This tutorial will show you how to enable or disable Administrator Protection for admin approval mode elevations in Windows 11.
Starting with Windows 11 build 26220.7961 (Beta 25H2) and build 26300.7965 (Dev 25H2), Administrator protection is being gradually re-enabled and aims to protect free floating admin rights for administrator users, allowing them to still perform all admin functions with just-in-time admin privileges. This feature is OFF by default and can be enabled via OMA-URI in Intune or via group policy.
Starting with Windows 11 build 26220.8138 (Beta 25H2) and build 26300.8142 (Dev 25H2), after resuming the rollout of Administrator Protection as enabled by IT admins, we are also now rolling out the ability to enable Administrator Protection in Settings under Privacy & security > Windows Security > Account protection and switching the toggle to on. A restart will be required.
You can enable Administrator Protection so that Admin Approval Mode (aka: elevated rights) uses it instead of User Account Control (UAC).
Administrator Protection is an upcoming platform security feature in Windows 11, which aims to protect free floating admin rights for administrator users allowing them to still perform all admin functions with just-in-time admin privileges. This feature is off by default and needs to be enabled via group policy. Microsoft plans to share more details about this feature at Microsoft Ignite.
Administrator protection requires that a user verify their identity with Windows Hello integrated authentication before allowing any action that requires administrator privileges. These actions include installing software, changing system settings like the time or the registry, and accessing sensitive data. Administrator protection minimizes the risk of the user making a system-level change by mistake, and, more importantly, helps prevent malware from making silent changes to the system without the user knowing.
At its core, Administrator protection operates on the principle of least privilege. The user is issued the deprivileged user token when they sign in to Windows. However, when admin privileges are needed, Windows will request that the user authorize the operation. Once the operation is authorized, Windows uses a hidden, system-generated, profile-separated user account to create an isolated admin token. This token is issued to the requesting process and is destroyed once the process ends. This ensures that admin privileges do not persist. The whole process is repeated when the user tries to perform another task that requires admin privileges.
Administrator protection introduces a new security boundary with our support to fix any reported security bugs. It should not be confused with User Account Control (UAC), which is more of a defense-in-depth feature. The architectural changes mentioned above help ensure that any access to or tampering with the code or data of an elevated session cannot be done without authorization.
Benefits of Administrator protection:
- Enhanced security: By requiring explicit authorization for every administrative task, Administrator protection protects Windows from accidental changes by users and changes by malware. It helps ensure that users are aware of potentially harmful actions before they occur, which provides an additional layer of defense against cyber threats.
- The user is always in control: Administrator protection allows users to manage admin rights, granting or restricting access granularly to individual apps. This helps ensure that only authorized apps can make system changes, reducing the risk of accidental or malicious modifications.
- Malware reduction: Malicious software often relies on admin privileges to change device settings and execute harmful actions. Administrator protection breaks the attack kill chain since malware will no longer be able to silently acquire admin privileges.
If you enable Administrator Protection, Admin Approval Mode uses Windows Security for a more secure elevation approval instead of User Account Control (UAC). A C:\Users\ADMIN_<OriginalAdminProfileFolderName> profile folder (ex: "ADMIN_Brink") will be created by the system to use for Administrator Protection.
References:
- Administrator protection on Windows 11 | Microsoft Community Hub
- Evolving the Windows User Model – A Look to the Past | Microsoft Community Hub
- Evolving the Windows User Model – Introducing Administrator Protection | Microsoft Community Hub
- Enhance your application security with administrator protection
You must be signed in as an administrator to enable or disable Administrator Protection.
If you don't have the Administrator Protection feature available yet in the builds above and would like to try it now, then you can enable it using the ViVeTool command below.
vivetool.exe /enable /id:60288851
Enable or Disable Hidden Feature Flags in Windows 11
Contents
- Option One: Enable or Disable Administrator Protection for Admin Approval Mode in Windows Security
- Option Two: Enable or Disable Administrator Protection for Admin Approval Mode in Local Security Policy
- Option Three: Enable or Disable Administrator Protection for Admin Approval Mode using REG file
EXAMPLE: Administrator Protection enabled (Windows Security) and disabled (UAC)
Option One: Enable or Disable Administrator Protection for Admin Approval Mode in Windows Security
1 Open Windows Security, and click/tap on Account protection.
2 Click/tap on the Administrator protection settings link under Administrator protection.
3 Turn on or off (default) Administrator protection for what you want.
4 Restart the computer to apply.
Option Two: Enable or Disable Administrator Protection for Admin Approval Mode in Local Security Policy
Local Security Policy is only available in the Windows 11 Pro, Enterprise, and Education editions.
All editions can use Option One or Option Three to change the same policy.
1 Open Local Security Policy (secpol.msc).
2 Perform the following actions:
- Expand open the Local Policies folder in the left pane.
- Click/tap on the Security Options subfolder in the left pane.
- Double click/tap on the User Account Control: Configure type of Admin Approval Mode policy in the right pane.
3 In the Local Security Setting tab, select Legacy Admin Approval Mode (Default) (disable) or Admin Approval Mode with Administrator protection (enable) for what you want in the drop-down menu, and click/tap on OK.
Option Three: Enable or Disable Administrator Protection for Admin Approval Mode using REG file
1 Do step 2 (enable) or step 3 (disable) below for what you would like to do.
2 Enable Administrator Protection for Admin Approval Mode
A) Click/tap on the Download button below to download the file below, and go to step 4 below.
Enable_Administrator_Protection_for_Admin_Approval_Mode.reg
Download
(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"TypeOfAdminApprovalMode"=dword:00000002
3 Disable Administrator Protection for Admin Approval Mode
This is the default setting.
A) Click/tap on the Download button below to download the file below, and go to step 4 below.
Disable_Administrator_Protection_for_Admin_Approval_Mode.reg
Download
(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"TypeOfAdminApprovalMode"=dword:00000001
4 Save the .reg file to your desktop.
5 If you have Smart App Control turned on, you will need to unblock the downloaded REG file.
6 Double click/tap on the downloaded .reg file to merge it.
7 When prompted, click/tap on Run, Yes (UAC), Yes, and OK to approve the merge.
8 Restart the computer to apply.
9 You can now delete the downloaded .reg file if you like.
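To confirm which mode is configured after using any of the three options, the policy value can be read back without changing anything. The PowerShell below is an added example and not part of the original tutorial; the function name Get-AdminProtectionState is hypothetical, the registry path, value name and data come from the REG files above, and it assumes the ADMIN_ profile folder sits under C:\Users as described earlier.

```powershell
# Added example (not from the original tutorial): read-only check of the
# Administrator Protection policy. The function name is hypothetical.
function Get-AdminProtectionState {
    [CmdletBinding()]
    param(
        # Key and value name as used by the REG files in Option Three.
        [string]$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
        [string]$ValueName = 'TypeOfAdminApprovalMode',
        # Assumed location of the system-created ADMIN_<name> profile folder.
        [string]$UsersRoot = 'C:\Users'
    )

    # Read the DWORD; a missing value leaves $raw as $null (policy never set).
    $raw  = $null
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -ne $item) { $raw = $item.$ValueName }

    # Map the data to the names shown in Local Security Policy (Option Two).
    if     ($null -eq $raw) { $mode = 'Not set: Legacy Admin Approval Mode (Default)' }
    elseif ($raw -eq 1)     { $mode = 'Legacy Admin Approval Mode (Default)' }
    elseif ($raw -eq 2)     { $mode = 'Admin Approval Mode with Administrator protection' }
    else                    { $mode = "Unrecognized data: $raw" }

    # List any ADMIN_* profile folders; -Force includes hidden directories.
    $folders = @(Get-ChildItem -Path $UsersRoot -Directory -Filter 'ADMIN_*' -Force -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Name)

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        PolicyData          = $raw
        ConfiguredMode      = $mode
        ProtectionEnabled   = ($raw -eq 2)
        AdminProfileFolders = $folders
    }
}

# The registry shows the configured policy; a changed setting only takes
# effect after the restart the tutorial calls for.
Get-AdminProtectionState | Format-List
```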
That's it,
Shawn Brink