Say Hello to Windows 11 Administrator Protection: A More Secure UAC

We all know admin rights are essential, but they’re also one of the biggest security risks. With Windows 11 introducing Administrator Protection in Canary Build 27718, we now have a smarter way to manage elevated privileges.

The latest Windows Insider Canary build notes mention Administrator Protection

Instead of permanent admin accounts with too many privileges that hang around long after they’re needed, this new approach uses a System Managed Admin Account, AKA Super Admin account, that dynamically handles privileges only when they’re needed.

What Makes This Administrator Protection a Game-Changer?

Traditionally, when a user is given admin rights on a Windows device, whether it’s a local account or a Microsoft account, those privileges are always active, making the device an attractive target for attackers. If the account is compromised, attackers can immediately use those rights to install malware or gain even more control over the system.

Legacy UAC

That’s where the good old User Account Control (UAC) tries to add some protection. When a user with admin privileges signs in, UAC creates a “split token” for the session. This split token divides the user’s identity into two separate parts: a standard user token and an admin token.

A simple overview of how the UAC split token works

By default, the user operates under the standard token, think of it as being in “Clark Kent” mode. While the admin rights exist in the second token, they stay inactive until an action requiring admin rights is performed.

To activate the admin privileges (switch to “Superman” mode), the user must do something that needs higher permissions, like running a program as an administrator. This triggers a UAC prompt, asking the user to confirm if they want to use their full admin rights. Until the user says yes, those admin powers remain turned off, minimizing the risk if an attacker only gains access to the standard token.

Admin Approval Mode with Administrator Protection

But even with UAC’s split token system, attackers can still find ways to bypass it or manipulate the UAC prompt. This is where Administrator Protection changes the game. When enabled, instead of using the regular admin account for elevated actions, Administrator Protection creates a separate, hidden system managed admin account linked to the user but with one major twist: this hidden account only activates when elevated rights are needed.

This means its privileges are inactive until a secure request is made. Once the task is complete, the privileges are locked away again, making it nearly impossible for malicious actors to take advantage of these temporary admin rights. By isolating these admin actions into a separate profile, Administrator Protection provides an extra layer of security, ensuring that even if an attacker gains access to the regular admin account, they can’t misuse the hidden admin privileges.

How Do You Enable It?

Setting It Up with Group Policy:

  1. Open Group Policy Management Console.
  2. Go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options.
  3. Find the option User Account Control: Configure Type of Admin Approval Mode and set it to Admin Approval Mode With Administrator Protection.
Configuring Admin Approval Mode with Administrator Protection via a GPO setting

Deploying with Intune:

  1. Create a Device Configuration Profile.
  2. Choose Windows 10 and later as the platform.
  3. In the Settings Catalog, search for and configure:
     User Account Control Type of Admin Approval Mode: "Admin Approval Mode with Administrator Protection"
     User Account Control Behavior Of The Elevation Prompt: "Prompt for consent on the secure desktop"
Configuring Administrator Protection with an Intune Settings Catalog profile, defining the User Account Control type of Admin Approval Mode

What Does Administrator Protection Look Like in Action?

When Administrator Protection is turned on, and you try to run something as a local administrator, you’ll notice a change. Instead of seeing the usual User Account Control (UAC) screen, you’ll be greeted by the Windows Security prompt.

When elevating a process with Administrator Protection enabled, you will notice a new Windows Security prompt instead of the legacy UAC prompt

With this visual change, it’s easy to see at a glance when Administrator Protection is active and handling your elevation requests, making security much more transparent and easier to manage for admins and users alike!

This new prompt signals that Windows is using the System Managed Admin Account to process elevation requests, providing an extra layer of security. It not only enhances the protection for admin tasks but also makes it clear when isolated admin rights are being used, setting it apart from standard UAC prompts.

But how does this magic work?

How Does Administrator Protection Really Work?

When you enable *Administrator Protection, Windows automatically creates a System Managed Admin Account for any user accounts with local admin rights (except for your Windows LAPS account). This system-managed administrator account remains hidden and inactive until it’s specifically needed. Instead of simply elevating the privileges of the logged-in user, Windows now switches to this separate, isolated admin account to perform the requested action.

Inside the Security log we will notice that a new process is being created that runs under the system-managed account, with TokenElevationType TokenElevationTypeFull (2)

This change ensures that no admin privileges are directly tied to the user’s account, reducing the risk of misuse or exploitation. You can see a detailed breakdown of how this flow works in the illustration below, showing how Windows securely handles elevation requests through this system-managed account rather than the standard UAC process.

*Requirement: Windows Canary Build 27718

Administrator Protection technical overview

After the elevated task is done, the session ends, and the privileges are immediately revoked. This approach is like turning on a spotlight for a second, just enough to illuminate the task at hand, before plunging everything back into darkness.

Breaking Down the Benefits

  1. Reduces Risk of Privilege Escalation: With the new system-managed account, admin tokens are no longer lingering around for the entire session. Instead, they’re granted just-in-time and only for the exact duration needed, making it much harder for attackers to exploit them.
  2. Minimizes Attack Surface: Attackers can’t target what doesn’t exist. By limiting the active lifespan of these admin privileges, the system minimizes opportunities for malicious actors to gain a foothold.
  3. Stronger Compliance: Enforcing a least privilege model is difficult when admin rights are always active. With Administrator Protection, elevated permissions are only active when required, ensuring you can confidently follow a true “need-to-use” basis for admin access.

What’s the Impact on Your Environment?

Think of the typical user who has been given admin rights for maintenance tasks or local troubleshooting. With Administrator Protection enabled, they can still perform these tasks, but when they do elevate a process, the process will be executed in the additional system managed account.

When looking at the elevated cmd, we will notice that this process runs in a separate user account

Even if malware tries to hijack the session, it won’t be able to use those elevated privileges, because the System Managed Admin Account only activates in a controlled manner. This not only helps in stopping lateral movement but also significantly cuts down the chance of privilege escalation attacks.

The Bottom Line: A Safer, Smarter Way to Handle Admin Rights

The introduction of Administrator Protection is part of a larger trend of moving away from static and always-on permissions to more dynamic, session-based management of privileges. It’s a major shift that aligns with modern security practices like Zero Trust, where you never trust a device or user blindly.

If you want to know more about how this feature operates behind the scenes, including technical details on session isolation and privilege management within some funny-looking DLL files, check out the detailed technical analysis in this blog post here.

Conclusion

While Administrator Protection in Windows 11 minimizes the risks associated with local admin rights, keeping your software updated and compliant is just as vital.

Personally, I am happy with it the way it is.


My Computers

System One System Two

  • OS
    Windows Pro 23H2 Build 22631.4249
    Computer type
    PC/Desktop
    Manufacturer/Model
    Sin-built
    CPU
    Intel(R) Core(TM) i7-4770K CPU @ 3.50GHz (4th Gen?)
    Motherboard
    ASUS ROG Maximus VI Formula
    Memory
    32.0 GB of I forget and the box is in storage.
    Graphics Card(s)
    Gigabyte nVidia GeForce GTX 1660 Super OC 6GB
    Sound Card
    Onboard
    Monitor(s) Displays
    4 x LG 23MP75 - 2 x 24MK430H-B - 1 x Wacom Pro 22" Tablet
    Screen Resolution
    All over the place
    Hard Drives
    Too many to list.
    OS on Samsung 1TB 870 QVO SATA
    PSU
    Silverstone 1500
    Case
    NZXT Phantom 820 Full-Tower Case
    Cooling
    Noctua NH-D15 Elite Class Dual Tower CPU Cooler / 6 x EziDIY 120mm / 2 x Corsair 140mm somethings / 1 x 140mm Thermaltake something / 2 x 200mm Corsair.
    Keyboard
    Corsair K95 / Logitech diNovo Edge Wireless
    Mouse
    Logitech G402 / G502 / Mx Masters / MX Air Cordless
    Internet Speed
    100/40Mbps
    Browser
    All sorts
    Antivirus
    Kaspersky Premium
    Other Info
    I’m on a horse.
  • Operating System
    Windows 11 Pro 23H2 Build: 22631.4249
    Computer type
    Laptop
    Manufacturer/Model
    LENOVO Yoga 7i EVO OLED 14" Touchscreen i5 12 Core 16GB/512GB
    CPU
    Intel Core 12th Gen i5-1240P Processor (1.7 - 4.4GHz)
    Memory
    16GB LPDDR5 RAM
    Graphics card(s)
    Intel Iris Xe Graphics Processor
    Sound Card
    Optimized with Dolby Atmos®
    Screen Resolution
    QHD 2880 x 1800 OLED
    Hard Drives
    M.2 512GB
    Other Info
    …still on a horse.
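As an added example that is not part of the original post or the article it reproduces, the following PowerShell checks the two things the post describes: whether the device is in Admin Approval Mode with Administrator Protection, and which full-token (TokenElevationType %%2) processes the Security log records, together with the account they actually run as. Two things are assumptions, not facts from the post: that the "Configure type of Admin Approval Mode" policy is stored in the registry value TypeOfAdminApprovalMode under the usual UAC policy key (1 = legacy, 2 = Administrator Protection), and that the system-managed admin accounts are named with an ADMIN_ prefix. Verify both on your own Canary build before relying on them.

```powershell
# Added example, not code from the original post or from Microsoft.
# Assumptions (not stated in the post):
#   - the GPO/Intune setting "Configure type of Admin Approval Mode" is backed by the
#     registry value TypeOfAdminApprovalMode (1 = legacy, 2 = Admin Approval Mode with
#     Administrator Protection) under the standard UAC policy key;
#   - the system-managed admin accounts are named ADMIN_<user>.
# Reading the Security log needs an elevated session (or Event Log Readers membership),
# and event 4688 only exists if "Audit Process Creation" is enabled:
#   auditpol /get /subcategory:"Process Creation"

function Get-AdminProtectionState {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA                   # 1 = UAC on
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin  # 2 = prompt for consent on the secure desktop
        TypeOfAdminApprovalMode    = $p.TypeOfAdminApprovalMode     # assumption: 2 = Administrator Protection
        AdministratorProtection    = ($p.TypeOfAdminApprovalMode -eq 2)
    }
}

function Get-FullTokenProcessEvents {
    param([int]$MaxEvents = 100)

    # 4688 = "A new process has been created". TokenElevationType %%2 is
    # TokenElevationTypeFull: the unrestricted admin token handed out after consent.
    $xpath = "*[System[EventID=4688] and EventData[Data[@Name='TokenElevationType']='%%2']]"

    Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the EventData <Data Name="..."> elements into a hashtable.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            # Creator Subject: the account that asked for elevation.
            Requester = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            # Target Subject: the account the new process runs as ('-' when it is the creator).
            RunsAs    = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            Process   = $data['NewProcessName']
            Parent    = $data['ParentProcessName']
            # With legacy UAC the elevated process runs as the requesting user; the post
            # shows that with Administrator Protection it runs as the system-managed account.
            ShadowAdmin = ($data['TargetUserName'] -like 'ADMIN_*')   # assumption on naming
        }
    }
}

Get-AdminProtectionState
Get-FullTokenProcessEvents | Format-Table Time, Requester, RunsAs, ShadowAdmin, Process -AutoSize
```

On a device still in legacy Admin Approval Mode, every row shows the requester and the run-as account being the same user (or a '-' target), which is exactly the "admin token lingering in the user's own session" the post describes. On a device with Administrator Protection enabled, the rows the post's screenshot corresponds to are the ones where RunsAs differs from Requester. Note the irony that running this query is itself an elevation request and will go through the new prompt.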
Personally, I am happy with it the way it is.
UAC is good, but flawed. Unless it is set to the highest setting (always notify) it is essentially useless and easily bypassed. Even with the highest setting enabled, there are still methods to bypass it.

This hardens the security so that the admin session cannot be grabbed and given to another process as easily. It is only elevated and active when it needs to be, which is when the prompt is shown. I am surprised this was not the default ages ago.

Hence this good explanation from the article:

After the elevated task is done, the session ends, and the privileges are immediately revoked. This approach is like turning on a spotlight for a second, just enough to illuminate the task at hand, before plunging everything back into darkness.


For now this only applies to people that have access to Group Policy or Intune, but I would like this implemented for all editions.


For anyone wanting an even deeper look, see here:

My Computers

System One System Two

  • OS
    Windows 11 Pro
    Computer type
    Laptop
    Manufacturer/Model
    Dell G15 5525
    CPU
    Ryzen 7 6800H
    Memory
    32 GB DDR5 4800mhz
    Graphics Card(s)
    RTX 3050 Mobile 4GB Vram
    Monitor(s) Displays
    Gigabyte M27Q (rev. 2.0) 2560 x 1440 @ 170hz HDR
    Screen Resolution
    Internal laptop screen: 1920 x 1080 @ 120hz
    Hard Drives
    2TB Solidigm™ P41 Plus nvme
    Internet Speed
    800mbps down, 20 up
  • Operating System
    Chrome OS
    Computer type
    Laptop
    Manufacturer/Model
    HP Chromebook
    CPU
    Intel Pentium Quad Core
    Memory
    4GB LPDDR4
    Monitor(s) Displays
    14 Inch HD SVA anti glare micro edge display
    Hard Drives
    64 GB emmc
Brink has a helpful tutorial about this here at Eleven Forum. From several days ago.

My Computers

System One System Two

  • OS
    Windows 11 Pro 24H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Homebuilt
    CPU
    Intel Core i9 13900K
    Motherboard
    Asus ProArt Z790 Creator WiFi - Bios 2703
    Memory
    Corsair Dominator Platinum 64gb 5600MT/s DDR5 Dual Channel
    Graphics Card(s)
    Sapphire NITRO+ AMD Radeon RX 7900 XTX Vapor-X 24GB
    Sound Card
    External Fiio K5 Pro ESS DAC - Headphone Amplifier
    Monitor(s) Displays
    Panasonic MX950 Mini LED 55" TV 120hz
    Screen Resolution
    3840 x 2160 120hz
    Hard Drives
    Samsung 980 Pro 2TB (OS)
    Samsung 980 Pro 1TB (Files)
    Lexar NZ790 4TB
    LaCie d2 Professional 6TB external - USB 3.1
    Seagate One Touch 18TB external HD - USB 3.0
    PSU
    Corsair RM1200x Shift
    Case
    Corsair RGB Smart Case 5000x (white)
    Cooling
    Corsair iCue H150i Elite Capellix XT
    Keyboard
    Logitech K860
    Mouse
    Logitech MX Ergo Trackball
    Internet Speed
    Fibre 900/500 Mbps
    Browser
    Microsoft Edge Chromium
    Antivirus
    Bitdefender Total Security
    Other Info
    AMD Radeon Software & Drivers 24.10.1
    AOMEI Backupper Pro
    Dashlane password manager
    Logitech Brio 4K Webcam
    Orico 10-port powered USB 3.0 hub
  • Operating System
    Windows 11 Pro 24H2 26100.2454
    Computer type
    Laptop
    Manufacturer/Model
    Asus Vivobook X1605VA
    CPU
    Intel® Core™ i9-13900H
    Motherboard
    Asus X1605VA bios 308
    Memory
    32GB DDR4-3200 Dual channel
    Graphics card(s)
    *Intel Iris Xᵉ Graphics G7 (96EU) 32.0.101.6078
    Sound Card
    Realtek | Intel SST Bluetooth & USB
    Monitor(s) Displays
    16.0-inch, WUXGA 16:10 aspect ratio, IPS-level Panel
    Screen Resolution
    1920 x 1200 60hz
    Hard Drives
    512GB M.2 NVMe™ PCIe® 3.0 SSD
    Other Info
    720p Webcam
Brink has a helpful tutorial about this here at Eleven Forum. From several days ago.

I should have known. He beats me every time. lol.


Well this has my interest. Thanks @andrew129260! I had somehow missed hearing about this.

My Computers

System One System Two

  • OS
    Windows 11 Pro 23H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Intel NUC12WSHi7
    CPU
    12th Gen Intel Core i7-1260P, 2100 MHz
    Motherboard
    NUC12WSBi7
    Memory
    64 GB
    Graphics Card(s)
    Intel Iris Xe
    Sound Card
    built-in Realtek HD audio
    Monitor(s) Displays
    Dell U3219Q
    Screen Resolution
    3840x2160 @ 60Hz
    Hard Drives
    Samsung SSD 990 PRO 1TB
    Keyboard
    CODE 104-Key Mechanical with Cherry MX Clears
    Antivirus
    Microsoft Defender
  • Operating System
    Linux Mint 21.2 (Cinnamon)
    Computer type
    PC/Desktop
    Manufacturer/Model
    Intel NUC8i5BEH
    CPU
    Intel Core i5-8259U CPU @ 2.30GHz
    Memory
    32 GB
    Graphics card(s)
    Iris Plus 655
    Keyboard
    CODE 104-Key Mechanical with Cherry MX Clears

Hello.

My Computer

System One

  • OS
    Windows 11 Pro + Win11 Canary VM.
    Computer type
    Laptop
    Manufacturer/Model
    ASUS Zenbook 14
    CPU
    I9 13th gen i9-13900H 2.60 GHZ
    Motherboard
    Yep, Laptop has one.
    Memory
    16 GB soldered
    Graphics Card(s)
    Integrated Intel Iris XE
    Sound Card
    Realtek built in
    Monitor(s) Displays
    laptop OLED screen
    Screen Resolution
    2880x1800 touchscreen
    Hard Drives
    1 TB NVME SSD (only weakness is only one slot)
    PSU
    Internal + 65W thunderbolt USB4 charger
    Case
    Yep, got one
    Cooling
    Stella Artois (UK pint cans - 568 ml) - extra cost.
    Keyboard
    Built in UK keybd
    Mouse
    Bluetooth , wireless dongled, wired
    Internet Speed
    900 mbs (ethernet), wifi 6 typical 350-450 mb/s both up and down
    Browser
    Edge
    Antivirus
    Defender
    Other Info
    TPM 2.0, 2xUSB4 thunderbolt, 1xUsb3 (usb a), 1xUsb-c, hdmi out, 3.5 mm audio out/in combo, ASUS backlit trackpad (inc. switchable number pad)

    Macrium Reflect Home V8
    Office 365 Family (6 users each 1TB onedrive space)
    Hyper-V (a vm runs almost as fast as my older laptop)
Very similar to sudo (super user do) in Linux, which does harden system security.
I wonder whether it will be needed when installing updates via Windows Update, as that would require admin privileges.

Best of luck, Steve ..

My Computers

System One System Two

  • OS
    Win 11 Home 24H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    HP 24" AiO
    CPU
    Ryzen 7 5825u
    Motherboard
    HP
    Memory
    64GB DDR4 3200
    Graphics Card(s)
    Ryzen 7 5825u
    Sound Card
    RealTek
    Monitor(s) Displays
    24" HP
    Hard Drives
    1TB WD Blue SN580 M2 SSD Partitioned.
    250GB C:/Windows .. 750GB D:/Home.
    2x 1TB USB HDD External Backup/Storage.
    Internet Speed
    900MB full fibre
    Browser
    Vivaldi .. Browser, Calendar, eMail.
    Antivirus
    AVG Internet Security
    Other Info
    Mainly Open Source Software
  • Operating System
    Windows 11 Home 24H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    HP 24" AiO
    CPU
    Ryzen 5 5500u
    Motherboard
    HP
    Memory
    32GB DDR4 3200
    Graphics card(s)
    AMD Radeon GPU
    Sound Card
    RealTek
    Monitor(s) Displays
    HP
    Hard Drives
    1TB WD blue SN580 M2 SSD Partitioned.
    250GB C:/Windows .. 750GB D:/Home.
    2x 1TB HDD External Backup/Storage.
    Internet Speed
    900MB Full Fibre
    Browser
    Microsoft Edge
    Antivirus
    AVG Internet Security
    Other Info
    Mainly Windows Software
    'The Wife's Computer'
Very similar to sudo (super user do) in Linux, which does harden system security.
I wonder whether it will be needed when installing updates via Windows Update, as that would require admin privileges.

Best of luck, Steve ..
Not really. This topic above is more about protecting the UAC dialog and admin elevation.

However,
Sudo has arrived in Windows 11