Paolo Matarazzo 2023-05-26 17:35:08 -04:00
parent 688e074026
commit 6cd7cb01da
5 changed files with 66 additions and 106 deletions

View File

@ -40,7 +40,7 @@ When an administrator logs on, two separate access tokens are created for the us
- It's used to start applications that don't perform administrative tasks (standard user apps)
- It's used to display the desktop by executing the process *explorer.exe*. Explorer.exe is the parent process from which all other user-initiated processes inherit their access token. As a result, all apps run as a standard user unless a user provides consent or credentials to approve an app to use a full administrative access token
A user that is a member of the Administrators group can sign in, browse the Web, and read e-mail while using a standard user access token. When the administrator needs to perform a task that requires the administrator access token, Windows automatically prompts the user for approval. This prompt is called an *elevation prompt*, and its behavior can be configured via policy or registry. For more information, see [User Account Control security policy settings](user-account-control-security-policy-settings.md).
A user that is a member of the Administrators group can sign in, browse the Web, and read e-mail while using a standard user access token. When the administrator needs to perform a task that requires the administrator access token, Windows automatically prompts the user for approval. This prompt is called an *elevation prompt*, and its behavior can be configured via policy or registry.
## The UAC user experience
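Review bot: the replacement paragraph drops the cross-reference ("For more information, see [User Account Control security policy settings](...)") without pointing anywhere else, so "its behavior can be configured via policy or registry" no longer tells the reader where those settings are documented. Since this commit moves the settings reference into configure.md, end the sentence with a link to it, e.g. `For more information, see [User Account Control settings and configuration](configure.md).`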
@ -189,3 +189,7 @@ Before a 32-bit process is created, the following attributes are checked to dete
> [!NOTE]
> The User Account Control: Detect application installations and prompt for elevation policy setting must be enabled for installer detection to detect installation programs. For more info, see [User Account Control security policy settings](user-account-control-security-policy-settings.md).
## Next steps
Learn more about about the [UAC settings and how to configure them](configure.md).
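Review bot: "Learn more about about the" on the Next steps line has a doubled "about". Also, the unchanged NOTE above still links to user-account-control-security-policy-settings.md while the other hunks in this commit remove their links to that article; if that page is being retired in favor of configure.md, this link needs updating too or it will break.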

Binary file not shown (image, 192 KiB).

View File

@ -32,8 +32,5 @@ When an app requires to run with more than standard user rights, UAC allows user
## Next steps
Learn more about UAC in the following articles:
- [How User Account Control works](how-user-account-control-works.md)
- [User Account Control policy settings](user-account-control-security-policy-settings.md): you can configure UAC using group policy or MDM
- [User Account Control Group Policy and registry key settings](user-account-control-group-policy-and-registry-key-settings.md): list of UAC group policy, CSP, and registry key settings that your organization can use to manage UAC
- [UAC settings and how to configure them](configure.md)
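Review bot: the two removed entries (policy settings; group policy and registry key settings) are replaced by a single link to configure.md, which matches the rest of the commit, but the removed article paths will still be reached from external bookmarks and search results; confirm that redirects for both paths are part of the same change. The new entry also drops the short descriptions the removed items carried (e.g. ": you can configure UAC using group policy or MDM"); a similar clause on the configure.md item would keep the list informative.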

View File

@ -1,11 +1,13 @@
---
title: Configure User Account Control
title: User Account Control settings and configuration
description: Learn about the User Account Control settings and how to configure them via Intune, CSP, group policy and registry.
ms.date: 05/26/2023
ms.topic: how-to
---
# Configure User Account Control
# User Account Control settings and configuration
## User Account Control settings list
The following table lists the available settings to configure the UAC behavior, and their default values.
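Review bot: the `title` and H1 change together and the description matches the tabs ("Intune, CSP, group policy and registry"), so this hunk is consistent. The `ms.date` bump appears only in this file's front matter within the diff; if the other edited articles in this commit were not bumped as well, they will display a stale last-updated date.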
@ -18,7 +20,7 @@ The following table lists the available settings to configure the UAC behavior,
|Behavior of the elevation prompt for standard users|Controls the behavior of the elevation prompt for standard users.<br><br>**Prompt for credentials**: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.<br>**Automatically deny elevation requests**: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls.<br>**Prompt for credentials on the secure desktop** When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.|Prompt for credentials|
|Detect application installations and prompt for elevation|Controls the behavior of application installation detection for the computer.<br><br>**Enabled**: When an app installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.<br>**Disabled**: App installation packages aren't detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies, such as Microsoft Intune, should disable this policy setting. In this case, installer detection is unnecessary. |Enabled|
|Only elevate executables that are signed and validated|Enforces signature checks for any interactive applications that request elevation of privilege. IT admins can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local devices.<br><br>**Enabled**: Enforces the certificate certification path validation for a given executable file before it's permitted to run.<br>**Disabled**: Doesn't enforce the certificate certification path validation before a given executable file is permitted to run.|Disabled|
|Only elevate UIAccess applications that are installed in secure locations|Controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following folders:<br>- `Program Files`, including subfolders<br>- `\Windows\\system32\`<br>- `\Program Files (x86)\`, including subfolders<br><br><br>**Enabled**: If an app resides in a secure location in the file system, it runs only with UIAccess integrity.<br>**Disabled**: An app runs with UIAccess integrity even if it doesn't reside in a secure location in the file system.<br><br>**Note:** Windows enforces a digital signature check on any interactive apps that requests to run with a UIAccess integrity level regardless of the state of this setting.|Enabled|
|Only elevate UIAccess applications that are installed in secure locations|Controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following folders:<br>- `%ProgramFiles%`, including subfolders<br>- `%SystemRoot%\system32\`<br>- `%ProgramFiles(x86)%`, including subfolders<br><br><br>**Enabled**: If an app resides in a secure location in the file system, it runs only with UIAccess integrity.<br>**Disabled**: An app runs with UIAccess integrity even if it doesn't reside in a secure location in the file system.<br><br>**Note:** Windows enforces a digital signature check on any interactive apps that requests to run with a UIAccess integrity level regardless of the state of this setting.|Enabled|
|Allow UIAccess applications to prompt for elevation without using the secure desktop|Controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user.<br><br>**Enabled**: UIA programs, including Remote Assistance, automatically disable the secure desktop for elevation prompts. If you don't disable the **Switch to the secure desktop when prompting for elevation** policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop.<br>**Disabled**: The secure desktop can be disabled only by the user of the interactive desktop or by disabling the **Switch to the secure desktop when prompting for elevation** policy setting.|Disabled|
|Virtualize File And Registry Write Failures To Per User Locations|Controls whether application write failures are redirected to defined registry and file system locations. This setting mitigates applications that run as administrator and write run-time application data to `%ProgramFiles%`, `%Windir%`, `%Windir%\system32`, or `HKLM\Software`.<br><br>**Enabled**: App write failures are redirected at run time to defined user locations for both the file system and registry.<br>**Disabled**: Apps that write data to protected locations fail.|Enabled|
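Review bot: the same directory is written `%SystemRoot%\system32\` in the UIAccess secure-locations row but `%Windir%\system32` in the Virtualize row; pick one variable so the two rows agree. Other nits in this hunk: "any interactive apps that requests" should be "that request"; "**Prompt for credentials on the secure desktop** When an operation..." is missing the colon the sibling options have; the triple `<br><br><br>` before **Enabled** renders as an extra blank line; and the Virtualize row's setting name is in Title Case ("Virtualize File And Registry Write Failures To Per User Locations") while the CSP and registry tables later in the diff use "Virtualize file and registry write failures to per-user locations".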
@ -33,22 +35,40 @@ To configure UAC you can use:
Follow the instructions below to configure your devices, selecting the option that best suits your needs.
#### [:::image type="icon" source="../../../images/icons/intune.svg" border="false"::: **Intune**](#tab/intune)
#### [:::image type="icon" source="../../../images/icons/intune.svg" border="false"::: **Intune/CSP**](#tab/intune)
### Configure UAC with a Settings catalog policy
To configure devices using a Settings catalog policy follow these steps:
To configure devices using Microsoft Intune, [create a **Settings catalog** policy][MEM-2], and use the settings listed under the category **`Local Policies Security Options`**:
:::image type="content" source="./images/settings-catalog-uac.png" alt-text="Screenshot that shows the UAC policies in the Intune settings catalog." lightbox="./images/settings-catalog-uac.png" border="True":::
Assign the policy to a security group that contains as members the devices or users that you want to configure.
Alternatively, you can configure devices using a [custom policy][MEM-1] with the [LocalPoliciesSecurityOptions Policy CSP][WIN-1].
| CSP path | Setting name |
| - | - |
| `./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode` | Run all administrators in Admin Approval Mode |
| `./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode` |Admin Approval Mode for the built-in Administrator account |
| `./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation` | Switch to the secure desktop when prompting for elevation|
| `./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators` | Behavior of the elevation prompt for administrators in Admin Approval Mode|
| `./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers` | Behavior of the elevation prompt for standard users |
| `./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation` |Detect application installations and prompt for elevation |
| `./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated` | Only elevate executables that are signed and validated |
| `./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations` | Only elevate UIAccess applications that are installed in secure locations |
| `./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation` | Allow UIAccess applications to prompt for elevation without using the secure desktop|
| `./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations` | Virtualize file and registry write failures to per-user locations |
Alternatively, configure UAC using the [LocalPoliciesSecurityOptions Policy CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions).
#### [:::image type="icon" source="../../../images/icons/group-policy.svg" border="false"::: **Group policy**](#tab/gpo)
You can use security policies to configure how User Account Control works in your organization. They can be configured locally by using the Local Security Policy snap-in (secpol.msc) or configured for the domain, OU, or specific groups by Group Policy.
You can use security policies to configure how User Account Control works in your organization. The policies can be configured locally by using the Local Security Policy snap-in (`secpol.msc`) or configured for the domain, OU, or specific groups by group policy.
These policy settings are located in `Security Settings\Local Policies\Security Options` in the Local Security Policy snap-in.
The policy settings are located under: `Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options`.
| Group Policy setting |Default |
| - | - |
| - | - |
|User Account Control: Run all administrators in Admin Approval Mode| Enabled |
|User Account Control: Admin Approval Mode for the built-in Administrator account| Disabled |
|User Account Control: Switch to the secure desktop when prompting for elevation | Enabled |
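Review bot: the group policy table carries its header separator `| - | - |` twice; a duplicated separator row renders as an empty data row or breaks the table depending on the renderer, so delete one. The new location line `Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options` is the Group Policy Management Editor path, yet the preceding sentence still says the policies can be set locally with `secpol.msc`, where the path begins at `Security Settings\Local Policies\Security Options` (the text being replaced); give both paths or say which tool the path applies to. If the line "Alternatively, configure UAC using the [LocalPoliciesSecurityOptions Policy CSP](https://learn.microsoft.com/...)" is meant to survive, it duplicates the sentence that introduces the CSP table and uses an absolute URL where the rest of the file uses the `[WIN-1]` reference link, so it should go. Minor: "a security group that contains as members the devices or users" reads better as "a security group whose members are the devices or users".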
@ -62,20 +82,43 @@ These policy settings are located in `Security Settings\Local Policies\Security
#### [:::image type="icon" source="../../../images/icons/windows-os.svg" border="false"::: **Registry**](#tab/reg)
The registry keys are found in the path: `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`.
The registry keys are found under the key: `HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`.
| Registry key name | Setting name | Value |
| - | - | - |
| `EnableLUA` | Run all administrators in Admin Approval Mode | 0 = Disabled<br>1 (Default) = Enabled |
| `FilterAdministratorToken` |Admin Approval Mode for the built-in Administrator account | 0 (Default) = Disabled<br>1 = Enabled |
| `PromptOnSecureDesktop` | Switch to the secure desktop when prompting for elevation| 0 = Disabled<br>1 (Default) = Enabled |
| `ConsentPromptBehaviorAdmin` | Behavior of the elevation prompt for administrators in Admin Approval Mode| 0 = Elevate without prompting<br />1 = Prompt for credentials on the secure desktop<br />2 = Prompt for consent on the secure desktop<br />3 = Prompt for credentials<br />4 = Prompt for consent<br />5 (Default) = Prompt for consent for non-Windows binaries<br /> |
| `ConsentPromptBehaviorUser` | Behavior of the elevation prompt for standard users | 0 = Automatically deny elevation requests<br />1 = Prompt for credentials on the secure desktop<br />3 (Default) = Prompt for credentials |
| `EnableInstallerDetection` |Detect application installations and prompt for elevation | 1 = Enabled (default for home only)<br />0 = Disabled (default) |
| `ValidateAdminCodeSignatures` | Only elevate executables that are signed and validated | 0 (Default) = Disabled<br/>1 = Enabled |
| `EnableSecureUIAPaths` | Only elevate UIAccess applications that are installed in secure locations | 0 = Disabled<br />1 (Default) = Enabled |
| `EnableUIADesktopToggle` | Allow UIAccess applications to prompt for elevation without using the secure desktop| 0 (Default) = Disabled<br />1 = Enabled |
| `EnableVirtualization` | Virtualize file and registry write failures to per-user locations | 0 = Disabled<br />1 (Default) = Enabled |
| `ConsentPromptBehaviorAdmin` | Behavior of the elevation prompt for administrators in Admin Approval Mode| 0 = Elevate without prompting<br>1 = Prompt for credentials on the secure desktop<br>2 = Prompt for consent on the secure desktop<br>3 = Prompt for credentials<br>4 = Prompt for consent<br>5 (Default) = Prompt for consent for non-Windows binaries|
| `ConsentPromptBehaviorUser` | Behavior of the elevation prompt for standard users | 0 = Automatically deny elevation requests<br>1 = Prompt for credentials on the secure desktop<br>3 (Default) = Prompt for credentials |
| `EnableInstallerDetection` |Detect application installations and prompt for elevation | 1 = Enabled (default for home only)<br>0 = Disabled (default) |
| `ValidateAdminCodeSignatures` | Only elevate executables that are signed and validated | 0 (Default) = Disabled<br>1 = Enabled |
| `EnableSecureUIAPaths` | Only elevate UIAccess applications that are installed in secure locations | 0 = Disabled<br>1 (Default) = Enabled |
| `EnableUIADesktopToggle` | Allow UIAccess applications to prompt for elevation without using the secure desktop| 0 (Default) = Disabled<br>1 = Enabled |
| `EnableVirtualization` | Virtualize file and registry write failures to per-user locations | 0 = Disabled<br>1 (Default) = Enabled |
---
----
UIA programs must be digitally signed because they must be able to respond to prompts regarding security issues, such as the UAC elevation prompt. By default, UIA programs are run only from the following protected paths:
The **User Account Control: Only elevate UIAccess applications that are installed in secure locations** policy setting disables the requirement to be run from a protected path.
While this policy setting applies to any UIA program, it is primarily used in certain remote assistance scenarios.
If a user requests remote assistance from an administrator and the remote assistance session is established, any elevation prompts appear on the interactive user's secure desktop and the administrator's remote session is paused. To avoid pausing the remote administrator's session during elevation requests, the user may select the **Allow IT Expert to respond to User Account Control prompts** check box when setting up the remote assistance session. However, selecting this check box requires that the interactive user respond to an elevation prompt on the secure desktop. If the interactive user is a standard user, the user does not have the required credentials to allow elevation.
If you enable this policy setting, requests for elevation are automatically sent to the interactive desktop (not the secure desktop) and also appear on the remote administrator's view of the desktop during a remote assistance session. This allows the remote administrator to provide the appropriate credentials for elevation.
This policy setting does not change the behavior of the UAC elevation prompt for administrators.
If you plan to enable this policy setting, you should also review the effect of the **User Account Control: Behavior of the elevation prompt for standard users** policy setting. If it is configured as **Automatically deny elevation requests**, elevation requests are not presented to the user.
[WIN-1]: /windows/client-management/mdm/policy-csp-localpoliciessecurityoptions
[MEM-1]: /mem/intune/configuration/custom-settings-windows-10
[MEM-2]: /mem/intune/configuration/settings-catalog
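Review bot: "By default, UIA programs are run only from the following protected paths:" ends in a colon but the path list that followed it in the deleted article was not carried over, so the sentence dangles; restore the three paths or reword it to refer to the secure-locations row of the settings table. The next sentence says the **Only elevate UIAccess applications that are installed in secure locations** setting "disables the requirement" to run from a protected path, which contradicts the settings table earlier in this diff, where **Enabled** (the default) enforces the location check and **Disabled** lifts it; it should say that disabling the setting removes the requirement. These paragraphs also sit after the `---` that closes the tab group with no heading, so they appear to belong to no section; a heading such as "UIAccess applications and the secure desktop" would place them. Two smaller points: `HKLM:\SOFTWARE\...` with a colon is PowerShell drive syntax while the Virtualize row above uses `HKLM\Software`, so use one notation; and the `EnableInstallerDetection` row lists "1 = Enabled (default for home only)" and "0 = Disabled (default)", which disagrees with the default of **Enabled** shown for that setting in the settings table.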

View File

@ -1,84 +0,0 @@
### User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop
The **User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop** policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user.
The options are:
- **Enabled.** UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you do not disable the **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop.
- **Disabled.** (Default) The secure desktop can be disabled only by the user of the interactive desktop or by disabling the **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting.
UIA programs are designed to interact with Windows and application programs on behalf of a user. This policy setting allows UIA programs to bypass the secure desktop to increase usability in certain cases; however, allowing elevation requests to appear on the interactive desktop instead of the secure desktop can increase your security risk.
UIA programs must be digitally signed because they must be able to respond to prompts regarding security issues, such as the UAC elevation prompt. By default, UIA programs are run only from the following protected paths:
- ...\\Program Files, including subfolders
- ...\\Program Files (x86), including subfolders for 64-bit versions of Windows
- ...\\Windows\\System32
The **User Account Control: Only elevate UIAccess applications that are installed in secure locations** policy setting disables the requirement to be run from a protected path.
While this policy setting applies to any UIA program, it is primarily used in certain remote assistance scenarios, including the Windows Remote Assistance program in Windows 7.
If a user requests remote assistance from an administrator and the remote assistance session is established, any elevation prompts appear on the interactive user's secure desktop and the administrator's remote session is paused. To avoid pausing the remote administrator's session during elevation requests, the user may select the **Allow IT Expert to respond to User Account Control prompts** check box when setting up the remote assistance session. However, selecting this check box requires that the interactive user respond to an elevation prompt on the secure desktop. If the interactive user is a standard user, the user does not have the required credentials to allow elevation.
If you enable this policy setting, requests for elevation are automatically sent to the interactive desktop (not the secure desktop) and also appear on the remote administrator's view of the desktop during a remote assistance session. This allows the remote administrator to provide the appropriate credentials for elevation.
This policy setting does not change the behavior of the UAC elevation prompt for administrators.
If you plan to enable this policy setting, you should also review the effect of the **User Account Control: Behavior of the elevation prompt for standard users** policy setting. If it is configured as **Automatically deny elevation requests**, elevation requests are not presented to the user.
### User Account Control: Detect application installations and prompt for elevation
The **User Account Control: Detect application installations and prompt for elevation** policy setting controls the behavior of application installation detection for the computer.
The options are:
- **Enabled.** (Default for home) When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
- **Disabled.** (Default for enterprise) Application installation packages are not detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies such as Group Policy Software Installation or Systems Management Server (SMS) should disable this policy setting. In this case, installer detection is unnecessary.
### User Account Control: Only elevate UIAccess applications that are installed in secure locations
The **User Account Control: Only elevate UIAccess applications that are installed in secure locations** policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following:
- ...\\Program Files, including subfolders
- ...\\Windows\\system32
- ...\\Program Files (x86), including subfolders for 64-bit versions of Windows
**Note** Windows enforces a PKI signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting.
The options are:
- **Enabled.** (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity.
- **Disabled.** An application runs with UIAccess integrity even if it does not reside in a secure location in the file system.
### User Account Control: Switch to the secure desktop when prompting for elevation
The **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop.
The options are:
- **Enabled.** (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users.
- **Disabled.** All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used.
When this policy setting is enabled, it overrides the **User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode** policy setting. The following table describes the behavior of the elevation prompt for each of the administrator policy settings when the **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting is enabled or disabled.
| Administrator policy setting | Enabled | Disabled |
| - | - | - |
| **Prompt for credentials on the secure desktop** | The prompt appears on the secure desktop. | The prompt appears on the secure desktop. |
| **Prompt for consent on the secure desktop** | The prompt appears on the secure desktop. | The prompt appears on the secure desktop. |
| **Prompt for credentials** | The prompt appears on the secure desktop. | The prompt appears on the interactive user's desktop. |
| **Prompt for consent** | The prompt appears on the secure desktop. | The prompt appears on the interactive user's desktop. |
| **Prompt for consent for non-Windows binaries** | The prompt appears on the secure desktop. | The prompt appears on the interactive user's desktop. |
When this policy setting is enabled, it overrides the **User Account Control: Behavior of the elevation prompt for standard users** policy setting. The following table describes the behavior of the elevation prompt for each of the standard user policy settings when the **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting is enabled or disabled.
| Standard policy setting | Enabled | Disabled |
| - | - | - |
| **Automatically deny elevation requests** | No prompt. The request is automatically denied. | No prompt. The request is automatically denied. |
| **Prompt for credentials on the secure desktop** | The prompt appears on the secure desktop. | The prompt appears on the secure desktop. |
| **Prompt for credentials** | The prompt appears on the secure desktop. | The prompt appears on the interactive user's desktop. |
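Review bot: deleting this article drops content that the new configure.md text in this commit does not carry: the two tables showing where the elevation prompt appears for each administrator and standard user option when **Switch to the secure desktop when prompting for elevation** is enabled or disabled, the protected-path list for UIA programs, and the note that **Detect application installations and prompt for elevation** defaults differently for home and enterprise. Move those tables and the path list into configure.md, or confirm they are documented elsewhere, before removing the file, and add a redirect for the removed path.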