Hands-On Windows 157 transcript
Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.
Paul Thurrott [00:00:00]:
Coming up next on Hands-On Windows, we're going to take a look at a new security feature in Windows 11 25H2 called Administrator Protection. It's more exciting than it sounds. Podcasts you love from people you trust. This is TWiT. Hello everybody and welcome back to Hands-On Windows. I'm Paul Thurrott and this week we're, we are going to take a look at a new security feature coming to Windows 11 25H2, but also to 24H2 because they backport everything these days. And this is a really good solution to a problem that we've had in Windows for, I'm going to say 30 years. So I'm actually really excited about this.
Paul Thurrott [00:00:49]:
It doesn't sound like it's exciting, but this is actually pretty great. So if you're familiar with how accounts work in Windows 11. Good, because I don't have time to describe the whole thing, but we've talked about this a lot on the show. We've talked about this notion of signing in with a Microsoft account, signing in with a work or school account, signing in with a local account, which is deprecated in the sense that Microsoft really doesn't want you to do that anymore. But all of the things that we see in accounts in Windows 11 kind of date back to 30, it's actually 30 plus years ago now. And the work that Microsoft did originally in Windows NT and among the many changes that NT brought was this sense of user accounts, right? That everyone would have their own account when they signed into the PC. And these things evolved over time. There were starts and stops and Windows 9X sort of supported it, but not really.
Paul Thurrott [00:01:41]:
But in NT-based operating systems, which is what we have now, and then starting with XP, especially in 2001, this kind of became mainstream and then improved over time, right? And so from the beginning, you know, for the beginning of NT, which was 1993 all the way through, gonna say, Windows 8, we would sign in with a local account, as you do today, say on a Mac, which is just an account you create just for that computer. You're assigned, or you give yourself, if you're the only user, some form of privileges, typically administrator or standard user privileges. And those that account type determines what you're able to do without getting the approval from an administrator if you are a standard user, right? And so that was the system for a long time. So Windows 8 introduced the concept of online accounts, Microsoft accounts, as we call them today, and then work and school accounts. And so rather than creating an account that was only on that computer, you just sign into account you already have, that's up in the cloud, as we would call it today, Microsoft account, and that's fine. And there's some mini controversies around that. But one of the nice things there is just the ability to recover your account, protections built in for your data up in the cloud, et cetera, et cetera. So there's reasons for this, but we've also added this notion of different ways to sign in, right? And these can be very, very secure. So on this particular computer, I have facial recognition, but not fingerprint recognition, does not have a fingerprint reader.
Paul Thurrott [00:03:11]:
And then everyone has a PIN. So anytime you sign in with an online account, whatever kind of account it is, as long as it's an online account, you have to create a PIN. And these three things collectively are referred to as Windows Hello, right? So Windows Hello, facial recognition, fingerprint recognition or PIN. And on this particular computer, which is a Copilot+ PC, it's Windows Hello enhanced security or Enhanced Sign-in Security, which is an even more secure form of Windows Hello. So this is a really nice authentication system and it's the way that you authenticate yourself. And so when you sign into your computer, however you do, kind of passes through that authentication to different services. And that's the reason why if I were to go, say to the Microsoft Store, it will automatically sign me into this account, which is that account that I signed into the computer with. Now I can change that, but that's one of those niceties that it just kind of passes through.
Paul Thurrott [00:04:03]:
So tied to this notion of online accounts or just accounts in general, I guess in Windows is of course, security. And one of the big problems with security in Windows is that every user by default, every first user on any computer certainly is an administrator account and they have elevated privileges. And that means as you do things, you're basically allowed to do anything you want to do on the computer. But if your account is compromised, that means that a hacker could also run malicious code at this escalated level. And so the advice over the years was what you should do was sign in the first time because you have to with whatever account and it becomes an administrator account. So in my case here, it's a Microsoft account. And then in Windows 11, what you would do is go down to other users. I've actually created a second account, but you'd add an account.
Paul Thurrott [00:04:50]:
And so you could create or sign into a Microsoft account or whatever kind of account, and that account would be a standard user account. Right? And so I think this one is probably an admin, but let me bring this little guy up. Actually, we're seeing the feature I want to show you. You're not seeing it because it's hiding, but by default this thing would be a standard user account. And so if you're signed in, then you would sign in as that user. Most of the tasks that are running as you use the computer running at a lower privilege level and so the system is more secure. But it's also annoying because you have to ask the admin on the computer, which is you, right, but with a different sign in for approval, to do certain things. No one does this.
Paul Thurrott [00:05:31]:
So this is the problem. No one does this. And even the people that are well-meaning that want to do this, or the companies that are well-meaning that want to do this find that it's just too annoying to do because there are just too many times where you need the approval of someone else, maybe or just yourself, where you have to just provide a second sign-in. Interrupts what you're trying to do. It takes too long. Nobody does it. So the solution to this problem is something called administrator protection. This is rolling out like I said in Windows 11 25H2. And let me find the.
Paul Thurrott [00:06:02]:
I had to take screenshots of this because I've already set this up. But if you look at this shot here, this is the Windows Security app, which I will go to later, there you'll see a new administrator protection section under Account Protection. So that's new to 25H2. And when you click on the Administrative protection settings, you'll see that there's one setting and it is off. And if you enable it, you have to restart. And then once you restart, the system is running with administrative protection on. There's nothing else to do. So if I go in there right now and find Windows Security, this is in dark mode, so it's a little easier on the eyes.
Paul Thurrott [00:06:40]:
If it ever loads and go to Account protection, you can see this here again, same thing, just one setting. This is it. It's on or it's off. So it is on. Now, I can't show you the prompt, but what I can tell you is that you use Windows. So you've seen a user account control prompt, you know what that is, but you may not actually know what it is if you think about. I mean, you've seen it, but you may not really understand it. There's no sense of authentication there, right? You're already signed in as an admin, usually most people are.
Paul Thurrott [00:07:10]:
So when you see that it's sort of like the third brake light on a car. It's just like a little extra like, hey, just think about this for a second. Are you sure you want to do this? And you say yes and you move on and most people don't think about it that much. So with administrative protection on, most of the tasks that you're running are actually just running, always at a lower escalation level, a lower level of privilege. When you run a task that needs an escalated privilege level, it will throw up not a user account control, but rather a Windows Hello authentication dialog. So I had to take a screenshot. This is a Microsoft screenshot. So I have to show you this because when it comes up on the screen, my screen recording software will not record it because you know it's actually a secure process, right? And so in this case what it's doing is a Windows Hello facial recognition.
Paul Thurrott [00:07:58]:
You can see here there are options for fingerprint and PIN and you'll but you see there will depend on your system. My laptop is to my left here, so I have to turn to it. So when this thing comes on I have to actually look at it. It looks at me and says okay, you're you and then you're allowing the change. So from a kind of a process perspective, this works exactly like UAC, but under the covers, this is in fact way more secure than UAC because normally you're just doing everything at a standard user level of protection, even though you have an admin account. It's just that when this happens that they create a. It's basically a temporary in time admin-level process that runs, does the thing you need to do and then disappears.
Paul Thurrott [00:08:39]:
So it's just a slice in time thing and normally you're not running at that escalated level. So what are the types of things that would set this thing off? Installing software. So if I go and try to, I just like tried to do this earlier, like this Focusrite driver. When I click on this again, you're not going to really see the system. I have to look right at the camera here. It sees that it's me. It says it's okay. Welcome back, Paul.
Paul Thurrott [00:09:05]:
Allow changes. Your screen just went blank, I'm sure. And then the thing runs. But I'm going to close it down because I don't need that. If you try to edit the registry, right. There are certain settings if you try to change the time, which I know sounds like a weird thing to have protected, but you know there are reasons for that and you just have to say yeah, no, I really want to do this. And so it runs elevated, goes away and then you're done. So there's a third category and this one I haven't been able to find an example of when you are accessing sensitive data, whatever that means.
Paul Thurrott [00:09:38]:
So I suspect that that one might be more oriented toward. Toward like a work or school account where you maybe you're going into like a company owned data repository, whatever. But I haven't seen one of those for individuals yet. So installing software certainly, setting certain features, you know, changing the time or editing the registry, that kind of thing will set this off. So I guess the important thing here is just that, A, this thing is not on by default. So once you get 25H2 you should enable it, or if you want to test it now, join the Insider Program. Dev or Beta channel will get this for you. It's in the Windows Security app.
Paul Thurrott [00:10:15]:
Like I said, turn it on, reboot. As far as day to day you'll probably see more prompts than usual but it's not going to be off the charts. It's a slightly different experience because it's Windows Hello, so it's not UAC but the interruption level is just about the same. And so day to day your life is not going to change very much but the security of your system is going to change dramatically. So whether or not you think that's exciting, I guess it's a matter of opinion but I think this is exciting. This is like I said, I've been following Windows since NT was just started and this has always been a problem. It's always been a problem and it's always been a problem and they, you know, done little. UAC was one attempt and okay, it was a good step in the right direction. But I think administrative protection is the.
Paul Thurrott [00:11:03]:
Is it. Now that we have Windows Hello, I think they finally cracked the nut on this. So this is something everyone's going to want to turn on. I strongly, strongly recommend enabling this when you can. So I hope you found this to be useful. We record new episodes of Hands-On Windows or we release new episodes of Hands-On Windows every Thursday. You can find out more at TWiT TV.
Paul Thurrott [00:11:24]:
HRW. Thank you for watching. Thank you especially to our Club TWIT members. We love you. If you're not a member, please Twit tv Club Twit give it a look. Think about supporting everybody who's working hard to bring you this content. Really appreciate it and I will see you next week.