Windows Insiders can now turn on Administrator Protection from settings

Microsoft is trying a new way of enabling Administrator Protection in Windows 11. The latest Windows Insider Canary build adds a setting that removes the requirement for IT admins to activate the feature.

Administrator Protection first appeared in the Windows 11 Insider Canary build on October 2, 2024. The feature meant that users logged into Windows 11 needed only standard user permissions and could grant "just-in-time" administration privileges when prompted.

Microsoft later explained that the purpose of the feature was to ensure users operated with the least privilege required rather than running as administrators. The company said: "These powerful administrative privileges represent a significant attack vector and are frequently abused by malicious actors to gain unauthorized access to user data, compromise privacy, and disable OS security features without a user's knowledge."

When a process requires administrator privileges, the user is prompted and can authorize the activity. However, the privilege only lasts for the duration of the process and is revoked once the process ends. The whole process is repeated when the user tries to perform another task that requires admin privileges.

The feature is currently off by default and requires a group policy change to enable it. The change in build 27774 allows Administrator Protection to be enabled from the Windows Security settings under the Account protection tab. The change means that Windows home users or unmanaged devices can now use the feature.

• Microsoft eggheads say AI can never be made secure – after testing Redmond's own products
• Windows Patch Tuesday hits snag with Citrix software, workarounds published
• Microsoft fixes under-attack privilege-escalation holes in Hyper-V
• New Outlook marches onto Windows 10 for what little time it has left

Microsoft has also added color-coded regions to the authorization prompt when the feature is enabled, extending over the app description to grab the user's attention.

The Windows vendor said the option to allow users to turn the feature on without IT admin assistance was "coming soon" when it described the Administrator Protection in November. There is, however, no indication of when the feature will turn up in generally available builds – the Canary Channel of the Windows Insider program is the bleeding edge in terms of publicly available Windows development.

Microsoft intends to enable the feature by default in Windows in the near future. This week's update will allow more users to check if the implementation of Administrator Protection breaks any applications. ®