Microsoft introduces an additional security layer for administrator accounts in Windows 11 to limit the misuse of privileges and block malware.
Microsoft is working on a new security feature for Windows 11 called Administrator Protection, announced in a blog post. The feature is designed to better protect users with administrator rights against unwanted system changes and malware attacks. It is currently available to testers in the Windows Insider program.
Additional Verification
The extra protection for administrators enforces the principle of least privilege more strictly. Users no longer hold permanent administrator rights by default. When they perform an action that requires such rights, Windows requests additional verification via Windows Hello. This applies to actions such as installing software, adjusting the system time, or modifying the registry.
Once a user approves such an action, Windows creates a temporary, isolated admin token through a hidden system account. After the task is completed, the token is automatically destroyed. This approach is meant to prevent malware from silently acquiring elevated privileges and changing system settings without the user’s knowledge.
Administrator Protection operates entirely separately from the standard account controls, which remain in place as an additional layer of security. Microsoft emphasizes that this new layer forms a separate security boundary with its own architecture.
Management and Deployment
IT administrators can enable Administrator Protection through local settings, Group Policy, or mobile device management tools such as Microsoft Intune. In Group Policy, the feature is enabled via the “Admin Approval Mode with Administrator protection” policy. The prompt behavior can also be customized, for example whether users must enter a password or simply give consent.
For large-scale deployment within organizations, Intune offers support through the Settings Catalog. After the feature is enabled, a device restart is required. According to Microsoft, the goal is to enable this feature by default in Windows 11 soon.
The tech giant encourages organizations to test the feature and provide feedback. With this measure, Microsoft aims to reduce the number of incidents in which malicious actors abuse administrator rights. An estimated 39,000 cases of token theft occur daily.
Microsoft is thoroughly overhauling Windows security. Other planned measures include removing third-party software from the Windows kernel and a “quick recovery mode”. The CrowdStrike debacle of a year ago has not been forgotten.
