Windows OS Hub

February 14, 2025

How to Disable or Change User Account Control (UAC) Settings in Windows

User Account Control (UAC) is a default Windows security feature designed to prevent unwanted changes to the operating system. When a program tries to perform an action that requires administrator privileges, such as installing software or changing system settings, registry, or system files, UAC alerts the administrator and asks for confirmation. This reduces the risk of unauthorized changes and the execution of malicious code with administrator privileges.

In this article, we’ll look at how to manage UAC settings on a single computer, or multiple computers in a domain using Group Policies.

Contents:
  • Configure User Account Control (UAC) Levels in Windows
  • Managing UAC Settings via Group Policy
  • User Account Control Slider Levels and GPO/Registry Settings
  • How to Disable UAC with Group Policy

What does the UAC prompt look like? For example, if you attempt to elevate process privileges in a local administrator session, a UAC confirmation prompt appears:

User Account Control
Do you want to allow this app to make changes to your device?


Configure User Account Control (UAC) Levels in Windows

To manage UAC settings in Windows, a special applet is available in the Control Panel, which can be launched from the classic Control Panel or with the UserAccountControlSettings.exe command.

Use the slider to change the User Account Control protection level on a computer. There are 4 predefined UAC levels available:

  • Level 4 — Always notify — the highest UAC protection level;
  • Level 3 — Notify only when programs try to make changes to my computer (default) – the default protection level;
  • Level 2 — Notify only when programs try to make changes to my computer (do not dim my desktop) – almost the same as the previous level, but without switching to Secure Desktop with desktop locking;
  • Level 1 — Never notify – UAC is disabled.

UAC is enabled by default for the built-in Administrator account on Windows 11 and Windows 10 1709 and later.

Note that moving the slider to the bottom Never notify (Level 1) position doesn’t completely disable UAC. This mode only enables automatic confirmation of administrator elevation requests without displaying the UAC prompt. Elevation requests are automatically denied in non-admin user sessions.

To disable UAC completely, you must disable the local group policy option User Account Control: Run all administrators in Admin Approval Mode. See below for details.

Managing UAC Settings via Group Policy

UAC settings in Windows can be managed through Group Policy. The names of the UAC-related Group Policy options begin with User Account Control and can be found in the following GPO editor section: Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options.

The following table contains a list of UAC policies, their possible values (including defaults), and the corresponding registry parameters (located under the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System registry key).

| Policy Name | Registry Parameter | Values |
|---|---|---|
| User Account Control: Admin Approval Mode for the Built-in Administrator account | FilterAdministratorToken | 0 (Default) = Disabled; 1 = Enabled |
| User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop | EnableUIADesktopToggle | 0 (Default) = Disabled; 1 = Enabled |
| User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | ConsentPromptBehaviorAdmin | 0 = Elevate without prompting; 1 = Prompt for credentials on the secure desktop; 2 = Prompt for consent on the secure desktop; 3 = Prompt for credentials; 4 = Prompt for consent; 5 (Default) = Prompt for consent for non-Windows binaries |
| User Account Control: Behavior of the elevation prompt for standard users | ConsentPromptBehaviorUser | 0 = Automatically deny elevation requests; 1 = Prompt for credentials on the secure desktop; 3 (Default) = Prompt for credentials |
| User Account Control: Detect application installations and prompt for elevation | EnableInstallerDetection | 1 = Enabled (default for Workgroup); 0 = Disabled (default for domain-joined Windows device) |
| User Account Control: Only elevate executables that are signed and validated | ValidateAdminCodeSignatures | 0 (Default) = Disabled; 1 = Enabled |
| User Account Control: Only elevate UIAccess applications that are installed in secure locations | EnableSecureUIAPaths | 0 = Disabled; 1 (Default) = Enabled |
| User Account Control: Run all administrators in Admin Approval Mode | EnableLUA | 0 = Disabled; 1 (Default) = Enabled |
| User Account Control: Switch to the secure desktop when prompting for elevation | PromptOnSecureDesktop | 0 = Disabled; 1 (Default) = Enabled |
| User Account Control: Virtualize file and registry write failures to per-user locations | EnableVirtualization | 0 = Disabled; 1 (Default) = Enabled |
| User Account Control: Behavior of the elevation prompt for administrators running with Administrator Protection; User Account Control: Configure type of Admin Approval Mode | | These options were introduced in Windows 11 in late 2024 to control the new Local Administrator Protection feature. |

User Account Control Slider Levels and GPO/Registry Settings

When you change the UAC protection level by using the slider in the Control Panel, Windows changes the values of the following registry entries.

| UAC Slider Level | PromptOnSecureDesktop | EnableLUA | ConsentPromptBehaviorAdmin |
|---|---|---|---|
| Level 4 – Always Notify | 1 | 1 | 2 |
| Level 3 – Notify only when programs try to make changes to my computer (default) | 1 | 1 | 5 |
| Level 2 – Notify only when programs try to make changes to my computer (do not dim my desktop) | 0 | 1 | 5 |
| Level 1 – Never Notify | 0 | 1 | 0 |

Therefore, if you want to use the GPO to configure UAC settings that correspond to the specific slider level, you only need to configure 3 policy parameters (described above).

For example, apply the following registry parameters to set UAC level 3:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"PromptOnSecureDesktop"=dword:00000001
"EnableLUA"=dword:00000001
"ConsentPromptBehaviorAdmin"=dword:00000005
"ConsentPromptBehaviorUser"=dword:00000003
"EnableInstallerDetection"=dword:00000001
"EnableVirtualization"=dword:00000001
"ValidateAdminCodeSignatures"=dword:00000000
"FilterAdministratorToken"=dword:00000000


The values of the ConsentPromptBehaviorUser, EnableInstallerDetection, EnableVirtualization, ValidateAdminCodeSignatures, and FilterAdministratorToken parameters are the same for all levels.
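
The slider-to-registry mapping above can be used the other way round, to audit which level a machine is actually at. The following is an added example, not part of the original article: the function name Resolve-UacLevel is hypothetical, the sample inputs are constructed, and it assumes that a value missing from the key falls back to the default listed in the policy table.

```powershell
# Added example: classify UAC registry values by the slider levels in the table above.
$UacKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
# Defaults from the article's policy table (assumed to apply when a value is absent)
$Defaults = @{ PromptOnSecureDesktop = 1; EnableLUA = 1; ConsentPromptBehaviorAdmin = 5 }

function Resolve-UacLevel {
    param([Parameter(Mandatory)][hashtable]$Values)

    # Fill in the default for every value the key does not define
    $v = @{}
    foreach ($name in $Defaults.Keys) {
        $v[$name] = if ($null -ne $Values[$name]) { [int]$Values[$name] } else { $Defaults[$name] }
    }

    # Order: PromptOnSecureDesktop / EnableLUA / ConsentPromptBehaviorAdmin
    $state = '{0}/{1}/{2}' -f $v.PromptOnSecureDesktop, $v.EnableLUA, $v.ConsentPromptBehaviorAdmin
    $level = switch ($state) {
        '1/1/2' { 'Level 4 - Always notify' }
        '1/1/5' { 'Level 3 - Notify on program changes (default)' }
        '0/1/5' { 'Level 2 - Notify on program changes, desktop not dimmed' }
        '0/1/0' { 'Level 1 - Never notify' }
        default { 'No slider equivalent' }
    }

    # Flag each setting that is weaker than the default level
    $findings = @()
    if ($v.EnableLUA -eq 0) { $findings += 'EnableLUA=0: Admin Approval Mode is off' }
    if ($v.ConsentPromptBehaviorAdmin -eq 0) { $findings += 'ConsentPromptBehaviorAdmin=0: administrators elevate without prompting' }
    if ($v.PromptOnSecureDesktop -eq 0) { $findings += 'PromptOnSecureDesktop=0: prompt is not shown on the secure desktop' }

    [pscustomobject]@{ Level = $level; Findings = $findings }
}

# Constructed samples: slider at the bottom position, and UAC switched off through EnableLUA
Resolve-UacLevel -Values @{ PromptOnSecureDesktop = 0; EnableLUA = 1; ConsentPromptBehaviorAdmin = 0 }
Resolve-UacLevel -Values @{ EnableLUA = 0; ConsentPromptBehaviorAdmin = 0 }

# Live check of the local machine
$props = Get-ItemProperty -Path $UacKey
$live  = @{}
foreach ($name in $Defaults.Keys) { $live[$name] = $props.$name }
Resolve-UacLevel -Values $live
```

A result of "No slider equivalent" together with the EnableLUA finding identifies a machine where UAC was turned off through policy or the registry rather than through the Control Panel slider.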

There is another registry parameter in this key, LocalAccountTokenFilterPolicy, often referred to as Remote UAC. This parameter restricts remote connections to default admin shares under local user accounts with administrator privileges.

How to Disable UAC with Group Policy

Let’s look at how to completely disable User Account Control (UAC) in Windows through Group Policy.

It is a bad idea to turn off UAC in Windows. It’s not secure. There are simple workarounds for disabling UAC for a specific application if it doesn’t work properly with UAC enabled, or running the app without admin privileges and suppressing the UAC prompt.

On a standalone computer, use the Local Group Policy Editor gpedit.msc. If you need to deploy the Group Policy settings to multiple domain computers, use the Group Policy Management Console – gpmc.msc (let’s consider this option).

  1. In the Group Policy Management snap-in, click the OU containing computers where you want to disable UAC and create a new GPO;
  2. Edit the policy and go to the section Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options;
  3. To completely disable UAC, set the following parameter values:
    • User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode = Elevate without prompting;
    • User Account Control: Detect application installations and prompt for elevation = Disabled;
    • User Account Control: Run all administrators in Admin Approval Mode = Disabled;
    • User Account Control: Only elevate UIAccess applications that are installed in secure locations = Disabled.
  4. Reboot the target computers to update Group Policy settings and disable UAC. After the reboot, UAC will switch to “Never notify” mode.

You can also disable UAC for some users/computers via the registry and deploy the settings through Group Policy Preferences.

In the GPO editor, go to Computer Configuration -> Preferences -> Windows Settings -> Registry and create a new registry parameter with the following settings:

  • Action: Replace
  • Hive: HKEY_LOCAL_MACHINE
  • Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  • Value name: EnableLUA
  • Value type: REG_DWORD
  • Value data: 0


Then go to the Common tab and enable the options:

  • Remove this item when it is no longer applied
  • Item-Level targeting

Click the Targeting button and specify the computers or domain security groups to which you want to apply the UAC disable policy.

You can change the value of any parameter using the Registry Editor GUI or from the command prompt. For example, to disable UAC on a computer (a reboot is required), run the command:

reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

Or a similar PowerShell command:

New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name EnableLUA -PropertyType DWord -Value 0 -Force

Even with UAC disabled, some apps may be blocked from launching with the error This app has been blocked for your protection.

10 comments

No Spam April 6, 2017 - 5:35 pm

Methinks your values for the behavior on “standard users” are not accurate. Per this Microsoft link (https://technet.microsoft.com/en-us/library/dd835564(v=ws.10).aspx) the “default” value (level3) is “Prompt for consent on the secure desktop”.

Reply
No Spam April 6, 2017 - 5:44 pm

Sorry, default value is “Prompt for credentials on the secure desktop”

Reply
No Spam April 6, 2017 - 5:53 pm

You gotta love (hate) Microsoft documentation! In that same link/URL, they give conflicting information about the default value for “standard users”. In the first/top table, it says “User Account Control: Behavior of the elevation prompt for standard users ConsentPromptBehaviorUser Prompt for credentials on the secure desktop”. But in the last/bottom table, it says “ConsentPromptBehaviorUser User Account Control: Behavior of the elevation prompt for standard users 0 = Automatically deny elevation requests
1 = Prompt for credentials on the secure desktop
3 (Default) = Prompt for credentials”

SO WHICH IS IT MICROSOFT?!?

I apologize for questioning your page…

Reply
Rick November 29, 2018 - 12:12 pm

Using your level 1 settings does not correspond to level 1 in Windows 10.
If I set these settings I can’t run Microsoft Edge and everything is run as administrator.
Simple way to check this is to right click start and run Powershell always runs it as admin even tho’ I don’t select the (admin) choice.

So how do I make it behave like Windows 10 UAC level 1?

Reply
Chris January 13, 2021 - 12:23 am

How does one go about locking out UAC access to users and administrators? I want to gray out the button so people cannot make changes to UAC. Forcing it to level 3 is great, but if a local admin (all my users) can just change it, it doesn’t do me much good. I want to disable access to UAC. Any help would be greatly appreciated!

Reply
Gabe October 9, 2023 - 1:41 pm

Thanks for the info, this was very helpful!
In your first blue comment box, you have two links for two different pages, but they link to the same page. I believe the 2nd link was supposed to be for this page:
https://woshub.com/run-program-without-admin-password-and-bypass-uac-prompt/
HTH

Reply
admin October 19, 2023 - 6:33 am

👍

Reply
Carolyn Morris October 12, 2024 - 4:25 pm

I am 79 yrs & not very pc savvy I purchased new motherboard 10/03/2022 windows 10 22H2 OS version on my Lenovo I took pc to a repair store having trouble with my videos&photos sharing pc working fine before this I do not know what they did but Windows Security Firewall showed up & Workgroup & School 2019 took my pc back to original purchase in 2017 but I never installed any Organizations & their built-in admins even back then I had Malwarebytes installed also 2022 they have me listed as new motherboard name so why did this security allow my old computer to take over & put my Lenovo to sleep these Admins block everything Updates file sharing all domains except their private domain, my att internet & modem is blocked I have tried every suggestion Microsoft said but to no avail I no longer have my Administrator & UAC rights Microsoft techs screwed it up even more I don’t want to do a clean or pay someone four or five hundred So I am asking when I bring up my computer & it shows last update 2017 then ask if no longer used DELETE it will my New Motherboard come back as installed on 10/03/2022??

Reply
admin October 13, 2024 - 2:11 pm

Unfortunately, I have no idea what they did to your computer in the repair shop. A clean reinstallation of Windows from scratch might be the best solution for you.

Reply
erick October 31, 2024 - 6:10 am

reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 00000000 /f

Reply
