Share via

User Account Control GPO

Glenn Maxwell 11,216 Reputation points
2024-09-21T20:07:55.9533333+00:00

Hi All

can anyone please provide me the difference of these GPO settings as i have a requirement to apply this GPO

Computer Configuration-Policies-Windows Settings-Security Settings-Local Policies-Security Options-User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode  

What is the difference between Prompt for consent on the secure desktop & Prompt for consent for non-Windows Binaries

Computer Configuration-Policies-Windows Settings-Security Settings-Local Policies-Security Options-User Account Control: Behavior of the elevation prompt for standard users

What is the difference between Automatically deny elevation requests & prompt for credentials
Windows Server 2019
Windows Server 2019
A Microsoft server operating system that supports enterprise-level management updated to data storage.
3,728 questions
Windows Server 2016
Windows Server 2016
A Microsoft server operating system that supports enterprise-level management updated to data storage.
2,497 questions
Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
13,004 questions
Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,490 questions
Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,824 questions
0 comments
Accepted answer
  1. Marcin Policht 23,155 Reputation points MVP
    2024-09-21T20:39:47.8333333+00:00
    1. User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode

    This setting determines how the User Account Control (UAC) elevation prompt is presented to administrators when an application requests elevated privileges.

    Prompt for consent on the secure desktop:

    • Description: When an application requests elevated privileges, the system switches to the secure desktop (which is a special mode where other applications are paused) to display the UAC prompt. The administrator must click "Yes" to allow the operation.
      • Security: This is a more secure option because it prevents other applications from interfering with or simulating the UAC prompt.
        • User Experience: It interrupts the user by switching to the secure desktop, which can feel more intrusive but provides better security.
        Prompt for consent for non-Windows binaries: 
        - **Description**: The UAC prompt only appears on the secure desktop if a non-Windows (third-party) application requests elevated privileges. For Windows binaries, the elevation occurs without prompting (assuming the administrator is in Admin Approval Mode).

   - **Security**: Slightly less secure because Windows binaries can elevate without prompt, but still provides a safeguard for non-Windows binaries.

      - **User Experience**: This reduces the number of prompts, which can be less disruptive, but with a slight trade-off in security.
    1. User Account Control: Behavior of the elevation prompt for standard users

    This setting controls how UAC handles elevation requests for standard (non-administrator) users.

    Automatically deny elevation requests:

    • Description: When a standard user tries to perform an action that requires elevated privileges, the system automatically denies the request without displaying a UAC prompt.
      • Security: This is the most secure option as it outright blocks any elevation attempts by standard users.
        • User Experience: Standard users won't see any prompts; their actions will simply be denied, which can reduce confusion but may frustrate users who don’t understand why their action was blocked.
        Prompt for credentials: 
        - **Description**: When a standard user attempts an action that requires elevated privileges, a UAC prompt appears asking the user to enter the credentials of an administrator.

   - **Security**: This is less secure than automatically denying the request but allows for the possibility of performing the action if the correct credentials are provided.

      - **User Experience**: This allows standard users to perform elevated actions if they have access to an administrator’s credentials, which can be more flexible but also potentially more risky if credentials are shared or entered on compromised systems.

    Summary of Differences:

    Prompt for consent on the secure desktop vs. Prompt for consent for non-Windows binaries: The former always prompts on the secure desktop for added security, while the latter only does so for non-Windows binaries, reducing prompts but slightly lowering security for Windows binaries.

    • Automatically deny elevation requests vs. Prompt for credentials: The former blocks all elevation requests for standard users without a prompt, maximizing security but reducing flexibility, while the latter allows elevation if valid administrator credentials are provided, offering more flexibility but with increased risk.

    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin

    0 comments

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.