Why has Microsoft not set up 'remote approval' for Admin elevation on a Standard Account (students, children, remote workers)?

Anonymous
2024-03-13T11:43:35+00:00

This has been an issue for years - and post Covid, even more of an issue.

There are good reasons for restricting a user to Standard account privileges for normal day-to-day operation - not just to protect the system from the user, but also from malicious activity (malware, hacking, viruses, trojans etc). As an Admin I still prefer to run in a Standard account and only access the Admin User account when required.

The issue is that if the IT Admin is no longer immediately accessible (for various reasons), then the user runs into an issue with needing Admin privileges on occasion, usually in the middle of class, at a client site, at home the day before a critical meeting, etc. It can occur updating drivers for a printer, an application needing network permissions, and of course installing software.

Ignoring the responses "Why do they need it" and accepting the premise that they do, why has Microsoft not built in a simple solution for this, particularly with the existing implementation of managed accounts, family parental control, and Azure integration?

Potential Solutions
Microsoft already have most of the pieces of the puzzle to implement a simple solution to this, and these are likely already part of the existing support / software framework in place, but just not 'hooked in' to provide a working solution. Here are some of my thoughts on potential mechanisms to do this.

  1. Add a 'request remote approval' option to the 'Elevated Privileges required' popups so the user can request remote Admin help.
  2. The user could then select from a list of accounts on the local machine, a Microsoft Family parent, or a prearranged (or Registry key specified) account.
  3. A notification is then sent to the selected account (SMS, Microsoft Authenticator, Email or some other method) which includes information about the requesting user account, machine ID, and details of why the elevation is required (application details, permission requirements, etc.) - and maybe allow the user to add a comment to the request.
  4. The approval mechanism would ideally be done through a secure channel already in place - Microsoft Authenticator is a great candidate for this.
  5. To provide some protection from unauthorised action intercepting / creating fake requests / approvals there are already lots of options, but making it require that this facility be pre-configured on both ends (certificates?, PSK?) will add another layer of protection.

Unacceptable solutions available already:

  • give them an admin account,
  • wait until they can see an administrator
  • (not ideal) - get a remote session established with an administrator

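One way the pre-configured PSK idea from step 5 could protect the request and approval of steps 3 and 4, as an added sketch that is not part of the original post and not a Microsoft mechanism. All names (`build_request`, `approve`, `verify_approval`), the field names, the 5-minute lifetime and the sample key are assumptions.

```python
import hashlib
import hmac
import json
import secrets
import time

PSK = bytes.fromhex("5a" * 32)  # constructed sample key, provisioned on both ends in advance
TTL_SECONDS = 300               # assumed request lifetime

def _mac(key, kind, fields):
    """HMAC-SHA256 over canonical JSON; 'kind' keeps request and approval MACs distinct."""
    body = json.dumps({"kind": kind, **fields}, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def build_request(key, user, machine_id, exe_sha256, comment, now=None):
    """Workstation: the fields from step 3 plus a one-time nonce and an expiry."""
    now = time.time() if now is None else now
    req = {"user": user, "machine_id": machine_id, "exe_sha256": exe_sha256,
           "comment": comment, "nonce": secrets.token_hex(16),
           "expires": int(now) + TTL_SECONDS}
    return {"request": req, "mac": _mac(key, "request", req)}

def approve(key, signed_request, approver, now=None):
    """Approver: reject fake or stale requests, then sign a decision bound to this one."""
    now = time.time() if now is None else now
    req = signed_request["request"]
    if not hmac.compare_digest(signed_request["mac"], _mac(key, "request", req)):
        raise ValueError("request MAC invalid")
    if now > req["expires"]:
        raise ValueError("request expired")
    dec = {"approver": approver, "decision": "approve",
           "nonce": req["nonce"], "request_mac": signed_request["mac"]}
    return {"decision": dec, "mac": _mac(key, "approval", dec)}

def verify_approval(key, signed_request, signed_approval, used_nonces, now=None):
    """Workstation: accept only a genuine approval of this exact pending request, once."""
    now = time.time() if now is None else now
    req, dec = signed_request["request"], signed_approval["decision"]
    if not hmac.compare_digest(signed_approval["mac"], _mac(key, "approval", dec)):
        return False  # fake approval: not made with the shared key
    if dec.get("decision") != "approve" or dec.get("request_mac") != signed_request["mac"]:
        return False  # approval belongs to a different request
    if dec.get("nonce") != req["nonce"] or req["nonce"] in used_nonces or now > req["expires"]:
        return False  # replayed or expired
    used_nonces.add(req["nonce"])
    return True
```

Because the key is symmetric, any process that can read it on the workstation can also mint approvals, so it must be readable only by the elevation service; the certificate option the post mentions avoids this by leaving only the approver's public key on the workstation.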

1 answer

  1. Anonymous
    2024-03-15T06:42:03+00:00

    Hello,

    Thank you for your question and for sharing your thoughts on potential solutions. Your feedback is valuable in this regard.

    You can upload your user experience and desired improvements about Microsoft products on the website below:

    Send feedback to Microsoft with the Feedback Hub app - Microsoft Support

    Microsoft will continue to evaluate and improve its products to provide the best possible user experience while maintaining a high level of security.

    Regards,

    Jacen Wang
