Microsoft is taking significant strides to enhance the security of Windows 11, with a particular focus on the newly enforced TPM 2.0 requirement. As part of this ongoing commitment, the tech giant is currently testing an innovative feature known as Administrator protection within its preview builds.
This feature aims to refine the way administrator rights are managed by limiting access to specific events rather than maintaining constant availability. Currently, Administrator protection can be found within the Windows Security app, albeit hidden by default.
In our exploration, we enabled this feature and discovered a new option for Administrator protection within the Windows Security app. Although it remains inactive at present, future updates are expected to allow users to grant temporary administrator rights as needed. This will introduce an additional layer of authentication, integrating Windows Hello into the process.
To utilize this feature, users will need to enter their PIN or preferred authentication method to obtain administrator rights. This approach effectively keeps the administrator profile concealed and secure, only activating when necessary. When a task requiring elevated privileges is initiated, the operating system generates a temporary admin token specifically for that action. Once the task is completed, Windows promptly deletes the temporary access token, thereby preventing any further access to the admin profile.
While having unrestricted administrator rights can streamline operations by reducing the frequency of prompts, this new feature enhances security by minimizing exposure to malware and other potential threats that seek vulnerabilities.
How to Enable Administrator Protection in Windows 11
Enabling Administrator protection is straightforward through the Windows Security app. Simply launch the app, navigate to the Account Protection section, scroll down to the Administrator protection option, and toggle it on.
If you encounter issues with the Windows Security app or wish to implement this feature for all users, the Group Policy Editor provides an alternative method. Follow these steps:
- Open Windows Search, type gpedit.msc, and press Enter.
- Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.
- Double-click on the User Account Control: Configure type of Admin Approval Mode policy.
- From the drop-down list, select Admin Approval Mode with Administrator protection and click Apply.
- Next, access the User Account Control: Behavior of the elevation prompt for administrators running with Administrator protection policy.
- Select the Prompt for credentials option, click Apply, and then confirm with OK.
- Close the Group Policy Editor and restart your PC.
This guide outlines how to effectively manage the Administrator protection feature on your system. It is anticipated that Microsoft will enable this feature by default in future updates, providing an additional layer of security that, while introducing an extra step for granting admin rights, is advisable to keep activated.
