- Mar 1, 2024
- 1,659
What is Administrator Protection in Windows 11
Administrator Protection is a security feature in Windows 11 that secures your device security beyond User Access Control (UAC). Instead of granting an admin user unrestricted permissions, the system generates temporary, isolated tokens. After your admin task is over, the token is destroyed. As of May 2025, the feature is not available in Windows 11 general release.
The tokens authenticate via Windows Hello and are invisible to the user, who only sees a Windows Hello PIN or biometrics. To prevent misuse, they exist for the duration of a single admin request. This way the malware cannot make any changes to your device since it cannot access the hidden layer under Windows Security.
Every admin operation has to be authorized separately through the two-step verification in Windows Hello. Even if you’re the most privileged user in a network, the system now assigns you at the “least privileged” access level. This adds a robust layer of security against credential theft, such as Windows NTLM threats.
Note: the Administrator Protection feature is not available for Windows 10 users as it requires Trusted Platform Module (TPM) access.
How to Enable Administrator Protection on Your Windows 11 Device
The feature will gradually roll out to all Windows 11 users (Home/Pro etc.) on Build 27774 and later. Check Settings -> System -> About -> Windows specifications -> OS build. Currently, it is on the Insider Canary release, so you need to keep checking your Windows 11 updates.
To trigger the Administrator Protection workflow, you will need to switch from a standard user account to an administrator account. For this, type Win + R and enter netplwiz. Double-click your signed-in user account, such as “Administrator.”
Under Group Membership, you may find that you are using an Administrator account. If you’re on a Standard user level, modify it, click Apply -> OK, and then sign out of your login session, and do a restart.
Next, you need to set up Windows Hello as a sign-in method on your device. Go to Settings -> Accounts -> Sign-in options, and under PIN (Windows Hello), set up your preferred PIN. Confirm it and then click OK.
Using a PIN with Windows Hello works for most users. If available, you can also use Facial recognition or Fingerprint.
Finally, to configure Administrator Protection in Windows 11, launch Windows Security from the search menu or taskbar.
Go to Account protection -> Administrator Protection settings, which is at the bottom of the page. Here, you need to enable the Administrator Protection toggle.
Another way to enable Administrator Protection is through the Local Group Policy Editor (again, only in Windows 11 Insider build 27774 or later.) Go to Computer Configuration ->Windows Settings -> Security Settings -> Local Policies -> Security Options.
Now, double-click User Account Control: Configure type of Admin Approval Mode -> Admin Approval Mode with Administrator Protection. There, you need to choose Windows Hello authentication under Prompt for credentials on the secure desktop.
With both methods activated, once you initalize an admin-related task, the system will show a Windows Hello PIN prompt to get your authorization. This is much safer than using a password as the actual authorization is invisible and happens in the background. After you finish your task, say installing a software that requires permissions, the one-time access is withdrawn.
There’s just one more minor prerequisite. To enable this new feature, your user profiles should work correctly. In case, your user profile service fails the sign in, we have a few ways to get it back on track.
How to Configure Your Windows 11 PC for Administrator Protection - Make Tech Easier
Windows 11 is implementing an Administrator Protection feature which enables admin privileges using Windows Hello on a just-in-time basis.
www.maketecheasier.com
