Administrator Protection on Windows 11
By Pascal, Jan 12 (updated Feb 19). 3 min read.
Introduction
In this blog post, we're going to discuss a feature in Windows 11 called Administrator Protection. This new feature is designed to strengthen the security of Windows 11 by ensuring that users with administrative rights are presented with an additional prompt for authentication in the form of Windows Hello for Business.
As we know, administrative privileges give us the ability to make system changes, install software, and change settings. While these capabilities are essential, they are also a common target for attackers who abuse them to compromise security. Recent data from the Microsoft Digital Defense Report 2024 highlights this problem, with an estimated 39,000 token theft incidents occurring per day.
With the arrival of Administrator Protection on Windows 11, an additional layer of security is added by requiring the user to authenticate administrative tasks via Windows Hello before performing administrator-level actions. These actions include:
Installing software
Changing system settings, such as time or registry settings
Accessing sensitive data
The added layer of authentication helps reduce the risk of accidental or malicious changes to Windows, better protecting both users and organizations! By combining ease of use with enhanced security, Administrator Protection is a significant step forward in securing Windows 11 devices and ensuring a robust digital environment for everyone.

Basic principles
Administrator Protection is based on the least-privilege model. This means that as soon as a user logs in to Windows, a token is issued with limited rights. As soon as administrative rights are required, Windows (as shown in the screenshot) asks the user to authorize the administrative action in question. When the action is authorized, Windows creates an isolated administrative token using a hidden user account. This token is assigned to the process that requires the action and is deleted as soon as the process completes. This way, administrative rights never remain active unnecessarily, and the whole process is repeated for each new administrative task.
Architectural features
Integration with Windows Hello: Administrator Protection uses Windows Hello for simple and secure authorization.
Just-in-time Elevation: By default, users are restricted in their rights and are temporarily granted administrative rights, only for the duration of an administrative task. The administrative token is deleted after use and regenerated for the next task.
Profile Separation: Administrator Protection uses hidden, native, separated user accounts to create isolated administrator tokens. This prevents user-level malware from compromising the elevated session, strengthening the security perimeter.
No Automatic Elevation: Users must manually authorize every administrative action. This ensures that administrators always remain in control and that administrative rights cannot be abused. Integration with Windows Hello provides additional security and ease of use.
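To observe the token model described above from inside a process, here is an added PowerShell example (not from the original post). It assumes a Windows 11 build with Administrator Protection enabled and that the account name reported by the token and by Win32_ComputerSystem use the same DOMAIN\user format; nothing else is hard-coded.

```powershell
# Added example, not from the original post. Reports whether the current process
# runs on the limited logon token or on a separate elevated token, and whether that
# elevated token belongs to a different (hidden) account than the interactive user.
function Get-AdminProtectionTokenState {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [System.Security.Principal.WindowsPrincipal]::new($identity)

    # True only when the Administrators group is enabled in this token, i.e. the
    # process was elevated; the limited logon token fails this check.
    $isElevated = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

    # Integrity label from whoami: S-1-16-8192 = Medium (limited token),
    # S-1-16-12288 = High (elevated token).
    $label = whoami /groups /fo csv | ConvertFrom-Csv | Where-Object { $_.Type -eq 'Label' }

    # Interactive console user, as opposed to the account this token belongs to.
    # Under Administrator Protection the elevated token comes from a hidden account,
    # so the two differ; under classic UAC they are the same account.
    $consoleUser = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName

    [pscustomobject]@{
        TokenAccount         = $identity.Name
        ConsoleUser          = $consoleUser
        IsElevated           = $isElevated
        IntegrityLevel       = $label.'Group Name'
        IntegritySid         = $label.SID
        SeparateAdminAccount = $isElevated -and ($identity.Name -ne $consoleUser)
    }
}

Get-AdminProtectionTokenState | Format-List
```

Run it once from a normal PowerShell window and once from an elevated one: with Administrator Protection active, the elevated run shows the High integrity SID and a TokenAccount that differs from ConsoleUser, while classic UAC shows the same account in both.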

Configure Administrator Protection
Administrator Protection via Microsoft Intune
Although Administrator Protection can also be configured via a Group Policy Object (GPO), we will first use Microsoft Intune to configure Administrator Protection.
Configure via Settings Catalog
To configure Administrator Protection via Microsoft Intune, the Settings Catalog must be used. In the Settings Catalog, it is essential to configure the following settings:
User Account Control Behavior Of The Elevation Prompt For Administrator Protection (Windows Insider Only)
This setting should be set to:
Prompt for credentials on the secure desktop

User Account Control Type Of Admin Approval Mode (Windows Insiders only)
This setting should be set to:
Admin Approval Mode with Administrator protection.

[Screenshot: Settings Catalog settings for Administrator Protection]
Then assign this policy to the desired device group(s).
Administrator Protection via Group Policy Object
If Administrator Protection is configured via GPO, this is done under Computer Configuration within Group Policy Management.
Adjust settings in Security Options
The following settings under Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options need to be adjusted:
User Account Control: Configure type of Admin Approval Mode
Should be set to:
Admin Approval Mode with Administrator protection.

User Account Control: Behavior of the elevation prompt for administrators running with Administrator protection
Should be set to:
Prompt for credentials on the secure desktop.

Conclusion
Administrator Protection is a very desirable feature, because it gives us better awareness of all administrative tasks. However, in my testing it must be noted that this feature only functions on the Windows Insider Canary Channel build 10.0.27749.1000. Although the settings are applied correctly on the December build 26100.2605, it unfortunately does not work there. So unfortunately, we will have to wait a while before this new solution is available to be implemented widely.
In addition, I have heard through the grapevine that Administrator Protection does not function well when Endpoint Privilege Management is in use. Unfortunately, I cannot test this, but we know that this solution is still in development.