In Windows Vista, Microsoft introduced a new mechanism, providing an additional level of protection against unauthorized modifications called UAC (User Account Control). In Windows 7 (or higher), UAC has got a setting slider (called from the Control Panel or UserAccountControlSettings.exe), which allows to select one of four UAC protection levels.
The following 4 protection levels of User Account Control are available to select using the slider:
- Level 4 — Always notify — the highest UAC protection level
- Level 3 — Notify only when programs try to make changes to mycomputer (default) – standard protection level
- Level 2 — Notify only when programs try to make changes to my computer (do not dim my desktop) – almost the same as the previous level, but without switching to Secure Desktop with the desktop lock
- Level 1 — Never notify – UAC is disabled
By default, UAC protection level 3 is used in Windows.
You can manage UAC settings both using the slider and GPO. But there is no single policy that allows to select one of the four protection levels (corresponding to the position of the UAC slider). It is suggested to manage UAC settings using 10 different policies instead. These policies are located in the following section of GPO editor:
Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options. The names of the policies related to UAC start with User Account Control.
The following table shows the list of UAC policies and the correspondent register keys. The parameters of the UAC settings are stored in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System branch of the registry
| Policy Name |
Registry Key Set with the Policy |
| User Account Control: Admin Approval Mode for the Built-in Administrator account |
FilterAdministratorToken |
| User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop |
EnableUIADesktopToggle |
| User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode |
ConsentPromptBehaviorAdmin |
| User Account Control: Behavior of the elevation prompt for standard users |
ConsentPromptBehaviorUser |
| User Account Control: Detect application installations and prompt for elevation |
EnableInstallerDetection |
| User Account Control: Only elevate executables that are signed and validated |
ValidateAdminCodeSignatures |
| User Account Control: Only elevate UIAccess applications that are installed in secure locations |
EnableSecureUIAPaths |
| User Account Control: Run all administrators in Admin Approval Mode |
EnableLUA |
| User Account Control: Switch to the secure desktop when prompting for elevation |
PromptOnSecureDesktop |
| User Account Control: Virtualize file and registry write failures to per-user locations |
EnableVirtualization |
If you have to set UAC parameters using GPO, check the following correspondences between the GPO settings and four UAC levels given below:
UAC Level 1
Admin Approval Mode for the Built-in Administrator account = Disabled
Allow UIAccess applications to prompt for elevation without using the secure desktop = Disabled
Behavior of the elevation prompt for administrators in Admin Approval Mode = Elevate without prompting
Behavior of the elevation prompt for standard users = Prompt for credentials
Detect application installations and prompt for elevation = Enabled
Only elevate executables that are signed and validated = Disabled
Only elevate UIAccess applications that are installed in secure locations = Enabled
Run all administrators in Admin Approval Mode = Disabled
Switch to the secure desktop when prompting for elevation = Disabled
Virtualize file and registry write failures to per-user locations = Enabled
UAC Level 2
Admin Approval Mode for the Built-in Administrator account = Disabled
Allow UIAccess applications to prompt for elevation without using the secure desktop = Disabled
Behavior of the elevation prompt for administrators in Admin Approval Mode = Prompt for consent for non-Windows binaries
Behavior of the elevation prompt for standard users = Prompt for credentials
Detect application installations and prompt for elevation = Enabled
Only elevate executables that are signed and validated = Disabled
Only elevate UIAccess applications that are installed in secure locations = Enabled
Run all administrators in Admin Approval Mode = Enabled
Switch to the secure desktop when prompting for elevation = Disabled
Virtualize file and registry write failures to per-user locations = Enabled
UAC Level 3 (default)
Standard values for the registry keys correspondent to the policies are given in brackets.
Admin Approval Mode for the Built-in Administrator account = Disabled (the value of the registry key FilterAdministratorToken – 0)
Allow UIAccess applications to prompt for elevation without using the secure desktop = Disabled (the value of the registry key EnableUIADesktopToggle – 0)
Behavior of the elevation prompt for administrators in Admin Approval Mode = Prompt for consent for non-Windows binaries (the value of the registry key ConsentPromptBehaviorAdmin – 5)
Behavior of the elevation prompt for standard users = Prompt for credentials (the value of the registry key ConsentPromptBehaviorUser– 3)
Detect application installations and prompt for elevation = Enabled (the value of the registry key EnableInstallerDetection– 0 for domain computers, 1 – for work groups)
Only elevate executables that are signed and validated = Disabled (the value of the registry key ValidateAdminCodeSignatures– 0)
Only elevate UIAccess applications that are installed in secure locations = Enabled (the value of the registry key EnableSecureUIAPaths– 1)
Run all administrators in Admin Approval Mode = Enabled (the value of the registry key EnableLUA– 1)
Switch to the secure desktop when prompting for elevation = Enabled (the value of the registry key PromptOnSecureDesktop– 1)
Virtualize file and registry write failures to per-user locations = Enabled (the value of the registry key EnableVirtualization– 1)
UAC Level 4
Admin Approval Mode for the Built-in Administrator account = Disabled
Allow UIAccess applications to prompt for elevation without using the secure desktop = Disabled
Behavior of the elevation prompt for administrators in Admin Approval Mode = Prompt for consent on the secure desktop
Behavior of the elevation prompt for standard users = Prompt for credentials
Detect application installations and prompt for elevation = Enabled
Only elevate executables that are signed and validated = Disabled
Only elevate UIAccess applications that are installed in secure locations = Enabled
Run all administrators in Admin Approval Mode = Enabled
Switch to the secure desktop when prompting for elevation = Enabled
Virtualize file and registry write failures to per-user locations = Enabled
If you want to allow users to further adjust the UAC settings, the default settings on the domain computers can be specified using the GPP to set registry keys applied once (Apply once and do not reapply).
Methinks your values for the behavior on “standard users” is not accurate. Per this Microsoft link (https://technet.microsoft.com/en-us/library/dd835564(v=ws.10).aspx) the “default” value (level3) is “Prompt for consent on the secure desktop”.
Sorry, default value is “Prompt for credentials on the secure desktop”
You gotta love (hate) Microsoft documentation! In that same link/URL, they give conflicting information about the default value for “standard users”. In the first/top table, it says “User Account Control: Behavior of the elevation prompt for standard users ConsentPromptBehaviorUser Prompt for credentials on the secure desktop”. But in the last/bottom table, it says “ConsentPromptBehaviorUser User Account Control: Behavior of the elevation prompt for standard users 0 = Automatically deny elevation requests
1 = Prompt for credentials on the secure desktop
3 (Default) = Prompt for credentials”
SO WHICH IS IT MICROSOFT?!?
I apologize for questioning your page…