Learn how to enable the administrator protection feature in Windows 11 to improve security by limiting automatic admin privileges.
Most Windows users use only one user account, and it generally has administrator privileges. When you want to install an app or change advanced system settings, Windows 11 displays the UAC (User Account Control) prompt, and accepting it lets the app run with the same privileges as your user account. As you might expect, the downside of this approach is that your user account still retains full admin privileges, and the app you approve uses those same privileges until it exits.
To fix this drawback, Microsoft introduced a new security feature called Administrator Protection. Once enabled, Windows treats your user account as a standard account, even if you belong to the administrator group. When a task requires admin privileges, Windows prompts for your PIN or password. After authentication, Windows creates a special admin context using a separate & system-managed admin account and runs the task within it. Once the task is finished, that admin context is deleted. That way, no app will have automatic or permanent admin privileges just because you are logged in as an administrator.
In this quick and easy guide, let me show you the steps to enable administrator protection in Windows 11. Let’s get started.
Before You Start
- The steps below require Windows 11 Pro or Enterprise, as the Group Policy Editor is not available in Home.
Steps to Enable Administrator Protection in Windows 11
- Press “Windows key + R” to open the Run dialog.
- Type “gpedit.msc” and click “OK“.
- Go to the “Computer Configuration” > “Windows Settings” folder.
- Go to the “Security Settings” > “Local Polices” > “Security Options” folder.
- Double-click the “User Account Control: Configure type of Admin Approval Mode” policy.
- Select “Admin Approval Mode with Administrator protection” from the dropdown menu.
- Click “OK“.
- Close the Group Policy Editor.
- Restart your system
- With that, you’ve enabled administrator protection.
Detailed Steps (With Screenshots)
Being an advanced feature, you need to modify the Group Policy Editor to enable this feature. So, to start off, open the Run dialog by pressing the “Windows key + R“. Next, type “gpedit.msc“, and click “OK“.
Once the Group Policy Editor opens, go to the following folder:
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
On the right panel, scroll down and double-click the “User Account Control: Configure type of Admin Approval Mode” policy.
Now, ensure you are in the “Local Security Settings” tab and select “Admin Approval Mode with Administrator protection” from the dropdown menu. Click the “OK” button to save the changes.
Finally, close the Group Policy Editor by clicking the “X” icon on the title bar. Next, restart your computer to apply the changes. After restarting, the administrator protection feature is fully enabled. From now on, whenever a task requires admin privileges, you must authenticate with a PIN or password, and Windows handles the admin privileges using its isolated admin context.
That is all. If you have any questions or need help, comment below. I’ll be happy to assist.
