Windows 10 UAC Prompt question

  • Question

  • When I installed Windows 10 on my laptop, the default local user account is added in the Admin Group.

    I prefer to use this account, as no one else is using my laptop, only myself.

    I set UAC prompt level to the maximum which is Prompt For Consent on the Secure Desktop. I also checked under Local Security Policy that there is also an option to select Prompt for Credentials on the Secure Desktop.

    Which one would be more secure below? Prompt For Consent on the Secure Desktop or Prompt for Credentials on the Secure Desktop? 



    • Edited by A.Slayton Wednesday, August 7, 2019 2:53 PM
    Wednesday, August 7, 2019 2:52 PM

All replies

  • Prompt for credentials on the secure desktop:

    When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege.

    Prompt for consent on the secure desktop:

    When an operation requires elevation of privilege, the user is prompted on the secure desktop to select Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.

    The first option means you need to enter your credentials all the time; the second one means you just need to click Permit. The first one is more secure.

    Detailed explanation here, please note the best practices:

    User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode

    https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode

    Regards


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, August 8, 2019 2:09 AM
    Moderator
  • All I need to know is which UAC elevation option is more secure.

    Since I am the only local Admin account using my laptop, is it required to disable the following Group Policy setting as shown from the below webpage?

    The below Group Policy, is this only used to prevent malware from knowing the user account name? Because since I know my user name and the only one using my laptop, would this Group Policy setting be unnecessary? 

    https://getadmx.com/?Category=Windows_10_2016&Policy=Microsoft.Policies.CredentialsUI::EnumerateAdministrators



    • Edited by A.Slayton Thursday, August 8, 2019 4:15 AM
    Thursday, August 8, 2019 4:06 AM
  • Yes, for your scenario, it is unnecessary.

    • Marked as answer by A.Slayton Saturday, August 31, 2019 3:47 PM
    Friday, August 30, 2019 8:11 AM
    Moderator
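
The settings discussed in this thread can be read back from the registry to confirm what is actually in effect. The PowerShell below is an added example, not code from any poster in the thread; it only reads values, and it assumes the standard policy locations under `HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies` (the helper name `Get-PolicyValue` is hypothetical).

```powershell
# Added example: read-only report of the UAC values discussed in this thread.
$system = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$credUi = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI'

# Hypothetical helper: returns $null when the key or value is absent,
# which means the policy has not been configured explicitly.
function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

# Meaning of ConsentPromptBehaviorAdmin ("Behavior of the elevation prompt
# for administrators in Admin Approval Mode").
$adminPrompt = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries'
}

$behavior  = Get-PolicyValue $system 'ConsentPromptBehaviorAdmin'
$enableLua = Get-PolicyValue $system 'EnableLUA'
$secureDsk = Get-PolicyValue $system 'PromptOnSecureDesktop'
$enumAdmin = Get-PolicyValue $credUi 'EnumerateAdministrators'

# Translate the raw DWORD into the policy wording, handling missing
# and unexpected values instead of failing.
$behaviorText =
    if ($null -eq $behavior) { 'not set (Windows default applies)' }
    elseif ($adminPrompt.ContainsKey([int]$behavior)) { $adminPrompt[[int]$behavior] }
    else { "unrecognized value $behavior" }

$enumText = switch ($enumAdmin) {
    $null   { 'not configured' }
    0       { 'disabled: administrator accounts are not listed in the prompt' }
    1       { 'enabled: administrator accounts are listed in the prompt' }
    default { "unrecognized value $enumAdmin" }
}

[pscustomobject]@{
    AdminApprovalMode       = if ($enableLua -eq 0) { 'OFF (UAC disabled)' } else { 'on' }
    AdminElevationPrompt    = $behaviorText
    PromptOnSecureDesktop   = if ($null -eq $secureDsk) { 'not set' } else { [bool]$secureDsk }
    EnumerateAdministrators = $enumText
} | Format-List
```

On the original poster's laptop, `AdminElevationPrompt` would read "Prompt for consent on the secure desktop" (value 2); switching the Local Security Policy option to credentials changes it to value 1.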