Configure UAC settings via policy

  • Article 
 After we understand how UAC works and realize the importance of enabling UAC to prevent potential problems that may arise during your Windows Vista deployment in
your environment, we can move on to discussing how to configure UAC to optimize 
security and ease of use. The consent UI behavior as well as some other UAC 
features can be changed by group policy for administrators. 

 This section details the main method for configuring UAC by Administering 
UAC with the local Security Policy Editor and Group Policy. 
For administrators in a domain environment, they can configure UAC 
settings in domain security policy.

1. Click Start, click All Programs, click Accessories, click Run, type secpol.msc in the Open text box, and then click OK.

2. From the Local Security Settings console tree, click Local Policies, and then Security Options.

3. Scroll down and double-click corresponding UAC policy settings to configure

4. Close the Local Security Settings window.

There are in total eight Group Policy Object (GPO) settings that can be configured for UAC. The following list includes the policy settings:

User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode

User Account Control: Behavior of the elevation prompt for standard users

User Account Control: Detect application installations and prompt for elevation

User Account Control: Only elevate executables that are signed and validated

User Account Control: Run all administrators in Admin Approval Mode

User Account Control: Switch to the secure desktop when prompting for elevation

User Account Control: Virtualize file and registry write failures to per-user locations

User Account Control: Admin Approval Mode for the Built-in Administrator account

User Account Control: Only elevate UIAccess applications that are installed in secure locations

Hereby we outline three common tasks that administrators perform during the set up and configuration of client computers running Windows Vista. The following policies brief the tasks of disabling Admin Approval Mode, disabling UAC from prompting for credentials to install applications, and changing the elevation prompt behavior.

1. Disable Admin Approval Mode

Policy Item: User Account Control: Run all administrators in Admin Approval Mode.

Default Value: EnabledDescription: There are two possible values:

• Enabled - Both administrators and standard users will be prompted when attempting to perform administrative operations. The prompt style is dependent on policy.

• Disabled - UAC is essentially "turned off" and the AIS service is disabled from automatically starting. The Windows Security Center will also notify the logged on user that the overall security of the operating system has been reduced and will give the user the ability to self- enable UAC.

Note: Changing this setting will require a system reboot.

2. Disable User Account Control from prompting for credentials to install applications

Policy Item: User Account Control: Detect application installations and prompt for elevation.

Default Value: Home: Enabled. Enterprise: Disabled
Description: There are two possible values:

• Enabled - The user is prompted for consent or credentials when Windows Vista detects an installer.

• Disabled - Application installations will silently fail or fail in a non-deterministic manner. Enterprises running standard users desktops that leverage delegated installation technologies like GPSI or SMS will disable this feature. In this case, installer detection is unnecessary and therefore not required.

3. Change the elevation prompt behavior

Policy Item: User Account Control: Behavior of the elevation prompt for administrators.

Default Value: Prompt for consent
Description: There are three possible values:

• No prompt – The elevation occurs automatically and silently. This option allows an administrator in Admin Approval Mode to perform an operation that requires elevation without consent or credentials. Note: this scenario should only be used in the most constrained environments and is NOT recommended.

• Prompt for consent – An operation that requires a full administrator access token will prompt the administrator in Admin Approval Mode to select either Continue or Cancel. If the administrator clicks Continue, the operation will continue with their highest available privilege.

• Prompt for credentials – An operation that requires a full administrator access token will prompt an administrator in Admin Approval Mode to enter an administrator user name and password. If the user enters valid credentials, the operation will continue with the applicable privilege.

Policy Item: User Account Control: Behavior of the elevation prompt for standard users

Default Value: Home: Prompt for credentials. Enterprise: No prompt
Description: There are two possible values:

• No prompt – No elevation prompt is presented and the user cannot perform administrative tasks without using Run as administrator or by logging on with an administrator account. Most enterprises running desktops as standard user will configure the “No prompt” policy to reduce help desk calls.

• Prompt for credentials – An operation that requires a full administrator access token will prompt the user to enter an administrative user name and password. If the user enters valid credentials the operation will continue with the applicable privilege.

For more information on how to configure UAC via policy, view the following links:

How to use User Account Control (UAC) in Windows Vista

https://support.microsoft.com/?id=922708

https://technet.microsoft.com/en-us/windowsvista/aa905117.aspx