diff --git a/education/windows/edu-take-a-test-kiosk-mode.md b/education/windows/edu-take-a-test-kiosk-mode.md deleted file mode 100644 index 10c843fc0b..0000000000 --- a/education/windows/edu-take-a-test-kiosk-mode.md +++ /dev/null 
@@ -1,222 +0,0 @@ ---- -title: Configure Take a Test in kiosk mode -description: Learn how to configure Windows to execute the Take a Test app in kiosk mode, using Intune and provisioning packages. -ms.date: 09/30/2022 -ms.topic: how-to ---- - -# Configure Take a Test in kiosk mode - -Executing Take a Test in kiosk mode is the recommended option for high stakes assessments, such as mid-term exams. In this mode, Windows will execute Take a Test in a lock-down mode, preventing the execution of any applications other than Take a Test. Students must sign in using a test-taking account. - -The configuration of Take a Test in kiosk mode can be done using: - -- Microsoft Intune/MDM -- a provisioning package (PPKG) -- PowerShell -- the Settings app - -When using the Settings app, you can configure Take a Test in kiosk mode using a local account only. This option is recommended for devices that aren't managed. -The other options allow you to configure Take a Test in kiosk mode using a local account, an account defined in the directory, or a guest account. - -> [!TIP] -> While you could create a single account in the directory to be the dedicated test-taking account, it is recommended to use a guest account. This way, you don't get into a scenario where the testing account is locked out due to bad password attempts or other factors. -> -> An additional benefit of using a guest account, is that your students don't have to type a password to access the test. - -Follow the instructions below to configure your devices, selecting the option that best suits your needs. 
- -#### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune) - -You can use Intune for Education or a custom profile in Microsoft Intune: - -- Intune for Education provides a simpler experience -- A custom profile provides more flexibility and controls over the configuration - -> [!IMPORTANT] -> Currently, the policy created in Intune for Education is applicable to Windows 10 and Windows 11 only. **It will not apply to Windows 11 SE devices.** -> -> If you want to configure Take a Test for Windows 11 SE devices, you must use a custom policy. - -### Configure Take a Test from Intune for Education - -To configure devices using Intune for Education, follow these steps: - -1. Sign in to the Intune for Education portal -1. Select **Groups** > Pick a group to configure Take a Test for -1. Select **Windows device settings** -1. Expand the **Take a Test profiles** category and select **+ Assign new Take a Test profile** -1. Specify a **Profile Name**, **Account Name**, **Assessment URL** and, optionally, **Description** and options allowed during the test -1. Select **Create and assign profile** - -:::image type="content" source="./images/takeatest/intune-education-take-a-test-profile.png" alt-text="Intune for Education - creation of a Take a Test profile." lightbox="./images/takeatest/intune-education-take-a-test-profile.png" border="true"::: - -### Configure Take a Test with a custom policy - -[!INCLUDE [intune-custom-settings-1](includes/intune-custom-settings-1.md)] - -| Setting | -|--------| -|
  • OMA-URI: **`./Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn`**
  • Data type: **Integer**
  • Value: **1**
  • | -|
  • OMA-URI: **`./Vendor/MSFT/Policy/Config/WindowsLogon/HideFastUserSwitching`**
  • Data type: **Integer**
  • Value: **1**
  • | -|
  • OMA-URI: **`./Vendor/MSFT/SharedPC/AccountModel`**
  • Data type: **Integer**
  • Value: **1**
  • | -|
  • OMA-URI: **`./Vendor/MSFT/SharedPC/EnableAccountManager`**
  • Data type: **Boolean**
  • Value: **True**
  • | -|
  • OMA-URI: **`./Vendor/MSFT/SharedPC/KioskModeAUMID`**
  • Data type: **String**
  • Value: **Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App**
  • | -|
  • OMA-URI: **`./Vendor/MSFT/SharedPC/KioskModeUserTileDisplayText`**
  • Data type: **String**
  • Value: **Take a Test** (or a string of your choice to display in the sing-in screen)
  • | -|
  • OMA-URI: **`./Vendor/MSFT/SecureAssessment/LaunchURI`**
  • Data type: **String**
  • Value: **\**
  • | - -:::image type="content" source="./images/takeatest/intune-take-a-test-custom-profile.png" alt-text="Intune portal - creation of a custom policy to configure Take a Test." lightbox="./images/takeatest/intune-take-a-test-custom-profile.png" border="true"::: - -[!INCLUDE [intune-custom-settings-2](includes/intune-custom-settings-2.md)] -[!INCLUDE [intune-custom-settings-info](includes/intune-custom-settings-info.md)] - -#### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg) - -To create a provisioning package, you can either use Set up School PCs or Windows Configuration Designer: - -- Set up School PCs provides a simpler, guided experience -- Windows Configuration Designer provides more flexibility and controls over the configuration - -### Create a provisioning package using Set up School PCs - -Create a provisioning package using the Set up School PCs app, configuring the settings in the **Set up the Take a Test app** page. - -:::image type="content" source="./images/takeatest/suspcs-take-a-test.png" alt-text="Set up School PCs app - Take a test page" lightbox="./images/takeatest/suspcs-take-a-test.png" border="true"::: - -### Create a provisioning package using Windows Configuration Designer - -[Create a provisioning package][WIN-1] using Windows Configuration Designer with the following settings: - -| Setting | -|--------| -|
  • Path: **`Policies/LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn`**
  • Value: **Enabled**
  • | -|
  • Path: **`Policies/WindowsLogon/HideFastUserSwitching`**
  • Value: **True**
  • | -|
  • Path: **`SharedPC/AccountManagement/AccountModel`**
  • Value: **Domain-joined only**
  • | -|
  • Path: **`SharedPC/AccountManagement/EnableAccountManager`**
  • Value: **True**
  • | -|
  • Path: **`SharedPC/AccountManagement/KioskModeAUMID`**
  • Value: **Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App**
  • | -|
  • Path: **`SharedPC/AccountManagement/KioskModeUserTileDisplayText`**
  • Value: **Take a Test** (or a string of your choice to display in the sing-in screen)
  • | -|
  • Path: **`TakeATest/LaunchURI/`**
  • Value: **\**
  • | - -:::image type="content" source="./images/takeatest/wcd-take-a-test.png" alt-text="Windows Configuration Designer - configuration of policies to enable Take a Test to run in kiosk mode" lightbox="./images/takeatest/wcd-take-a-test.png" border="true"::: - -Follow the steps in [Apply a provisioning package][WIN-2] to apply the package that you created. - -#### [:::image type="icon" source="images/icons/powershell.svg"::: **PowerShell**](#tab/powershell) - -Configure your devices using PowerShell scripts via the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal). For more information, see [Using PowerShell scripting with the WMI Bridge Provider](/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider). - -> [!TIP] -> PowerShell scripts can be executed as scheduled tasks via Group Policy. - -> [!IMPORTANT] -> For all device settings, the WMI Bridge client must be executed as SYSTEM (LocalSystem) account. -> -> To test a PowerShell script, you can: -> 1. [Download the psexec tool](/sysinternals/downloads/psexec) -> 1. Open an elevated command prompt and run: `psexec.exe -i -s powershell.exe` -> 1. 
Run the script in the PowerShell session - -Edit the following sample PowerShell script to: - -- Customize the assessment URL with **$testURL** -- Change the kiosk user tile name displayed in the sign-in screen with **$userTileName** - -```powershell -$testURL = "https://contoso.com/algebra-exam" -$userTileName = "Take a Test" -$namespaceName = "root\cimv2\mdm\dmmap" -$ParentID="./Vendor/MSFT/Policy/Config" - -#Configure SharedPC -$className = "MDM_SharedPC" -$instance = "SharedPC" -$cimObject = Get-CimInstance -Namespace $namespaceName -ClassName $className -if (-not ($cimObject)) { - $cimObject = New-CimInstance -Namespace $namespaceName -ClassName $className -Property @{ParentID=$ParentID;InstanceID=$instance} -} -$cimObject.AccountModel = 1 -$cimObject.EnableAccountManager = $true -$cimObject.KioskModeAUMID = "Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App" -$cimObject.KioskModeUserTileDisplayText = $userTileName -Set-CimInstance -CimInstance $cimObject - -#Configure SecureAssessment -$className = "MDM_SecureAssessment" -$instance = "SecureAssessment" -$cimObject = Get-CimInstance -Namespace $namespaceName -ClassName $className -if (-not ($cimObject)) { - $cimObject = New-CimInstance -Namespace $namespaceName -ClassName $className -Property @{ParentID=$ParentID;InstanceID=$instance} -} -$cimObject.LaunchURI= $testURL -Set-CimInstance -CimInstance $cimObject - -#Configure interactive logon -$className = "MDM_Policy_Config01_LocalPoliciesSecurityOptions02" -$instance = "LocalPoliciesSecurityOptions" -$cimObject = Get-CimInstance -Namespace $namespaceName -ClassName $className -if (-not ($cimObject)) { - $cimObject = New-CimInstance -Namespace $namespaceName -ClassName $className -Property @{ParentID=$ParentID;InstanceID=$instance} -} -$cimObject.InteractiveLogon_DoNotDisplayLastSignedIn = 1 -Set-CimInstance -CimInstance $cimObject - -#Configure Windows logon -$className = "MDM_Policy_Config01_WindowsLogon02" -$instance = "WindowsLogon" -$cimObject = 
Get-CimInstance -Namespace $namespaceName -ClassName $className -if (-not ($cimObject)) { - $cimObject = New-CimInstance -Namespace $namespaceName -ClassName $className -Property @{ParentID=$ParentID;InstanceID=$instance} -} -$cimObject.HideFastUserSwitching = 1 -Set-CimInstance -CimInstance $cimObject -``` - -#### [:::image type="icon" source="images/icons/windows-os.svg"::: **Settings app**](#tab/win) - -To create a local account, and configure Take a Test in kiosk mode using the Settings app: - -1. Sign into the Windows device with an administrator account -1. Open the **Settings** app and select **Accounts** > **Other Users** -1. Under **Other users**, select **Add account** > **I don't have this person's sign-in information** > **Add a user without a Microsoft account** -1. Provide a user name and password for the account that will be used for testing - :::image type="content" source="./images/takeatest/settings-accounts-create-take-a-test-account.png" alt-text="Use the Settings app to create a test-taking account." border="true"::: -1. Select **Accounts > Access work or school** -1. Select **Create a test-taking account** - :::image type="content" source="./images/takeatest/settings-accounts-set-up-take-a-test-account.png" alt-text="Use the Settings app to set up a test-taking account." border="true"::: -1. Under **Add an account for taking tests**, select **Add account** > Select the account created in step 4 - :::image type="content" source="./images/takeatest/settings-accounts-choose-take-a-test-account.png" alt-text="Use the Settings app to choose the test-taking account." border="true"::: -1. Under **Enter the tests's web address**, enter the assessment URL -1. Under **Test taking settings** select the options you want to enable during the test - - To enable printing, select **Require printing** - - > [!NOTE] - > Make sure a printer is pre-configured on the Take a Test account if you're enabling this option. 
- - - To enable teachers to monitor screens, select **Allow screen monitoring** - - To allow text suggestions, select **Allow text suggestions** - -1. To take the test, a student must sign in using the test-taking account selected in step 4 - :::image type="content" source="./images/takeatest/login-screen-take-a-test-single-pc.png" alt-text="Windows 11 SE login screen with the take a test account." border="true"::: - - > [!NOTE] - > To sign-in with a local account on a device that is joined to Azure AD or Active Directory, you must prefix the username with either `\` or `.\`. - ---- - -## How to use Take a Test in kiosk mode - -Once the devices are configured, a new user tile will be available in the sign-in screen. If selected, Take a Test will be executed in kiosk mode using the guest account, opening the assessment URL. - -## How to exit Take a Test - -To exit the Take a Test app at any time, press Ctrl+Alt+Delete. You'll be prompted to sign out of the test-taking account, or return to the test. Once signed out, the device will be unlocked from kiosk mode and can be used as normal. - -The following animation shows the process of signing in to the test-taking account, taking a test, and exiting the test: - -:::image type="content" source="./images/takeatest/sign-in-sign-out.gif" alt-text="Signing in and signing out with a test account" border="true"::: - -[MEM-1]: /mem/intune/configuration/custom-settings-windows-10 -[MEM-2]: /mem/intune/configuration/settings-catalog - -[WIN-1]: /windows/configuration/provisioning-packages/provisioning-create-package -[WIN-2]: /windows/configuration/provisioning-packages/provisioning-apply-package \ No newline at end of file diff --git a/windows/security/application-security/application-control/toc.yml b/windows/security/application-security/application-control/toc.yml index 6432f3ec06..d714053a9e 100644 --- a/windows/security/application-security/application-control/toc.yml 
+++ b/windows/security/application-security/application-control/toc.yml @@ -3,12 +3,10 @@ items: items: - name: Overview href: user-account-control/index.md - - name: How User Account Control works + - name: How UAC works href: user-account-control/how-user-account-control-works.md - - name: User Account Control security policy settings - href: user-account-control/user-account-control-security-policy-settings.md - - name: User Account Control Group Policy and registry key settings - href: user-account-control/user-account-control-group-policy-and-registry-key-settings.md + - name: Configure UAC + href: user-account-control/configure.md - name: Windows Defender Application Control and virtualization-based protection of code integrity href: ../../threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md - name: Windows Defender Application Control diff --git a/windows/security/application-security/application-control/user-account-control/configure.md b/windows/security/application-security/application-control/user-account-control/configure.md new file mode 100644 index 0000000000..6d493f3275 --- /dev/null +++ b/windows/security/application-security/application-control/user-account-control/configure.md @@ -0,0 +1,81 @@ +--- +title: Configure User Account Control +description: Learn about the User Account Control settings and how to configure them via Intune, CSP, group policy and registry. +ms.date: 05/26/2023 +ms.topic: how-to +--- + +# Configure User Account Control + +The following table lists the available settings to configure the UAC behavior, and their default values. + +|Setting name| Description|Default value| +|-|-|-| +|Run all administrators in Admin Approval Mode|Controls the behavior of all UAC policy settings.

    **Enabled**: Admin Approval Mode is enabled. This policy must be enabled and related UAC settings configured. The policy allows the built-in Administrator account and members of the Administrators group to run in Admin Approval Mode.
    **Disabled**: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Windows Security app notifies you that the overall security of the operating system has been reduced.|Enabled| +|Admin Approval Mode for the Built-in Administrator account|Controls the behavior of Admin Approval Mode for the built-in Administrator account.

    **Enabled**: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the operation.
    **Disabled** : The built-in Administrator account runs all applications with full administrative privilege.|Disabled| +|Switch to the secure desktop when prompting for elevation|This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop.

    **Enabled**: All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users.
    **Disabled**: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used.|Enabled| +|Behavior of the elevation prompt for administrators in Admin Approval Mode|Controls the behavior of the elevation prompt for administrators.

    **Elevate without prompting**: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. **Use this option only in the most constrained environments**.
    **Prompt for credentials on the secure desktop**: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege.
    **Prompt for consent on the secure desktop**: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
    **Prompt for credentials**: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
    **Prompt for consent**: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
    **Prompt for consent for non-Windows binaries**: When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.|Prompt for consent for non-Windows binaries| +|Behavior of the elevation prompt for standard users|Controls the behavior of the elevation prompt for standard users.

    **Prompt for credentials**: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
    **Automatically deny elevation requests**: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls.
    **Prompt for credentials on the secure desktop** When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.|Prompt for credentials| +|Detect application installations and prompt for elevation|Controls the behavior of application installation detection for the computer.

    **Enabled**: When an app installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
    **Disabled**: App installation packages aren't detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies, such as Microsoft Intune, should disable this policy setting. In this case, installer detection is unnecessary. |Enabled| +|Only elevate executables that are signed and validated|Enforces signature checks for any interactive applications that request elevation of privilege. IT admins can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local devices.

    **Enabled**: Enforces the certificate certification path validation for a given executable file before it's permitted to run.
    **Disabled**: Doesn't enforce the certificate certification path validation before a given executable file is permitted to run.|Disabled| +|Only elevate UIAccess applications that are installed in secure locations|Controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following folders:
    - `Program Files`, including subfolders
    - `\Windows\\system32\`
    - `\Program Files (x86)\`, including subfolders


    **Enabled**: If an app resides in a secure location in the file system, it runs only with UIAccess integrity.
    **Disabled**: An app runs with UIAccess integrity even if it doesn't reside in a secure location in the file system.

    **Note:** Windows enforces a digital signature check on any interactive apps that requests to run with a UIAccess integrity level regardless of the state of this setting.|Enabled| +|Allow UIAccess applications to prompt for elevation without using the secure desktop|Controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user.

    **Enabled**: UIA programs, including Remote Assistance, automatically disable the secure desktop for elevation prompts. If you don't disable the **Switch to the secure desktop when prompting for elevation** policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop.
    **Disabled**: The secure desktop can be disabled only by the user of the interactive desktop or by disabling the **Switch to the secure desktop when prompting for elevation** policy setting.|Disabled| +|Virtualize File And Registry Write Failures To Per User Locations|Controls whether application write failures are redirected to defined registry and file system locations. This setting mitigates applications that run as administrator and write run-time application data to `%ProgramFiles%`, `%Windir%`, `%Windir%\system32`, or `HKLM\Software`.

    **Enabled**: App write failures are redirected at run time to defined user locations for both the file system and registry.
    **Disabled**: Apps that write data to protected locations fail.|Enabled| + +## User Account Control configuration + +To configure UAC you can use: + +- Microsoft Intune/MDM +- Group policy +- Registry + +Follow the instructions below to configure your devices, selecting the option that best suits your needs. + + +#### [:::image type="icon" source="../../../images/icons/intune.svg" border="false"::: **Intune**](#tab/intune) + +### Configure UAC with a Settings catalog policy + +To configure devices using a Settings catalog policy follow these steps: + +Alternatively, configure UAC using the [LocalPoliciesSecurityOptions Policy CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions). + +#### [:::image type="icon" source="../../../images/icons/group-policy.svg" border="false"::: **Group policy**](#tab/gpo) + +You can use security policies to configure how User Account Control works in your organization. They can be configured locally by using the Local Security Policy snap-in (secpol.msc) or configured for the domain, OU, or specific groups by Group Policy. + +These policy settings are located in ``Security Settings\Local Policies\Security Options` in the Local Security Policy snap-in. + +| Group Policy setting |Default | +| - | - | +|User Account Control: Run all administrators in Admin Approval Mode| Enabled | +|User Account Control: Admin Approval Mode for the built-in Administrator account| Disabled | +|User Account Control: Switch to the secure desktop when prompting for elevation | Enabled | +|User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode| Prompt for consent for non-Windows binaries | +|User Account Control: Behavior of the elevation prompt for standard users | Prompt for credentials | +|User Account Control: Detect application installations and prompt for elevation| Enabled (default for home only)
    Disabled (default) | +|User Account Control: Only elevate executables that are signed and validated| Disabled | +|User Account Control: Only elevate UIAccess applications that are installed in secure locations | Enabled | +|User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop| Disabled | +|User Account Control: Virtualize file and registry write failures to per-user locations | Enabled | + +#### [:::image type="icon" source="../../../images/icons/windows-os.svg" border="false"::: **Registry**](#tab/reg) + +The registry keys are found in the path: `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`. + +| Registry key name | Setting name | Value | +| - | - | - | +| `EnableLUA` | Run all administrators in Admin Approval Mode | 0 = Disabled
    1 (Default) = Enabled | +| `FilterAdministratorToken` |Admin Approval Mode for the built-in Administrator account | 0 (Default) = Disabled
    1 = Enabled | +| `PromptOnSecureDesktop` | Switch to the secure desktop when prompting for elevation| 0 = Disabled
    1 (Default) = Enabled | +| `ConsentPromptBehaviorAdmin` | Behavior of the elevation prompt for administrators in Admin Approval Mode| 0 = Elevate without prompting
    1 = Prompt for credentials on the secure desktop
    2 = Prompt for consent on the secure desktop
    3 = Prompt for credentials
    4 = Prompt for consent
    5 (Default) = Prompt for consent for non-Windows binaries
    | +| `ConsentPromptBehaviorUser` | Behavior of the elevation prompt for standard users | 0 = Automatically deny elevation requests
    1 = Prompt for credentials on the secure desktop
    3 (Default) = Prompt for credentials | +| `EnableInstallerDetection` |Detect application installations and prompt for elevation | 1 = Enabled (default for home only)
    0 = Disabled (default) | +| `ValidateAdminCodeSignatures` | Only elevate executables that are signed and validated | 0 (Default) = Disabled
    1 = Enabled | +| `EnableSecureUIAPaths` | Only elevate UIAccess applications that are installed in secure locations | 0 = Disabled
    1 (Default) = Enabled | +| `EnableUIADesktopToggle` | Allow UIAccess applications to prompt for elevation without using the secure desktop| 0 (Default) = Disabled
    1 = Enabled | +| `EnableVirtualization` | Virtualize file and registry write failures to per-user locations | 0 = Disabled
    1 (Default) = Enabled | + +--- + diff --git a/windows/security/application-security/application-control/user-account-control/user-account-control-group-policy-and-registry-key-settings.md b/windows/security/application-security/application-control/user-account-control/user-account-control-group-policy-and-registry-key-settings.md index afd5ac653f..f97b04c210 100644 --- a/windows/security/application-security/application-control/user-account-control/user-account-control-group-policy-and-registry-key-settings.md +++ b/windows/security/application-security/application-control/user-account-control/user-account-control-group-policy-and-registry-key-settings.md 
@@ -1,39 +1,4 @@ ---- -title: User Account Control Group Policy and registry key settings -description: Here's a list of UAC Group Policy and registry key settings that your organization can use to manage UAC. -ms.collection: - - highpri - - tier2 -ms.topic: article -ms.date: 05/25/2023 ---- -# User Account Control Group Policy and registry key settings -## Group Policy settings -There are 10 Group Policy settings that can be configured for User Account Control (UAC). The table lists the default for each of the policy settings, and the following sections explain the different UAC policy settings and provide recommendations. These policy settings are located in **Security Settings\\Local Policies\\Security Options** in the Local Security Policy snap-in. For more information about each of the Group Policy settings, see the Group Policy description. For information about the registry key settings, see [Registry key settings](#registry-key-settings). - - -| Group Policy setting | Registry key | Default | -| - | - | - | - | -| [User Account Control: Admin Approval Mode for the built-in Administrator account](#user-account-control-admin-approval-mode-for-the-built-in-administrator-account) | FilterAdministratorToken | Disabled | -| [User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop](#user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop) | EnableUIADesktopToggle | Disabled | -| [User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode](#user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode) | ConsentPromptBehaviorAdmin | Prompt for consent for non-Windows binaries | -| [User Account Control: Behavior of the elevation prompt for standard users](#user-account-control-behavior-of-the-elevation-prompt-for-standard-users) | ConsentPromptBehaviorUser | Prompt for credentials | -| [User 
Account Control: Detect application installations and prompt for elevation](#user-account-control-detect-application-installations-and-prompt-for-elevation) | EnableInstallerDetection | Enabled (default for home)
    Disabled (default for enterprise) | -| [User Account Control: Only elevate executables that are signed and validated](#user-account-control-only-elevate-executables-that-are-signed-and-validated) | ValidateAdminCodeSignatures | Disabled | -| [User Account Control: Only elevate UIAccess applications that are installed in secure locations](#user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations) | EnableSecureUIAPaths | Enabled | -| [User Account Control: Run all administrators in Admin Approval Mode](#user-account-control-run-all-administrators-in-admin-approval-mode) | EnableLUA | Enabled | -| [User Account Control: Switch to the secure desktop when prompting for elevation](#user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation) | PromptOnSecureDesktop | Enabled | -| [User Account Control: Virtualize file and registry write failures to per-user locations](#user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations) | EnableVirtualization | Enabled | - -### User Account Control: Admin Approval Mode for the built-in Administrator account - -The **User Account Control: Admin Approval Mode for the built-in Administrator account** policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. - -The options are: - -- **Enabled.** The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the operation. -- **Disabled.** (Default) The built-in Administrator account runs all applications with full administrative privilege. ### User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop 
@@ -66,33 +31,6 @@ This policy setting does not change the behavior of the UAC elevation prompt for If you plan to enable this policy setting, you should also review the effect of the **User Account Control: Behavior of the elevation prompt for standard users** policy setting. If it is configured as **Automatically deny elevation requests**, elevation requests are not presented to the user. -### User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode - -The **User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode** policy setting controls the behavior of the elevation prompt for administrators. - -The options are: - -- **Elevate without prompting.** Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. - - **Note** Use this option only in the most constrained environments. - -- **Prompt for credentials on the secure desktop.** When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. -- **Prompt for consent on the secure desktop.** When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either **Permit** or **Deny**. If the user selects **Permit**, the operation continues with the user's highest available privilege. -- **Prompt for credentials.** When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. -- **Prompt for consent.** When an operation requires elevation of privilege, the user is prompted to select either **Permit** or **Deny**. 
If the user selects **Permit**, the operation continues with the user's highest available privilege. -- **Prompt for consent for non-Windows binaries.** (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either **Permit** or **Deny**. If the user selects **Permit**, the operation continues with the user's highest available privilege. - - -### User Account Control: Behavior of the elevation prompt for standard users - -The **User Account Control: Behavior of the elevation prompt for standard users** policy setting controls the behavior of the elevation prompt for standard users. - -The options are: - -- **Automatically deny elevation requests.** When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls. -- **Prompt for credentials on the secure desktop.** When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. -- **Prompt for credentials.** (Default) When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. - ### User Account Control: Detect application installations and prompt for elevation The **User Account Control: Detect application installations and prompt for elevation** policy setting controls the behavior of application installation detection for the computer. 
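Review bot: removing the two "Behavior of the elevation prompt" sections leaves dangling cross-references in text this hunk keeps: the unchanged context line directly above still tells the reader to "review the effect of the **User Account Control: Behavior of the elevation prompt for standard users** policy setting", and the "Switch to the secure desktop" section retained later in this file keeps a table keyed on those prompt-behavior options (Automatically deny elevation requests, Prompt for credentials on the secure desktop, Prompt for credentials). Either update those references in the same change or leave a one-line pointer to wherever the settings now live. Note also that "Elevate without prompting" with its "Use this option only in the most constrained environments" warning is removed from both files in this diff (here and in the security-policy-settings page deleted at the end), and that option has the largest security impact on the page; make sure the warning survives the move.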
@@ -102,14 +40,6 @@ The options are: - **Enabled.** (Default for home) When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. - **Disabled.** (Default for enterprise) Application installation packages are not detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies such as Group Policy Software Installation or Systems Management Server (SMS) should disable this policy setting. In this case, installer detection is unnecessary. -### User Account Control: Only elevate executables that are signed and validated - -The **User Account Control: Only elevate executables that are signed and validated** policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local computers. - -The options are: - -- **Enabled.** Enforces the PKI certification path validation for a given executable file before it is permitted to run. -- **Disabled.** (Default) Does not enforce PKI certification path validation before a given executable file is permitted to run. ### User Account Control: Only elevate UIAccess applications that are installed in secure locations 
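Review bot: the retained context for "Detect application installations" still refers to "Group Policy Software Installation or Systems Management Server (SMS)", while the copy of the same setting in the page deleted at the end of this diff had already been updated to "Group Policy or Microsoft Intune"; as written, the change keeps the stale wording and throws away the newer one. Suggest porting the newer sentence into this section. On the removed "Only elevate executables that are signed and validated" section: the `ValidateAdminCodeSignatures` description (PKI certification path validation, Trusted Publishers store) is dropped from both files in this diff, so confirm it lands somewhere, since it is the enforcement control an allow-listing admin will look for on this page.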
@@ -126,17 +56,6 @@ The options are: - **Enabled.** (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity. - **Disabled.** An application runs with UIAccess integrity even if it does not reside in a secure location in the file system. -### User Account Control: Run all administrators in Admin Approval Mode - -The **User Account Control: Run all administrators Admin Approval Mode** policy setting controls the behavior of all UAC policy settings for the computer. If you change this policy setting, you must restart your computer. - -The options are: - -- **Enabled.** (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the **Administrators** group to run in Admin Approval Mode. -- **Disabled.** Admin Approval Mode and all related UAC policy settings are disabled. - -**Note** If this policy setting is disabled, the Windows Security app notifies you that the overall security of the operating system has been reduced. - ### User Account Control: Switch to the secure desktop when prompting for elevation The **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. 
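Review bot: the removed "Run all administrators in Admin Approval Mode" section is the one that states `EnableLUA` "controls the behavior of all UAC policy settings for the computer" and that changing it requires a restart; the secure-desktop section kept below depends on it and nothing left in this file says so. If the section is being relocated, keep the restart requirement and the "Windows Security app notifies you that the overall security of the operating system has been reduced" note together with it. Minor: the body text of the removed section reads "Run all administrators Admin Approval Mode" (missing "in"); fix that wherever the text is moved.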
@@ -163,62 +82,3 @@ When this policy setting is enabled, it overrides the **User Account Control: Be | **Automatically deny elevation requests** | No prompt. The request is automatically denied. | No prompt. The request is automatically denied. | | **Prompt for credentials on the secure desktop** | The prompt appears on the secure desktop. | The prompt appears on the secure desktop. | | **Prompt for credentials** | The prompt appears on the secure desktop. | The prompt appears on the interactive user's desktop. | - -### User Account Control: Virtualize file and registry write failures to per-user locations - -The **User Account Control: Virtualize file and registry write failures to per-user locations** policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\\system32, or HKLM\\Software. - -The options are: - -- **Enabled.** (Default) Application write failures are redirected at run time to defined user locations for both the file system and registry. -- **Disabled.** Applications that write data to protected locations fail. - -## Registry key settings - -The registry keys are found in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System**. For information about each of the registry keys, see the associated Group Policy description. - -| Registry key | Group Policy setting | Registry setting | -| - | - | - | -| FilterAdministratorToken | [User Account Control: Admin Approval Mode for the built-in Administrator account](#user-account-control-admin-approval-mode-for-the-built-in-administrator-account) | 0 (Default) = Disabled
    1 = Enabled | -| EnableUIADesktopToggle | [User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop](#user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop) | 0 (Default) = Disabled
    1 = Enabled | -| ConsentPromptBehaviorAdmin | [User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode](#user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode) | 0 = Elevate without prompting
    1 = Prompt for credentials on the secure desktop
    2 = Prompt for consent on the secure desktop
    3 = Prompt for credentials
    4 = Prompt for consent
    5 (Default) = Prompt for consent for non-Windows binaries
    | -| ConsentPromptBehaviorUser | [User Account Control: Behavior of the elevation prompt for standard users](#user-account-control-behavior-of-the-elevation-prompt-for-standard-users) | 0 = Automatically deny elevation requests
    1 = Prompt for credentials on the secure desktop
    3 (Default) = Prompt for credentials | -| EnableInstallerDetection | [User Account Control: Detect application installations and prompt for elevation](#user-account-control-detect-application-installations-and-prompt-for-elevation) | 1 = Enabled (default for home)
    0 = Disabled (default for enterprise) | -| ValidateAdminCodeSignatures | [User Account Control: Only elevate executables that are signed and validated](#user-account-control-only-elevate-executables-that-are-signed-and-validated) | 0 (Default) = Disabled
    1 = Enabled | -| EnableSecureUIAPaths | [User Account Control: Only elevate UIAccess applications that are installed in secure locations](#user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations) | 0 = Disabled
    1 (Default) = Enabled | -| EnableLUA | [User Account Control: Run all administrators in Admin Approval Mode](#user-account-control-run-all-administrators-in-admin-approval-mode) | 0 = Disabled
    1 (Default) = Enabled | -| PromptOnSecureDesktop | [User Account Control: Switch to the secure desktop when prompting for elevation](#user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation) | 0 = Disabled
    1 (Default) = Enabled | -| EnableVirtualization | [User Account Control: Virtualize file and registry write failures to per-user locations](#user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations) | 0 = Disabled
    1 (Default) = Enabled | - - - - - -## Configure Shared PC - -Shared PC can be configured using the following methods: - -- Microsoft Intune/MDM -- Provisioning package (PPKG) -- PowerShell script - -Follow the instructions below to configure your devices, selecting the option that best suits your needs. - -#### [:::image type="icon" source="../../../images/group-policy.svg"::: **Intune**](#tab/intune) - -To configure devices using Microsoft Intune, [create a **Settings catalog** policy][MEM-2], and use the settings listed under the category **`User Account Control`**: - -:::image type="content" source="../../../images/group-policy.svg" alt-text="Screenshot that shows the Shared PC policies in the Intune settings catalog." lightbox="../../../../../images/group-policy.svg" border="True"::: - -Assign the policy to a security group that contains as members the devices or users that you want to configure. - -Alternatively, you can configure devices using a [custom policy][MEM-1] with the [SharedPC CSP][WIN-3]. - -#### [:::image type="icon" source="../../../images/group-policy.svg"::: **PPKG**](#tab/ppkg) - - -#### [:::image type="icon" source="../../../images/group-policy.svg"::: **PowerShell**](#tab/powershell) - -To configure devices using the registry - ---- diff --git a/windows/security/application-security/application-control/user-account-control/user-account-control-security-policy-settings.md b/windows/security/application-security/application-control/user-account-control/user-account-control-security-policy-settings.md deleted file mode 100644 index c2f4f1019a..0000000000 --- a/windows/security/application-security/application-control/user-account-control/user-account-control-security-policy-settings.md +++ /dev/null 
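Review bot: the new `## Configure Shared PC` block at the end of the preceding hunk is an unfinished copy from the Shared PC page and should not merge as is: the heading, the intro ("Shared PC can be configured using..."), the screenshot alt text ("Shared PC policies in the Intune settings catalog") and the `[SharedPC CSP][WIN-3]` link all describe Shared PC rather than UAC; all three tab icons point to `group-policy.svg` (the Intune tab included) and the "screenshot" `source` is that same svg icon, with a `lightbox` path two directory levels deeper (`../../../../../images/`) than its `source`; the PPKG tab is empty; the PowerShell tab ends mid-sentence ("To configure devices using the registry"); and the reference-style links `[MEM-1]`, `[MEM-2]` and `[WIN-3]` have no definitions anywhere in the diff. Separately, the same hunk deletes the `## Registry key settings` table, which is the only place on either page that records the DWORD encodings (for example `ConsentPromptBehaviorAdmin` 0 to 5, and `ConsentPromptBehaviorUser` 0, 1 and 3 with no value 2) and the `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System` path; a PowerShell or registry tab cannot be written without exactly those values, so keep the table or move it into that tab rather than deleting it.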
@@ -1,94 +0,0 @@ ---- -title: User Account Control security policy settings -description: You can use security policies to configure how User Account Control works in your organization. -ms.topic: article -ms.date: 09/24/2021 ---- - -# User Account Control security policy settings - -You can use security policies to configure how User Account Control works in your organization. They can be configured locally by using the Local Security Policy snap-in (secpol.msc) or configured for the domain, OU, or specific groups by Group Policy. - -## User Account Control: Admin Approval Mode for the Built-in Administrator account - -This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. - -- **Enabled** The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the operation. -- **Disabled** (Default) The built-in Administrator account runs all applications with full administrative privilege. - -## User Account Control: Allow UIAccess application to prompt for elevation without using the secure desktop - -This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. - -- **Enabled** UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you don't disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop. -- **Disabled** (Default) The secure desktop can be disabled only by the user of the interactive desktop or by disabling the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting. 
- -## User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode - -This policy setting controls the behavior of the elevation prompt for administrators. - -- **Elevate without prompting** Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. - - >**Note:**  Use this option only in the most constrained environments. -   -- **Prompt for credentials on the secure desktop** When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. -- **Prompt for consent on the secure desktop** When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. -- **Prompt for credentials** When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. -- **Prompt for consent** When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. -- **Prompt for consent for non-Windows binaries** (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. - -## User Account Control: Behavior of the elevation prompt for standard users - -This policy setting controls the behavior of the elevation prompt for standard users. 
- -- **Prompt for credentials** (Default) When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. -- **Automatically deny elevation requests** When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls. -- **Prompt for credentials on the secure desktop** When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. - -## User Account Control: Detect application installations and prompt for elevation - -This policy setting controls the behavior of application installation detection for the computer. - -- **Enabled** (Default) When an app installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. -- **Disabled** App installation packages aren't detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies, such as Group Policy or Microsoft Intune should disable this policy setting. In this case, installer detection is unnecessary. - -## User Account Control: Only elevate executable files that are signed and validated - -This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local computers. 
- -- **Enabled** Enforces the certificate certification path validation for a given executable file before it's permitted to run. -- **Disabled** (Default) Doesn't enforce the certificate certification path validation before a given executable file is permitted to run. - -## User Account Control: Only elevate UIAccess applications that are installed in secure locations - -This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following folders: - -- …\\Program Files\\, including subfolders -- …\\Windows\\system32\\ -- …\\Program Files (x86)\\, including subfolders for 64-bit versions of Windows - ->**Note:**  Windows enforces a digital signature check on any interactive app that requests to run with a UIAccess integrity level regardless of the state of this security setting. -  -- **Enabled** (Default) If an app resides in a secure location in the file system, it runs only with UIAccess integrity. -- **Disabled** An app runs with UIAccess integrity even if it doesn't reside in a secure location in the file system. - -## User Account Control: Turn on Admin Approval Mode - -This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. - -- **Enabled** (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately. They'll allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. -- **Disabled** Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Windows Security app notifies you that the overall security of the operating system has been reduced. 
- -## User Account Control: Switch to the secure desktop when prompting for elevation - -This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. - -- **Enabled** (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users. -- **Disabled** All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used. - -## User Account Control: Virtualize file and registry write failures to per-user locations - -This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\\system32, or HKLM\\Software. - -- **Enabled** (Default) App write failures are redirected at run time to defined user locations for both the file system and registry. -- **Disabled** Apps that write data to protected locations fail.
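Review bot: deleting `user-account-control-security-policy-settings.md` drops content the surviving group-policy page never had: the list of UIAccess secure locations (`…\Program Files\` including subfolders, `…\Windows\system32\`, `…\Program Files (x86)\` on 64-bit Windows) and the note that Windows enforces a digital-signature check on any interactive app requesting UIAccess integrity regardless of the `EnableSecureUIAPaths` setting. Those two facts are what an engineer needs to reason about UIAccess abuse, so port them into the retained "Only elevate UIAccess applications that are installed in secure locations" section before removing this file. This page's "Detect application installations" wording ("Group Policy or Microsoft Intune") is also the more current of the two copies. Finally, no redirect for the deleted path appears in this diff; check that one accompanies the deletion so existing links to the page do not break.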