Disable UAC with Group Policy and set PIN in Windows Hello

• Author
• Recent Posts

Brandon Lee

Brandon Lee has been in the IT industry 15+ years and focuses on networking and virtualization. He contributes to the community through various blog posts and technical documentation primarily at Virtualizationhowto.com.

Latest posts by Brandon Lee (see all)

• What’s your ENow AppGov Score? Free Microsoft Entra ID app security assessment - Thu, Nov 30 2023
• Docker logs tail: Troubleshoot Docker containers with real-time logging - Wed, Sep 13 2023
• dsregcmd: Troubleshoot and manage Azure Active Directory (Microsoft Entra ID) joined devices - Thu, Aug 31 2023

Malicious programs often take advantage of high-level permissions to inflict maximum damage to the endpoint and the network in general. Therefore, logging in and performing daily operations as a non-administrator account is a best practice.

UAC allows users to run applications with administrator tokens instead of the default standard user access token. The user context remains the standard user. However, the apps can run with elevated privileges. When an application needs permissions beyond the standard user, UAC will prompt for credentials. In the UAC prompt, the user can enter administrator credentials to grant the permissions required for the application.

User Account Control prompt for administrator permissions

Use PIN and Windows Hello for UAC

In Windows 10, Microsoft has added the ability to elevate permissions using additional authentication methods. Windows Hello offers more modern and robust alternatives to username and password, even for UAC prompts and simply logging into Windows. Once an administrator configures additional authentication options for the account, such as PIN or Windows Hello, they will also be available on the UAC prompts for standard users.

Configuring a PIN for an admin account in Windows 11

From that point, a standard user can select the More choices option and see the additional authentication methods. If Windows Hello is configured, it will also appear here.

Option to use a PIN for the UAC authentication prompt

No settings for configuring default UAC authentication

As you may have noted above, there is no way to set a method as the default. Apparently, there is also no explicit Group Policy setting for this purpose. The lack of explicit control over this behavior seems to be a pain point across many forums. See the Microsoft forum post here: How to make UAC always default to using Windows Hello Face instead of password.

The option to use Windows Hello is only available and configured by default if the user is tied to a Microsoft account. However, the PIN and password options are available for account elevation for local accounts.

Disable UAC with Group Policy

Organizations can use Group Policy to configure UAC settings and behaviors for all users. Microsoft has included 10 settings you can use to disable UAC or configure its behavior in various conditions.

Viewing User Account Control policy settings in the default domain policy

They are located in Computer Configuration > Windows Settings > Security Settings > Security Options.

Policy settings to note

There are a few policy settings that are worth mentioning with regard to their functionality and the behaviors they control:

• Admin Approval Mode for the built-in Administrator account: According to Microsoft's best practices, it is best not to enable the built-in Administrator account on the client computer but to use a standard user account and UAC. If you enable or need the built-in administrator account enabled, setting this option to Enabled is recommended.
• Switch to a Secure Desktop when prompting for elevation: With this setting enabled, the UAC prompt is run in a protected memory section accessible only by trusted system processes. It helps to reduce the risk of input and output spoofing by an attacker or malicious user.
• Behavior of the elevation prompt for standard users setting: Possible settings are:
  • Automatically deny elevation requests—This returns an "access denied" message.
  • Prompt for credentials on the secure desktop—This ensures that the prompt is carried out using the secure desktop environment.
  • Prompt for credentials—This setting does not enforce using the secure desktop configuration.

UAC protection in Security Baseline

Since local accounts are often reused in many environments and are subject to compromise, a recommended policy setting in the security baseline is called Apply UAC restrictions to local accounts on network logons. When the setting is enabled, UAC filters the access tokens when local accounts are used on network logons. It prevents using a local Administrator group account when accessing resources such as C$, etc. This setting is introduced via the registry here:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
• Create a new DWORD value called LocalAccountTokenFilterPolicy
• 0—Token filtering is enabled (default setting)
• 1—Elevated tokens are allowed

Wrapping up

User Account Control is a security mechanism supporting role-based access and eliminating the age-old problem of making all users local administrators on workstations.

In addition, it helps to decrease the damage that can be inflicted by malware and other malicious programs and helps to support compliance and other security initiatives. However, in some environments, admins can use Group Policy to disable UAC.

The new authentication methods using PIN and Windows Hello help to provide additional passwordless authentication options for administrator accounts, and many of the settings can be controlled using Group Policy in a domain environment.