User Account Control helps to implement proper permission levels for users accessing systems. Instead of needing administrator privileges, UAC allows admins to set up standard user permissions for users and escalate privileges in a granular way. In corporate networks, admins can use Group Policy to configure various UAC settings, including disabling UAC. Thanks to Windows Hello, you can now use a PIN for UAC.

Malicious programs often take advantage of high-level permissions to inflict maximum damage to the endpoint and the network in general. Therefore, logging in and performing daily operations as a non-administrator account is a best practice.

UAC allows a user to run a specific application with an administrator access token instead of the default standard user access token. The user's session context remains that of a standard user; only the elevated application runs with administrator privileges. When an application needs permissions beyond those of a standard user, UAC prompts for credentials, and the user can enter administrator credentials in the UAC prompt to grant the permissions the application requires.

User Account Control prompt for administrator permissions


Use PIN and Windows Hello for UAC

In Windows 10, Microsoft has added the ability to elevate permissions using additional authentication methods. Windows Hello offers more modern and robust alternatives to username and password, even for UAC prompts and simply logging into Windows. Once an administrator configures additional authentication options for the account, such as PIN or Windows Hello, they will also be available on the UAC prompts for standard users.

Configuring a PIN for an admin account in Windows 11


From that point, a standard user can select the More choices option and see the additional authentication methods. If Windows Hello is configured, it will also appear here.

Option to use a PIN for the UAC authentication prompt


No settings for configuring default UAC authentication

As you may have noted above, there is no way to set a method as the default. Apparently, there is also no explicit Group Policy setting for this purpose. The lack of explicit control over this behavior seems to be a pain point across many forums. See the Microsoft forum post here: How to make UAC always default to using Windows Hello Face instead of password.

The option to use Windows Hello is only available and configured by default if the user is tied to a Microsoft account. However, the PIN and password options are available for account elevation for local accounts.

Disable UAC with Group Policy

Organizations can use Group Policy to configure UAC settings and behaviors for all users. Microsoft has included 10 settings you can use to disable UAC or configure its behavior in various conditions.

Viewing User Account Control policy settings in the default domain policy


They are located in Computer Configuration > Windows Settings > Security Settings > Security Options.

| Group Policy setting | Registry value | Default |
|---|---|---|
| User Account Control: Admin Approval Mode for the built-in Administrator account | FilterAdministratorToken | Disabled |
| User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop | EnableUIADesktopToggle | Disabled |
| User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | ConsentPromptBehaviorAdmin | Prompt for consent for non-Windows binaries |
| User Account Control: Behavior of the elevation prompt for standard users | ConsentPromptBehaviorUser | Prompt for credentials |
| User Account Control: Detect application installations and prompt for elevation | EnableInstallerDetection | Enabled (default for home); Disabled (default for enterprise) |
| User Account Control: Only elevate executables that are signed and validated | ValidateAdminCodeSignatures | Disabled |
| User Account Control: Only elevate UIAccess applications that are installed in secure locations | EnableSecureUIAPaths | Enabled |
| User Account Control: Run all administrators in Admin Approval Mode | EnableLUA | Enabled |
| User Account Control: Switch to the secure desktop when prompting for elevation | PromptOnSecureDesktop | Enabled |
| User Account Control: Virtualize file and registry write failures to per-user locations | EnableVirtualization | Enabled |

Policy settings to note

There are a few policy settings that are worth mentioning with regard to their functionality and the behaviors they control:

  • Admin Approval Mode for the built-in Administrator account: According to Microsoft's best practices, it is best not to enable the built-in Administrator account on the client computer but to use a standard user account and UAC. If you enable or need the built-in administrator account enabled, setting this option to Enabled is recommended.
  • Switch to a Secure Desktop when prompting for elevation: With this setting enabled, the UAC prompt is run in a protected memory section accessible only by trusted system processes. It helps to reduce the risk of input and output spoofing by an attacker or malicious user.
  • Behavior of the elevation prompt for standard users setting: Possible settings are:
    • Automatically deny elevation requests—This returns an "access denied" message.
    • Prompt for credentials on the secure desktop—This ensures that the prompt is carried out using the secure desktop environment.
    • Prompt for credentials—This setting does not enforce using the secure desktop configuration.

UAC protection in Security Baseline

Since local accounts are often reused across many machines and are therefore a common target for compromise, the security baseline recommends the policy setting Apply UAC restrictions to local accounts on network logons. When the setting is enabled, UAC filters the access token of any local account that logs on over the network. A local account that is a member of the Administrators group then cannot obtain a full administrator token remotely, for example when connecting to administrative shares such as C$. The setting maps to the following registry value:

  • Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  • Value: a DWORD named LocalAccountTokenFilterPolicy
  • 0—Token filtering is enabled (default setting)
  • 1—Elevated (full administrator) tokens are allowed for local accounts on network logons
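The table of UAC policy settings above and the baseline setting LocalAccountTokenFilterPolicy all live under the same registry key, so a defender can audit a machine's effective UAC posture in one read-only pass. The following PowerShell script is an added example and is not code from the original article or from Microsoft: it reads every value named in the table plus LocalAccountTokenFilterPolicy, decodes the two prompt-behavior values into their policy wording, and reports drift from an expected state. The expected values in $expected are an assumed hardened profile chosen for this example (for instance, consent on the secure desktop for administrators), not Microsoft's defaults; replace them with your own baseline before using the output for compliance checks.

```powershell
# Added example (not from the original article): audit the registry values that back
# the UAC Group Policy settings, plus LocalAccountTokenFilterPolicy, and report drift.
# Read-only; no value is changed.

$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Expected state: an ASSUMED hardened profile for this example, not the OS defaults.
$expected = [ordered]@{
    EnableLUA                     = 1   # Run all administrators in Admin Approval Mode
    FilterAdministratorToken      = 1   # Admin Approval Mode for the built-in Administrator
    ConsentPromptBehaviorAdmin    = 2   # Prompt for consent on the secure desktop
    ConsentPromptBehaviorUser     = 1   # Prompt for credentials on the secure desktop
    PromptOnSecureDesktop         = 1   # Switch to the secure desktop when prompting
    EnableInstallerDetection      = 1   # Detect application installations and prompt
    ValidateAdminCodeSignatures   = 0   # Only elevate signed executables (off here)
    EnableSecureUIAPaths          = 1   # Only elevate UIAccess apps from secure locations
    EnableUIADesktopToggle        = 0   # UIAccess apps may not bypass the secure desktop
    EnableVirtualization          = 1   # Virtualize file/registry write failures
    LocalAccountTokenFilterPolicy = 0   # 0 = token filtering on (baseline), 1 = full token
}

# Policy wording for the two prompt-behavior values (standard Windows encodings).
$adminPrompt = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries'
}
$userPrompt = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials'
}

function Get-UacAuditReport {
    $current = Get-ItemProperty -Path $uacKey -ErrorAction Stop

    foreach ($name in $expected.Keys) {
        $prop  = $current.PSObject.Properties[$name]
        $value = if ($prop) { [int]$prop.Value } else { $null }

        # LocalAccountTokenFilterPolicy is absent by default, which means 0 (filtering on).
        if ($null -eq $value -and $name -eq 'LocalAccountTokenFilterPolicy') { $value = 0 }

        $meaning = if ($null -eq $value) {
            '(not set: Windows default from the policy table applies)'
        } elseif ($name -eq 'ConsentPromptBehaviorAdmin') {
            $adminPrompt[$value]
        } elseif ($name -eq 'ConsentPromptBehaviorUser') {
            $userPrompt[$value]
        } else {
            $null
        }

        [pscustomobject]@{
            Setting   = $name
            Current   = if ($null -eq $value) { '(not set)' } else { $value }
            Expected  = $expected[$name]
            Meaning   = $meaning
            Compliant = ($null -ne $value -and $value -eq $expected[$name])
        }
    }
}

# Usage: print the report, then list only the settings that drift from the baseline.
$report = Get-UacAuditReport
$report | Format-Table -AutoSize
$report | Where-Object { -not $_.Compliant } |
    ForEach-Object { Write-Warning "UAC drift: $($_.Setting) is $($_.Current), expected $($_.Expected)" }
```

A value that is "(not set)" is not automatically a finding: when Group Policy has never written the value, Windows applies the default shown in the policy table, so treat the "(not set)" rows by consulting that table. Run the script from a scheduled task or a configuration-management check on each workstation and alert on any row with Compliant set to False; an unexpected EnableLUA of 0 or LocalAccountTokenFilterPolicy of 1 is exactly the kind of change worth a detection rule.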

Wrapping up

User Account Control is a security mechanism supporting role-based access and eliminating the age-old problem of making all users local administrators on workstations.

In addition, it helps to decrease the damage that can be inflicted by malware and other malicious programs and helps to support compliance and other security initiatives. However, in some environments, admins can use Group Policy to disable UAC.

The new authentication methods using PIN and Windows Hello help to provide additional passwordless authentication options for administrator accounts, and many of the settings can be controlled using Group Policy in a domain environment.

© 4sysops 2006 - 2022
