A new security feature designed to protect local administrator accounts has been discovered in Windows 11 Insider Preview builds. The feature, identified in Canary build 25330 and Beta build 22631.1465, is an extension of the Windows Local Administrator Password Solution (LAPS).
When this protection is active, any attempt to change the password of a local administrator account through the standard Windows settings is blocked. Instead of allowing the change, the system displays a notification banner.
How the Administrator Protection Works
Users who try to alter the password for a local administrator account are shown a specific message. The notification states: “This setting is managed by your administrator. For security reasons, you cannot change the password of the local administrator account on this device. Contact your administrator to change the password.”
This mechanism is directly tied to Windows LAPS, a system used to manage and rotate passwords for local administrator accounts across devices in an enterprise environment. The feature prevents direct, manual password changes on accounts that are intended to be managed centrally by LAPS.
Configuration and Management via Group Policy
The administrator protection feature is enabled by default in the builds where it was found. System administrators can manage this setting using the Group Policy Editor. A new policy setting has been added to control this functionality.
The policy, named “Configure Administrator account protection,” is located at the following path: Local Computer Policy -> Computer Configuration -> Administrative Templates -> Windows Components -> Windows LAPS. The policy’s description confirms that it is designed to protect the local administrator account from modification or deletion when that account is being managed by Windows LAPS.