Enabled: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege prompts the user to approve the operation.
Disabled (default): The built-in Administrator account runs all applications with full administrative privilege.
Enabled: UIA programs, including Remote Assistance, automatically disable the secure desktop for elevation prompts. If you don't disable the Switch to the secure desktop when prompting for elevation policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop. This setting allows the remote administrator to provide the appropriate credentials for elevation. This policy setting doesn't change the behavior of the UAC elevation prompt for administrators. If you plan to enable this policy setting, you should also review the effect of the Behavior of the elevation prompt for standard users policy setting: if it's configured as Automatically deny elevation requests, elevation requests aren't presented to the user.
Disabled (default): The secure desktop can be disabled only by the user of the interactive desktop or by disabling the Switch to the secure desktop when prompting for elevation policy setting.
Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Use this option only in the most constrained environments.
Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege.
Prompt for consent on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
Prompt for consent: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
Prompt for consent for non-Windows binaries (default): When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
Prompt for credentials (default): When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
Automatically deny elevation requests: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls.
Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
Enabled (default): When an app installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
Disabled: App installation packages aren't detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies, such as Microsoft Intune, should disable this policy setting. In this case, installer detection is unnecessary.
Enabled: Enforces the certificate certification path validation for a given executable file before it's permitted to run.
Disabled (default): Doesn't enforce the certificate certification path validation before a given executable file is permitted to run.
- %ProgramFiles%, including subfolders
- %SystemRoot%\system32\
- %ProgramFiles(x86)%, including subfolders
Enabled (default): If an app resides in a secure location in the file system, it runs only with UIAccess integrity.
Disabled: An app runs with UIAccess integrity even if it doesn't reside in a secure location in the file system.
Note: Windows enforces a digital signature check on any interactive app that requests to run with a UIAccess integrity level, regardless of the state of this setting.
Enabled (default): Admin Approval Mode is enabled. This policy must be enabled and related UAC settings configured. The policy allows the built-in Administrator account and members of the Administrators group to run in Admin Approval Mode.
Disabled: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, Windows Security notifies you that the overall security of the operating system is reduced.
Enabled (default): All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users.
Disabled: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used.
%ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software.
Enabled (default): App write failures are redirected at run time to defined user locations for both the file system and registry.
Disabled: Apps that write data to protected locations fail.
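
A read-only audit of the settings described above, as an added example that is not part of the original page. The registry path, value names and numeric encodings come from Microsoft's UAC registry documentation rather than from this page, which lists only the option text.

```powershell
# Added example: report local UAC policy values and flag the ones whose option
# text above describes reduced protection. Reads only; changes nothing.
# Value names and encodings are from Microsoft's UAC registry documentation, not this page.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Flag = values to flag for review; Why = the option text that applies to a flagged value.
$checks = @(
    @{ Name = 'EnableLUA';                   Flag = @(0); Why = 'Admin Approval Mode and all related UAC policy settings are disabled' }
    @{ Name = 'PromptOnSecureDesktop';       Flag = @(0); Why = "Elevation requests go to the interactive user's desktop" }
    @{ Name = 'ConsentPromptBehaviorAdmin';  Flag = @(0); Why = 'Elevate without prompting: no consent or credentials required' }
    @{ Name = 'FilterAdministratorToken';    Flag = @(0); Why = 'Built-in Administrator runs all applications with full administrative privilege' }
    @{ Name = 'EnableUIADesktopToggle';      Flag = @(1); Why = 'UIA programs can disable the secure desktop for elevation prompts' }
    @{ Name = 'EnableSecureUIAPaths';        Flag = @(0); Why = 'UIAccess integrity is granted outside the secure file system locations' }
    # Reported for completeness; no value of these is flagged by this example.
    @{ Name = 'ConsentPromptBehaviorUser';   Flag = @();  Why = '' }
    @{ Name = 'EnableInstallerDetection';    Flag = @();  Why = '' }
    @{ Name = 'ValidateAdminCodeSignatures'; Flag = @();  Why = '' }
    @{ Name = 'EnableVirtualization';        Flag = @();  Why = '' }
)

$props = Get-ItemProperty -Path $key -ErrorAction Stop

$report = foreach ($c in $checks) {
    # Look the value up by name so a missing value yields $null instead of an error.
    $p = $props.PSObject.Properties[$c.Name]
    $value = $null
    if ($p) { $value = $p.Value }

    if ($null -eq $value)             { $status = 'NotSet' }
    elseif ($c.Flag -contains $value) { $status = 'Review' }
    else                              { $status = 'OK' }

    $detail = ''
    if ($status -eq 'Review') { $detail = $c.Why }

    [pscustomobject]@{
        Setting = $c.Name
        Value   = $value
        Status  = $status
        Detail  = $detail
    }
}

$report | Format-Table -AutoSize -Wrap
```

`FilterAdministratorToken` shows as `Review` at its default of 0, because the Disabled (default) option above leaves the built-in Administrator account running with full administrative privilege.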