What Is Windows 11 Administrator Protection? Microsoft Boosts Admin Security

Learn how Windows 11 Administrator Protection adds extra security to administrator accounts.

Microsoft announced Administrator Protection for Windows 11 at its Build 2025 conference. Administrator Protection will affect how developers create applications for Windows 11.

What is Windows Administrator Protection?

Windows 11 Administrator Protection provides local administrators with more protection without putting limitations on functionality they might need to get their jobs done.

Microsoft revealed in its 2024 Digital Defense Report that there were 39,000 token theft attacks every day on Windows devices. When users run applications as an administrator, they are exposed to more risk. Elevated applications can more easily be infected by malware as they have access to system resources, like login tokens that Windows uses to authenticate users.

Protected Admins vs standard users

Administrator accounts in Windows 11 are also called Protected Administrators. Most of the time, Protected Admins are not elevated to administrator status; they have standard user access instead. But you can easily elevate if you need to. For example, you might want to run an application that only works with admin privileges or you need to perform a system-wide change through the Control Panel or the Settings app.

Elevation is controlled in Windows 11 by User Account Control (UAC). UAC’s default configuration includes automatic elevations: for some system-wide operating system tasks, you will be silently elevated to administrator permissions without providing any form of consent. It is, however, possible to disable automatic elevations in Windows today.

Microsoft recommends that, wherever possible, you don’t log in as a Protected Administrator and that you use a standard user account. The only way to get administrator privileges as a standard user is with ‘over-the-shoulder elevation’, meaning that somebody who knows the password to a local administrator account has to enter the username and password for you. Alternatively, you hand over the password to the user, but that defeats the point of issuing a standard user account in the first place unless you have a process to change the password each time over-the-shoulder elevation is performed.

Organizations that can afford to will have users log in as standard users and then add a Privileged Access Management (PAM) solution, like BeyondTrust PowerBroker or the Endpoint Privilege Management in Microsoft Intune, which allows organizations to centrally manage elevations to administrator-level access. But those solutions come at a cost and they need to be set up and managed.

Windows 11 Administrator Protection is for organizations that can’t stretch to an Endpoint Privilege Management solution and need users to log on as an admin, at least some of the time.

How does Administrator Protection work?

If Administrator Protection is enabled, when a Protected Administrator elevates to administrator privileges, the application or process runs under a separate user profile. User profiles provide a security boundary. Administrator Protection uses a System Managed Administrator Account (SMAA) and a separate user profile to run the elevated application or process. This new architecture provides extra protection.

Just-in-time elevation

Elevated sessions are established with Just-in-Time elevation. Elevation happens as you’re requesting it and it is stripped down as soon as the application or process is closed. You only get elevated privileges again when you request them.

Windows Hello integration

Administrator Protection has been integrated into Windows Hello. Every time a Protected Admin wants to elevate, they will need to provide consent with either a PIN or a biometric gesture, like facial recognition, fingerprints, or another method supported by Windows Hello.

Auto elevation is being removed as a default configuration in Windows 11

Auto elevation is being removed in Windows 11. Protected Admins will always have to consent to elevations to help prevent malware silently doing stuff in the background that otherwise the user might not be aware of.
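
To check which of the elevation behaviours described above a machine currently has, the following PowerShell reads the local UAC policy and flags silent or unprompted elevation. It is an added example, not code from the article or from Microsoft; the registry value names do not appear in the article, and treating `TypeOfAdminApprovalMode = 2` as "Administrator Protection enabled" is an assumption.

```powershell
# Added example: summarise the local UAC elevation policy (read-only).
# Value names are Windows UAC policy settings, not taken from the article.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacValue {
    param([string]$Name, [int]$Default)
    # A missing value means the built-in default applies.
    $item = Get-ItemProperty -Path $PolicyKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { [int]$item.$Name } else { $Default }
}

function Get-ElevationPosture {
    $lua     = Get-UacValue -Name 'EnableLUA' -Default 1
    $consent = Get-UacValue -Name 'ConsentPromptBehaviorAdmin' -Default 5
    $secure  = Get-UacValue -Name 'PromptOnSecureDesktop' -Default 1
    # Assumption: 2 selects Admin Approval Mode with Administrator Protection.
    $mode    = Get-UacValue -Name 'TypeOfAdminApprovalMode' -Default 1

    $promptText = @{
        0 = 'Elevate without prompting'
        1 = 'Prompt for credentials on the secure desktop'
        2 = 'Prompt for consent on the secure desktop'
        3 = 'Prompt for credentials'
        4 = 'Prompt for consent'
        5 = 'Prompt for consent for non-Windows binaries (default)'
    }

    $findings = @()
    if ($lua -eq 0)     { $findings += 'UAC is off: administrators always run elevated.' }
    if ($consent -eq 0) { $findings += 'Administrators are elevated with no prompt at all.' }
    if ($consent -eq 5 -and $mode -ne 2) {
        $findings += 'Default UAC level: some Windows tasks auto-elevate without consent.'
    }
    # Values 1 and 2 always use the secure desktop; 3-5 depend on this switch.
    if ($secure -eq 0 -and $consent -ge 3) {
        $findings += 'Elevation prompts are not shown on the secure desktop.'
    }
    if ($mode -ne 2)    { $findings += 'Administrator Protection is not enabled.' }

    [pscustomobject]@{
        UacEnabled              = ($lua -eq 1)
        AdminPrompt             = $promptText[$consent]
        SecureDesktop           = ($secure -eq 1)
        AdministratorProtection = ($mode -eq 2)
        Findings                = $findings
    }
}

Get-ElevationPosture | Format-List
```

The script only reads `HKLM`, so it runs from a standard user session without elevation.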

Caveats of Administrator Protection

Windows 11 Administrator Protection has a few caveats.

More elevation prompts

As auto elevation is being removed, Protected Administrators (PA) will see more elevation prompts. If a PA needs to do something that was previously auto-elevated, like a system-wide change in the Settings app, when Administrator Protection is enabled, they’ll be prompted to provide consent. Although for most users, once their device is configured, they shouldn’t need to change system-wide settings often.

Separate user profile

Administrator Protection will result in a separate user profile where PAs might save files or configure custom settings. When the same application or process runs without elevated privileges, PAs won’t have access to files and settings because they are stored in a separate user profile.

Users might be forced to run apps elevated more often to prevent switching between user profiles, to ensure consistent access to files and configuration settings. Microsoft is telling developers that applications should run in user mode so that they don’t require admin privileges to run.

When will Administrator Protection be available?

Administrator Protection will become the default configuration in Windows 11 soon. Microsoft says it’s not something that you opt in to, but there will be the option to turn it off. While an exact release date hasn’t been confirmed, I expect that we’ll see Administrator Protection become part of Windows 11 in 25H2, which will be released in the second half of 2025.

Administrator Protection secures developers

I have mixed feelings about Administrator Protection. I wish more organizations would provision standard user accounts and understand the risks of administrator privileges. When you run a standard user account, if you’re going to do over-the-shoulder elevation, you face the same caveats as Administrator Protection. But you do get that security boundary provided by a separate user profile.

It’s important to understand the difference between a PA and a standard user account, which is what Microsoft has always recommended you should use. But many organizations don’t understand the difference between a standard user account and a PA, which is the default kind of account when you set up Windows 11.

Whether you choose to use a PA or standard user account will depend on the user’s job function. Developers are likely to always need admin access to their devices. Apps like Visual Studio Code, and other tools, require administrator access to the operating system for debugging etc., so Administrator Protection will help to protect developers in situations where Endpoint Privilege Management isn’t practical.