deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-16 10:53:43 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Security Freshness

Browse Source
This commit is contained in:
Vinay Pamnani (from Dev Box)
2025-04-15 13:06:00 -06:00
parent de87def255
commit 2b0720b8ff
6 changed files with 220 additions and 135 deletions
Download Patch File Download Diff File Expand all files Collapse all files

129
windows/security/application-security/application-control/user-account-control/architecture.md Normal file
View File

@ -0,0 +1,129 @@
---
title: User Account Control architecture
description: Learn about the User Account Control (UAC) architecture.
ms.topic: concept-article
ms.date: 04/15/2025
---
# UAC Architecture
The following diagram details the UAC architecture.
:::image type="content" source="images/uac-architecture.gif" alt-text="Diagram that describes the UAC architecture.":::
## User
- **User performs operation requiring privilege**: If the operation changes the file system or registry, Virtualization is called. All other operations call ShellExecute.
- **ShellExecute**: ShellExecute calls CreateProcess. ShellExecute looks for the `ERROR_ELEVATION_REQUIRED` error from CreateProcess. If it receives the error, ShellExecute calls the Application Information service to attempt to perform the requested task with the elevated prompt.
- **CreateProcess**: If the application requires elevation, CreateProcess rejects the call with `ERROR_ELEVATION_REQUIRED`.
## System
- **Application Information service**:
- A system service that helps start apps that require one or more elevated privileges or user rights to run.
- The Application Information service helps start such apps by creating a new process for the application with an administrative user's full access token when elevation is required.
- Depending on the configured policies, the user might give consent.
- **Elevating an ActiveX install**:
- If ActiveX isn't installed, the system checks the UAC slider level.
- If ActiveX is installed, the **User Account Control: Switch to the secure desktop when prompting for elevation** Group Policy setting is checked.
- **Check UAC slider level**: UAC has a slider to select from four levels of notification:
- **Always notify** will:
- Notify you when programs try to install software or make changes to your computer.
- Notify you when you make changes to Windows settings.
- Freeze other tasks until you respond.
- Recommended if you often install new software or visit unfamiliar websites.
- **Notify me only when programs try to make changes to my computer** will:
- Notify you when programs try to install software or make changes to your computer.
- Not notify you when you make changes to Windows settings.
- Freeze other tasks until you respond.
- Recommended if you don't often install apps or visit unfamiliar websites.
- **Notify me only when programs try to make changes to my computer (do not dim my desktop)** will:
- Notify you when programs try to install software or make changes to your computer.
- Not notify you when you make changes to Windows settings.
- Not freeze other tasks until you respond.
- Not recommended. Choose this option only if it takes a long time to dim the desktop on your computer.
- **Never notify (Disable UAC prompts)** will:
- Not notify you when programs try to install software or make changes to your computer.
- Not notify you when you make changes to Windows settings.
- Not freeze other tasks until you respond.
- Not recommended due to security concerns.
- **Secure desktop enabled**: The **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting is checked:
- If the secure desktop is enabled, all elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users.
- If the secure desktop isn't enabled, all elevation requests go to the interactive user's desktop, and the per-user settings for administrators and standard users are used.
- **CreateProcess**:
- CreateProcess calls AppCompat, Fusion, and Installer detection to assess if the app requires elevation.
- The file is then inspected to determine its requested execution level, which is stored in the application manifest for the file.
- CreateProcess fails if the requested execution level specified in the manifest doesn't match the access token and returns an error (ERROR_ELEVATION_REQUIRED) to ShellExecute.
- **AppCompat**:
- The AppCompat database stores information in the application compatibility fix entries for an application.
- **Fusion**:
- The Fusion database stores information from application manifests that describe the applications.
- The manifest schema is updated to add a new requested execution level field.
- **Installer detection**:
- Installer detection detects setup files and helps prevent installations from being run without the user's knowledge and consent.
## Kernel
- **Virtualization**: Virtualization technology ensures that noncompliant apps don't silently fail to run or fail in a way that the cause can't be determined. UAC also provides file and registry virtualization and logging for applications that write to protected areas.
- **File system and registry**: The per-user file and registry virtualization redirects per-computer registry and file write requests to equivalent per-user locations. Read requests are redirected to the virtualized per-user location first and to the per-computer location second.
The slider never turns off UAC completely. If you set it to **Never notify**, it will:
- Keep the UAC service running
- Cause all elevation request initiated by administrators to be autoapproved without showing a UAC prompt
- Automatically deny all elevation requests for standard users
> [!IMPORTANT]
> In order to fully disable UAC, you must disable the policy **User Account Control: Run all administrators in Admin Approval Mode**. Some Universal Windows Platform apps might not work when UAC is disabled.
## Virtualization
Because system administrators in enterprise environments attempt to secure systems, many line-of-business (LOB) applications are designed to use only a standard user access token. As a result, you don't need to replace most apps when UAC is turned on.
Windows includes file and registry virtualization technology for apps that aren't UAC-compliant and that requires an administrator's access token to run correctly. When an administrative app that isn't UAC-compliant attempts to write to a protected folder, such as *Program Files*, UAC gives the app its own virtualized view of the resource it's attempting to change. The virtualized copy is maintained in the user's profile. This strategy creates a separate copy of the virtualized file for each user that runs the noncompliant app.
Most app tasks operate properly by using virtualization features. Although virtualization allows most applications to run, it's a short-term fix and not a long-term solution. App developers should modify their apps to be compliant as soon as possible, rather than relying on file, folder, and registry virtualization.
Virtualization isn't an option in the following scenarios:
- Virtualization doesn't apply to apps that are elevated and run with a full administrative access token
- Virtualization supports only 32-bit apps. Nonelevated 64-bit apps receive an access denied message when they attempt to acquire a handle (a unique identifier) to a Windows object. Native Windows 64-bit apps are required to be compatible with UAC and to write data into the correct locations
- Virtualization is disabled if the app includes an app manifest with a requested execution level attribute
## Request execution levels
An app manifest is an XML file that describes and identifies the shared and private side-by-side assemblies that an app should bind to at run time. The app manifest includes entries for UAC app compatibility purposes. Administrative apps that include an entry in the app manifest prompt the user for permission to access the user's access token. Although they lack an entry in the app manifest, most administrative app can run without modification by using app compatibility fixes. App compatibility fixes are database entries that enable applications that aren't UAC-compliant to work properly.
All UAC-compliant apps should have a requested execution level added to the application manifest. If the application requires administrative access to the system, marking the app with a requested execution level of *require administrator* ensures that the system identifies this program as an administrative app, and performs the necessary elevation steps. Requested execution levels specify the privileges required for an app.
## Installer detection technology
Installation programs are apps designed to deploy software. Most installation programs write to system directories and registry keys. These protected system locations are typically writeable only by an administrator in Installer detection technology, which means that standard users don't have sufficient access to install programs. Windows heuristically detects installation programs and requests administrator credentials or approval from the administrator user in order to run with access privileges. Windows also heuristically detects updates and programs that uninstall applications. One of the design goals of UAC is to prevent installations from being run without the user's knowledge and consent because installation programs write to protected areas of the file system and registry.
Installer detection only applies to:
- 32-bit executable files
- Applications without a requested execution level attribute
- Interactive processes running as a standard user with UAC enabled
Before a 32-bit process is created, the following attributes are checked to determine whether it's an installer:
- File name includes keywords such as "install," "setup," or "update."
- Versioning Resource fields contain the following keywords: Vendor, Company Name, Product Name, File Description, Original Filename, Internal Name, and Export Name.
- Keywords in the side-by-side manifest are embedded in the executable file.
- Keywords in specific StringTable entries are linked in the executable file.
- Key attributes in the resource script data are linked in the executable file.
- Executable file contains targeted sequences of bytes.
> [!NOTE]
> The keywords and sequences of bytes were derived from common characteristics observed from various installer technologies.
> [!NOTE]
> The *User Account Control: Detect application installations and prompt for elevation* policy must be enabled for installer detection to detect installation programs. For more information, see [User Account Control settings list](settings-and-configuration.md#user-account-control-settings-list).

105
windows/security/application-security/application-control/user-account-control/how-it-works.md
View File

@ -2,7 +2,7 @@
title: How User Account Control works
description: Learn about User Account Control (UAC) components and how it interacts with the end users.
ms.topic: concept-article
ms.date: 03/26/2024
ms.date: 04/15/2025
---
# How User Account Control works
@ -34,8 +34,8 @@ When a user signs in, the system creates an access token for that user. The acce
When an administrator logs on, two separate access tokens are created for the user: a *standard user access token* and an *administrator access token*. The standard user access token:
- Contains the same user-specific information as the administrator access token, but the administrative Windows privileges and SIDs are removed
- It's used to start applications that don't perform administrative tasks (standard user apps)
- It's used to display the desktop by executing the process *explorer.exe*. Explorer.exe is the parent process from which all other user-initiated processes inherit their access token. As a result, all apps run as a standard user unless a user provides consent or credentials to approve an app to use a full administrative access token
- Is used to start applications that don't perform administrative tasks (standard user apps)
- Is used to display the desktop by executing the process *explorer.exe*. Explorer.exe is the parent process from which all other user-initiated processes inherit their access token. As a result, all apps run as a standard user unless a user provides consent or credentials to approve an app to use a full administrative access token
A user that is a member of the Administrators group can sign in, browse the Web, and read e-mail while using a standard user access token. When the administrator needs to perform a task that requires the administrator access token, Windows automatically prompts the user for approval. This prompt is called an *elevation prompt*, and its behavior can be configured via policy or registry.
@ -91,105 +91,8 @@ The elevation process is further secured by directing the prompt to the *secure
When an executable file requests elevation, the *interactive desktop*, also called the *user desktop*, is switched to the secure desktop. The secure desktop dims the user desktop and displays an elevation prompt that must be responded to before continuing. When the user selects **Yes** or **No**, the desktop switches back to the user desktop.
> [!NOTE]
> Starting in **Windows Server 2019**, it's not possible to paste the content of the clipboard on the secure desktop. This is the same behavior of the currently supported Windows client OS versions.
> Starting in **Windows Server 2019**, it's not possible to paste the content of the clipboard on the secure desktop. This behavior is the same as the currently supported Windows client OS versions.
Malware can present an imitation of the secure desktop, but when the **User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode** policy setting is set to **Prompt for consent**, the malware doesn't gain elevation if the user selects **Yes** on the imitation. If the policy setting is set to **Prompt for credentials**, malware imitating the credential prompt might be able to gather the credentials from the user. However, the malware doesn't gain elevated privilege and the system has other protections that mitigate malware from taking control of the user interface even with a harvested password.
While malware could present an imitation of the secure desktop, this issue can't occur unless a user previously installed the malware on the PC. Because processes requiring an administrator access token can't silently install when UAC is enabled, the user must explicitly provide consent by selecting **Yes** or by providing administrator credentials. The specific behavior of the UAC elevation prompt is dependent upon security policies.
## UAC Architecture
The following diagram details the UAC architecture.
:::image type="content" source="images/uac-architecture.gif" alt-text="Diagram that describes the UAC architecture.":::
To better understand each component, review the following tables:
### User
|Component|Description|
|--- |--- |
|User performs operation requiring privilege|If the operation changes the file system or registry, Virtualization is called. All other operations call ShellExecute.|
|ShellExecute|ShellExecute calls CreateProcess. ShellExecute looks for the ERROR_ELEVATION_REQUIRED error from CreateProcess. If it receives the error, ShellExecute calls the Application Information service to attempt to perform the requested task with the elevated prompt.|
|CreateProcess|If the application requires elevation, CreateProcess rejects the call with ERROR_ELEVATION_REQUIRED.|
### System
|Component|Description|
|--- |--- |
|Application Information service|A system service that helps start apps that require one or more elevated privileges or user rights to run, such as local administrative tasks, and apps that require higher integrity levels. The Application Information service helps start such apps by creating a new process for the application with an administrative user's full access token when elevation is required. Depending on the configured policies, the user might give consent.|
|Elevating an ActiveX install|If ActiveX isn't installed, the system checks the UAC slider level. If ActiveX is installed, the **User Account Control: Switch to the secure desktop when prompting for elevation** Group Policy setting is checked.|
|Check UAC slider level|UAC has a slider to select from four levels of notification.<ul><li>**Always notify** will:<ul><li>Notify you when programs try to install software or make changes to your computer.</li><li>Notify you when you make changes to Windows settings.</li><li>Freeze other tasks until you respond.</li></ul>Recommended if you often install new software or visit unfamiliar websites.<br></li><li>**Notify me only when programs try to make changes to my computer** will:<ul><li>Notify you when programs try to install software or make changes to your computer.</li><li>Not notify you when you make changes to Windows settings.</li><li>Freeze other tasks until you respond.</li></ul>Recommended if you don't often install apps or visit unfamiliar websites.<br></li><li>**Notify me only when programs try to make changes to my computer (do not dim my desktop)** will:<ul><li>Notify you when programs try to install software or make changes to your computer.</li><li>Not notify you when you make changes to Windows settings.</li><li>Not freeze other tasks until you respond.</li></ul>Not recommended. Choose this only if it takes a long time to dim the desktop on your computer.<br></li><li>**Never notify (Disable UAC prompts)** will:<ul><li>Not notify you when programs try to install software or make changes to your computer.</li><li>Not notify you when you make changes to Windows settings.</li><li>Not freeze other tasks until you respond.</li></ul>Not recommended due to security concerns.|
|Secure desktop enabled|The **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting is checked: <ul><li>If the secure desktop is enabled, all elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users.</li><li>If the secure desktop isn't enabled, all elevation requests go to the interactive user's desktop, and the per-user settings for administrators and standard users are used.|
|CreateProcess|CreateProcess calls AppCompat, Fusion, and Installer detection to assess if the app requires elevation. The file is then inspected to determine its requested execution level, which is stored in the application manifest for the file. CreateProcess fails if the requested execution level specified in the manifest doesn't match the access token and returns an error (ERROR_ELEVATION_REQUIRED) to ShellExecute.|
|AppCompat|The AppCompat database stores information in the application compatibility fix entries for an application.|
|Fusion|The Fusion database stores information from application manifests that describe the applications. The manifest schema is updated to add a new requested execution level field.|
|Installer detection|Installer detection detects setup files, which helps prevent installations from being run without the user's knowledge and consent.|
### Kernel
|Component|Description|
|--- |--- |
|Virtualization|Virtualization technology ensures that noncompliant apps don't silently fail to run or fail in a way that the cause can't be determined. UAC also provides file and registry virtualization and logging for applications that write to protected areas.|
|File system and registry|The per-user file and registry virtualization redirects per-computer registry and file write requests to equivalent per-user locations. Read requests are redirected to the virtualized per-user location first and to the per-computer location second.|
The slider never turns off UAC completely. If you set it to **Never notify**, it will:
- Keep the UAC service running
- Cause all elevation request initiated by administrators to be autoapproved without showing a UAC prompt
- Automatically deny all elevation requests for standard users
> [!IMPORTANT]
> In order to fully disable UAC you must disable the policy **User Account Control: Run all administrators in Admin Approval Mode**.
> [!WARNING]
> Some Universal Windows Platform apps may not work when UAC is disabled.
### Virtualization
Because system administrators in enterprise environments attempt to secure systems, many line-of-business (LOB) applications are designed to use only a standard user access token. As a result, you don't need to replace most apps when UAC is turned on.
Windows includes file and registry virtualization technology for apps that aren't UAC-compliant and that requires an administrator's access token to run correctly. When an administrative app that isn't UAC-compliant attempts to write to a protected folder, such as *Program Files*, UAC gives the app its own virtualized view of the resource it's attempting to change. The virtualized copy is maintained in the user's profile. This strategy creates a separate copy of the virtualized file for each user that runs the noncompliant app.
Most app tasks operate properly by using virtualization features. Although virtualization allows most applications to run, it's a short-term fix and not a long-term solution. App developers should modify their apps to be compliant as soon as possible, rather than relying on file, folder, and registry virtualization.
Virtualization isn't an option in the following scenarios:
- Virtualization doesn't apply to apps that are elevated and run with a full administrative access token
- Virtualization supports only 32-bit apps. Nonelevated 64-bit apps receive an access denied message when they attempt to acquire a handle (a unique identifier) to a Windows object. Native Windows 64-bit apps are required to be compatible with UAC and to write data into the correct locations
- Virtualization is disabled if the app includes an app manifest with a requested execution level attribute
### Request execution levels
An app manifest is an XML file that describes and identifies the shared and private side-by-side assemblies that an app should bind to at run time. The app manifest includes entries for UAC app compatibility purposes. Administrative apps that include an entry in the app manifest prompt the user for permission to access the user's access token. Although they lack an entry in the app manifest, most administrative app can run without modification by using app compatibility fixes. App compatibility fixes are database entries that enable applications that aren't UAC-compliant to work properly.
All UAC-compliant apps should have a requested execution level added to the application manifest. If the application requires administrative access to the system, marking the app with a requested execution level of *require administrator* ensures that the system identifies this program as an administrative app, and performs the necessary elevation steps. Requested execution levels specify the privileges required for an app.
### Installer detection technology
Installation programs are apps designed to deploy software. Most installation programs write to system directories and registry keys. These protected system locations are typically writeable only by an administrator in Installer detection technology, which means that standard users don't have sufficient access to install programs. Windows heuristically detects installation programs and requests administrator credentials or approval from the administrator user in order to run with access privileges. Windows also heuristically detects updates and programs that uninstall applications. One of the design goals of UAC is to prevent installations from being run without the user's knowledge and consent because installation programs write to protected areas of the file system and registry.
Installer detection only applies to:
- 32-bit executable files
- Applications without a requested execution level attribute
- Interactive processes running as a standard user with UAC enabled
Before a 32-bit process is created, the following attributes are checked to determine whether it's an installer:
- The file name includes keywords such as "install," "setup," or "update."
- Versioning Resource fields contain the following keywords: Vendor, Company Name, Product Name, File Description, Original Filename, Internal Name, and Export Name.
- Keywords in the side-by-side manifest are embedded in the executable file.
- Keywords in specific StringTable entries are linked in the executable file.
- Key attributes in the resource script data are linked in the executable file.
- There are targeted sequences of bytes within the executable file.
> [!NOTE]
> The keywords and sequences of bytes were derived from common characteristics observed from various installer technologies.
> [!NOTE]
> The *User Account Control: Detect application installations and prompt for elevation* policy must be enabled for installer detection to detect installation programs. For more information, see [User Account Control settings list](settings-and-configuration.md#user-account-control-settings-list).
## Next steps
Learn more about [User Account Control settings and configuration](settings-and-configuration.md).

2
windows/security/application-security/application-control/user-account-control/index.md
View File

@ -2,7 +2,7 @@
title: User Account Control
description: Learn how User Account Control (UAC) helps to prevent unauthorized changes to Windows devices.
ms.topic: overview
ms.date: 03/26/2024
ms.date: 04/15/2025
---
# User Account Control overview

107
windows/security/application-security/application-control/user-account-control/settings-and-configuration.md
View File

@ -1,7 +1,7 @@
---
title: User Account Control settings and configuration
description: Learn about the User Account Control settings and how to configure them via Intune, CSP, group policy, and registry.
ms.date: 03/26/2024
ms.date: 04/15/2025
ms.topic: how-to
---
@ -9,35 +9,74 @@ ms.topic: how-to
## User Account Control settings list
The following table lists the available settings to configure the UAC behavior, and their default values.
The following list shows the available settings to configure the UAC behavior, and their default values.
|Setting name| Description|
|-|-|
|Admin Approval Mode for the Built-in Administrator account|Controls the behavior of Admin Approval Mode for the built-in Administrator account.<br><br>**Enabled**: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege prompts the user to approve the operation.<br>**Disabled (default)**: The built-in Administrator account runs all applications with full administrative privilege.|
|Allow UIAccess applications to prompt for elevation without using the secure desktop|Controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user.<br><br>**Enabled**: UIA programs, including Remote Assistance, automatically disable the secure desktop for elevation prompts. If you don't disable the **Switch to the secure desktop when prompting for elevation** policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop. This setting allows the remote administrator to provide the appropriate credentials for elevation. This policy setting doesn't change the behavior of the UAC elevation prompt for administrators. If you plan to enable this policy setting, you should also review the effect of the **Behavior of the elevation prompt for standard users** policy setting: if it's' configured as **Automatically deny elevation requests**, elevation requests aren't presented to the user.<br>**Disabled (default)**: The secure desktop can be disabled only by the user of the interactive desktop or by disabling the **Switch to the secure desktop when prompting for elevation** policy setting.|
|Behavior of the elevation prompt for administrators in Admin Approval Mode|Controls the behavior of the elevation prompt for administrators.<br><br>**Elevate without prompting**: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. **Use this option only in the most constrained environments**.<br>**Prompt for credentials on the secure desktop**: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege.<br>**Prompt for consent on the secure desktop**: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.<br>**Prompt for credentials**: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.<br>**Prompt for consent**: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.<br>**Prompt for consent for non-Windows binaries (default)**: When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.|
|Behavior of the elevation prompt for standard users|Controls the behavior of the elevation prompt for standard users.<br><br>**Prompt for credentials (default)**: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.<br>**Automatically deny elevation requests**: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls.<br>**Prompt for credentials on the secure desktop** When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.|
|Detect application installations and prompt for elevation|Controls the behavior of application installation detection for the computer.<br><br>**Enabled (default)**: When an app installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.<br>**Disabled**: App installation packages aren't detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies, such as Microsoft Intune, should disable this policy setting. In this case, installer detection is unnecessary. |
|Only elevate executables that are signed and validated|Enforces signature checks for any interactive applications that request elevation of privilege. IT admins can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local devices.<br><br>**Enabled**: Enforces the certificate certification path validation for a given executable file before it's permitted to run.<br>**Disabled (default)**: Doesn't enforce the certificate certification path validation before a given executable file is permitted to run.|
|Only elevate UIAccess applications that are installed in secure locations|Controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following folders:<br>- `%ProgramFiles%`, including subfolders<br>- `%SystemRoot%\system32\`<br>- `%ProgramFiles(x86)%`, including subfolders<br><br><br>**Enabled (default)**: If an app resides in a secure location in the file system, it runs only with UIAccess integrity.<br>**Disabled**: An app runs with UIAccess integrity even if it doesn't reside in a secure location in the file system.<br><br>**Note:** Windows enforces a digital signature check on any interactive apps that requests to run with a UIAccess integrity level regardless of the state of this setting.|
|Run all administrators in Admin Approval Mode|Controls the behavior of all UAC policy settings.<br><br>**Enabled (default)**: Admin Approval Mode is enabled. This policy must be enabled and related UAC settings configured. The policy allows the built-in Administrator account and members of the Administrators group to run in Admin Approval Mode.<br>**Disabled**: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, **Windows Security** notifies you that the overall security of the operating system is reduced.|
|Switch to the secure desktop when prompting for elevation|This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop.<br><br>**Enabled (default)**: All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users.<br>**Disabled**: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used.|
|Virtualize File And Registry Write Failures To Per User Locations|Controls whether application write failures are redirected to defined registry and file system locations. This setting mitigates applications that run as administrator and write run-time application data to `%ProgramFiles%`, `%Windir%`, `%Windir%\system32`, or `HKLM\Software`.<br><br>**Enabled (default)**: App write failures are redirected at run time to defined user locations for both the file system and registry.<br>**Disabled**: Apps that write data to protected locations fail.|
- **Admin Approval Mode for the built-in Administrator account**: Controls the behavior of Admin Approval Mode for the built-in Administrator account.
- **Enabled**: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege prompts the user to prove the operation.
- **Disabled (default)**: The built-in Administrator account runs all applications with full administrative privilege.
- **Allow UIAccess applications to prompt for elevation without using the secure desktop**: Controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user.
- **Enabled**: UIA programs, including Remote Assistance, automatically disable the secure desktop for elevation prompts. If you don't disable the **Switch to the secure desktop when prompting for elevation** policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop. This setting allows the remote administrator to provide the appropriate credentials for elevation. This policy setting doesn't change the behavior of the UAC elevation prompt for administrators. If you plan to enable this policy setting, you should also review the effect of the **Behavior of the elevation prompt for standard users** policy setting; if configured as **Automatically deny elevation requests**, elevation requests aren't presented to the user.
- **Disabled (default)**: The secure desktop can be disabled only by the user of the interactive desktop or by disabling the **Switch to the secure desktop when prompting for elevation** policy setting.
- **Behavior of the elevation prompt for administrators in Admin Approval Mode**: Controls the behavior of the elevation prompt for administrators.
- **Elevate without prompting**: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. **Use this option only in the most constrained environments**.
- **Prompt for credentials on the secure desktop**: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege.
- **Prompt for consent on the secure desktop**: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
- **Prompt for credentials**: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
- **Prompt for consent**: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
- **Prompt for consent for non-Windows binaries (default)**: When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
- **Behavior of the elevation prompt for standard users**: Controls the behavior of the elevation prompt for standard users.
- **Prompt for credentials (default)**: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
- **Automatically deny elevation requests**: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user might choose this setting to reduce help desk calls.
- **Prompt for credentials on the secure desktop**: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
- **Detect application installations and prompt for elevation**: Controls the behavior of application installation detection for the computer.
- **Enabled (default)**: When an app installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
- **Disabled**: App installation packages aren't detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies, such as Microsoft Intune, should disable this policy setting. In this case, installer detection is unnecessary.
- **Only elevate executables that are signed and validated**: Enforces signature checks for any interactive applications that request elevation of privilege. IT admins can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local devices.
- **Enabled**: Enforces the certificate certification path validation for a given executable file before it's permitted to run.
- **Disabled (default)**: Doesn't enforce the certificate certification path validation before a given executable file is permitted to run.
- **Only elevate UIAccess applications that are installed in secure locations**: Controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system.
- **Enabled (default)**: If an app resides in a secure location in the file system, it runs only with UIAccess integrity.
- **Disabled**: An app runs with UIAccess integrity even if it doesn't reside in a secure location in the file system.
Secure locations are limited to the following folders:
- `%ProgramFiles%`, including subfolders
- `%SystemRoot%\system32\`
- `%ProgramFiles(x86)%`, including subfolders
> [!NOTE]
> Windows enforces a digital signature check on any interactive apps that request to run with a UIAccess integrity level regardless of the state of this setting.
- **Run all administrators in Admin Approval Mode**: Controls the behavior of all UAC policy settings.
- **Enabled (default)**: Admin Approval Mode is enabled. This policy must be enabled and related UAC settings configured. The policy allows the built-in Administrator account and members of the Administrators group to run in Admin Approval Mode.
- **Disabled**: Admin Approval Mode and all related UAC policy settings are disabled. **Note:** If this policy setting is disabled, **Windows Security** notifies you that the overall security of the operating system is reduced.
- **Switch to the secure desktop when prompting for elevation**: This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop.
- **Enabled (default)**: All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users.
- **Disabled**: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used.
- **Virtualize File And Registry Write Failures To Per User Locations**: Controls whether application write failures are redirected to defined registry and file system locations. This setting mitigates applications that run as administrator and write run-time application data to `%ProgramFiles%`, `%Windir%`, `%Windir%\system32`, or `HKLM\Software`.
- **Enabled (default)**: App write failures are redirected at run time to defined user locations for both the file system and registry.
- **Disabled**: Apps that write data to protected locations fail.
## User Account Control configuration
To configure UAC, you can use:
- Microsoft Intune/MDM
- Microsoft Intune
- CSP
- Group policy
- Registry
The following instructions provide details how to configure your devices. Select the option that best suits your needs.
#### [:::image type="icon" source="../../../images/icons/intune.svg" border="false"::: **Intune/CSP**](#tab/intune)
### Configure UAC with a Settings catalog policy
#### [:::image type="icon" source="../../../images/icons/intune.svg"::: **Intune**](#tab/intune)
To configure devices using Microsoft Intune, [create a **Settings catalog** policy][MEM-2], and use the settings listed under the category **`Local Policies Security Options`**:
@ -45,21 +84,23 @@ To configure devices using Microsoft Intune, [create a **Settings catalog** poli
Assign the policy to a security group that contains as members the devices or users that you want to configure.
Alternatively, you can configure devices using a [custom policy][MEM-1] with the [LocalPoliciesSecurityOptions Policy CSP][WIN-1].\
The policy settings are located under: `./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions`.
#### [:::image type="icon" source="../../../images/icons/csp.svg"::: **CSP**](#tab/csp)
You can configure devices using the [LocalPoliciesSecurityOptions Policy CSP][WIN-1].
|Setting|CSP Name|
|--|--|
| Admin Approval Mode for the built-in Administrator account | `UserAccountControl_UseAdminApprovalMode`|
| Allow UIAccess applications to prompt for elevation without using the secure desktop | `UserAccountControl_AllowUIAccessApplicationsToPromptForElevation` |
| Behavior of the elevation prompt for administrators in Admin Approval Mode | `UserAccountControl_BehaviorOfTheElevationPromptForAdministrators`|
| Behavior of the elevation prompt for standard users | `UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers`|
| Detect application installations and prompt for elevation | `UserAccountControl_DetectApplicationInstallationsAndPromptForElevation`|
| Only elevate executables that are signed and validated | `UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated`|
| Only elevate UIAccess applications that are installed in secure locations | `UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations`|
| Run all administrators in Admin Approval Mode | `UserAccountControl_RunAllAdministratorsInAdminApprovalMode`|
| Switch to the secure desktop when prompting for elevation | `UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation`|
| Virtualize file and registry write failures to per-user locations | `UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations`|
|Setting|
| - |
| **Setting name**: Admin Approval Mode for the built-in Administrator account<br>**Policy CSP name**: `UserAccountControl_UseAdminApprovalMode`|
| **Setting name**: Allow UIAccess applications to prompt for elevation without using the secure desktop<br>**Policy CSP name**: `UserAccountControl_AllowUIAccessApplicationsToPromptForElevation`|
| **Setting name**: Behavior of the elevation prompt for administrators in Admin Approval Mode<br>**Policy CSP name**: `UserAccountControl_BehaviorOfTheElevationPromptForAdministrators`|
| **Setting name**: Behavior of the elevation prompt for standard users<br>**Policy CSP name**: `UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers`|
| **Setting name**: Detect application installations and prompt for elevation<br>**Policy CSP name**: `UserAccountControl_DetectApplicationInstallationsAndPromptForElevation`|
| **Setting name**: Only elevate executables that are signed and validated<br>**Policy CSP name**: `UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated`|
| **Setting name**: Only elevate UIAccess applications that are installed in secure locations<br>**Policy CSP name**: `UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations`|
| **Setting name**: Run all administrators in Admin Approval Mode<br>**Policy CSP name**: `UserAccountControl_RunAllAdministratorsInAdminApprovalMode`|
| **Setting name**: Switch to the secure desktop when prompting for elevation<br>**Policy CSP name**: `UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation`|
| **Setting name**: Virtualize file and registry write failures to per-user locations<br>**Policy CSP name**: `UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations`|
#### [:::image type="icon" source="../../../images/icons/group-policy.svg" border="false"::: **GPO**](#tab/gpo)