User Account Control
Secure Desktop
A feature of User Account Control (UAC) that dims the desktop and prevents any other activity until the user responds to a dialog box. This prevents malicious software from bypassing UAC prompts.
UAC (User Account Control)
A tool that generates an alert when a task or operation needs administrative privileges
Administrator account
An account that grants to the administrator(s) rights and permissions to all hardware and software resources, such as the right to add, delete, and change accounts and to change hardware configurations.
Privilege Elevation
This increases the privilege level of an application from that of a standard user to that of an administrator.
Admin Approval Mode
The default action mode of Windows 8.1 and above, in which all user accounts—even administrative ones—run without administrative privileges until such privileges are required. When this happens, the user is presented with a UAC prompt. - Prompting for Credential requires the user to enter an administrator username and password. - Prompting for Consent requires a continue or cancel response.
User Account Control: Admin Approval Mode for the built-in Administrator account.
This policy setting configures how Admin Approval Mode functions for the built-in Administrator account. You can configure the following options: - When set to Enabled, the built-in Administrator account uses Admin Approval Mode. In this mode, the user will be prompted to approve any operation that requires privilege elevation. - When set to Disabled, the built-in Administrator user runs applications with full administrative privileges.
User Account Control: Detect application installations and prompt for elevation
This policy setting configures the system to detect new application installations. You can configure the following options: - When set to Enabled, the user is prompted to enter an administrative user name and password when an application installation is detected that requires privilege elevation. - When set to Disabled, application installations are not detected and prompted for elevation.
User Account Control: Run all administrators in Admin Approval Mode
This policy setting controls the behavior of all UAC policy settings. You can configure the following options: - When set to Enabled, Admin Approval Mode is enabled. In this configuration, all related UAC policy settings must also be configured to allow the built-in Administrator account and all other administrative users (who are members of the Administrators group) to run in Admin Approval Mode. - When set to Disabled, Admin Approval Mode is disabled, along with all other UAC policy settings. - If you change this policy you will have to restart your computer.
User Account Control: Elevation prompt behavior for administrators in Admin Approval Mode.
This policy setting controls the behavior of the elevation prompt for administrators. You can configure the following options: - Elevate without prompting allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. - Prompt for credentials on the secure desktop causes the user to be prompted to enter an administrative user name and password on the secure desktop when an operation requires privilege elevation. - Prompt for consent on the secure desktop causes the user to be prompted on the secure desktop to select either Permit or Deny when an operation requires elevation of privilege. - Prompt for credentials causes the user to be prompted to enter an administrative user name and password when an operation requires privilege elevation. - Prompt for consent causes the user to be prompted to select either Permit or Deny when an operation requires privilege elevation. - Prompt for consent for non-Windows binaries causes the user to be prompted to select either - Permit or Deny on the secure desktop when an operation for a non-Microsoft application requires privilege elevation.
User Account Control: Elevation prompt behavior for standard users.
This policy setting controls the behavior of the elevation prompt for standard users. You can configure the following options: - Automatically deny elevation requests causes an Access Denied error message to be displayed when an operation requests privilege elevation. - Prompt for credentials on the secure desktop causes the user to be prompted to enter an administrative user name and password on the secure desktop when an operation requires privilege elevation. - Prompt for credentials causes the user to be prompted to enter an administrative user name and password when an operation requires privilege elevation.
User Account Control: Allow UIA applications to prompt for elevation without using the secure desktop
This policy setting controls whether User Interface Accessibility (UIA) applications (e.g., Remote Assistance) can automatically disable Secure Desktop. You can configure the following options: - When set to Enabled, UIA applications are allowed to automatically disable Secure Desktop when prompting for privilege elevation. - When set to Disabled, Secure Desktop can only be disabled by the end user.
User Account Control: Switch to the secure desktop when prompting for elevation
This policy setting controls whether the elevation request prompt is displayed on the user's standard desktop or the Secure Desktop. You can configure the following options: - When set to Enabled, all elevation requests are displayed on the Secure Desktop regardless of other policy settings that may have been configured for administrative and standard users. - When set to Disabled, all elevation requests are displayed on the user's standard desktop. In this configuration, the policy settings configured for UAC prompt behavior for both administrative and standard users are used. - When this policy setting is enabled, it overrides the User Account Control Behavior of the elevation prompt for administrators in Admin Approval Mode policy setting
User Account Control: Only elevate executables that are signed and validated
This policy setting enforces PKI signature checks for applications that request elevation of privilege. You can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local computers. You can configure the following options: - When set to Enabled, PKI validation must occur for a given executable file before it is permitted to run. - When set to Disabled, PKI validation is not required for a given executable file before it is permitted to run.
Standard user account
User account in Windows that has limited access to a system. Accounts of this type cannot alter system files, cannot install new programs, and cannot edit some settings by using the Control Panel without supplying an administrator passwords.
Always Notify
When Selecting this UAC configuration: - A UAC prompt and the Secure Desktop are displayed for 150 seconds. - The user cannot perform any other actions until they respond to the prompt, which will automatically deny the request after 150 seconds. - This is the most secure and recomended configuration.
Never notify
When Selecting this UAC configuration: - If logged on as an administrator, all actions are executed without UAC prompts or the Secure Desktop. - If logged on as a standard user, all actions requiring privilege elevation are automatically denied. - Turning off this requires a system reboot.
Notify me only when apps try to make changes to my computer (do not dim the desktop).
When Selecting this UAC configuration: - The user is prompted only when a program is trying to make changes to the computer or a program that is not included with Windows attempts to modify Windows settings. - The Secure Desktop is not displayed.
Notify me only when apps try to make changes to my computer.
When Selecting this UAC configuration: - The user is prompted only when programs try to make changes to the computer or Windows settings. - A UAC prompt and the Secure Desktop is displayed for 150 seconds. - The user cannot perform any other actions until they respond to the prompt, which will automatically deny the request after 150 seconds.