This week is all about the new functionality on Windows devices to help protect administrator users. That new functionality is Administrator protection. Administrator protection is aimed at protecting the users while still allowing them to perform their required elevated actions with just-in-time administrator privileges. That makes sure that when dealing with users that have local administrator privileges, instead of those users always having those high privileges, Administrator protection makes sure that those users must consent to actually activate those higher privileges. That makes sure that, by default, the user is now operating according to the least privilege concept and only gets those higher privileges when actually needed. In the end that lowers the attack vector for those users and makes sure that nothing happens without the user actually allowing it to happen. This post will start with a short introduction about Administrator protection, followed with the steps to actually configure it. This post will end with the main user experience.
Important: At this moment Administrator protection is only available in Windows Insiders Preview builds.
Introducing Administrator protection on Windows devices
When looking at Administrator protection for Windows 11, it all starts with the verification that users must perform to verify their identity. That verification is done via Windows Hello integrated authentication. Once successfully authenticated, the user consents to the action that requires administrator privileges. That makes sure that the risk of the user making a system-level change by mistake is minimal, and helps with preventing malware from silently making changes without the user knowing.
Besides that, the security model used for Administrator protection is pretty interesting. For that it’s the best to quote the Windows IT Pro Blog, as that contains a pretty straight forward explanation of what happens: “At its core, Administrator protection operates on the principle of least privilege. The user is issued the deprivileged user token when signing in to Windows. However, when admin privileges are needed, Windows will request that the user authorizes the operation. Once the operation is authorized, Windows uses a hidden, system-generated, profile-separated user account to create an isolated admin token. This token is issued to the requesting process and is destroyed once the process ends. This ensures that admin privileges do not persist. The whole process is repeated when the user tries to perform another task that requires admin privileges.“
When looking at a brief summary of the key highlights of Administrator protection, it comes down to the following:
- it is fully integrated with Windows Hello for simple and secure authorization,
- the user is granted just-in-time elevation rights only for the duration of a specific operation,
- it uses a hidden, system-generated, profile-separated user account to create an isolated administrator token,
- and the user needs to interactively authorize every operation with administrative privileges
Configuring Administrator protection on Windows devices
After being familiar with the main concept of Administrator protection for Windows 11, it’s time to have a look at the configuration. For managing managing Administrator protection, there are two relevant settings at this moment. The first and most important setting is User Account Control Type Of Admin Approval Mode, as that setting is used to enable Administrator protection. The other setting is User Account Control Behavior Of The Elevation Prompt For Administrator Protection, as that setting is used to configure the behavior of the elevation prompt (prompt for credentials versus prompt for consent). Both of those settings are already available within the Settings Catalog in Microsoft Intune. The following 8 steps can be used to configure those settings for enabling Administrator protection with credentials prompt, by using Settings Catalog.
- Open the Microsoft Intune admin center portal and navigate to Devices > Windows > Configuration profiles
- On the Windows | Configuration profiles blade, click Create > New Policy
- On the Create a profile blade, select Windows 10 and later > Settings catalog and click Create
- On the Basics page, provide at least a unique name to distinguish it from similar profiles and click Next
- On the Configuration settings page, as shown below in Figure 1, perform the following actions and click Next
- Click Add settings, navigate to Local Policies Security Options and select the following settings in Settings picker
- User Account Control Type Of Admin Approval Mode
- User Account Control Behavior Of The Elevation Prompt For Administrator Protection
- Select the following values for the different settings
- Admin Approval Mode with Administrator Protection to enable Administrator protection
- Prompt for credentials on the secure desktop to make sure that the user is required to provide their credentials on the secure desktop to allow the elevation to continue
- On the Scope tags page, configure the required scope tags and click Next
- On the Assignments page, configure the assignment for the required user or devices and click Next
- On the Review + create page, verify the configuration and click Create
Important: After applying the configuration, devices must be restarted to effectuate Administrator protection.
Experiencing Administrator protection on Windows devices
When the configuration for Administrator protection on Windows 11 is applied, it’s time to have a good look at the experience. Before that, however, make sure that the device is restarted to effectuate the configuration. After that, let’s start with the user experience. Before turning on Administrator protection, the user would be able to run administrative tools like Computer Management without any hassle. Now, after enabling Administrator protection with prompt for credentials, the user experience will change as shown below in Figure 2. The user will be prompted to provide credentials to actually start the elevated operation.
Besides that experience, it’s also good to have a look at the hidden, system-generated, profile-separated user account that is used for the elevation. Some obvious locations are shown in Figure 3. That hidden, system-generated, profile-separated user account starts with “ADMIN_“, is added to the Administrators group, and has its own profile. Besides that, it’s easy to see the usage of the different accounts. Simply start the Terminal app and run whoami (or look at the start location) and use Run as administrator to start the Terminal app and run whoami (or look at the start location). That will show a clear differentiation between the accounts that are used. That also clearly shows that this will still be challenging in developer scenarios.
Note: Be careful with managing the membership of the Administrators group, as Administrator protection relies on that.
More information
For more information about the introduction of Administrator protection, refer to the following docs.
- Administrator protection on Windows 11 | Microsoft Community Hub
- LocalPoliciesSecurityOptions Policy CSP | Microsoft Learn
Discover more from All about Microsoft Intune
Subscribe to get the latest posts sent to your email.