- Microsoft is currently testing "Administrator Protection" in the latest Canary build, paving the way for "Adminless" Windows 11.
- Instead of UAC prompts, users will have to authenticate using PIN or other Windows Hello methods to grant temporary admin privileges.
- Administrator rights will be granted only as needed rather than being always available, significantly improving the security of Windows 11 PCs.
Last year, Chinese hackers breached Microsoft Exchange Online software and accessed US government emails of 22 organizations, potentially risking national security. After the incident, the US Cyber Safety Review Board released a critical report saying “a series of Microsoft operational and strategic decisions that collectively pointed to a corporate culture that deprioritized enterprise security investments and rigorous risk management…”
Since then, Microsoft, under Satya Nadella, made security its top priority and started the Secure Future Initiative (SFI) in November 2023. Nadella wrote in a memo to Microsoft employees, “If you’re faced with the tradeoff between security and another priority, your answer is clear: Do security.”
However, in July 2024, the CrowdStrike update crashed thousands of Windows systems around the world, resulting in widespread disruption. Now, Microsoft is mulling whether to allow third-party security vendors to load drivers at the kernel level.
On the consumer side, the recent Recall fiasco exposed Microsoft’s lackluster security model for the AI feature. Following that, Microsoft stopped the rollout and now, the company has overhauled the security model for Recall, allowing users to uninstall it completely.
Now, Microsoft is taking a major step in protecting personal Windows 11 PCs. The company is planning to bring “Adminless” Windows 11 so that administrator privileges are not exploited by unknown apps and malicious scripts.
It’s the first time Microsoft is overhauling how the Windows operating system operates under the hood. David Weston, Microsoft VP of OS Security and Enterprise, says, “This is the most impactful security feature to hit Windows in recent memory.”
What is Adminless Windows 11?
Unlike macOS and Linux, Windows grants admin access to the first user account by default, created during installation or setup. This has been the case on Windows for many years; the only gate on that admin access has been the UAC prompt.
Now, the latest Windows 11 Insider Preview Build 27718 in the Canary channel introduces something called “Administrator protection”. Currently, the feature is disabled by default, but users can enable it via Group Policy.
It creates an admin account under the hood (e.g. admin_username) and elevates the admin privilege temporarily through the “runas” command for the current session. The escalation is done via secure methods like PIN/fingerprint/Windows Hello authentication. This way, the administrative privileges are not granted permanently.
Basically, admin rights are active only when required and are not constantly available. Microsoft calls it “just-in-time” admin privileges. The Windows blog reads:
“Administrator protection is an upcoming platform security feature in Windows 11, which aims to protect free floating admin rights for administrator users allowing them to still perform all admin functions with just-in-time admin privileges. This feature is off by default and needs to be enabled via group policy. We plan to share more details about this feature at Microsoft Ignite.”
So instead of clicking through UAC prompts, users will have to enter a PIN or authenticate using other Windows Hello methods to temporarily grant admin rights, similar to macOS and Linux. Under the hood, admin rights are elevated only on an as-needed basis and are not always available. Microsoft says more details on the feature will be shared at the Microsoft Ignite event in November.
My Experience Using Adminless Windows 11
I enabled the Administrator Protection feature through the Group Policy Editor on the Canary build. You can enable it by navigating to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options. Here, open “User Account Control: Configure type of Admin Approval Mode” and change it to “Admin Approval Mode with Administrator protection.” Now, reboot your PC.
Once enabled, whenever you install a program, you will be asked to enter a PIN or authenticate using other methods. The User Account Control (UAC) prompt will no longer appear. Even for opening Task Manager or other system tools like Registry Editor or Group Policy Editor, users will have to authenticate via secure methods.
In addition, to make changes to Windows Security settings, you will have to confirm the action by entering a PIN. Sure, it might annoy some power users, but that’s the trade-off between security and convenience.
In the screenshots above, you can notice that when running Command Prompt as admin, CMD says that it’s running under a newly created admin_username account with admin rights. Instead of granting full admin rights to the user account, an under-the-hood admin account is used for elevating temporary admin privileges. This separation from the main user account enhances the security.
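To check the two things described above (whether the policy is turned on, and whether an elevated shell really runs under a separate admin account rather than the logged-on user), here is an added PowerShell audit snippet; it is not from the article or from Microsoft. It assumes the “Configure type of Admin Approval Mode” policy is stored as the DWORD TypeOfAdminApprovalMode under the UAC policy key with 2 meaning “Admin Approval Mode with Administrator protection”; that value name and mapping are an assumption, not something the article states.

```powershell
# Added example (not from the article): audit Administrator protection state and
# the identity of the current process. Works from a normal or an elevated shell.

# Assumption: the Group Policy setting described in the article maps to this value.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$mode = (Get-ItemProperty -Path $policyKey -Name 'TypeOfAdminApprovalMode' `
            -ErrorAction SilentlyContinue).TypeOfAdminApprovalMode
$state = switch ($mode) {
    2       { 'Admin Approval Mode with Administrator protection' }
    1       { 'Legacy Admin Approval Mode' }
    default { 'Not configured (legacy UAC behaviour)' }
}
Write-Host "Administrator protection policy : $state"

# Identity and elevation of *this* process.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# The interactively logged-on user (DOMAIN\user), independent of who this process runs as.
$logonUser = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName

Write-Host "Process runs as                 : $($identity.Name)"
Write-Host "Interactive logon user          : $logonUser"
Write-Host "Token is elevated               : $elevated"

# Under Administrator protection an elevated shell reports a different account
# (the hidden admin account the article shows in CMD), not the logon user.
if ($elevated -and $identity.Name -ne $logonUser) {
    Write-Host 'Elevated under a separate admin account: just-in-time admin rights in effect.'
} elseif ($elevated) {
    Write-Host 'Elevated under the interactive user account: classic always-admin token.'
} else {
    Write-Host 'Standard (non-elevated) token: no admin rights in this session.'
}
```

Run it once from a normal shell and once from a shell opened as administrator to see the difference the article describes.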
Overall, I really like that Microsoft is putting significant efforts into improving the security of Windows PCs on the consumer side. Similar to macOS and Linux which offer a sudo-less/root-less environment by default, Windows 11 is moving in that direction with Administrator Protection. I hope that when this update arrives on Windows 11 in the future, it will be enabled by default.