Applies To: Windows 7, Windows Server 2008 R2
There are 10 Group Policy settings that can be configured for User Account Control (UAC). The table lists the default for each of the policy settings, and the following sections explain the different UAC Group Policy settings and provide recommendations.
Group Policy setting | Default |
---|---|
User Account Control: Admin Approval Mode for the Built-in Administrator account | Disabled |
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop | Disabled |
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | Prompt for consent for non-Windows binaries |
User Account Control: Behavior of the elevation prompt for standard users | Prompt for credentials on the secure desktop |
User Account Control: Detect application installations and prompt for elevation | Enabled (default for home); Disabled (default for enterprise) |
User Account Control: Only elevate executables that are signed and validated | Disabled |
User Account Control: Only elevate UIAccess applications that are installed in secure locations | Enabled |
User Account Control: Run all administrators in Admin Approval Mode | Enabled |
User Account Control: Switch to the secure desktop when prompting for elevation | Enabled |
User Account Control: Virtualize file and registry write failures to per-user locations | Enabled |
For more information about each of the UAC Group Policy settings, see "UAC Group Policy Settings" in User Account Control in Windows 7 Technical Reference (https://go.microsoft.com/fwlink/?LinkID=146195).
While UAC Group Policy settings enable IT departments to choose how to configure UAC, there are some considerations that should be weighed when creating a new security policy.
Windows 7 includes a security policy setting that can be used to prevent the elevation prompt from being imitated. This policy setting (User Account Control: Switch to the secure desktop when prompting for elevation) switches the active user desktop to the secure desktop when a process requests elevation. The secure desktop is accessible only to core Windows processes, and malicious software (malware) cannot communicate with it. As a result, no elevation prompt shown on the secure desktop can be controlled by applications running on the user desktop. This policy setting is disabled by default in Windows 7.
Disabling the User Account Control: Run all administrators in Admin Approval Mode policy setting turns UAC off. When UAC is turned off, files and folders are no longer virtualized to per-user locations for applications that are not UAC compliant, and all local administrators are automatically logged on with a full administrative access token. Disabling this setting causes Windows 7 to revert to the Windows XP user model. While some applications that are not compatible with UAC may recommend turning UAC off, it is not necessary to do so because Windows 7 includes folder and registry virtualization for applications that are not UAC compliant by default. Turning UAC off exposes your computer to system-wide malware installations. If this setting is changed, a system restart is required for this change to take effect.
Virtualization is used to enable applications that are not UAC compatible to work properly in Windows 7. If only UAC-compatible applications are used in your environment, the User Account Control: Virtualize file and registry write failures to per-user locations Group Policy setting is unnecessary and can be disabled.
Because installers typically write to protected areas, such as the Program Files folder, the Win32 model usually requires installers to run in an administrative context. The User Account Control: Detect application installations and prompt for elevation policy setting invokes an elevation prompt when an installer is detected. If all available applications are deployed with Configuration Manager or another technology, elevation on installers is not necessary because the elevation is done automatically by the installer service, which runs as SYSTEM. In this type of environment, this policy setting can be disabled.
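The following PowerShell audit is an added example, not code from this page: it reads the local UAC values and reports which ones differ from the Windows 7 defaults in the table above, flagging the changes the considerations above describe as weakening UAC (turning off Admin Approval Mode, leaving the secure desktop, or elevating without prompting). The registry value names and their numeric meanings are the standard UAC values under the Policies\System key and are assumed here; this page does not list them.

```powershell
# Added example (not from this page): audit local UAC values against the Windows 7 defaults.
# Assumption: the registry value names and meanings below are the standard UAC values;
# this page does not list them. Run in an elevated PowerShell on the machine being audited.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# One entry per policy: documented default(s) and, where the text above describes the
# change as a risk, the value that weakens or turns off the protection.
$UacPolicies = @(
    @{ Value = 'FilterAdministratorToken';    Default = @(0);   Policy = 'Admin Approval Mode for the Built-in Administrator account' }
    @{ Value = 'EnableUIADesktopToggle';      Default = @(0);   Policy = 'Allow UIAccess applications to prompt for elevation without using the secure desktop' }
    @{ Value = 'ConsentPromptBehaviorAdmin';  Default = @(5);   Weak = 0; Policy = 'Behavior of the elevation prompt for administrators in Admin Approval Mode (0 = elevate without prompting)' }
    @{ Value = 'ConsentPromptBehaviorUser';   Default = @(1);   Policy = 'Behavior of the elevation prompt for standard users' }
    @{ Value = 'EnableInstallerDetection';    Default = @(1,0); Policy = 'Detect application installations and prompt for elevation (1 home, 0 enterprise)' }
    @{ Value = 'ValidateAdminCodeSignatures'; Default = @(0);   Policy = 'Only elevate executables that are signed and validated' }
    @{ Value = 'EnableSecureUIAPaths';        Default = @(1);   Policy = 'Only elevate UIAccess applications that are installed in secure locations' }
    @{ Value = 'EnableLUA';                   Default = @(1);   Weak = 0; Policy = 'Run all administrators in Admin Approval Mode (0 turns UAC off)' }
    @{ Value = 'PromptOnSecureDesktop';       Default = @(1);   Weak = 0; Policy = 'Switch to the secure desktop when prompting for elevation' }
    @{ Value = 'EnableVirtualization';        Default = @(1);   Policy = 'Virtualize file and registry write failures to per-user locations' }
)

function Test-UacPolicy {
    # Returns one object per policy with the configured value and an audit verdict.
    $current = Get-ItemProperty -Path $UacKey
    foreach ($p in $UacPolicies) {
        $actual = $current.($p.Value)
        if ($null -eq $actual)                { $verdict = 'not set (built-in default applies)' }
        elseif ($p.Default -contains $actual) { $verdict = 'default' }
        else                                  { $verdict = 'changed' }
        # A changed value is a finding only when it matches the known weakening value.
        if ($p.ContainsKey('Weak') -and $actual -eq $p.Weak) { $verdict = 'WEAKENED: review' }
        [pscustomobject]@{
            Policy  = $p.Policy
            Value   = $p.Value
            Actual  = $actual
            Verdict = $verdict
        }
    }
}

Test-UacPolicy | Format-Table -AutoSize -Wrap
```

Values that are "not set" are governed by the built-in default rather than by Group Policy, so compare them against the Default column above rather than treating them as drift.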
Whether an application can start depends on the combination of the requested execution level recorded in the application compatibility (shim) database and the user rights available to the user account that starts the application. The following tables identify the run-time behavior of an application for each combination of user privileges and applied shims.
The following table describes the run-time behavior of an application for an administrator based on the User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode policy setting when different shims are installed.
Note that the commands in this table represent which shim is applied from the application compatibility database.
Parent process access token | Policy setting | None or RunAsInvoker | RunAsHighest | RunAsAdmin |
---|---|---|---|---|
Protected admin | Elevate without prompting | Application starts as a standard user without prompting | Application starts with a full administrative access token and with no prompt | Application starts with a full administrative access token and with no prompt |
Protected admin | Prompt for consent on the secure desktop | Application starts with a full administrative access token and prompts for consent on the secure desktop | Application starts with a full administrative access token and prompts for consent on the secure desktop | |
Protected admin | Prompt for credentials on the secure desktop | Application starts with a full administrative access token and prompts for credentials on the secure desktop | Application starts with a full administrative access token and prompts for credentials on the secure desktop | |
Protected admin | Prompt for credentials | Application starts with a full administrative access token and prompts for credentials on the user's interactive desktop | Application starts with a full administrative access token and prompts for credentials on the user's interactive desktop | |
Protected admin | Prompt for consent | Application starts with a full administrative access token and prompts for consent on the user's interactive desktop | Application starts with a full administrative access token and prompts for consent on the user's interactive desktop | |
Protected admin | Prompt for consent for non-Windows binaries | Non-Windows application starts as a standard user | Non-Windows application starts with a full administrative access token and prompts for consent on the user's interactive desktop | Non-Windows application starts with a full administrative access token and prompts for consent on the user's interactive desktop |
Administrator (UAC is disabled) | Not applicable | Application starts with a full administrative access token and with no prompt | Application starts with a full administrative access token and with no prompt | Application starts with a full administrative access token and with no prompt |
The following table describes the run-time behavior of an application for a standard user based on the User Account Control: Behavior of the elevation prompt for standard users policy setting when different shims are installed.
Note that the commands in this table represent which shim is applied from the application compatibility database.
Parent process access token | Consent policy | RunAsInvoker | RunAsHighest | RunAsAdmin |
---|---|---|---|---|
Standard user | Automatically deny elevation requests | Application starts as a standard user | Application starts as a standard user | Application does not start |
Standard user | Prompt for credentials | Application starts as a standard user | Application starts as a standard user | Prompts for administrator credentials on the user's interactive desktop |
Standard user | Prompt for credentials on the secure desktop | Application starts as a standard user | Application starts as a standard user | Prompts for administrator credentials on the secure desktop |
Standard user (UAC is disabled) | Not applicable | Application starts as a standard user | Application starts as a standard user | Application does not start |
The following table describes the run-time behavior of an application for a standard user with additional privileges based on the User Account Control: Behavior of the elevation prompt for standard users policy setting when different shims are installed.
Note that the commands in this table represent which shim is applied from the application compatibility database.
Parent process access token | Consent policy | RunAsInvoker | RunAsHighest | RunAsAdmin |
---|---|---|---|---|
Standard user | No prompt | Application starts as a standard user | Application does not start | Application does not start |
Standard user | Prompt for credentials | Application starts as a standard user | Prompts for credentials, and then runs as a standard user with additional privileges | Prompts for administrator credentials on the user's interactive desktop |
Standard user | Prompt for credentials on the secure desktop | Application starts as a standard user | Prompts for credentials, and then runs as a standard user with additional privileges | Prompts for administrator credentials on the secure desktop |
Standard user (UAC is disabled) | Not applicable | Application starts as a standard user | Prompts for credentials, and then runs as a standard user with additional privileges | Application does not start |
Use the following table to record the settings for your organization.
UAC Group Policy setting | Default | Setting for your organization |
---|---|---|
User Account Control: Admin Approval Mode for the Built-in Administrator account | Disabled | |
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop | Disabled | |
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | Prompt for consent for non-Windows binaries | |
User Account Control: Behavior of the elevation prompt for standard users | Prompt for credentials on the secure desktop | |
User Account Control: Detect application installations and prompt for elevation | Enabled (default for home); Disabled (default for enterprise) | |
User Account Control: Only elevate executables that are signed and validated | Disabled | |
User Account Control: Only elevate UIAccess applications that are installed in secure locations | Enabled | |
User Account Control: Run all administrators in Admin Approval Mode | Enabled | |
User Account Control: Switch to the secure desktop when prompting for elevation | Enabled | |
User Account Control: Virtualize file and registry write failures to per-user locations | Enabled | |