How to Enable Administrator Protection for Admin Approval Mode in Windows 11

Configure Windows 11's Administrator Protection feature to replace UAC prompts with Windows Hello authentication for enhanced security. Learn three methods: Windows Security UI, Group Policy, and Registry editing.

By Emanuel DE ALMEIDA
March 18, 2026 | Easy | Windows 11 | 10 steps | 12 min

What is Administrator Protection in Windows 11?

Administrator Protection is a significant security enhancement in Windows 11 that replaces traditional User Account Control (UAC) prompts with Windows Hello authentication for administrative tasks. Instead of clicking "Yes" on a UAC dialog, you'll need to authenticate using your PIN, fingerprint, or face recognition when performing elevated operations.

How Does Administrator Protection Improve Security?

This feature addresses a fundamental weakness in traditional UAC: users often click "Yes" without thinking, creating a security risk. Administrator Protection forces deliberate authentication using biometric or PIN-based Windows Hello, making it much harder for malicious software to gain administrative privileges without user knowledge. The system uses just-in-time privileges with isolated tokens, providing better protection against privilege escalation attacks.

Which Windows 11 Versions Support Administrator Protection?

Administrator Protection is available starting with Windows 11 build 26120.4733 (24H2 Beta channel) and build 26200.5702 (25H2 Dev channel). The feature works on Pro, Enterprise, and Education editions through Group Policy, while Home edition users can access it through the Windows Security interface in later builds. Note that Microsoft temporarily disabled this feature in December 2025 due to application compatibility issues, though it remains configurable through policy settings.

This tutorial will walk you through three methods to enable Administrator Protection: the user-friendly Windows Security interface, Local Security Policy for enterprise environments, and Registry editing for advanced users. You'll also learn how to test the feature, configure advanced settings, and troubleshoot common issues.

Implementation Guide

Full Procedure

01. Verify Windows 11 Build and Edition Compatibility

Before configuring Administrator Protection, confirm your system meets the requirements. This feature requires specific Windows 11 builds and editions.

Open Command Prompt as administrator and run:

winver

Check that your build number is 26120 or higher for 24H2, or 26200+ for 25H2. Also verify your Windows edition:

dism /online /get-currentedition

Administrator Protection works on Pro, Enterprise, and Education editions. Home edition users can use the Windows Security method if available.

Pro tip: If you're on an older build, update Windows through Settings > Windows Update to get the latest features.

Verification: The winver command should show build 26120.4733 or higher, and your edition should be Pro, Enterprise, or Education for full functionality.
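
The same check as a script, as an added example that is not part of the original article: it compares build, revision and edition against the thresholds quoted above, which is easy to get wrong by eye when only the revision differs. The function name and output fields are illustrative; the thresholds are the article's.

```powershell
# Added example, not from the article: pre-flight check for step 01.
function Test-AdminProtectionPrereq {
    param(
        [Parameter(Mandatory)][int]$Build,
        [Parameter(Mandatory)][int]$Revision,
        [Parameter(Mandatory)][string]$EditionId
    )
    # Minimum revision for the two builds the article names (26120.4733, 26200.5702).
    $minRevision = @{ 26120 = 4733; 26200 = 5702 }

    if ($Build -lt 26120) {
        $buildOk = $false                      # older than the lowest build listed
    } elseif ($minRevision.ContainsKey($Build)) {
        $buildOk = $Revision -ge $minRevision[$Build]
    } else {
        $buildOk = $true                       # newer build than those listed
    }

    # EditionID strings as Windows stores them: "Professional" is Pro, "Core" is Home.
    $policyEdition = $EditionId -match '^(Professional|Enterprise|Education)'

    [pscustomobject]@{
        Version        = "$Build.$Revision"
        EditionId      = $EditionId
        BuildSupported = $buildOk
        PolicyMethods  = $policyEdition        # secpol.msc route from step 04
    }
}

# Live values: build, revision (UBR) and edition as recorded in the registry.
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
Test-AdminProtectionPrereq -Build ([int]$cv.CurrentBuildNumber) -Revision $cv.UBR -EditionId $cv.EditionID

# Constructed inputs for two cases that are easy to misread in winver:
Test-AdminProtectionPrereq -Build 26120 -Revision 4000 -EditionId 'Professional'  # revision too low
Test-AdminProtectionPrereq -Build 26200 -Revision 5702 -EditionId 'Core'          # build fine, Home edition
```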

02. Configure Windows Hello Authentication

Administrator Protection requires Windows Hello for authentication. Set up at least one Windows Hello method before enabling the feature.

Open Settings by pressing Win + I, then navigate to Accounts > Sign-in options. Configure one of these methods:

  • Windows Hello PIN: Click "PIN (Windows Hello)" and set up a numeric PIN
  • Fingerprint: Click "Fingerprint recognition (Windows Hello)" if you have a compatible reader
  • Face recognition: Click "Facial recognition (Windows Hello)" if you have a compatible camera

Test your Windows Hello method by locking your screen (Win + L) and signing back in using your configured method.

Warning: Without Windows Hello configured, Administrator Protection prompts will fail, potentially locking you out of administrative functions.

Verification: Lock and unlock your PC using Windows Hello. The authentication should work smoothly before proceeding.

03. Enable Administrator Protection via Windows Security (Recommended Method)

The easiest method is through the Windows Security interface, available on all Windows 11 editions with recent updates.

Open Windows Security by searching for it in the Start menu or pressing Win + I and navigating to Privacy & security > Windows Security.

In Windows Security, click on Account protection in the left sidebar. Look for the Administrator protection settings section.

Click on Administrator protection settings to expand the options. Toggle the Administrator protection switch to On.

You'll see a confirmation dialog explaining that administrative tasks will now require Windows Hello authentication. Click Yes to confirm.

Pro tip: If you don't see the Administrator protection option, ensure you have the latest Windows updates installed, particularly KB5067036 or later.

Verification: The toggle should show "On" and display "Administrator protection is turned on. Administrative tasks will require Windows Hello authentication."

04. Alternative: Enable via Local Security Policy (Pro/Enterprise)

For Pro and Enterprise editions, you can configure Administrator Protection through Local Security Policy for more granular control.

Press Win + R, type secpol.msc, and press Enter to open Local Security Policy.

Navigate to Local Policies > Security Options in the left panel. Scroll down to find the UAC-related policies.

Double-click on User Account Control: Configure type of Admin Approval Mode. In the dropdown menu, select Admin Approval Mode with Administrator protection and click OK.

Optionally, configure the elevation prompt behavior by double-clicking User Account Control: Behavior of the elevation prompt for administrators running with Administrator protection. Choose your preferred option (recommended: "Prompt for credentials").

Policy Options:
- Prompt for credentials (Recommended)
- Prompt for consent
- Elevate without prompting (Not recommended)

Verification: The policy should show "Admin Approval Mode with Administrator protection" as the selected option.

05. Alternative: Enable via Registry Editor (All Editions)

For advanced users or when other methods aren't available, you can enable Administrator Protection through the Windows Registry.

Warning: Editing the registry incorrectly can cause system instability. Create a registry backup before proceeding.

Press Win + R, type regedit, and press Enter to open Registry Editor.

Navigate to the following registry path:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Look for the TypeOfAdminApprovalMode DWORD value. If it doesn't exist, right-click in the right panel, select New > DWORD (32-bit) Value, and name it TypeOfAdminApprovalMode.

Double-click TypeOfAdminApprovalMode and set its value to 2. Ensure "Decimal" is selected as the base.

Registry Values:
0 = Disabled
1 = Legacy Admin Approval Mode (Default UAC)
2 = Admin Approval Mode with Administrator protection

Verification: The TypeOfAdminApprovalMode value should show "2" in the Data column.
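
For repeatable deployments, the registry edit above can be scripted. The following is an added example, not code from the original article: it exports the key before writing, changes nothing if the value is already correct, and supports -WhatIf. The function name and the backup directory are assumptions; run it only after Windows Hello is configured (step 02).

```powershell
#Requires -RunAsAdministrator
# Added example, not from the article: scripted version of step 05.
$Key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Name = 'TypeOfAdminApprovalMode'

function Set-AdminApprovalModeType {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # 1 = Legacy Admin Approval Mode, 2 = Administrator protection (values from the article).
        [Parameter(Mandatory)][ValidateRange(1, 2)][int]$Mode,
        # Hypothetical backup location; change to suit your environment.
        [string]$BackupDir = "$env:ProgramData\AdminProtectionBackup"
    )
    # A missing value reads as $null rather than raising an error.
    $before = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($before -eq $Mode) {
        Write-Verbose "$Name is already $Mode; nothing to do."
        return [pscustomobject]@{ Previous = $before; Current = $before; Changed = $false }
    }

    if ($PSCmdlet.ShouldProcess("$Key\$Name", "Set to $Mode")) {
        # Back up the whole Policies\System key first, as the warning above advises.
        New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
        $file = Join-Path $BackupDir ('PoliciesSystem-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
        & reg.exe export 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' $file /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw 'Registry backup failed; value not changed.' }

        # -Force creates the DWORD if it is absent and overwrites it if present.
        New-ItemProperty -Path $Key -Name $Name -PropertyType DWord -Value $Mode -Force | Out-Null
    }

    $after = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
    [pscustomobject]@{ Previous = $before; Current = $after; Changed = ($after -ne $before) }
}

# Preview first, then apply. A restart is still required (step 06).
Set-AdminApprovalModeType -Mode 2 -WhatIf
Set-AdminApprovalModeType -Mode 2 -Verbose
```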

06. Restart Your Computer to Apply Changes

Administrator Protection changes require a system restart to take effect. Save any open work before proceeding.

Restart your computer using one of these methods:

  • Click Start menu > Power > Restart
  • Press Alt + F4 on desktop and select "Restart"
  • Use Command Prompt: shutdown /r /t 0

After restart, Windows will apply the new Administrator Protection settings. The first administrative task you perform will demonstrate the new authentication method.

Pro tip: Plan the restart during a maintenance window if this is a production system, as the new authentication method might affect automated processes.

Verification: After restart, attempt an administrative task like opening Command Prompt as administrator. You should see a Windows Hello authentication prompt instead of the traditional UAC dialog.

07. Test Administrator Protection Functionality

Verify that Administrator Protection is working correctly by performing administrative tasks that would normally trigger UAC prompts.

Try these test scenarios:

  1. Open Command Prompt as Administrator: Right-click Start button > "Terminal (Admin)" or search "cmd" and select "Run as administrator"
  2. Modify system files: Try editing a file in C:\Windows\System32 (create a test file first)
  3. Install software: Download and run any installer that requires elevation

Instead of the traditional UAC dialog, you should see a Windows Security prompt asking for Windows Hello authentication (PIN, fingerprint, or face recognition).

The prompt will show:

Windows Security
Administrator Protection
Use Windows Hello to verify it's you
[Windows Hello authentication method]

Warning: If Windows Hello authentication fails repeatedly, you may be locked out of administrative functions. Ensure your Windows Hello methods work reliably before enabling this feature.

Verification: Administrative tasks should prompt for Windows Hello authentication instead of showing traditional UAC dialogs.

08. Configure Advanced Administrator Protection Settings

Fine-tune Administrator Protection behavior through additional Group Policy settings for enhanced security and usability.

Open Local Security Policy (secpol.msc) and navigate to Local Policies > Security Options. Configure these additional UAC policies:

User Account Control: Behavior of the elevation prompt for administrators running with Administrator protection:

  • Prompt for credentials: Always requires Windows Hello (most secure)
  • Prompt for consent: Shows consent dialog with Windows Hello option
  • Elevate without prompting: Bypasses prompts (not recommended)

User Account Control: Detect application installations and prompt for elevation: Keep enabled to catch installer elevation attempts.

For enterprise environments, you can also configure:

Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business

Set policies for PIN complexity, biometric requirements, and fallback authentication methods.

Pro tip: In enterprise environments, test Administrator Protection with your organization's critical applications before wide deployment, as some legacy software may have compatibility issues.

Verification: Test different administrative scenarios to ensure the configured prompt behavior works as expected.

09. Disable Administrator Protection (If Needed)

If you need to disable Administrator Protection due to compatibility issues or other requirements, you can reverse the configuration using any of the methods used to enable it.

Via Windows Security: Open Windows Security > Account protection > Administrator protection settings, and toggle Administrator protection to Off.

Via Local Security Policy: Open secpol.msc, navigate to Local Policies > Security Options, and change User Account Control: Configure type of Admin Approval Mode back to Legacy Admin Approval Mode (Default).

Via Registry: Open regedit, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, and change TypeOfAdminApprovalMode value from 2 back to 1.

After making changes, restart your computer for the changes to take effect.

Warning: Microsoft temporarily disabled this feature in December 2025 due to application compatibility issues. If you experience problems, disable the feature and monitor for future updates.

Verification: After restart and disabling, administrative tasks should return to showing traditional UAC prompts instead of Windows Hello authentication.

10. Monitor and Troubleshoot Administrator Protection

Keep track of Administrator Protection performance and resolve common issues that may arise.

Monitor authentication events in Event Viewer:

eventvwr.msc

Navigate to Windows Logs > Security and look for Event IDs related to elevation attempts:

  • Event ID 4648: Logon with explicit credentials (successful elevations)
  • Event ID 4625: Failed logon attempts (failed authentications)
  • Event ID 5156: Windows Filtering Platform connection events

Common troubleshooting steps:

  1. Windows Hello not working: Reconfigure Windows Hello in Settings > Accounts > Sign-in options
  2. Applications failing to elevate: Check application compatibility or temporarily disable Administrator Protection
  3. Performance issues: Monitor system resources during authentication prompts

Create a PowerShell script to check Administrator Protection status:

Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "TypeOfAdminApprovalMode" | Select-Object TypeOfAdminApprovalMode

Pro tip: Keep a record of applications that have issues with Administrator Protection for future reference and testing after Windows updates.

Verification: Event Viewer should show successful authentication events, and the PowerShell command should return "2" when Administrator Protection is enabled.
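
A fuller monitoring script, as an added example that is not part of the original article: it reports the configured mode even when the registry value is missing, and summarizes Event IDs 4648 and 4625 from the Security log over a time window. The function names are illustrative, and the value meanings are those listed in step 05.

```powershell
# Added example, not from the article: status and event summary for step 10.
function Get-AdminProtectionStatus {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    # A missing value yields $null here instead of a terminating error.
    $raw = (Get-ItemProperty -Path $key -Name TypeOfAdminApprovalMode `
                -ErrorAction SilentlyContinue).TypeOfAdminApprovalMode
    # Meanings as listed under "Registry Values" in step 05.
    $names = @{
        0 = 'Disabled'
        1 = 'Legacy Admin Approval Mode (Default UAC)'
        2 = 'Admin Approval Mode with Administrator protection'
    }
    if ($null -eq $raw)                    { $meaning = 'Value not present' }
    elseif ($names.ContainsKey([int]$raw)) { $meaning = $names[[int]$raw] }
    else                                   { $meaning = "Unexpected value: $raw" }

    [pscustomobject]@{ Value = $raw; Meaning = $meaning; Enabled = ($raw -eq 2) }
}

function Get-ElevationLogonSummary {
    param([int]$Hours = 24)
    # Two of the Event IDs the article lists for the Security log.
    $filter = @{
        LogName   = 'Security'
        Id        = 4648, 4625
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Returns nothing if no events match or the events are not being audited.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Group-Object Id |
        ForEach-Object {
            [pscustomobject]@{
                EventId = $_.Name
                Count   = $_.Count
                Latest  = ($_.Group | Sort-Object TimeCreated -Descending |
                               Select-Object -First 1).TimeCreated
            }
        }
}

Get-AdminProtectionStatus
Get-ElevationLogonSummary -Hours 24   # run elevated: reading the Security log needs admin rights
```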

Frequently Asked Questions

What happens if Windows Hello fails during Administrator Protection authentication?

If Windows Hello authentication fails repeatedly, you may be temporarily locked out of administrative functions. You can usually resolve this by using an alternative Windows Hello method (PIN instead of fingerprint, for example) or by signing out and back in to refresh the authentication session. In extreme cases, you may need to boot into Safe Mode and disable Administrator Protection through the Registry.

Can I use Administrator Protection on Windows 11 Home edition?

Yes, Windows 11 Home edition supports Administrator Protection through the Windows Security interface, but only in builds 27774.1000 and later with the appropriate updates installed. Home edition users cannot use Local Security Policy (secpol.msc) but can enable the feature through Windows Security or Registry editing. The functionality is identical across all editions once enabled.

Does Administrator Protection work with all applications and installers?

Most modern applications work correctly with Administrator Protection, but some legacy software and certain installers may experience compatibility issues. Microsoft temporarily disabled the feature in December 2025 due to these compatibility concerns. If you encounter problems with specific applications, you can temporarily disable Administrator Protection or add exceptions through Group Policy in enterprise environments.

How is Administrator Protection different from standard UAC prompts?

Traditional UAC shows a dialog asking "Do you want to allow this app to make changes?" with Yes/No buttons. Administrator Protection replaces this with a Windows Hello authentication prompt requiring your PIN, fingerprint, or face recognition. This prevents casual clicking of "Yes" and ensures deliberate authentication. The underlying elevation mechanism is the same, but the authentication method is much more secure.

Can I configure different authentication requirements for different types of administrative tasks?

Yes, through Local Security Policy you can configure the elevation prompt behavior specifically for Administrator Protection. Options include always prompting for credentials (most secure), prompting for consent with Windows Hello option, or elevating without prompting (not recommended). You can also configure separate policies for different user types and application categories, though this requires careful planning in enterprise environments.

Written by Emanuel DE ALMEIDA

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.