locked
User Account Control Behaviour RRS feed

  • Question

  • I've Set Up User Account Control Group Policy with the following

    Admin Approval Mode for the Built-in Administrator account = Disabled

    Allow UIAccess applications to prompt for elevation without using the secure desktop = Disabled

    Behavior of the elevation prompt for administrators in Admin Approval Mode = Prompt for consent on the secure desktop

    Behaviour of the elevation prompt for standard users = Prompt for credentials

    Detect application installations and prompt for elevation = Enabled

    Only elevate executables that are signed and validated = Disabled

    Only elevate UIAccess applications that are installed in secure locations = Enabled

    Run all administrators in Admin Approval Mode = Enabled

    Switch to the secure desktop when prompting for elevation = Enabled

    Virtualize file and registry write failures to per-user locations = Enabled

    And attached the GPO to a OU with Computer Objects

    Now it is my understanding that UAC should prompt for admin credentials when the following occurs:

    User Tries to Install Any Application from ANY Source : The credentials prompt pops up but user can click on Cancel for the install to continue. Some Programs don't prompt UAC and install anyway

    User modifies any Windows Setting: Aren't such settings supposed to have the "UAC Sheild" next to them. Some do like Change Date Time. Others don't

    I'm trying not to have to go around and intentionally hide Windows Settings  rather than having to log the user off their session to preform any troubleshooting or installs we may have to do

    Am i asking too much of UAC

    Thursday, February 21, 2019 9:46 AM

Answers

  • You are welcome

    You can try this UAC policy configuration


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, February 26, 2019 7:58 AM

All replies

  • >>User Tries to Install Any Application from ANY Source : The credentials prompt pops up but user can click on Cancel for the install to continue. Some Programs don't prompt UAC and install anyway

    No, when user click Cancel, installation will not be executed. Please note, only admin accounts can install desktop programs. Standard user need to enter admin credential.

    >>User modifies any Windows Setting: Aren't such settings supposed to have the "UAC Sheild" next to them. Some do like Change Date Time. Others don't

    Yes, User can modify those settings that don’t have shield sign, the setting with shield needs admin credential.

    Regards


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, February 22, 2019 2:56 AM
  • >>User Tries to Install Any Application from ANY Source : The credentials prompt pops up but user can click on Cancel for the install to continue. Some Programs don't prompt UAC and install anyway

    >>>No, when user click Cancel, installation will not be executed. Please note, only admin accounts can install desktop programs. Standard user need to enter admin credential.

    Then i am experiencing abnormal behaviour as i can click on Cancel when UAC pops up and the install will continue. It seems this is application dependant i.e. ITunes wont install Firefox will Also

    Also when Managing Optional Features UAC pops up. Clicking Cancel opens the Optional Features Window. I would expect it to do nothing

    >>User modifies any Windows Setting: Aren't such settings supposed to have the "UAC Sheild" next to them. Some do like Change Date Time. Others don't

    >>>Yes, User can modify those settings that don’t have shield sign, the setting with shield needs admin credential. This makes sense Thank You

    • Edited by Volts Friday, February 22, 2019 12:19 PM
    Friday, February 22, 2019 12:02 PM
  • You are welcome

    You can try this UAC policy configuration


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, February 26, 2019 7:58 AM