
"Administrator Protection"...
Does it also protect users from certain 'Administrators' in Redmond, Washington changing their settings and installing unwanted software?
Microsoft is trying a new way of enabling Administrator Protection in Windows 11. The latest Windows Insider Canary build adds a setting that removes the requirement for IT admins to activate the feature. Administrator Protection first appeared in the Windows 11 Insider Canary build on October 2, 2024. The feature meant that …
Exactly what I was wondering, and yes it came in with Vista about 18 years ago. But even in NT it was possible to have privileged and unprivileged accounts without resorting to granular policy settings à la Win 3.11/95/98.
The reason UAC wasn’t routinely used was that it broke so many apps, and not just legacy ones.
Mine’s the one covered in chewing gum, chalk dust and paint, from working in schools —>
@cyberdemon "How is this different from User Account Control, the annoying and quickly-ignored popup that was introduced in, if my memory serves, Vista?"
User authentication.
With Administrator Protection, users have to verify their identity with Windows Hello* before they can authorize an admin-level operation.
With UAC there is no ID check, just an authorize dialog**.
*Don't know what sign-in options Windows Hello offers; never use it.
**the annoying and quickly-ignored popup ;)
You can get the same protection of the "Administrator Protections" w/o Windows Hello from changing the 'User Account Controls' in secpol.msc, under Computer Config\Security Settings\Local Policies\Security Options, scroll down to User Account Controls. Options include: hiding username, hiding last logon, prompt for credentials options, etc., eliminating the UAC yes or no prompt and asking for credentials. Step by step instructions are plentiful via an Internet search.
If you are on Windows Home edition then you will need to find the registry edits for these settings.
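An added example, not part of the comment above: a PowerShell audit of the registry values behind the Security Options that comment describes, with an optional function to set them. The value names and their meanings are the documented ones under the `Policies\System` key; the choice of target values and the function names `Get-UacPolicyState` and `Set-UacPolicyState` are assumptions made for this illustration.

```powershell
# Added example: audit the UAC prompt policy values (read-only by default).
$Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Assumed target: ask for credentials on the secure desktop instead of Yes/No.
$Desired = [ordered]@{
    EnableLUA                  = 1  # UAC (Admin Approval Mode) enabled
    ConsentPromptBehaviorAdmin = 1  # admins: prompt for credentials on the secure desktop
    ConsentPromptBehaviorUser  = 1  # standard users: prompt for credentials on the secure desktop
    PromptOnSecureDesktop      = 1  # show elevation prompts on the secure desktop
    DontDisplayLastUserName    = 1  # do not show the last signed-in user at logon
}

# Hypothetical helper: report current value vs. target for each setting.
function Get-UacPolicyState {
    $current = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    foreach ($name in $Desired.Keys) {
        $value = $null
        if ($current -and $current.PSObject.Properties[$name]) {
            $value = $current.$name
        }
        [pscustomobject]@{
            Setting = $name
            Current = if ($null -eq $value) { '(not set)' } else { $value }
            Desired = $Desired[$name]
            Matches = ($value -eq $Desired[$name])
        }
    }
}

# Hypothetical helper: write the target values. Needs an elevated session.
function Set-UacPolicyState {
    foreach ($name in $Desired.Keys) {
        Set-ItemProperty -Path $Key -Name $name -Value $Desired[$name] -Type DWord
    }
}

Get-UacPolicyState | Format-Table -AutoSize
# Set-UacPolicyState   # uncomment to apply after reviewing the report
```

A change to `EnableLUA` only takes effect after a restart, and a value reported as `(not set)` means Windows is using its built-in default for that setting.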
I'm not keeping up with this, but one of the problems with UAC is that the "Administrator" doesn't run in real "Administrative mode" -- the system has to internally switch to a privileged account to do things the "Administrator" account can't really do. (It's a problem because sometimes the "Privileged" system has trouble doing things because it's lost the information attached to the "Administrator" account.)
Is this change giving non-administrator users direct access to the privileged system? Or is it just a new way of accessing the triple level user-administrator-privileged system used with UAC?
.. that Microsoft is finally adding something that has been standard in most non-Microsoft systems for decades. But hey, even the whole multi-user idea they apparently still have to get used to.
BTW, it doesn't help much against malware as the absolute flood of popups in Microsoft products has already trained users to say yes to just about anything so they can actually get any work done..
Microsoft should have changed Windows setup decades ago to create a Basic User account FIRST, providing a notice that this will be the default user account. Then set up the administrator account requiring a different password than the default user account with the settings to require credentials when elevated rights are needed. Eliminating the need for this new setting and making the system more secure. Instead Microsoft is obsessed with hardware requirements to use TPM, Secure Boot and BitLocker which are all supported in Windows 10 negating their secure hardware nonsense. Microsoft's hardware requirements are to support their AI bloat and benefit their bottom line with the sale of new PCs. Ignoring the e-waste disaster they are creating!!
*shudder*
Repressed memories from years of doing tech support for friends and family!
If you’re lucky, they haul out a dusty diary/Filofax/paper-notepad and start flicking through it.. “hmm, administrator password you say? is it… no, that’s my Ocado password… maybe… no, that’s my Hotmail login…”
The horror. The horror!
... then (AIUI) you'll need a Microsoft account in order to use it. So, no ta.
Bad enough I can't (seem to find a way to) use my fingerprint-reader without signing up. Dual-account strategy will have to continue to suffice.
They have done their best to make it all but mandatory. Wonder what the next gambit will be?
Making the facial recognition logon in Windows Hello mandatory because that will give them an excuse to leave the camera active all the time, and so stripping away the last bit of privacy you had.
If you're a business user you ought to ask an admin to show you just what it logs about you on a day. I think only mouse movements are not logged.
Using *nix, if I have a series of needs-root-perms commands, I sudo bash, enter the root password, run the series of commands, then exit that shell, rather than sudo-ing and entering the root password for each command.
Hopefully, a similar approach would work under MS Windows using command.exe and this new privilege-escalation scheme ... but no guarantees.