Windows 11 Tests New Admin Protection Feature: PIN/Fingerprint Verification Required for Admin Permission Requests
Brook.X
In macOS, when users attempt to change certain system settings or access options protected by sensitive permissions, they must confirm their identity through a password or fingerprint verification. This precaution helps prevent unauthorized or malicious actions by software without explicit user consent.
Microsoft is now introducing a similar feature to Windows 11, dubbed "Admin Protection." Once enabled, any software or process requesting admin privileges must undergo verification via Windows Hello.
The verification methods supported include, but are not limited to, Microsoft account passwords, PINs, fingerprint, or facial recognition. Admin privileges are only granted after successful verification.
The current system in Windows prompts a window asking users to click "Yes" or "No" for admin permissions, without requiring additional verification. This could potentially be exploited by malicious software under certain circumstances.
Microsoft's blog states:
"Admin Protection requires users to authenticate via Windows Hello's integrated identity verification for any operation needing admin privileges. This includes installing software, changing system settings like modifying the registry, and accessing sensitive data, among others."
This feature significantly reduces the risk of unintended system changes by the user and, more importantly, helps prevent silent system alterations by malware without the user's awareness.
Admin Privileges Act Like a Sandbox, Requiring Re-authentication Each Time:
To avoid granting software or processes permanent admin privileges after a single authorization, Microsoft has implemented a one-off authorization mechanism. Once a user authenticates via Windows Hello, the system generates a hidden, profile-separate account to create an isolated admin token for the software or process.
This admin token is issued to the requesting process and is immediately destroyed after the process ends, not supporting reuse. If the process requires admin privileges again, it must re-initiate a request and undergo user verification.
Testing of This Feature Begins Today:
Starting with today's release of Windows 11 Build 27754 Canary version, Microsoft is testing the Admin Protection feature. Users who upgrade to this version can enable the Admin Protection option in the Microsoft Defender account protection menu.
This feature can also be enabled through Group Policy (Registry), with the policy setting located at: Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options, User Account Control, changing the local security setting to Admin Approval Mode with Admin Protection.
![[Tips] Four ways to switch the style of the taskbar search box after installing the March update of Windows 11](https://img.lancdn.com/landian/2023/03/97863-1.png)
![[Tips] Four ways to switch the style of the taskbar search box after installing the March update of Windows 11](https://img.lancdn.com/landian/2023/03/97863-2.png)
![[Tips] Four ways to switch the style of the taskbar search box after installing the March update of Windows 11](https://img.lancdn.com/landian/2023/03/97863-3.png)
![[Tips] Four ways to switch the style of the taskbar search box after installing the March update of Windows 11](https://img.lancdn.com/landian/2023/03/97863-4.png)
