- What’s your ENow AppGov Score? Free Microsoft Entra ID app security assessment - Thu, Nov 30 2023
- Docker logs tail: Troubleshoot Docker containers with real-time logging - Wed, Sep 13 2023
- dsregcmd: Troubleshoot and manage Azure Active Directory (Microsoft Entra ID) joined devices - Thu, Aug 31 2023
Malicious programs often take advantage of high-level permissions to inflict maximum damage to the endpoint and the network in general. Therefore, logging in and performing daily operations as a non-administrator account is a best practice.
UAC allows users to run applications with administrator tokens instead of the default standard user access token. The user context remains the standard user. However, the apps can run with elevated privileges. When an application needs permissions beyond the standard user, UAC will prompt for credentials. In the UAC prompt, the user can enter administrator credentials to grant the permissions required for the application.
Use PIN and Windows Hello for UAC
In Windows 10, Microsoft has added the ability to elevate permissions using additional authentication methods. Windows Hello offers more modern and robust alternatives to username and password, even for UAC prompts and simply logging into Windows. Once an administrator configures additional authentication options for the account, such as PIN or Windows Hello, they will also be available on the UAC prompts for standard users.
From that point, a standard user can select the More choices option and see the additional authentication methods. If Windows Hello is configured, it will also appear here.
No settings for configuring default UAC authentication
As you may have noted above, there is no way to set a method as the default. Apparently, there is also no explicit Group Policy setting for this purpose. The lack of explicit control over this behavior seems to be a pain point across many forums. See the Microsoft forum post here: How to make UAC always default to using Windows Hello Face instead of password.
The option to use Windows Hello is only available and configured by default if the user is tied to a Microsoft account. However, the PIN and password options are available for account elevation for local accounts.
Disable UAC with Group Policy
Organizations can use Group Policy to configure UAC settings and behaviors for all users. Microsoft has included 10 settings you can use to disable UAC or configure its behavior in various conditions.
They are located in Computer Configuration > Windows Settings > Security Settings > Security Options.
|Group Policy setting||Registry key||Default|
|User Account Control: Admin Approval Mode for the built-in Administrator account||FilterAdministratorToken||Disabled|
|User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop||EnableUIADesktopToggle||Disabled|
|User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode||ConsentPromptBehaviorAdmin||Prompt for consent for non-Windows binaries|
|User Account Control: Behavior of the elevation prompt for standard users||ConsentPromptBehaviorUser||Prompt for credentials|
|User Account Control: Detect application installations and prompt for elevation||EnableInstallerDetection||Enabled (default for home)|
Disabled (default for enterprise)
|User Account Control: Only elevate executables that are signed and validated||ValidateAdminCodeSignatures||Disabled|
|User Account Control: Only elevate UIAccess applications that are installed in secure locations||EnableSecureUIAPaths||Enabled|
|User Account Control: Run all administrators in Admin Approval Mode||EnableLUA||Enabled|
|User Account Control: Switch to the secure desktop when prompting for elevation||PromptOnSecureDesktop||Enabled|
|User Account Control: Virtualize file and registry write failures to per-user locations||EnableVirtualization||Enabled|
Policy settings to note
There are a few policy settings that are worth mentioning with regard to their functionality and the behaviors they control:
- Admin Approval Mode for the built-in Administrator account: According to Microsoft's best practices, it is best not to enable the built-in Administrator account on the client computer but to use a standard user account and UAC. If you enable or need the built-in administrator account enabled, setting this option to Enabled is recommended.
- Switch to a Secure Desktop when prompting for elevation: With this setting enabled, the UAC prompt is run in a protected memory section accessible only by trusted system processes. It helps to reduce the risk of input and output spoofing by an attacker or malicious user.
- Behavior of the elevation prompt for standard users setting: Possible settings are:
- Automatically deny elevation requests—This returns an "access denied" message.
- Prompt for credentials on the secure desktop—This ensures that the prompt is carried out using the secure desktop environment.
- Prompt for credentials—This setting does not enforce using the secure desktop configuration.
UAC protection in Security Baseline
Since local accounts are often reused in many environments and are subject to compromise, a recommended policy setting in the security baseline is called Apply UAC restrictions to local accounts on network logons. When the setting is enabled, UAC filters the access tokens when local accounts are used on network logons. It prevents using a local Administrator group account when accessing resources such as C$, etc. This setting is introduced via the registry here:
- Create a new DWORD value called LocalAccountTokenFilterPolicy
- 0—Token filtering is enabled (default setting)
- 1—Elevated tokens are allowed
User Account Control is a security mechanism supporting role-based access and eliminating the age-old problem of making all users local administrators on workstations.
In addition, it helps to decrease the damage that can be inflicted by malware and other malicious programs and helps to support compliance and other security initiatives. However, in some environments, admins can use Group Policy to disable UAC.
The new authentication methods using PIN and Windows Hello help to provide additional passwordless authentication options for administrator accounts, and many of the settings can be controlled using Group Policy in a domain environment.