How to enable Administrator Protection on Windows 11

Administrator Protection treats Windows 11 admin accounts as standard accounts and requires authentication before elevation, which helps prevent accidental system changes and attacks.

  • On Windows 11, you can enable Administrator Protection to strengthen security for administrator accounts.
  • The feature prevents silent privilege elevation and requires confirmation using Windows Hello or consent prompts.
  • You can enable it through Group Policy under Security Options > Admin Approval Mode or in the Registry by setting the TypeOfAdminApprovalMode value to 2.

UPDATED 11/12/2025: On Windows 11, you can now enable the “Administrator Protection” feature to add an extra layer of security when running apps that require elevation. In this guide, I will explain how to configure this feature through Group Policy and Registry.

What is Administrator Protection?

Administrator Protection is a Windows 11 security feature that enhances the security of accounts with administrative privileges. Typically, users in the “Administrators” group can modify system settings and install apps without restrictions. While these capabilities are useful, they also present a significant security risk, as malicious actors can exploit them to compromise the system.

This feature helps mitigate these risks by reducing the chance of users making system-level changes by mistake and preventing malware from silently making unauthorized modifications.

How does Administrator Protection work?

This feature applies the “Principle of Least Privilege” (PoLP), treating administrator accounts as standard users by default. Elevated privileges are granted only when explicitly approved, following a “just-in-time” (JIT) elevation process.

For instance, if you attempt to perform an administrative task (such as modifying system settings or installing an application), you must first approve the elevation. This can be done using Windows Hello authentication (the default method) or by consenting to the prompt in a secure environment (without additional authentication).

Once the task is approved, Windows 11 temporarily creates an isolated administrator token using a system-generated, separate user account. This token is used only for the duration of the task and is destroyed immediately after. According to Microsoft, this ensures that administrator privileges are not persistent. Each subsequent request for elevated privileges repeats the entire process, maintaining a secure environment.

Furthermore, the prompt uses different color schemes to provide a visual cue to the potential risks associated with the action.

Is Administrator Protection the same as User Account Control?

Although it may look similar, Administrator Protection isn’t the same as User Account Control (UAC). Microsoft defines UAC as “more of a defense-in-depth feature,” while Administrator Protection has been designed to ensure that any access to or tampering with the code or data of an elevated session doesn’t execute without proper confirmation by the user.

In short, User Account Control focuses on system-wide change notifications, while Administrator Protection strengthens the security model specifically for admin accounts by minimizing privilege misuse.

In this guide, I will outline the two ways to enable the new security feature for administrators on Windows 11. This feature is available starting with the 2025-11 Security Update (KB5068861) (26200.7171).

Warning: Before proceeding, it’s crucial to acknowledge the risks associated with modifying the Windows Registry. Incorrect changes can lead to system instability or operational issues. Therefore, ensure you have a full system backup before making any changes. Proceed with caution and understanding.

Enable Administrator Protection on Windows 11 from Group Policy

To enable Administrator Protection from the Group Policy Editor on Windows 11 Pro, follow these steps:

  1. Open Start.

  2. Search for gpedit and click the top result to open the Group Policy Editor.

  3. Browse the following path:

    Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

  4. Right-click the “User Account Control: Configure type of Admin Approval Mode” policy and choose the Properties option.

  5. Choose the “Admin Approval Mode with Administrator protection” option.

  6. Click the Apply button.

  7. Click the OK button.

  8. Restart the computer.

After you complete the steps, the settings will apply to Windows 11 Pro or Enterprise, and the next time you run an application that requires elevation, you will receive a prompt to consent to the action or authenticate using one of the available Windows Hello methods.

Enable Administrator Protection on Windows 11 from Registry

To turn on Administrator Protection on Windows 11 (Home and Pro) through the Registry, follow these steps:

  1. Open Start.

  2. Search for regedit and click the top result to open the Registry Editor.

  3. Open the following path:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

  4. Right-click the TypeOfAdminApprovalMode value and choose the Modify option.

  5. Change its value to 2 to enable the feature.

  6. Click the OK button.

  7. Restart the computer.

Once you complete the steps, the system will enable just-in-time access for actions requiring administrator privileges, replacing the User Account Control feature on your account.

If you want to revert the changes, use the same instructions, but at step 5, set the value to 1, save the settings, and restart the computer.
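
The Registry steps above can also be scripted. The following PowerShell is an added example and not part of the original guide: the function names Get-AdminProtectionState and Set-AdminProtectionState are hypothetical, while the registry path, the value name, and the data 2 (enable) and 1 (revert) are the ones given in this guide. It only reports the current state unless you call the Set function explicitly.

```powershell
# Added example: audit, enable or revert the value from the steps above.
# Function names are hypothetical; path, value name and data (2 / 1) are from this guide.
$PolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName  = 'TypeOfAdminApprovalMode'

function Get-AdminProtectionState {
    # Build and update revision, to compare against the build the guide lists (26200.7171).
    $cv  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $raw = (Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName

    if     ($null -eq $raw) { $state = 'ValueNotPresent' }
    elseif ($raw -eq 2)     { $state = 'AdministratorProtection' }
    elseif ($raw -eq 1)     { $state = 'NotEnabled' }
    else                    { $state = "UnexpectedData($raw)" }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        OsBuild  = '{0}.{1}' -f $cv.CurrentBuildNumber, $cv.UBR
        RawValue = $raw
        State    = $state
    }
}

function Set-AdminProtectionState {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)][ValidateSet('Enable', 'Revert')][string]$Action)

    # Writing under HKLM needs an elevated session; fail early with a clear message.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell session.'
    }

    $data   = if ($Action -eq 'Enable') { 2 } else { 1 }
    $before = (Get-AdminProtectionState).RawValue
    if ($PSCmdlet.ShouldProcess("$PolicyPath\$ValueName", "Set DWORD to $data (current: '$before')")) {
        New-ItemProperty -Path $PolicyPath -Name $ValueName -PropertyType DWord -Value $data -Force | Out-Null
        Write-Warning 'Restart the computer for the change to take effect.'
    }
    Get-AdminProtectionState
}

# Read-only by default: report the current state. To preview a change, run for example
#   Set-AdminProtectionState -Action Enable -WhatIf
Get-AdminProtectionState
```

Running Get-AdminProtectionState across a fleet and filtering on State gives a quick inventory of which machines still have the feature off or carry unexpected data in the value.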

FAQs about Administrator Protection on Windows 11

Here’s a list of frequently asked questions (FAQs) and answers about Administrator Protection on Windows 11.

What is Administrator Protection on Windows 11?

Administrator Protection is a security feature designed to prevent unauthorized or automated elevation of privileges on administrator accounts. When enabled, it requires manual confirmation for sensitive actions and system-level changes.

Is Administrator Protection enabled by default?

No. On most systems, the feature is turned off by default. You must manually enable it through Settings, Group Policy, or PowerShell.

How is Administrator Protection different from User Account Control (UAC)?

UAC prompts for elevation whenever an app requests admin privileges, while Administrator Protection adds an additional safeguard that blocks automatic elevation and enforces stricter authentication controls.

Can I enable Administrator Protection using PowerShell or Group Policy?

Yes. On Windows 11 Pro and Enterprise, you can enable it using Group Policy or a PowerShell command that modifies the related security policy.

Does enabling Administrator Protection affect Microsoft Defender or Smart App Control?

No. The feature works alongside Windows security components. However, it can enhance system protection by preventing malicious elevation attempts that other layers might not catch.

Can I disable Administrator Protection later?

Yes, you can turn it off at any time from the same Registry or Group Policy location if you need to revert the behavior.

Update November 12, 2025: This guide has been updated to ensure accuracy and reflect changes to the process.

About the author

Mauro Huculak is a Windows How-To Expert and founder of Pureinfotech in 2010. With over 22 years as a technology writer and IT Specialist, Mauro specializes in Windows, software, and cross-platform systems such as Linux, Android, and macOS.

Certifications: Microsoft Certified Solutions Associate (MCSA), Cisco Certified Network Professional (CCNP), VMware Certified Professional (VCP), and CompTIA A+ and Network+.

Mauro is a recognized Microsoft MVP and has also been a long-time contributor to Windows Central.
