Windows 11 Security Shake‑Up: Admin Protection Flaws + Kerberos RC4 Endgame

This Week in IT

Windows 11’s Administrator Protection, which is meant to lock down elevation, was hacked in testing and forced Microsoft to rethink the design. At the same time, Kerberos is finally saying goodbye to RC4, with enforcement deadlines that could break Active Directory legacy authentication if you don’t prepare. And Microsoft just gave admins a first‑party way to monitor configuration drift across Microsoft 365 with new Graph UTCM APIs.

Thanks to Cayosoft for sponsoring this episode!

Episode overview

In this episode of This Week in IT, I cover three major Microsoft‑related topics:

1. Windows 11 Administrator Protection Flaws and Fixes

Microsoft has been testing a new Windows 11 feature called Administrator Protection, intended to replace or enhance UAC by creating a real security boundary. A Project Zero researcher (James Forshaw) found multiple privilege‑elevation bypasses, many of which originated from long‑standing UAC issues.

Microsoft quietly patched these vulnerabilities and continues testing before releasing the feature to the stable channel.

Administrator Protection is positioned as a middle‑ground solution for organizations that lack full privileged-access-management tools (e.g., Intune, BeyondTrust).

2. Kerberos RC4 Authentication Retirement (Active Directory)

Microsoft will fully deprecate RC4 authentication in July. Timeline highlights:

  • January: a patch added new auditing features to detect RC4 usage.
  • April: Kerberos AES becomes the default.
  • July: RC4 is turned off entirely (though exceptional manual overrides may remain).

Organizations relying on legacy apps must audit and remediate now to avoid failures.
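As an added illustration (not from the episode or from Microsoft's own tooling), here is a small Python audit that reads exported Kerberos ticket events (Security event IDs 4768/4769) and reports which accounts and services are still being issued RC4‑encrypted tickets, plus a decoder for the account attribute msDS-SupportedEncryptionTypes. The sample events and their flat key=value layout are constructed; adapt the regex to your SIEM or Get-WinEvent export format.

```python
import re
from collections import defaultdict

# Kerberos ticket encryption type codes as logged in the
# "Ticket Encryption Type" field of Security events 4768/4769.
ENC_TYPES = {0x11: "AES128-CTS-HMAC-SHA1-96", 0x12: "AES256-CTS-HMAC-SHA1-96",
             0x17: "RC4-HMAC", 0x18: "RC4-HMAC-EXP"}
RC4_TYPES = {0x17, 0x18}

# Bit flags of the msDS-SupportedEncryptionTypes attribute on AD accounts.
SUPP_ENC_BITS = {0x1: "DES-CBC-CRC", 0x2: "DES-CBC-MD5", 0x4: "RC4-HMAC",
                 0x8: "AES128", 0x10: "AES256"}

# Constructed sample: one event per line in a flat key=value export.
SAMPLE_EVENTS = """\
EventID=4769 Account=svc_legacyapp@CORP.LOCAL Service=MSSQLSvc/db01.corp.local TicketEncryptionType=0x17
EventID=4769 Account=alice@CORP.LOCAL Service=cifs/fs01.corp.local TicketEncryptionType=0x12
EventID=4769 Account=svc_legacyapp@CORP.LOCAL Service=HTTP/web01.corp.local TicketEncryptionType=0x17
EventID=4769 Account=bob@CORP.LOCAL Service=cifs/fs01.corp.local TicketEncryptionType=0x11
EventID=4768 Account=svc_old@CORP.LOCAL Service=krbtgt/CORP.LOCAL TicketEncryptionType=0x17
"""

EVENT_RE = re.compile(
    r"EventID=(\d+) Account=(\S+) Service=(\S+) TicketEncryptionType=0x([0-9a-fA-F]+)")

def find_rc4_usage(log_text: str) -> dict[str, set[str]]:
    """Return {account: {service, ...}} for every ticket issued with an RC4 key."""
    rc4_by_account = defaultdict(set)
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # not a Kerberos ticket event in the expected layout
        _, account, service, etype_hex = m.groups()
        if int(etype_hex, 16) in RC4_TYPES:
            rc4_by_account[account].add(service)
    return dict(rc4_by_account)

def decode_supported_enc_types(value: int) -> list[str]:
    """Expand a msDS-SupportedEncryptionTypes bitmask into cipher names."""
    return [name for bit, name in SUPP_ENC_BITS.items() if value & bit]

def needs_remediation(value: int) -> bool:
    """True if the account permits RC4 but no AES type, so it breaks once RC4 is off.
    A value of 0 / unset means 'use the DC default' and must be reviewed separately."""
    return bool(value & 0x4) and not (value & (0x8 | 0x10))

if __name__ == "__main__":
    for account, services in sorted(find_rc4_usage(SAMPLE_EVENTS).items()):
        print(f"RC4 ticket(s) for {account}: {', '.join(sorted(services))}")
```

Feed the same function a full day of exported 4769 events to get the list of accounts and SPNs to remediate before the July cut‑off.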

3. Unified Tenant Configuration Management (UTCM) Preview

Microsoft introduced UTCM, a new feature for Microsoft 365 that allows admins to:

  • Take configuration snapshots of a tenant (covering Entra, Exchange Online, Intune, Teams, Defender, Purview, etc.).
  • Compare snapshots to detect configuration drift without heavy PowerShell scripts.

Key limitations during preview:

  • Snapshots every six hours.
  • Up to 800 resources/day, max 20,000 resources/month.
  • Stored for 7 days.

Auto‑remediation (automatically reverting drift) is planned for the future.