Around the same time Microsoft released Windows 11 24H2 to the general public, the company also began testing a new security feature called Administrator protection in the Canary channel. Bypassing elevated privileges can lead to big security problems, so the idea behind this was to improve security with just-in-time admin rights.
If you are wondering how this works, Windows follows the principle of least privilege, giving users minimal access by default via a deprivileged user token. When admin rights are needed, Windows asks for approval and creates a temporary, privileged but isolated admin token. This token exists only for that specific task and is destroyed afterward, ensuring admin privileges don’t persist and hence the need for just-in-time admin rights. The process repeats whenever admin access is required, thus enhancing security.
Administrator protection requires user verification via Windows Hello before granting admin rights. Windows Hello recognizes a user's face using the camera and authenticates biometrics using a fingerprint scanner.
However, with the latest update to Administrator rights, Microsoft says that input devices like the Camera and Microphone, as well as Location data, will be disabled by default when apps try to access them. Enabling these would require "explicit user consent."
Microsoft writes, "Access to sensitive resources such as camera, microphone and location (C/M/L) will soon require explicit user consent. The journey begins with Windows changing the desktop access switch for these resources from default ON to OFF, ensuring users have more control over which apps can access this data."
Microsoft adds that developers of apps that require a camera or a microphone must ensure that such applications can work with the default OFF setting before the Administrator protection feature exits preview.
2 Comments - Add comment