Step 6. Click OK to close the shortcut Properties dialog box.
Caution
If you are logged on using the default Administrator account created when you installed Windows 10, you do not receive any UAC prompts. Do not use this account except under emergency conditions. Best practices recommend that this account remain disabled; it is disabled by default in Windows 10.
Configuring User Account Control
In Windows 10, as already mentioned, you can configure several levels of UAC that determine whether prompts are displayed and how they appear on the screen. Open Control Panel, select System and Security, and then select Change User Account Control Settings under Security and Maintenance.
Alternatively, you can type User Account Control into the taskbar Search field and then select this option from the Search list. Select from the
following options, click OK, and then accept the UAC prompt that appears:
• Always Notify Me When: Windows displays a UAC prompt whenever you make changes to Windows settings or programs try to install software or make changes to your computer. This behavior is similar to that of Vista.
• Notify Me Only When Apps Try to Make Changes to My Computer (Default): The default setting in Windows 8.1, this setting does not prompt you when you make changes to Windows settings. You are prompted on the secure desktop (that is, the desktop dims) when you perform higher-level actions, such as installing programs or accessing the Registry Editor.
• Notify Me Only When Programs Try to Make Changes to My
Computer (Do Not Dim My Desktop): Similar to the default setting, except that the desktop does not dim when a UAC prompt appears. With this setting, you can ignore the UAC prompt and continue performing tasks other than the task that is requesting approval.
• Never Notify Me When: Disables UAC completely. You are not notified if apps try to install software or make changes to your computer, or when you make changes to Windows settings. This setting is not recommended; you should use it only when absolutely necessary to run a program that displays the red shield icon mentioned earlier in this section.
Caution
If you select the Never Notify Me When option, Windows 10 will not let you run any Windows Store apps.
User Account Control Policies
Microsoft has provided a series of policies in Windows 10 Group Policy that govern the behavior of UAC. These policies are available from the Group Policy Management Editor snap-in (gpedit.msc) or from the Local Security
Policy snap-in.
You can use this procedure to configure the following UAC policies:
• Admin Approval Mode for the Built-in Administrator: Governs the behavior of the built-in Administrator account. When enabled, this account displays the UAC prompt for all actions requiring elevated privileges. When disabled, this account runs all actions with full administrative privileges. This policy is disabled by default.
• Allow UIAccess Applications to Prompt for Elevation Without Using the Secure Desktop: Determines whether User Interface Accessibility (UIAccess) programs can automatically disable the secure desktop with a standard user. When enabled, these programs (such as Remote Assistance) automatically disable the secure desktop for elevation prompts. When disabled, the application runs with UIAccess integrity regardless of its location in the file system. Note that UI (User Interface) Access-application programs and accessibility tools are used by developers to push input to
higher desktop windows that require the uiAccess flag to be equal to true (i.e.
uiAccess=true). Also, the application program that wishes to receive the uiAccess privilege must reside on the hard drive in a trusted location and be digitally signed. This policy is disabled by default.
• Behavior of the Elevation Prompt for Administrators in Admin Approval Mode: Determines the behavior of the UAC prompt for administrative users. This policy has the following options:
• Prompt for Consent for Non-Windows Binaries: Prompts a user on the secure desktop to select either Permit or Deny when a non-Microsoft program needs elevated privileges. Select Permit to run the action with the highest possible privileges. This option is the default setting.
• Prompt for Consent: Prompts a user to select either Permit or Deny when an action runs that requires elevated privileges. Select Permit to run the action with the highest possible privileges.
• Prompt for Credentials: Prompts for an administrative username and password when an action requires administrative privileges, but does not
display the secure desktop. When selected, administrative users receive the prompt a prompt similar to Figure 7-32, requiring administrator credentials.
• Prompt for Consent on the Secure Desktop: Prompts a user to select either Permit or Deny on the secure desktop when an action runs that requires elevated privileges. Select Permit to run the action with the highest possible privileges.
• Prompt for Credentials on the Secure Desktop: Prompts for an
administrative username and password on the secure desktop when an action requires administrative privileges. When selected, administrative users will receive a UAC prompt requiring username and password for the
administrator account.
• Elevate Without Prompting: Enables the administrator to perform the action without consent or credentials. In other words, the administrator receives Admin Approval mode automatically. This setting is not recommended for normal environments.
• Behavior of the Elevation Prompt for Standard Users: Determines the behavior of the UAC prompt for nonadministrative users. This policy has the following options:
• Prompt for Credentials: Displays a prompt to enter an administrative username and password when a standard user attempts to run an action that requires elevated privileges. This option is the default setting.
• Prompt for Credentials on the Secure Desktop: Displays a prompt on the secure desktop to enter an administrative username and password when a standard user attempts to run an action that requires elevated privileges.
• Automatically Deny Elevation Requests: Displays an Access is Denied message when a standard user attempts to run an action that requires elevated privileges.
• Detect Application Installations and Prompt for Elevation: When
enabled, displays a UAC prompt when a user installs an application package that requires elevated privileges. When disabled, domain-based Group Policy
or other enterprise-level technologies govern application installation behavior. This option is enabled by default in an enterprise setting and disabled by default in a home setting.
• Only Elevate Executables That Are Signed and Validated: When enabled, performs public key infrastructure (PKI) signature checks on executable programs that require elevated privileges before they are
permitted to run. When disabled, no PKI checks are performed. This option is disabled by default.
• Only Elevate UIAccess Applications That Are Installed in Secure Locations: When enabled, runs applications only with UIAccess integrity if situated in a secure location within the file system, such as %ProgramFiles%
or %Windir%. When disabled, the application runs with UIAccess integrity regardless of its location in the file system. This option is disabled by default.
• Run All Administrators in Admin Approval Mode: When enabled, enforces Admin Approval Mode and other UAC policies. When disabled, all UAC policies are disabled and no UAC prompts are displayed. In addition, the Windows Security Center notifies the user when disabled and offers the option to enable UAC. This option is enabled by default.
• Switch to the Secure Desktop When Prompting for Elevation: When enabled, displays the secure desktop when a UAC prompt appears. When disabled, the UAC prompt remains on the interactive user’s desktop. This option is enabled by default.
• Virtualize File and Registry Write Failures to Per User Locations:
When enabled, redirects application write failures for pre-Windows 10 applications to defined locations in the Registry and the file system, such as
%ProgramFiles%, %Windir%, or %Systemroot%. When disabled,
applications that write to protected locations fail, as was the case in previous Windows versions. This option is enabled by default.
Caution
If you disable the Run All Administrators in Admin Approval Mode policy
setting, you disable UAC completely and no prompts will appear for actions requiring elevated privileges. This leaves your computer wide open for attack by malicious software. Do not disable this setting at any time!
Note
For more details on Group Policy Object settings for UAC, see “User Account Control Group Policy and Registry Key Settings” at
https://technet.microsoft.com/en-us/itpro/windows/keep-secure/user-account- control-group-policy-and-registry-key-settings.
Supporting Authentication and Authorization
For the 70-697 exam, you will need to understand Windows authentication methods and authorization technologies and be able to support them and resolve issues for users.