A windows sysadmin does not need to be granted the authority to alter or disable the binary blob that performs the age verification. Microsoft can restrict that access and maintain control over that aspect of the OS. As they will be held liable for allowing it to be disabled, they are not likely to do so.
Canonical cannot compel a similar restriction in its users and sysadmins, due to the FOSS-ness of the software. They cannot be held responsible for what that sysadmin does with their software. The sysadmin, then, becomes the OS Provider.
A windows sysadmin does not need to be granted the authority to alter or disable the binary blob that performs the age verification. Microsoft can restrict that access and maintain control over that aspect of the OS. As they will be held liable for allowing it to be disabled, they are not likely to do so.
Canonical cannot compel a similar restriction in its users and sysadmins, due to the FOSS-ness of the software. They cannot be held responsible for what that sysadmin does with their software. The sysadmin, then, becomes the OS Provider.