I’m a Windows user — not just professionally but personally. I’ve enjoyed playing around with Linux, but in business environments, productivity apps have always been lacking for the Linux platform, so I have never been able to fully switch to it beyond VMs and a laptop or two for my own edification. I have never owned a Mac, but I had fun breaking Apple IIcs back in middle-school computer labs. DOS and its successor, Windows, have been my OS of choice for over four decades, for the same reason they’ve been for billions of users and hundreds of thousands of businesses: application availability, hardware flexibility, general ease of use (though each new major Windows release makes you relearn processes), and, to some extent, availability of security controls.

I am not surprised to hear howls of derision when mentioning “security” and “Windows” together. A fair bit of this is likely coming from people who run as a local admin on Windows desktops; have turned off functions such as User Account Control, Defender, Windows Firewall, or Credential Guard; and ignore updates until they get tired of being notified of them even months after they were released. In business environments, many of the same people who question the security of Windows will still allow users to be full local admins and install any applications they desire, relying on additional endpoint security tools (such as endpoint protection platforms, endpoint detection and response, or extended detection and response) to handle the security problems that will inevitably appear. If you’re turning off built-in protections in the OS, are following poor security practices, and are expecting additional security tools to protect you, you are putting your organization at risk.

Many of the security problems that affect Windows endpoints are the result of poor security practices, especially around the usage of local admin rights. If you don’t operate as “root” on a Linux (or Linux-derived) system, why are you doing it on Windows? Yes, if you look back on the history of Windows OSes, this was just the way they were built. Anyone could edit the boot and config files of the early Windows-on-DOS platforms, and even though the split between admin/user accounts eventually appeared, tasks like application installation required administrative permissions, so having local admin rights became the norm for many enterprises, regardless of the security consequences. We’ll save the discussion of how insecure it is to allow employees to install any application they want for another time.
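As an added example (not code from the original post or from Microsoft), the following read-only PowerShell audit reports the conditions the post describes: a session or user holding local admin rights, and User Account Control, Defender, Windows Firewall, or Credential Guard being switched off. It assumes a Windows 11 host with the bundled Defender and NetSecurity PowerShell modules.

```powershell
# Added example, not code from the original post or from Microsoft. Read-only audit of the
# built-in protections the post says are often disabled, plus local-admin usage.
# Assumes Windows 11 with the bundled Defender and NetSecurity PowerShell modules.
function Get-EndpointBaselineFindings {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Local admin usage: is this session elevated, and is the user in Administrators?
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if ($principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        $findings.Add("Session is running with an elevated (admin) token: $($identity.Name)")
    }
    try {
        $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
        if ($admins.Name -contains $identity.Name) {
            $findings.Add("Current user is a direct member of local Administrators")
        }
    } catch { $findings.Add("Could not enumerate local Administrators: $($_.Exception.Message)") }

    # 2. User Account Control: EnableLUA=0 disables UAC entirely.
    $uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $lua = (Get-ItemProperty -Path $uacKey -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
    if ($null -ne $lua -and $lua -ne 1) {
        $findings.Add("User Account Control is disabled (EnableLUA = $lua)")
    }

    # 3. Microsoft Defender antivirus and real-time protection.
    $mp = Get-MpComputerStatus
    if (-not $mp.AntivirusEnabled)          { $findings.Add("Defender antivirus is disabled") }
    if (-not $mp.RealTimeProtectionEnabled) { $findings.Add("Defender real-time protection is off") }

    # 4. Windows Firewall: every profile (Domain/Private/Public) should be enabled.
    Get-NetFirewallProfile | Where-Object { "$($_.Enabled)" -eq 'False' } | ForEach-Object {
        $findings.Add("Windows Firewall is disabled for the $($_.Name) profile")
    }

    # 5. Credential Guard: value 1 in SecurityServicesRunning means it is running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    if ($dg.SecurityServicesRunning -notcontains 1) {
        $findings.Add("Credential Guard is not running")
    }

    return $findings
}

$result = Get-EndpointBaselineFindings
if ($result.Count -eq 0) { "No baseline findings." } else { $result | ForEach-Object { "FINDING: $_" } }
```

Run it as the everyday (non-elevated) user; a finding in section 1 means that user is already operating with the local admin rights the post argues against.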

In November 2024, Microsoft announced a new function for Windows 11 called Administrator Protection, which brings a sudo-like approach to the Windows desktop. While it has some similarities to User Account Control, Administrator Protection goes further by having the user regularly run in a non-admin state; when a task needs elevated privileges, it prompts the user to authenticate again. It also creates separate admin and non-admin profiles, making it harder for attackers to cross the boundary from user to admin.

This function is being introduced into Windows 11 deployments in an upcoming security release, giving organizations access to an important Windows security enhancement. With Windows 10 scheduled for end of support on October 14, 2025, enterprises should already be planning to replace this desktop OS with Windows 11, where Microsoft has been adding more security functionality. If you are looking for more details on how to plan and manage a Windows 11 migration, my latest report provides guidance as well as what to do if you need to maintain Windows 10 instances for certain use cases.

There are multiple approaches to securing the desktop endpoint, and security leaders should start with utilizing the tools that are available within their standardized OS. Forrester clients should schedule an inquiry or guidance session with me to discuss what options are available to them and understand how to manage their Windows 11 migration successfully.