Define the UAC Group Policy Settings

Applies To: Windows 7, Windows Server 2008 R2

There are 10 Group Policy settings that can be configured for User Account Control (UAC). The table lists the default for each of the policy settings, and the following sections explain the different UAC Group Policy settings and provide recommendations.

Group Policy setting | Default
--- | ---
User Account Control: Admin Approval Mode for the Built-in Administrator account | Disabled
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop | Disabled
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | Prompt for consent for non-Windows binaries
User Account Control: Behavior of the elevation prompt for standard users | Prompt for credentials on the secure desktop
User Account Control: Detect application installations and prompt for elevation | Enabled (default for home); Disabled (default for enterprise)
User Account Control: Only elevate executables that are signed and validated | Disabled
User Account Control: Only elevate UIAccess applications that are installed in secure locations | Enabled
User Account Control: Run all administrators in Admin Approval Mode | Enabled
User Account Control: Switch to the secure desktop when prompting for elevation | Enabled
User Account Control: Virtualize file and registry write failures to per-user locations | Enabled

For more information about each of the UAC Group Policy settings, see "UAC Group Policy Settings" in User Account Control in Windows 7 Technical Reference (https://go.microsoft.com/fwlink/?LinkID=146195).

While UAC Group Policy settings enable IT departments to choose how to configure UAC, there are some considerations that should be weighed when creating a new security policy.

The elevation prompt

Windows 7 includes a security policy setting that can be used to prevent the elevation prompt from being imitated. This policy setting (User Account Control: Switch to the secure desktop when prompting for elevation) switches the active user desktop to the secure desktop when a process requests elevation. The secure desktop is accessible only to core Windows processes, and malicious software (malware) cannot communicate with it. As a result, no elevation prompt shown on the secure desktop can be controlled by applications on the user desktop. This policy setting is disabled by default in Windows 7.

Applications that are not UAC compliant

Disabling the User Account Control: Run all administrators in Admin Approval Mode policy setting turns UAC off. When UAC is turned off, files and folders are no longer virtualized to per-user locations for applications that are not UAC compliant, and all local administrators are automatically logged on with a full administrative access token. Disabling this setting causes Windows 7 to revert to the Windows XP user model. While some applications that are not compatible with UAC may recommend turning UAC off, it is not necessary to do so, because Windows 7 includes folder and registry virtualization for applications that are not UAC compliant by default. Turning UAC off exposes your computer to system-wide malware installations. If this setting is changed, a system restart is required for the change to take effect.

Unused UAC Group Policy settings

Virtualization is used to enable applications that are not UAC compatible to work properly in Windows 7. If only UAC-compatible applications are used in your environment, the User Account Control: Virtualize file and registry write failures to per-user locations Group Policy setting is unnecessary and can be disabled.

Because installers typically write to protected areas, such as the Program Files folder, the Win32 model usually requires installers to run in an administrative context. The User Account Control: Detect application installations and prompt for elevation policy setting invokes an elevation prompt when an installer is detected. If all available applications are deployed with Configuration Manager or another technology, elevation on installers is not necessary because the elevation is done automatically by the installer service, which runs as SYSTEM. In this type of environment, this policy setting can be disabled.

Application run-time behavior

Whether an application can start depends on the combination of the requested execution level in the application compatibility (shim) database and the user rights available to the user account that starts the application. The following tables identify the run-time behavior of an application for each combination of user privileges and applied shim.

An administrator in Admin Approval Mode

The following table describes the run-time behavior of an application for an administrator based on the User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode policy setting when different shims are installed.

Note that the RunAsInvoker, RunAsHighest and RunAsAdmin column headings in this table name the shim applied from the application compatibility database.

Parent process access token | Policy setting | None or RunAsInvoker | RunAsHighest | RunAsAdmin
--- | --- | --- | --- | ---
Protected admin | Elevate without prompting | Application starts as a standard user without prompting | Application starts with a full administrative access token and with no prompt | Application starts with a full administrative access token and with no prompt
Protected admin | Prompt for consent on the secure desktop | | Application starts with a full administrative access token and prompts for consent on the secure desktop | Application starts with a full administrative access token and prompts for consent on the secure desktop
Protected admin | Prompt for credentials on the secure desktop | | Application starts with a full administrative access token and prompts for credentials on the secure desktop | Application starts with a full administrative access token and prompts for credentials on the secure desktop
Protected admin | Prompt for credentials | | Application starts with a full administrative access token and prompts for credentials on the user's interactive desktop | Application starts with a full administrative access token and prompts for credentials on the user's interactive desktop
Protected admin | Prompt for consent | | Application starts with a full administrative access token and prompts for consent on the user's interactive desktop | Application starts with a full administrative access token and prompts for consent on the user's interactive desktop
Protected admin | Prompt for consent for non-Windows binaries | Non-Windows application starts as a standard user | Non-Windows application starts with a full administrative access token and prompts for consent on the user's interactive desktop | Non-Windows application starts with a full administrative access token and prompts for consent on the user's interactive desktop
Administrator (UAC is disabled) | Not applicable | Application starts with a full administrative access token and with no prompt | Application starts with a full administrative access token and with no prompt | Application starts with a full administrative access token and with no prompt
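The rows of the table above are distinguished by the access token of the parent process: a protected admin in Admin Approval Mode holds a filtered token, an elevated process or an administrator with UAC disabled holds the full administrative token, and a standard user holds neither. The following PowerShell function is an added example (not code from the original article) that classifies the current process token into those rows by parsing whoami /groups. It assumes the well-known SIDs and attribute strings used below: the Administrators group (S-1-5-32-544) is marked "Group used for deny only" in a filtered token, the mandatory integrity label SIDs start with S-1-16-, and the EnableLUA registry value under the UAC policy key mirrors the "Run all administrators in Admin Approval Mode" setting.

```powershell
# Added example, not part of the original article. Classifies the current
# process token as protected admin (filtered), full administrative, or
# standard user. Assumptions: well-known SIDs/attribute text from whoami,
# and the EnableLUA registry value as the backing store for Admin Approval Mode.

function Get-UacTokenState {
    # whoami /groups /fo csv yields columns "Group Name","Type","SID","Attributes"
    $groups = whoami /groups /fo csv | ConvertFrom-Csv

    $admins = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }  # BUILTIN\Administrators
    $label  = $groups | Where-Object { $_.SID -like 'S-1-16-*' }    # Mandatory integrity label

    $isAdminMember = $null -ne $admins
    # In Admin Approval Mode the filtered token keeps the Administrators SID
    # but flags it deny-only, so it grants nothing and only matches deny ACEs.
    $adminDenyOnly = $isAdminMember -and ($admins.Attributes -match 'deny only')

    $integrity = switch ($label.SID) {
        'S-1-16-12288' { 'High' }
        'S-1-16-8192'  { 'Medium' }
        'S-1-16-4096'  { 'Low' }
        default        { $label.SID }
    }

    # EnableLUA = 0 means UAC is off; a missing value is treated as UAC on.
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $enableLua = (Get-ItemProperty -Path $policyKey -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
    $uacOn = ($null -eq $enableLua) -or ($enableLua -ne 0)

    $state = if (-not $isAdminMember) { 'Standard user' }
             elseif ($adminDenyOnly)  { 'Protected admin (filtered token, Admin Approval Mode)' }
             elseif ($uacOn)          { 'Full administrative access token (elevated)' }
             else                     { 'Full administrative access token (UAC is disabled)' }

    New-Object PSObject -Property @{
        User            = (whoami)
        TokenState      = $state
        IntegrityLevel  = $integrity
        AdminGroupAttrs = if ($isAdminMember) { $admins.Attributes } else { '(not a member)' }
        UacEnabled      = $uacOn
    }
}

Get-UacTokenState | Format-List
```

Run it once from a normal PowerShell window and once from a window started with "Run as administrator": the same administrator account reports a Medium-integrity filtered token in the first case and a High-integrity full token in the second, which is exactly the difference between the "Protected admin" and elevated outcomes in the table. A standard user sees "Standard user" in both cases, matching the tables that follow.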

A standard user account

The following table describes the run-time behavior of an application for a standard user based on the User Account Control: Behavior of the elevation prompt for standard users policy setting when different shims are installed.

Note that the RunAsInvoker, RunAsHighest and RunAsAdmin column headings in this table name the shim applied from the application compatibility database.

Parent process access token | Consent policy | RunAsInvoker | RunAsHighest | RunAsAdmin
--- | --- | --- | --- | ---
Standard user | Automatically deny elevation requests | Application starts as a standard user | Application starts as a standard user | Application does not start
Standard user | Prompt for credentials | Application starts as a standard user | Application starts as a standard user | Prompts for administrator credentials on the user's interactive desktop
Standard user | Prompt for credentials on the secure desktop | Application starts as a standard user | Application starts as a standard user | Prompts for administrator credentials on the secure desktop
Standard user (UAC is disabled) | Not applicable | Application starts as a standard user | Application starts as a standard user | Application does not start

A standard user with additional privileges (such as backup operator)

The following table describes the run-time behavior of an application for a standard user with additional privileges based on the User Account Control: Behavior of the elevation prompt for standard users policy setting when different shims are installed.

Note that the RunAsInvoker, RunAsHighest and RunAsAdmin column headings in this table name the shim applied from the application compatibility database.

Parent process access token | Consent policy | RunAsInvoker | RunAsHighest | RunAsAdmin
--- | --- | --- | --- | ---
Standard user | No prompt | Application starts as a standard user | Application does not start | Application does not start
Standard user | Prompt for credentials | Application starts as a standard user | Prompts for credentials, and then runs as a standard user with additional privileges | Prompts for administrator credentials on the user's interactive desktop
Standard user | Prompt for credentials on the secure desktop | Application starts as a standard user | Prompts for credentials, and then runs as a standard user with additional privileges | Prompts for administrator credentials on the secure desktop
Standard user (UAC is disabled) | Not applicable | Application starts as a standard user | Prompts for credentials, and then runs as a standard user with additional privileges | Application does not start

Record settings

Use the following table to record the settings for your organization.

UAC Group Policy setting | Default | Setting for your organization
--- | --- | ---
User Account Control: Admin Approval Mode for the Built-in Administrator account | Disabled |
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop | Disabled |
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | Prompt for consent for non-Windows binaries |
User Account Control: Behavior of the elevation prompt for standard users | Prompt for credentials on the secure desktop |
User Account Control: Detect application installations and prompt for elevation | Enabled (default for home); Disabled (default for enterprise) |
User Account Control: Only elevate executables that are signed and validated | Disabled |
User Account Control: Only elevate UIAccess applications that are installed in secure locations | Enabled |
User Account Control: Run all administrators in Admin Approval Mode | Enabled |
User Account Control: Switch to the secure desktop when prompting for elevation | Enabled |
User Account Control: Virtualize file and registry write failures to per-user locations | Enabled |
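Filling in the "Setting for your organization" column is easier when the live value of each policy can be read from the machine being baselined. The script below is an added example, not code from the original article, that reads the registry values backing the ten UAC policies and reports each one beside the default from the table above, flagging the two settings whose weakening removes the most protection (UAC turned off, and elevation prompts left on the user's interactive desktop). It assumes the standard mapping of policy names to value names under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and the numeric encodings of the prompt behaviours listed in the script; the PSCustomObject syntax needs PowerShell 3.0 or later.

```powershell
# Added example (not Microsoft's code): audits the UAC policy values on the
# local machine against the defaults in the table above.
# Assumption: the policy-name-to-registry-value mapping and the numeric
# encodings below are the standard ones for the UAC policy key.

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Numeric encodings of the multi-valued prompt behaviours.
$AdminPromptNames = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries'
}
$UserPromptNames = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials'
}
$EnabledNames = @{ 0 = 'Disabled'; 1 = 'Enabled' }

# Policy name, backing registry value, decoding map, and the default from the table above.
$Policies = @(
    @{ Name = 'Admin Approval Mode for the Built-in Administrator account';                         Value = 'FilterAdministratorToken';   Map = $EnabledNames;     Default = 'Disabled' },
    @{ Name = 'Allow UIAccess applications to prompt for elevation without using the secure desktop'; Value = 'EnableUIADesktopToggle';     Map = $EnabledNames;     Default = 'Disabled' },
    @{ Name = 'Behavior of the elevation prompt for administrators in Admin Approval Mode';          Value = 'ConsentPromptBehaviorAdmin'; Map = $AdminPromptNames; Default = 'Prompt for consent for non-Windows binaries' },
    @{ Name = 'Behavior of the elevation prompt for standard users';                                 Value = 'ConsentPromptBehaviorUser';  Map = $UserPromptNames;  Default = 'Prompt for credentials on the secure desktop' },
    @{ Name = 'Detect application installations and prompt for elevation';                          Value = 'EnableInstallerDetection';   Map = $EnabledNames;     Default = 'Enabled (home) / Disabled (enterprise)' },
    @{ Name = 'Only elevate executables that are signed and validated';                             Value = 'ValidateAdminCodeSignatures'; Map = $EnabledNames;    Default = 'Disabled' },
    @{ Name = 'Only elevate UIAccess applications that are installed in secure locations';          Value = 'EnableSecureUIAPaths';       Map = $EnabledNames;     Default = 'Enabled' },
    @{ Name = 'Run all administrators in Admin Approval Mode';                                      Value = 'EnableLUA';                  Map = $EnabledNames;     Default = 'Enabled' },
    @{ Name = 'Switch to the secure desktop when prompting for elevation';                          Value = 'PromptOnSecureDesktop';      Map = $EnabledNames;     Default = 'Enabled' },
    @{ Name = 'Virtualize file and registry write failures to per-user locations';                  Value = 'EnableVirtualization';       Map = $EnabledNames;     Default = 'Enabled' }
)

function Get-UacPolicyReport {
    foreach ($p in $Policies) {
        $raw = (Get-ItemProperty -Path $UacKey -Name $p.Value -ErrorAction SilentlyContinue).($p.Value)
        $current = if ($null -eq $raw) { 'Not set (OS default applies)' }
                   elseif ($p.Map.ContainsKey([int]$raw)) { $p.Map[[int]$raw] }
                   else { "Unrecognized value $raw" }
        [pscustomobject]@{
            'UAC Group Policy setting' = "User Account Control: $($p.Name)"
            'Default'                  = $p.Default
            'Current value'            = $current
            'Registry value'           = "$($p.Value)=$raw"
        }
    }
}

$report = Get-UacPolicyReport
$report | Format-Table -AutoSize -Wrap

# Flag the two changes the text above warns about: UAC off (EnableLUA=0) and
# elevation prompts left on the user desktop (PromptOnSecureDesktop=0).
$weak = @('EnableLUA=0', 'PromptOnSecureDesktop=0')
$report | Where-Object { $weak -contains $_.'Registry value' } |
    ForEach-Object { Write-Warning "Weakened UAC setting: $($_.'UAC Group Policy setting')" }
```

Pipe the report to Export-Csv to capture a baseline, then re-run it on other machines and compare the "Current value" column; a value of "Not set" means no policy has written the value and the operating system default from the table applies.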