• On Windows 11, you can enable Administrator Protection to strengthen security for administrator accounts.
  • The feature prevents silent privilege elevation and requires confirmation using Windows Hello or consent prompts.
  • You can enable it through Group Policy under Security Options > Admin Approval Mode or in the Registry by setting the TypeOfAdminApprovalMode value to 2 .

UPDATED 12/16/2025: On Windows 11 , you can now enable the “Administrator Protection” feature to add an extra layer of security when running apps that require elevation. In this guide, I will explain how to configure this feature through Group Policy and Registry.

What is Administrator Protection?

Administrator Protection is a Windows 11 security feature that enhances the security of accounts with administrative privileges. Typically, users in the “Administrators” group can modify system settings and install apps without restrictions. While these capabilities are useful, they also present a significant security risk, as malicious actors can exploit them to compromise the system.

This feature helps mitigate these risks by reducing the chance of users making system-level changes by mistake and preventing malware from silently making unauthorized modifications.

How does Administrator Protection work?

This feature applies the “Principle of Least Privilege” (PoLP) , treating administrator accounts as standard users by default. Elevated privileges are granted only when explicitly approved, following a “just-in-time” (JIT) elevation process.

For instance, if you attempt to perform an administrative task (such as modifying system settings or installing an application), you must first approve the elevation. This can be done using Windows Hello authentication (the default method) or consenting to the prompt in a secure environment (without additional authentication).

Once the task is approved, Windows 11 temporarily creates an isolated administrator token using a system-generated, separate user account. This token is used only for the duration of the task and is destroyed immediately after. According to Microsoft, this ensures that administrator privileges are not persistent. Each subsequent request for elevated privileges repeats the entire process, maintaining a secure environment.

Furthermore, the prompt uses different color schemes to provide a visual cue to the potential risks associated with the action.

Is Administrator Protection the same as User Account Control?

Although it may look similar, Administrator Protection isn’t the same as User Account Control (UAC) . Microsoft defines UAC as “more of a defense-in-depth feature,” while Administrator Protection has been designed to ensure that any access to or tampering with the code or data of an elevated session doesn’t execute without proper confirmation by the user.

In short, User Account Control focuses on system-wide change notifications, while Administrator Protection strengthens the security model specifically for admin accounts by minimizing privilege misuse.

In this guide , I will outline the two ways to enable the new security feature for administrators on Windows 11.

  • Enable Administrator Protection on Windows 11 from Group Policy
  • Enable Administrator Protection on Windows 11 from Registry
  • FAQs about Administrator Protection on Windows 11

Enable Administrator Protection on Windows 11 from Group Policy

To enable Administrator Protection from the Group Policy Editor on Windows 11 Pro, follow these steps:

  1. Open Start .
  2. Search for gpedit and click the top result to open the Group Policy Editor .
  3. Browse the following path: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
  4. Right-click the “User Account Control: Configure type of Admin Approval Mode” policy and choose the Properties option.
  5. Choose the “Admin Approval Mode with Administrator protection” option.
  6. Click the Apply button.
  7. Click the OK button.
  8. Restart the computer.

After you complete the steps, the settings will apply to Windows 11 Pro or Enterprise, and the next time you run an application that requires elevation, you will receive a prompt to consent to the action or authenticate using one of the available Windows Hello methods.

Enable Administrator Protection on Windows 11 from Registry

To turn on Administrator Protection on Windows 11 (Home and Pro) through the Registry, follow these steps:

  1. Open Start .
  2. Search for regedit and click the top result to open the Registry Editor.
  3. Open the following path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  4. Right-click the TypeOfAdminApprovalMode key and choose the Modify option.
  5. Change its value to 2 to enable the feature.
  6. Click the OK button.
  7. Restart the computer.

Once you complete the steps, the system will enable just-in-time access for actions requiring administrator privileges, replacing the User Account Control feature on your account.

If you want to revert the changes, use the same instructions, but at step 5 , set the value to 1 , save the settings, and restart the computer.

What is Administrator Protection on Windows 11?

Administrator Protection is a security feature designed to prevent unauthorized or automated elevation of privileges on administrator accounts. When enabled, it requires manual confirmation for sensitive actions and system-level changes.

Is Administrator Protection enabled by default?

No. On most systems, the feature is turned off by default. You must manually enable it through Settings, Group Policy, or PowerShell.

How is Administrator Protection different from User Account Control (UAC)?

UAC prompts for elevation whenever an app requests admin privileges, while Administrator Protection adds an additional safeguard that blocks automatic elevation and enforces stricter authentication controls.

Can I enable Administrator Protection using PowerShell or Group Policy?

Yes. On Windows 11 Pro and Enterprise, you can enable it using Group Policy or a PowerShell command that modifies the related security policy.

Does enabling Administrator Protection affect Microsoft Defender or Smart App Control?

No. The feature works alongside Windows security components. However, it can enhance system protection by preventing malicious elevation attempts that other layers might not catch.

Can I disable Administrator Protection later?

Yes, you can turn it off at any time from the same Registry or Group Policy location if you need to revert the behavior.

Update December 16, 2025: This guide has been updated to ensure accuracy and reflect changes to the process.

  • To set up a fingerprint reader on Windows 11, open Settings > Accounts > Sign-in options , select “Fingerprint recognition,” click “Set up,” click “Get started,” and use the sensor to register your fingerprint.

On Windows 11 , you can set up a fingerprint reader to sign in using only your finger, and here’s how. Windows Hello is the name of the feature that Microsoft has chosen to describe the support for more secure ways to sign in to Windows 11 using biometric and Personal Identification Number (PIN) authentication.

This feature allows you to replace a traditional complex and less secure password with a more secure and easy-to-use authentication method, including facial recognition , fingerprint, and PIN to unlock a Windows 11 computer.

This guide will teach you how to configure and remove Windows Hello using a fingerprint reader on Windows 11.

  • Enable Windows Hello fingerprint recognition
  • Remove Windows Hello fingerprint recognition
  • Windows Hello compatible hardware

Enable Windows Hello fingerprint recognition

To unlock Windows 11 using a fingerprint reader, use these steps:

  1. Open Settings on Windows 11.
  2. Click on Accounts .
  3. Click the Sign-in options tab.
  4. Under the “Ways to sign in” section, select the Fingerprint recognition setting.
  5. Click the “Set up” button to enable the Windows Hello fingerprint feature.
  6. Click the Get started button.
  7. Confirm your Windows 11 account password.
  8. Touch the fingerprint sensor as indicated in the wizard.
  9. Continue with the on-screen directions to capture your fingerprint from various angles. Quick tip: It’s recommended to click the “Add another finger” option to configure a second and even a third finger you can use if you encounter problems signing in.

Once you complete the steps, you should be able to lock your device (including using the “Windows key + L” keyboard shortcut) and then use the fingerprint reader to sign in with the finger that you configured.

Remove Windows Hello fingerprint recognition

To remove the Windows Hello fingerprint on Windows 11, use these steps:

  1. Open Settings .
  2. Click on Accounts .
  3. Click the Sign-in options tab.
  4. Under the “Ways to sign in” section, select the Fingerprint recognition setting.
  5. Click the Remove button.
  6. Click the Remove button again to disable the Windows Hello fingerprint option.
  7. Confirm the Windows 11 account password.
  8. Click the OK button.

After you complete the steps, you can continue signing in with a traditional password. If you have configured Facial recognition or PIN, you must remove those configurations using the same steps to disable the Windows Hello feature entirely on Windows 11.

Windows Hello compatible hardware

If you want to sign in to Windows 11 using your facial recognition or fingerprint, you can find many devices with Windows Hello built-in, such as the Surface Pro 8 , Surface Laptop 4 , Surface Go 3 , and many others.