all admin functions with just-in-time admin privileges. This feature is off by default and needs to be enabled via group policy. Microsoft plans to share more details about this feature at Microsoft Ignite.
Admin Approval Mode runs in legacy mode by default, and uses User Account Control (UAC) for elevation approval.
If you enable Administrator Protection, Admin Approval Mode uses Windows Security for a more secure elevation approval instead of User Account Control (UAC).
You must be signed in as an administrator to enable or disable Administrator Protection.
Contents
- Option One: Enable or Disable Administrator Protection for Admin Approval Mode in Local Security Policy
- Option Two: Enable or Disable Administrator Protection for Admin Approval Mode using REG file
EXAMPLE: Administrator Protection enabled (Windows Security) and disabled (UAC)
Enable or Disable Administrator Protection for Admin Approval Mode in Local Security Policy
Local Security Policy is only available in the Windows 11 Pro, Enterprise, and Education editions.
All editions can use Option Two to change the same policy.
1 Open Local Security Policy (secpol.msc).
2 Perform the following actions: (see screenshot below)
- Expand open the Local Policies folder in the left pane.
- Click/tap on the Security Options subfolder in the left pane.
- Double click/tap on the User Account Control: Configure type of Admin Approval Mode policy in the right pane.
3 In the Local Security Setting tab, select Legacy Admin Approval Mode (Default) (disable) or Admin Approval Mode with Administrator protection (enable) for what you want in the drop menu, and click/tap on OK. (see screenshot below)
4 Restart the computer to apply.
1 Do step 2 (enable) or step 3 (disable) below for what you would like to do.
2 Enable Administrator Protection for Admin Approval Mode
A) Click/tap on the Download button below to download the file below, and go to step 4 below.
Enable_Administrator_Protection_for_Admin_Approval_Mode.reg
(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"TypeOfAdminApprovalMode"=dword:00000002
3 Disable Administrator Protection for Admin Approval Mode
This is the default setting.
A) Click/tap on the Download button below to download the file below, and go to step 4 below.
Disable_Administrator_Protection_for_Admin_Approval_Mode.reg
(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"TypeOfAdminApprovalMode"=dword:00000001
4 Save the .reg file to your desktop.
5 Double click/tap on the downloaded .reg file to merge it.
6 When prompted, click/tap on Run, Yes (UAC), Yes, and OK to approve the merge.
7 Restart the computer to apply.
8 You can now delete the downloaded .reg file if you like.
That's it,
Shawn Brink
Attachments
Last edited: