Windows 11 Administrator protection will request additional validation for any changes to the system

Microsoft announced their plans to further increase Windows 11 security through a new Administration protection feature. They justify this new layer of protection by referencing the latest Microsoft Digital Defense Report 2024 which indicates that token theft incidents, which abuse user privileges, have grown to an estimated 39,000 per day.

To explain the situation in a few words, if the hackers steal the administrator credentials, they will have full access over the system. Furthermore, they can install malware driven software to make changes to it and steal your data easily.

What is Administrator protection and what does it do?

Microsoft’s idea with the new Administrator protection feature is to add a new validation layer even if you’re logged as administrator into your server or endpoint. When you want to make any system changes such as installing new software or accessing critical resources, a Windows Hello window will pop up requesting confirmation. It’s like a 2FA model, only that you do it on the same machine.

Here is Microsoft’s explanation of the model from the blog announcement:

At its core, Administrator protection operates on the principle of least privilege. The user is issued the deprivileged user token when they sign in to Windows. However, when admin privileges are needed, Windows will request that the user authorize the operation. Once the operation is authorized, Windows uses a hidden, system-generated, profile-separated user account to create an isolated admin token. This token is issued to the requesting process and is destroyed once the process ends. This ensures that admin privileges do not persist. The whole process is repeated when the user tries to perform another task that requires admin privileges.

So, even if a wrongdoer or a malware controlled app has access to your administrative credentials, when they try to make any changes to the system, they will encounter this Administrator protection isolated administrative token that will request additional validation using Windows Hello.

Is the Administrator protection mandatory?

The short answer is no. Microsoft doesn’t force you to enable Administrator protection, but it looks like it will prevent a lot of attacks on organization networks and even on private PCs.

You will be able to enable or disable the Administrator protection feature from the Windows Security > Account protection menu at any moment. The system will require a restart for the changes to take effect.

The Administrator protection option is already available for Insiders and Microsoft plans to include it in the public release as soon as possible.

I can already see some users and administrators annoyed by constantly dealing with the Windows Hello pop-ups and Microsoft should probably think about (if they didn’t already) ways to configure this option further. However, if you’re not forced to use it, you can still use different ways to protect your machine.

At this point, it seems like a smart way to counter potential attacks and minimize threats. Tell us what you think about the new Administrator protection in the comments below.