Administrator Protection in Windows 11 was announced at Ignite a couple of weeks ago. It adds a much-needed, more secure option than UAC for protecting accounts that have local administrator permissions. Administrator Protection is reminiscent of how Microsoft Endpoint Privilege Management works, with a separate virtual account. Instead of the traditional UAC elevation, a separate user account is used, which means that the logged-on user session is never elevated. This is great: no more UAC bypass.
The first time you elevate a command using the “Run as administrator” option on a device where Administrator Protection is configured, using a user that is a member of the local Administrators group, a separate “virtual” account is created on the device, with the “Admin_” prefix added to the username as shown below.
We also get a user profile created for each of the ADMIN_ accounts on first elevation.
After elevating a command prompt, we can check with whoami which account is used, to verify that Administrator Protection is configured and working correctly.
Configuration
Let’s go back to how we configure it. In future releases it will be possible to configure it using MDM, GPO or Settings. It can also be configured using the local policy settings.
There are two new settings (they also exist in Windows 11 24H2 but have no effect there):
and how we want the protection to work, prompting either for credentials or for consent.
End user experience
In my test we get a new credential prompt, which asks for the Windows Hello PIN if I registered for Windows Hello when logging on.
What is interesting is that I have signed in to the device with a user account other than Jorgen, but by default it still prompts me for the first account that was used to elevate a command on the device and that has enrolled in Windows Hello for Business.
If I click on “Sign-in Options”, I can select any account that has enrolled in Windows Hello for Business on the device.
What challenges can using a separate account have compared to using UAC? If we use it for application installation, the application can make changes to the “wrong” user profile, but that should be a small risk.
Developers are a challenge: depending on what they develop and how they test it, they need to run tools and debug as a local admin. Using Administrator Protection will have the same challenges as when we use EPM: the tool runs in the “wrong” context, for example not allowing access to repositories.
For other purposes, such as installing printers and software, making changes and troubleshooting the device, to mention a few, this will work great and is a great security enhancement.
Important:
1. If remediation scripts are used to control which users are members of the local Administrators group, they must be configured to leave all accounts starting with “Admin_” alone; otherwise it is impossible to elevate, as the virtual account is removed from the local Administrators group.
2. If the Intune Local user group membership feature is used in “replace” mode to control who is a local administrator on the device, that policy will also delete all virtual accounts from the local Administrators group, making it impossible to elevate.
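As an added example (not code from the original post), the following PowerShell remediation script shows how point 1 can be handled: it enforces an approved list of members of the local Administrators group but skips the Administrator Protection virtual accounts, which it identifies as local principals whose name starts with “Admin_”. The approved group name is a placeholder, and the assumption that the virtual accounts show up with PrincipalSource “Local” is mine.

```powershell
<#
Added example, not part of the original post: an Intune-style remediation script
that enforces an approved list of members of the local Administrators group but
never removes the Administrator Protection virtual accounts (local accounts whose
name starts with "Admin_"). Group and account names below are placeholders.
#>
[CmdletBinding()]
param(
    # Members that are allowed to stay. Local names are matched without the
    # computer prefix; domain/Entra principals are matched on the full "DOMAIN\name".
    [string[]]$ApprovedMembers = @('CONTOSO\Workstation-Admins'),   # placeholder

    # When set, only report what would be removed without changing the group
    # (useful as the detection half of a detection/remediation pair).
    [switch]$ReportOnly
)

$GroupName = 'Administrators'
$removed   = @()

foreach ($member in Get-LocalGroupMember -Group $GroupName) {
    # Get-LocalGroupMember returns "COMPUTER\account" for local principals,
    # so take the part after the last backslash as the short name.
    $shortName = $member.Name.Split('\')[-1]

    # 1. Never touch the virtual accounts Administrator Protection creates.
    #    Removing them makes elevation impossible for the mapped user.
    #    (Assumption: they are local principals with the "Admin_" prefix.)
    if ($member.PrincipalSource -eq 'Local' -and $shortName -like 'Admin_*') {
        Write-Verbose "Keeping Administrator Protection account $($member.Name)"
        continue
    }

    # 2. Keep the built-in Administrator, identified by its well-known RID 500
    #    rather than by name, since the account may have been renamed.
    if ($member.SID.Value -like 'S-1-5-21-*-500') {
        Write-Verbose "Keeping built-in Administrator $($member.Name)"
        continue
    }

    # 3. Keep anything on the approved list.
    if ($ApprovedMembers -contains $member.Name -or
        ($member.PrincipalSource -eq 'Local' -and $ApprovedMembers -contains $shortName)) {
        Write-Verbose "Keeping approved member $($member.Name)"
        continue
    }

    # 4. Everything else is removed (or just reported in ReportOnly mode).
    if ($ReportOnly) {
        Write-Output "Would remove $($member.Name)"
    }
    else {
        Remove-LocalGroupMember -Group $GroupName -Member $member -ErrorAction Stop
        Write-Output "Removed $($member.Name)"
    }
    $removed += $member.Name
}

# Intune remediation convention: exit 0 when compliant or remediated.
# In ReportOnly (detection) mode, exit 1 when something would be removed so
# that the remediation script is triggered.
if ($ReportOnly -and $removed.Count -gt 0) { exit 1 }
exit 0
```

Run it with -ReportOnly first to see which members it would remove; the “Admin_” accounts and the built-in Administrator are never listed, whatever the approved list contains. This is the behaviour the Intune group membership policy in “replace” mode cannot express, which is why the post recommends against that mode on devices using Administrator Protection.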
All tests were done on Windows 11 Build 10.0.27758 (Insider).