Windows 11 Enhances Security with New Admin Rights Verification Feature

To use the various features of Windows, you'll need to authenticate through Windows Hello, which means setting up and using a fingerprint, facial recognition, or a PIN code. Administrator Protection consists of three key components that enhance security for users:

The first component is Just-in-time elevation. This feature ensures that users remain de-privileged until an admin operation is needed. When an admin function is executed, the system grants temporary elevation rights that expire once the task is completed. The admin token used for this task is discarded and needs to be regenerated for subsequent admin actions.

The second component is Profile separation. Administrator Protection utilizes hidden, system-generated user accounts with separated profiles to create an isolated admin token. This measure is effective in preventing user-level malware from compromising any elevated session, establishing a clear security boundary during admin tasks.

The last component is No auto-elevations. Users are required to interactively authorize each admin operation. This mechanism keeps users in complete control, ensuring that admin privileges are not misused.

The integration with Windows Hello further bolsters security while also providing ease of use. In addition to preventing accidental system changes, Administrator Protection serves as a barrier against malware that may attempt to make hidden alterations without detection.

Currently, this feature is turned off by default and needs to be enabled manually through Windows Security or group policy. However, plans are in place for it to be automatically activated for all users in the future. Users can expect this new feature to be rolled out later this summer.
