Windows 11 battens down security with new admin rights check feature

As mentioned in the recent Windows Insider blog post, the latest preview version of Windows 11 for Insiders on the Dev Channel includes a new feature called “Administrator Protection,” which “aims to protect free floating admin rights for administrator users allowing them to still perform all admin functions with just-in-time admin privileges.”

In a deeper dive via this Windows IT Pro blog post, we’re told that Administrator Protection kicks in whenever you want to do anything that requires administrator privileges, such as install software, change system settings, or access sensitive data. To do any of that, you’ll need to authenticate via Windows Hello on demand (which means setting up and using your fingerprint, face scan, or PIN code).

Microsoft

There are three fundamentals that make Administrator Protection work:

Just-in-time elevation: With Administrator protection, the user stays de-privileged and is granted just-in-time elevation rights only for the duration of an admin operation. The admin token is discarded after use and is recreated when another task requiring admin privileges is performed.​

​Profile separation: Administrator protection uses hidden, system-generated, profile-separated user accounts to create isolated admin token. This helps ensure that user-level malware cannot compromise the elevated session, thus making elevation a security boundary.

No auto-elevations: With Administrator protection, the user needs to interactively authorize every admin operation. This ensures that the administrator user stays in full control and that admin privileges are not abused. Integration with Windows Hello further enhances security while providing a convenient experience.​

Not only does Administrator Protection help you avoid making accidental changes to your system, it also protects against malware that might otherwise make hidden changes that go undetected.

For now, Administrator Protection is off by default and must be turned on manually via Windows Security or via group policy. However, in the future, Administrator Protection will be enabled by default. Expect this new feature to be rolled out to all users later this summer.