mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-12 21:37:22 +00:00
Merge branch 'master' into nimishasatapathy-5324320-5policieswin11
This commit is contained in:
Diana Hanson
GitHub
commit
8416bb1012
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Smart Card and Remote Desktop Services (Windows 10)
|
||||
title: Smart Card and Remote Desktop Services (Windows)
|
||||
description: This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in.
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
@ -12,13 +12,13 @@ manager: dansimp
|
||||
ms.collection: M365-identity-device-management
|
||||
ms.topic: article
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/24/2021
|
||||
ms.reviewer:
|
||||
---
|
||||
|
||||
# Smart Card and Remote Desktop Services
|
||||
|
||||
Applies To: Windows 10, Windows Server 2016
|
||||
Applies To: Windows 10, Windows 11, Windows Server 2016 and above
|
||||
|
||||
This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in.
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Smart Card Architecture (Windows 10)
|
||||
title: Smart Card Architecture (Windows)
|
||||
description: This topic for the IT professional describes the system architecture that supports smart cards in the Windows operating system.
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
@ -12,13 +12,13 @@ manager: dansimp
|
||||
ms.collection: M365-identity-device-management
|
||||
ms.topic: article
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/24/2021
|
||||
ms.reviewer:
|
||||
---
|
||||
|
||||
# Smart Card Architecture
|
||||
|
||||
Applies To: Windows 10, Windows Server 2016
|
||||
Applies To: Windows 10, Windows 11, Windows Server 2016 and above
|
||||
|
||||
This topic for the IT professional describes the system architecture that supports smart cards in the Windows operating system, including credential provider architecture and the smart card subsystem architecture.
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Certificate Propagation Service (Windows 10)
|
||||
title: Certificate Propagation Service (Windows)
|
||||
description: This topic for the IT professional describes the certificate propagation service (CertPropSvc), which is used in smart card implementation.
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
@ -12,13 +12,13 @@ manager: dansimp
|
||||
ms.collection: M365-identity-device-management
|
||||
ms.topic: article
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 08/24/2021
|
||||
ms.reviewer:
|
||||
---
|
||||
|
||||
# Certificate Propagation Service
|
||||
|
||||
Applies To: Windows 10, Windows Server 2016
|
||||
Applies To: Windows 10, Windows 11, Windows Server 2016 and above
|
||||
|
||||
This topic for the IT professional describes the certificate propagation service (CertPropSvc), which is used in smart card implementation.
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Certificate Requirements and Enumeration (Windows 10)
|
||||
title: Certificate Requirements and Enumeration (Windows)
|
||||
description: This topic for the IT professional and smart card developers describes how certificates are managed and used for smart card sign-in.
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
@ -12,13 +12,13 @@ manager: dansimp
|
||||
ms.collection: M365-identity-device-management
|
||||
ms.topic: article
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/24/2021
|
||||
ms.reviewer:
|
||||
---
|
||||
|
||||
# Certificate Requirements and Enumeration
|
||||
|
||||
Applies To: Windows 10, Windows Server 2016
|
||||
Applies To: Windows 10, Windows 11, Windows Server 2016 and above
|
||||
|
||||
This topic for the IT professional and smart card developers describes how certificates are managed and used for smart card sign-in.
|
||||
|
||||
@ -185,7 +185,7 @@ Certificate requirements are listed by versions of the Windows operating system.
|
||||
The smart card certificate has specific format requirements when it is used with Windows XP and earlier operating systems. You can enable any certificate to be visible for the smart card credential provider.
|
||||
|
||||
|
||||
| **Component** | **Requirements for Windows 8.1, Windows 8, Windows 7, Windows Vista, and Windows 10** | **Requirements for Windows XP** |
|
||||
| **Component** | **Requirements for Windows 8.1, Windows 8, Windows 7, Windows Vista, Windows 10, and Windows 11** | **Requirements for Windows XP** |
|
||||
|--------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
||||
| CRL distribution point location | Not required | The location must be specified, online, and available, for example:<br>\[1\]CRL Distribution Point<br>Distribution Point Name:<br>Full Name:<br>URL=<http://server1.contoso.com/CertEnroll/caname.crl> |
|
||||
| Key usage | Digital signature | Digital signature |
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Smart Card Troubleshooting (Windows 10)
|
||||
title: Smart Card Troubleshooting (Windows)
|
||||
description: Describes the tools and services that smart card developers can use to help identify certificate issues with the smart card deployment.
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
@ -12,13 +12,13 @@ manager: dansimp
|
||||
ms.collection: M365-identity-device-management
|
||||
ms.topic: article
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/24/2021
|
||||
ms.reviewer:
|
||||
---
|
||||
|
||||
# Smart Card Troubleshooting
|
||||
|
||||
Applies To: Windows 10, Windows Server 2016
|
||||
Applies To: Windows 10, Windows 11, Windows Server 2016 and above
|
||||
|
||||
This article explains tools and services that smart card developers can use to help identify certificate issues with the smart card deployment.
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Smart Card Events (Windows 10)
|
||||
title: Smart Card Events (Windows)
|
||||
description: This topic for the IT professional and smart card developer describes events that are related to smart card deployment and development.
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
@ -12,13 +12,13 @@ manager: dansimp
|
||||
ms.collection: M365-identity-device-management
|
||||
ms.topic: article
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/24/2021
|
||||
ms.reviewer:
|
||||
---
|
||||
|
||||
# Smart Card Events
|
||||
|
||||
Applies To: Windows 10, Windows Server 2016
|
||||
Applies To: Windows 10, Windows 11, Windows Server 2016 and above
|
||||
|
||||
This topic for the IT professional and smart card developer describes events that are related to smart card deployment and development.
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Smart Card Group Policy and Registry Settings (Windows 10)
|
||||
title: Smart Card Group Policy and Registry Settings (Windows)
|
||||
description: Discover the Group Policy, registry key, local security policy, and credential delegation policy settings that are available for configuring smart cards.
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
@ -12,13 +12,13 @@ manager: dansimp
|
||||
ms.collection: M365-identity-device-management
|
||||
ms.topic: article
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/23/2021
|
||||
ms.reviewer:
|
||||
---
|
||||
|
||||
# Smart Card Group Policy and Registry Settings
|
||||
|
||||
Applies to: Windows 10, Windows Server 2016
|
||||
Applies to: Windows 10, Windows 11, Windows Server 2016 and above
|
||||
|
||||
This article for IT professionals and smart card developers describes the Group Policy settings, registry key settings, local security policy settings, and credential delegation policy settings that are available for configuring smart cards.
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: How Smart Card Sign-in Works in Windows (Windows 10)
|
||||
title: How Smart Card Sign-in Works in Windows
|
||||
description: This topic for IT professional provides links to resources about the implementation of smart card technologies in the Windows operating system.
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
@ -12,13 +12,13 @@ manager: dansimp
|
||||
ms.collection: M365-identity-device-management
|
||||
ms.topic: article
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/24/2021
|
||||
ms.reviewer:
|
||||
---
|
||||
|
||||
# How Smart Card Sign-in Works in Windows
|
||||
|
||||
Applies To: Windows 10, Windows Server 2016
|
||||
Applies To: Windows 10, Windows 11, Windows Server 2016 and above
|
||||
|
||||
This topic for IT professional provides links to resources about the implementation of smart card technologies in the Windows operating system. It includes the following resources about the architecture, certificate management, and services that are related to smart card use:
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Smart Card Removal Policy Service (Windows 10)
|
||||
title: Smart Card Removal Policy Service (Windows)
|
||||
description: This topic for the IT professional describes the role of the removal policy service (ScPolicySvc) in smart card implementation.
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
@ -12,17 +12,17 @@ manager: dansimp
|
||||
ms.collection: M365-identity-device-management
|
||||
ms.topic: article
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/24/2021
|
||||
ms.reviewer:
|
||||
---
|
||||
|
||||
# Smart Card Removal Policy Service
|
||||
|
||||
Applies To: Windows 10, Windows Server 2016
|
||||
Applies To: Windows 10, Windows 11, Windows Server 2016
|
||||
|
||||
This topic for the IT professional describes the role of the removal policy service (ScPolicySvc) in smart card implementation.
|
||||
|
||||
The smart card removal policy service is applicable when a user has signed in with a smart card and subsequently removes that smart card from the reader. The action that is performed when the smart card is removed is controlled by Group Policy settings. For more information, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md).
|
||||
The smart card removal policy service is applicable when a user has signed in with a smart card and then removes that smart card from the reader. The action that is performed when the smart card is removed is controlled by Group Policy settings. For more information, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md).
|
||||
|
||||
**Smart card removal policy service**
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Smart Cards for Windows Service (Windows 10)
|
||||
title: Smart Cards for Windows Service (Windows)
|
||||
description: This topic for the IT professional and smart card developers describes how the Smart Cards for Windows service manages readers and application interactions.
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
@ -12,13 +12,13 @@ manager: dansimp
|
||||
ms.collection: M365-identity-device-management
|
||||
ms.topic: article
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/24/2021
|
||||
ms.reviewer:
|
||||
---
|
||||
|
||||
# Smart Cards for Windows Service
|
||||
|
||||
Applies To: Windows 10, Windows Server 2016
|
||||
Applies To: Windows 10, Windows 11, Windows Server 2016 and above
|
||||
|
||||
This topic for the IT professional and smart card developers describes how the Smart Cards for Windows service (formerly called Smart Card Resource Manager) manages readers and application interactions.
|
||||
|
||||
@ -26,7 +26,7 @@ The Smart Cards for Windows service provides the basic infrastructure for all ot
|
||||
|
||||
The Smart Cards for Windows service runs in the context of a local service, and it is implemented as a shared service of the services host (svchost) process. The Smart Cards for Windows service, Scardsvr, has the following service description:
|
||||
|
||||
```
|
||||
```PowerShell
|
||||
<serviceData
|
||||
dependOnService="PlugPlay"
|
||||
description="@%SystemRoot%\System32\SCardSvr.dll,-5"
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Smart Card Tools and Settings (Windows 10)
|
||||
title: Smart Card Tools and Settings (Windows)
|
||||
description: This topic for the IT professional and smart card developer links to information about smart card debugging, settings, and events.
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
@ -12,13 +12,13 @@ manager: dansimp
|
||||
ms.collection: M365-identity-device-management
|
||||
ms.topic: article
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/24/2021
|
||||
ms.reviewer:
|
||||
---
|
||||
|
||||
# Smart Card Tools and Settings
|
||||
|
||||
Applies To: Windows 10, Windows Server 2016
|
||||
Applies To: Windows 10, Windows 11, Windows Server 2016 and above
|
||||
|
||||
This topic for the IT professional and smart card developer links to information about smart card debugging, settings, and events.
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Smart Card Technical Reference (Windows 10)
|
||||
title: Smart Card Technical Reference (Windows)
|
||||
description: Learn about the Windows smart card infrastructure for physical smart cards, and how smart card-related components work in Windows.
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
@ -12,13 +12,13 @@ manager: dansimp
|
||||
ms.collection: M365-identity-device-management
|
||||
ms.topic: article
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/24/2021
|
||||
ms.reviewer:
|
||||
---
|
||||
|
||||
# Smart Card Technical Reference
|
||||
|
||||
Applies To: Windows 10, Windows Server 2016
|
||||
Applies To: Windows 10, Windows 11, Windows Server 2016 and above
|
||||
|
||||
The Smart Card Technical Reference describes the Windows smart card infrastructure for physical smart cards and how smart card-related components work in Windows. This document also contains information about tools that information technology (IT) developers and administrators can use to troubleshoot, debug, and deploy smart card-based strong authentication in the enterprise.
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: How User Account Control works (Windows 10)
|
||||
title: How User Account Control works (Windows)
|
||||
description: User Account Control (UAC) is a fundamental component of Microsoft's overall security vision. UAC helps mitigate the impact of malware.
|
||||
ms.assetid: 9f921779-0fd3-4206-b0e4-05a19883ee59
|
||||
ms.reviewer:
|
||||
@ -14,21 +14,23 @@ manager: dansimp
|
||||
ms.collection: M365-identity-device-management
|
||||
ms.topic: article
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 11/16/2018
|
||||
ms.date: 09/23/2021
|
||||
---
|
||||
|
||||
# How User Account Control works
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
User Account Control (UAC) is a fundamental component of Microsoft's overall security vision. UAC helps mitigate the impact of malware.
|
||||
|
||||
## UAC process and interactions
|
||||
|
||||
Each app that requires the administrator access token must prompt for consent. The one exception is the relationship that exists between parent and child processes. Child processes inherit the user's access token from the parent process. Both the parent and child processes, however, must have the same integrity level. Windows 10 protects processes by marking their integrity levels. Integrity levels are measurements of trust. A "high" integrity application is one that performs tasks that modify system data, such as a disk partitioning application, while a "low" integrity application is one that performs tasks that could potentially compromise the operating system, such as a Web browser. Apps with lower integrity levels cannot modify data in applications with higher integrity levels. When a standard user attempts to run an app that requires an administrator access token, UAC requires that the user provide valid administrator credentials.
|
||||
Each app that requires the administrator access token must prompt for consent. The one exception is the relationship that exists between parent and child processes. Child processes inherit the user's access token from the parent process. Both the parent and child processes, however, must have the same integrity level. Windows protects processes by marking their integrity levels. Integrity levels are measurements of trust. A "high" integrity application is one that performs tasks that modify system data, such as a disk partitioning application, while a "low" integrity application is one that performs tasks that could potentially compromise the operating system, such as a Web browser. Apps with lower integrity levels cannot modify data in applications with higher integrity levels. When a standard user attempts to run an app that requires an administrator access token, UAC requires that the user provide valid administrator credentials.
|
||||
|
||||
In order to better understand how this process happens, let's look at the Windows logon process.
|
||||
To better understand how this process happens, let's look at the Windows logon process.
|
||||
|
||||
### Logon process
|
||||
|
||||
@ -40,17 +42,17 @@ By default, standard users and administrators access resources and run apps in t
|
||||
|
||||
When an administrator logs on, two separate access tokens are created for the user: a standard user access token and an administrator access token. The standard user access token contains the same user-specific information as the administrator access token, but the administrative Windows privileges and SIDs are removed. The standard user access token is used to start apps that do not perform administrative tasks (standard user apps). The standard user access token is then used to display the desktop (explorer.exe). Explorer.exe is the parent process from which all other user-initiated processes inherit their access token. As a result, all apps run as a standard user unless a user provides consent or credentials to approve an app to use a full administrative access token.
|
||||
|
||||
A user that is a member of the Administrators group can log on, browse the Web, and read e-mail while using a standard user access token. When the administrator needs to perform a task that requires the administrator access token, Windows 10 automatically prompts the user for approval. This prompt is called an elevation prompt, and its behavior can be configured by using the Local Security Policy snap-in (Secpol.msc) or Group Policy. For more info, see [User Account Control security policy settings](user-account-control-security-policy-settings.md).
|
||||
A user that is a member of the Administrators group can log on, browse the Web, and read e-mail while using a standard user access token. When the administrator needs to perform a task that requires the administrator access token, Windows 10 or Windows 11 automatically prompts the user for approval. This prompt is called an elevation prompt, and its behavior can be configured by using the Local Security Policy snap-in (Secpol.msc) or Group Policy. For more info, see [User Account Control security policy settings](user-account-control-security-policy-settings.md).
|
||||
|
||||
### The UAC User Experience
|
||||
|
||||
When UAC is enabled, the user experience for standard users is different from that of administrators in Admin Approval Mode. The recommended and more secure method of running Windows 10 is to make your primary user account a standard user account. Running as a standard user helps to maximize security for a managed environment. With the built-in UAC elevation component, standard users can easily perform an administrative task by entering valid credentials for a local administrator account. The default, built-in UAC elevation component for standard users is the credential prompt.
|
||||
When UAC is enabled, the user experience for standard users is different from that of administrators in Admin Approval Mode. The recommended and more secure method of running Windows 10 or Windows 11 is to make your primary user account a standard user account. Running as a standard user helps to maximize security for a managed environment. With the built-in UAC elevation component, standard users can easily perform an administrative task by entering valid credentials for a local administrator account. The default, built-in UAC elevation component for standard users is the credential prompt.
|
||||
|
||||
The alternative to running as a standard user is to run as an administrator in Admin Approval Mode. With the built-in UAC elevation component, members of the local Administrators group can easily perform an administrative task by providing approval. The default, built-in UAC elevation component for an administrator account in Admin Approval Mode is called the consent prompt.
|
||||
|
||||
**The consent and credential prompts**
|
||||
|
||||
With UAC enabled, Windows 10 prompts for consent or prompts for credentials of a valid local administrator account before starting a program or task that requires a full administrator access token. This prompt ensures that no malicious software can be silently installed.
|
||||
With UAC enabled, Windows 10 or Windows 11 prompts for consent or prompts for credentials of a valid local administrator account before starting a program or task that requires a full administrator access token. This prompt ensures that no malicious software can be silently installed.
|
||||
|
||||
**The consent prompt**
|
||||
|
||||
@ -68,12 +70,12 @@ The following is an example of the UAC credential prompt.
|
||||
|
||||
**UAC elevation prompts**
|
||||
|
||||
The UAC elevation prompts are color-coded to be app-specific, enabling for immediate identification of an application's potential security risk. When an app attempts to run with an administrator's full access token, Windows 10 first analyzes the executable file to determine its publisher. Apps are first separated into three categories based on the file's publisher: Windows 10, publisher verified (signed), and publisher not verified (unsigned). The following diagram illustrates how Windows 10 determines which color elevation prompt to present to the user.
|
||||
The UAC elevation prompts are color-coded to be app-specific, enabling for immediate identification of an application's potential security risk. When an app attempts to run with an administrator's full access token, Windows 10 or Windows 11 first analyzes the executable file to determine its publisher. Apps are first separated into three categories based on the file's publisher: Windows 10 or Windows 11, publisher verified (signed), and publisher not verified (unsigned). The following diagram illustrates how Windows determines which color elevation prompt to present to the user.
|
||||
|
||||
The elevation prompt color-coding is as follows:
|
||||
|
||||
- Red background with a red shield icon: The app is blocked by Group Policy or is from a publisher that is blocked.
|
||||
- Blue background with a blue and gold shield icon: The application is a Windows 10 administrative app, such as a Control Panel item.
|
||||
- Blue background with a blue and gold shield icon: The application is a Windows 10 and Windows 11 administrative app, such as a Control Panel item.
|
||||
- Blue background with a blue shield icon: The application is signed by using Authenticode and is trusted by the local computer.
|
||||
- Yellow background with a yellow shield icon: The application is unsigned or signed but is not yet trusted by the local computer.
|
||||
|
||||
@ -87,7 +89,7 @@ The shield icon on the **Change date and time** button indicates that the proces
|
||||
|
||||
**Securing the elevation prompt**
|
||||
|
||||
The elevation process is further secured by directing the prompt to the secure desktop. The consent and credential prompts are displayed on the secure desktop by default in Windows 10. Only Windows processes can access the secure desktop. For higher levels of security, we recommend keeping the **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting enabled.
|
||||
The elevation process is further secured by directing the prompt to the secure desktop. The consent and credential prompts are displayed on the secure desktop by default in Windows 10 and Windows 11. Only Windows processes can access the secure desktop. For higher levels of security, we recommend keeping the **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting enabled.
|
||||
|
||||
When an executable file requests elevation, the interactive desktop, also called the user desktop, is switched to the secure desktop. The secure desktop dims the user desktop and displays an elevation prompt that must be responded to before continuing. When the user clicks **Yes** or **No**, the desktop switches back to the user desktop.
|
||||
|
||||
@ -281,7 +283,7 @@ The slider will never turn UAC completely off. If you set it to <b>Never notify<
|
||||
|
||||
Because system administrators in enterprise environments attempt to secure systems, many line-of-business (LOB) applications are designed to use only a standard user access token. As a result, you do not need to replace the majority of apps when UAC is turned on.
|
||||
|
||||
Windows 10 includes file and registry virtualization technology for apps that are not UAC-compliant and that require an administrator's access token to run correctly. When an administrative apps that is not UAC-compliant attempts to write to a protected folder, such as Program Files, UAC gives the app its own virtualized view of the resource it is attempting to change. The virtualized copy is maintained in the user's profile. This strategy creates a separate copy of the virtualized file for each user that runs the non-compliant app.
|
||||
Windows 10 and Windows 11 include file and registry virtualization technology for apps that are not UAC-compliant and that require an administrator's access token to run correctly. When an administrative apps that is not UAC-compliant attempts to write to a protected folder, such as Program Files, UAC gives the app its own virtualized view of the resource it is attempting to change. The virtualized copy is maintained in the user's profile. This strategy creates a separate copy of the virtualized file for each user that runs the non-compliant app.
|
||||
|
||||
Most app tasks operate properly by using virtualization features. Although virtualization allows a majority of applications to run, it is a short-term fix and not a long-term solution. App developers should modify their apps to be compliant as soon as possible, rather than relying on file, folder, and registry virtualization.
|
||||
|
||||
@ -301,7 +303,7 @@ All UAC-compliant apps should have a requested execution level added to the appl
|
||||
|
||||
### Installer detection technology
|
||||
|
||||
Installation programs are apps designed to deploy software. Most installation programs write to system directories and registry keys. These protected system locations are typically writeable only by an administrator in Installer detection technology, which means that standard users do not have sufficient access to install programs. Windows 10 heuristically detects installation programs and requests administrator credentials or approval from the administrator user in order to run with access privileges. Windows 10 also heuristically detects updates and programs that uninstall applications. One of the design goals of UAC is to prevent installations from being run without the user's knowledge and consent because installation programs write to protected areas of the file system and registry.
|
||||
Installation programs are apps designed to deploy software. Most installation programs write to system directories and registry keys. These protected system locations are typically writeable only by an administrator in Installer detection technology, which means that standard users do not have sufficient access to install programs. Windows 10 and Windows 11 heuristically detect installation programs and requests administrator credentials or approval from the administrator user in order to run with access privileges. Windows 10 and Windows 11 also heuristically detect updates and programs that uninstall applications. One of the design goals of UAC is to prevent installations from being run without the user's knowledge and consent because installation programs write to protected areas of the file system and registry.
|
||||
|
||||
Installer detection only applies to:
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: User Account Control Group Policy and registry key settings (Windows 10)
|
||||
title: User Account Control Group Policy and registry key settings (Windows)
|
||||
description: Here's a list of UAC Group Policy and registry key settings that your organization can use to manage UAC.
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
@ -21,7 +21,8 @@ ms.reviewer:
|
||||
**Applies to**
|
||||
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
## Group Policy settings
|
||||
There are 10 Group Policy settings that can be configured for User Account Control (UAC). The table lists the default for each of the policy settings, and the following sections explain the different UAC policy settings and provide recommendations. These policy settings are located in **Security Settings\\Local Policies\\Security Options** in the Local Security Policy snap-in. For more information about each of the Group Policy settings, see the Group Policy description. For information about the registry key settings, see [Registry key settings](#registry-key-settings).
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: User Account Control (Windows 10)
|
||||
title: User Account Control (Windows)
|
||||
description: User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop.
|
||||
ms.assetid: 43ac4926-076f-4df2-84af-471ee7d20c38
|
||||
ms.reviewer:
|
||||
@ -14,14 +14,15 @@ ms.author: dansimp
|
||||
manager: dansimp
|
||||
ms.collection: M365-identity-device-management
|
||||
ms.topic: article
|
||||
ms.date: 07/27/2017
|
||||
ms.date: 09/24/2011
|
||||
---
|
||||
|
||||
# User Account Control
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings.
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: User Account Control security policy settings (Windows 10)
|
||||
title: User Account Control security policy settings (Windows)
|
||||
description: You can use security policies to configure how User Account Control works in your organization.
|
||||
ms.assetid: 3D75A9AC-69BB-4EF2-ACB3-1769791E1B98
|
||||
ms.reviewer:
|
||||
@ -14,13 +14,16 @@ manager: dansimp
|
||||
ms.collection: M365-identity-device-management
|
||||
ms.topic: article
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/24/2021
|
||||
---
|
||||
|
||||
# User Account Control security policy settings
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
|
||||
You can use security policies to configure how User Account Control works in your organization. They can be configured locally by using the Local Security Policy snap-in (secpol.msc) or configured for the domain, OU, or specific groups by Group Policy.
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user