Posted on September 14, 2016 · Posted in Group Policies, Windows 10, Windows 7, Windows 8

User Account Control Slider and Group Policy Settings

In Windows Vista, Microsoft introduced a new mechanism called UAC (User Account Control) that provides an additional level of protection against unauthorized modifications. In Windows 7 and later, UAC has a settings slider (opened from the Control Panel or by running UserAccountControlSettings.exe) that lets you select one of four UAC protection levels.

The following four User Account Control protection levels can be selected with the slider:

  • Level 4 – Always notify – the highest UAC protection level
  • Level 3 – Notify only when programs try to make changes to my computer (default) – the standard protection level
  • Level 2 – Notify only when programs try to make changes to my computer (do not dim my desktop) – almost the same as the previous level, but without switching to the Secure Desktop (the desktop is not locked while the prompt is shown)
  • Level 1 – Never notify – UAC is disabled

UAC Slider in Windows

By default, UAC protection level 3 is used in Windows.

You can manage UAC settings both with the slider and with GPO. However, there is no single policy that selects one of the four protection levels (that is, the position of the UAC slider). Instead, UAC is managed through 10 separate policies. These policies are located in the following section of the GPO editor:

Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options. The names of the UAC-related policies start with "User Account Control".

User Account Control Policy

The following table lists the UAC policies and the corresponding registry values. The UAC settings are stored under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System key of the registry.

Policy name                                                                                                   Registry value set by the policy
------------------------------------------------------------------------------------------------------------  --------------------------------
User Account Control: Admin Approval Mode for the Built-in Administrator account                              FilterAdministratorToken
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop    EnableUIADesktopToggle
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode              ConsentPromptBehaviorAdmin
User Account Control: Behavior of the elevation prompt for standard users                                     ConsentPromptBehaviorUser
User Account Control: Detect application installations and prompt for elevation                              EnableInstallerDetection
User Account Control: Only elevate executables that are signed and validated                                  ValidateAdminCodeSignatures
User Account Control: Only elevate UIAccess applications that are installed in secure locations               EnableSecureUIAPaths
User Account Control: Run all administrators in Admin Approval Mode                                           EnableLUA
User Account Control: Switch to the secure desktop when prompting for elevation                               PromptOnSecureDesktop
User Account Control: Virtualize file and registry write failures to per-user locations                       EnableVirtualization

UAC settings in registry

If you need to set UAC parameters using GPO, use the following correspondence between the GPO settings and the four UAC levels:

UAC Level 1

Admin Approval Mode for the Built-in Administrator account = Disabled
Allow UIAccess applications to prompt for elevation without using the secure desktop = Disabled
Behavior of the elevation prompt for administrators in Admin Approval Mode = Elevate without prompting
Behavior of the elevation prompt for standard users = Prompt for credentials
Detect application installations and prompt for elevation = Enabled
Only elevate executables that are signed and validated = Disabled
Only elevate UIAccess applications that are installed in secure locations = Enabled
Run all administrators in Admin Approval Mode = Disabled
Switch to the secure desktop when prompting for elevation = Disabled
Virtualize file and registry write failures to per-user locations = Enabled

UAC Level 2

Admin Approval Mode for the Built-in Administrator account = Disabled
Allow UIAccess applications to prompt for elevation without using the secure desktop = Disabled
Behavior of the elevation prompt for administrators in Admin Approval Mode = Prompt for consent for non-Windows binaries
Behavior of the elevation prompt for standard users = Prompt for credentials
Detect application installations and prompt for elevation = Enabled
Only elevate executables that are signed and validated = Disabled
Only elevate UIAccess applications that are installed in secure locations = Enabled
Run all administrators in Admin Approval Mode = Enabled
Switch to the secure desktop when prompting for elevation = Disabled
Virtualize file and registry write failures to per-user locations = Enabled

UAC Level 3 (default)

The default values of the registry values corresponding to the policies are given in parentheses.

Admin Approval Mode for the Built-in Administrator account = Disabled (registry value FilterAdministratorToken = 0)
Allow UIAccess applications to prompt for elevation without using the secure desktop = Disabled (registry value EnableUIADesktopToggle = 0)
Behavior of the elevation prompt for administrators in Admin Approval Mode = Prompt for consent for non-Windows binaries (registry value ConsentPromptBehaviorAdmin = 5)
Behavior of the elevation prompt for standard users = Prompt for credentials (registry value ConsentPromptBehaviorUser = 3)
Detect application installations and prompt for elevation = Enabled (registry value EnableInstallerDetection = 0 for domain computers, 1 for workgroup computers)
Only elevate executables that are signed and validated = Disabled (registry value ValidateAdminCodeSignatures = 0)
Only elevate UIAccess applications that are installed in secure locations = Enabled (registry value EnableSecureUIAPaths = 1)
Run all administrators in Admin Approval Mode = Enabled (registry value EnableLUA = 1)
Switch to the secure desktop when prompting for elevation = Enabled (registry value PromptOnSecureDesktop = 1)
Virtualize file and registry write failures to per-user locations = Enabled (registry value EnableVirtualization = 1)

UAC Level 4

Admin Approval Mode for the Built-in Administrator account = Disabled
Allow UIAccess applications to prompt for elevation without using the secure desktop = Disabled
Behavior of the elevation prompt for administrators in Admin Approval Mode = Prompt for consent on the secure desktop
Behavior of the elevation prompt for standard users = Prompt for credentials
Detect application installations and prompt for elevation = Enabled
Only elevate executables that are signed and validated = Disabled
Only elevate UIAccess applications that are installed in secure locations = Enabled
Run all administrators in Admin Approval Mode = Enabled
Switch to the secure desktop when prompting for elevation = Enabled
Virtualize file and registry write failures to per-user locations = Enabled
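Because the slider position is never stored as a single value, an administrator auditing a fleet has to derive it from the combination of policy values above. The following PowerShell script is an added example, not part of the original article: it reads the ten registry values listed in the table, maps the combination of EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop to a slider level according to the four level definitions given above, and reports every value that differs from the Level 3 defaults. The numeric codes 0 and 2 for ConsentPromptBehaviorAdmin ("Elevate without prompting" and "Prompt for consent on the secure desktop") are Microsoft's documented values and are not in the article; the function and variable names are the example's own.

```powershell
# Added example (not from the original article): audit the UAC policy values
# under the Policies\System key and derive the equivalent slider level.

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# The ten policy-backed values from the article's table
$UacValueNames = @(
    'FilterAdministratorToken', 'EnableUIADesktopToggle',
    'ConsentPromptBehaviorAdmin', 'ConsentPromptBehaviorUser',
    'EnableInstallerDetection', 'ValidateAdminCodeSignatures',
    'EnableSecureUIAPaths', 'EnableLUA', 'PromptOnSecureDesktop',
    'EnableVirtualization'
)

# Level 3 defaults as listed in the article. EnableInstallerDetection is 1 on
# workgroup machines and 0 on domain members, so it is excluded from the
# drift comparison.
$Level3Defaults = @{
    FilterAdministratorToken    = 0
    EnableUIADesktopToggle      = 0
    ConsentPromptBehaviorAdmin  = 5
    ConsentPromptBehaviorUser   = 3
    ValidateAdminCodeSignatures = 0
    EnableSecureUIAPaths        = 1
    EnableLUA                   = 1
    PromptOnSecureDesktop       = 1
    EnableVirtualization        = 1
}

function Get-UacRegistryValues {
    # Returns a hashtable of name -> DWORD value; values that are not set
    # come back as $null so the caller can see them as drift.
    $props  = Get-ItemProperty -Path $UacKey -ErrorAction Stop
    $result = @{}
    foreach ($name in $UacValueNames) {
        $result[$name] = $props.$name
    }
    return $result
}

function Get-UacSliderLevel {
    # Maps the policy combination to the slider level (1..4); returns 0 when
    # the combination matches no slider position (a custom GPO mix).
    param([Parameter(Mandatory)][hashtable]$Values)

    # Admin Approval Mode switched off entirely: UAC is disabled (Level 1)
    if ($Values['EnableLUA'] -eq 0) { return 1 }

    $admin  = $Values['ConsentPromptBehaviorAdmin']   # documented codes:
    $secure = $Values['PromptOnSecureDesktop']        # 0, 2, 5 used below

    if ($admin -eq 2 -and $secure -eq 1) { return 4 } # Always notify
    if ($admin -eq 5 -and $secure -eq 1) { return 3 } # default
    if ($admin -eq 5 -and $secure -eq 0) { return 2 } # do not dim desktop
    if ($admin -eq 0 -and $secure -eq 0) { return 1 } # Never notify
    return 0
}

function Compare-UacToDefault {
    # Returns the names of values that differ from the Level 3 defaults
    param([Parameter(Mandatory)][hashtable]$Values)
    $drift = foreach ($name in $Level3Defaults.Keys) {
        if ($Values[$name] -ne $Level3Defaults[$name]) { $name }
    }
    return @($drift | Sort-Object)
}

# Run against the local machine
$current = Get-UacRegistryValues
$level   = Get-UacSliderLevel -Values $current
$label   = if ($level -gt 0) { "Level $level" } else { 'custom (no slider position matches)' }
Write-Output "UAC slider equivalent: $label"
foreach ($name in (Compare-UacToDefault -Values $current)) {
    Write-Output ("Differs from Level 3 default: {0} = {1}" -f $name, $current[$name])
}
```

Run it in an elevated PowerShell session on the machine being audited; reading the Policies\System key itself does not require elevation, but a script that later remediates the values does. The drift report is the part worth alerting on: a host where EnableLUA or PromptOnSecureDesktop has silently become 0, or where ConsentPromptBehaviorAdmin is 0 while EnableLUA is still 1, is not at any slider position and should be treated as a configuration change to investigate.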

If you want to allow users to further adjust the UAC settings themselves, the default settings on domain computers can instead be deployed as registry values with Group Policy Preferences (GPP) configured to apply only once (the Apply once and do not reapply option), so that a later change made by the user is not overwritten on the next policy refresh.
