What’s New in Beta 2? – Group Policy Updates


Since Beta 1, the UAC policies have been adapted to address customer recommendations, strengthen security, and improve usability. Beta 1 included 5 security policies (or Group Policy Objects (GPOs)) and Beta 2 includes 7. The rest of this post details each policy and provides background on why we decided to change or add it in Beta 2.


1. User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode


This setting was formerly called “UAP: Behavior of the elevation prompt for administrators” in Beta 1. There have been no core changes to the implementation of this setting.


Configuration Options:


No prompt: This option allows an administrator in Admin Approval Mode to perform an operation that requires elevation without consent or credentials.  Note: this scenario should only be used in the most constrained environments and is NOT recommended.

Prompt for credentials: An operation that requires a full administrator access token will prompt an administrator in Admin Approval Mode to enter an administrator user name and password.  If the user enters valid credentials the operation will continue with the applicable privilege.

Prompt for consent: Default for home and enterprise. An operation that requires a full administrator access token will prompt the administrator in Admin Approval Mode to select either “Continue” or “Cancel”. If the administrator in Admin Approval Mode selects Continue, the operation will continue with their highest available privilege. “Prompt for consent” removes the inconvenience of requiring that users enter their name and password to perform an administrative task.


2. User Account Control: Behavior of the elevation prompt for standard users


This setting was formerly called “UAP: Behavior of the elevation prompt for standard users” in Beta 1. There have been no core changes to the implementation of this setting.


Configuration Options:


No prompt: Default for enterprise. This option results in an “access denied” error message being returned to the standard user when they try to perform an operation that requires a full administrator access token. Most enterprises running desktops as standard user will configure the “No prompt” policy to reduce help desk calls.


Prompt for credentials: Default for home. An operation that requires a full administrator access token will prompt the user to enter an administrative user name and password.  If the user enters valid credentials the operation will continue with the applicable privilege.


3. User Account Control: Detect application installations and prompt for elevation


This setting was formerly called “UAP: Elevate on application installs” in Beta 1. There have been no core changes to the implementation of this setting.


Configuration Options:


Enabled: Default for home – computers in a workgroup. Application installation packages that require a full administrator access token to install will be heuristically detected and trigger the elevation prompt.


Disabled: Default for enterprise – domain joined computers. Enterprises running standard-user desktops that leverage delegated installation technologies like Group Policy Software Install (GPSI) or SMS will disable this feature. In this case, installer detection is unnecessary and thus not required.


4. User Account Control: Only elevate executables that are signed and validated


This is a new setting in Beta 2.


Configuration Options:


Enabled: This policy will enforce PKI signature checks on any interactive application that requests elevation of privilege. Enterprise administrators can control the allowed list of administrative applications by populating certificates in the local computer’s Trusted Publisher store.


Disabled: Default for home and enterprise. No signature check is enforced on applications that request elevation.


5. User Account Control: Run all administrators in Admin Approval Mode


This setting was formerly called “UAP: Run all users, including administrators, as standard users” in Beta 1. One core change has occurred to this setting since Beta 1 – the built-in Administrator account is now subject to the UAC functionality. By default, this account is disabled in the enterprise and for home computers where it is the only active local administrator.


Configuration Options:


Enabled: Default for home and enterprise. This policy enables the “administrator in Admin Approval Mode” user type while also enabling all other UAC policies. Changing this setting requires a system reboot.


Disabled: Disabling this policy disables the “administrator in Admin Approval Mode” user type. Note: The Windows Security Center will also notify the user that the overall security of the operating system has been reduced and lets the user re-enable it.


6. User Account Control: Switch to the secure desktop when prompting for elevation


This is a new setting for Beta 2.


Configuration Options:


Enabled: Default for home and enterprise. UAC elevation prompts appear on the secure desktop, which is only accessible to Windows processes.


Disabled: UAC elevation prompts appear on the interactive (user) desktop.


For more detail about the secure desktop UX, see Jim Hong’s secure desktop post.


7. User Account Control: Virtualize file and registry write failures to per-user locations


This setting was formerly called “UAP: Virtualize file and registry write failures to per-user locations” in Beta 1. There have been no core changes to the implementation of this setting.


Configuration Options:


Enabled: Default for home and enterprise. This policy enables the redirection of legacy application write failures to defined per-user locations in both the registry and file system. This feature mitigates applications that historically ran as administrator and wrote runtime application data back to %ProgramFiles%, %Windir%, %Windir%\system32 or HKLM\Software\….


Disabled: Virtualization facilitates the running of pre-Vista (legacy) applications that historically failed to run as Standard User. An administrator running only Windows Vista-compliant applications may choose to disable this feature, as it is then unnecessary.
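As an added example (not part of the original post), the following PowerShell script audits a machine's effective UAC policy values against the defaults described above and flags the settings that weaken protection (no prompt for administrators, Admin Approval Mode off, prompts moved off the secure desktop). It assumes the policies are stored as DWORDs under the registry key and value names that Microsoft documented later for these settings; those names are not on this page, and value encodings may differ on Beta builds.

```powershell
# Added example: audit effective UAC policy values against the defaults described in the post.
# Assumption: policies live as DWORDs under this key with the value names below
# (documented later by Microsoft, not taken from this page; Beta encodings may differ).
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Policy number on this page -> value name, default from the post, and the value treated as weak.
$checks = @(
    @{ N=1; Name='ConsentPromptBehaviorAdmin';  Default=2; Weak=0;     Note='0 = no prompt for administrators in Admin Approval Mode' },
    @{ N=2; Name='ConsentPromptBehaviorUser';   Default=1; Weak=$null; Note='0 = no prompt (enterprise default), 1 = prompt for credentials' },
    @{ N=3; Name='EnableInstallerDetection';    Default=1; Weak=$null; Note='0 is expected where GPSI/SMS delivers installs' },
    @{ N=4; Name='ValidateAdminCodeSignatures'; Default=0; Weak=$null; Note='1 = only signed, validated executables may elevate' },
    @{ N=5; Name='EnableLUA';                   Default=1; Weak=0;     Note='0 = Admin Approval Mode off for all administrators' },
    @{ N=6; Name='PromptOnSecureDesktop';       Default=1; Weak=0;     Note='0 = prompts on the interactive desktop, reachable by user processes' },
    @{ N=7; Name='EnableVirtualization';        Default=1; Weak=$null; Note='0 = legacy write failures are no longer redirected' }
)

foreach ($c in $checks) {
    $item = Get-ItemProperty -Path $key -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # An absent value means no explicit policy; the OS default applies.
        $actual = 'not set (default)'
    } else {
        $actual = $item.($c.Name)
    }

    $status = 'OK'
    if ($null -ne $c.Weak -and $actual -is [int] -and $actual -eq $c.Weak) {
        $status = 'WEAK'
    } elseif ($actual -is [int] -and $actual -ne $c.Default) {
        # Not necessarily a problem (e.g. enterprise defaults), but worth a second look.
        $status = 'NON-DEFAULT'
    }

    '{0,-13} #{1} {2,-27} {3,-18} {4}' -f "[$status]", $c.N, $c.Name, $actual, $c.Note
}
```

Run it in an elevated or non-elevated session alike; reading these values requires no special rights, and a WEAK line for policies 1, 5 or 6 is the one an administrator should act on first.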


Comments (9)

  1. pnp0a03 says:

    In this article, you’ve mentioned the default settings of ‘Enterprise’ and ‘home’ … Does it mean Vista Home and Enterprise SKU? Or does it mean only the type of network – Workgroup and domain? I’m confused…

    And, I have a concern about the 3) Installer detection is turned off by default in ‘Enterprise’ – I don’t know exactly what that means. In Microsoft TechNet docs about UAC, it says ‘Installer detection is default on’. And many legacy apps don’t declare the requestedExecutionlevel in their manifest.

  2. Gordon Fecyk says:

    I’ve seen the virtualization process on Windows Server 2003 before, enabled through the Application Compatibility Wizard. But I haven’t had much success with it.  Notably, I tried Three Rings Design’s Puzzle Pirates on it and attempted to play, but the user data it downloads on demand failed to load and wouldn’t appear on the game display.

    Puzzle Pirates is a Java game and I ran the app compatibility wizard on its shortcut, which pointed to an instance of javaw.exe.  Maybe I should have pointed it elsewhere?

    And in another blog posting here (look for "The simplest Vista virus 2.0" and "2.1") I worried that it would be possible to feed input into a security dialog. Aaron assured me that because these dialogs are separated by integrity levels and they run on the Winlogon desktop (and not the user desktop) it was not possible to programmatically feed Admin credentials and automate an elevation process.

    Why, then, do you have a Policy option to switch these security prompts to the user’s desktop and re-enable that nightmare scenario that was jabbed off? It seems rather pointless.

  3. Roopesh says:

    As I see, there are eight UAC settings. You are missing "Admin Approval mode for Built-in Administrator Account". Could you explain that as well?

  4. Seph says:

    I can not find policy #7 in Vista Beta 2 "User Account Control: Virtualize file and registry write failures to per-user locations". Why?

    #1 and #2 are also not visible; instead "Admin Approval mode for Built-in Administrator Account" is available.

  5. Martin wang says:

    In my test, I installed beta2, build 5456, on a ThinkPad notebook. But I CAN NOT install .net framework1.1 on this computer. When I double click the dotnet.exe, a dialog box named "program compatibility assistant" is prompted and the installation fails. I used two notebooks and got the same result. But surprisingly, I successfully installed it on a ThinkPad T43 and failed on a ThinkPad R52 and X40. Can you tell me what I should do?

  6. Yuhong Bao says:

    Vista already has .NET Framework 2.0.

  7. Microsoft Windows Vista comes with a complete new way of implementing Group Policy settings, a new lay-out

  8. Michael says:

    How do I disable "Program Compatibility Assistant"??

  9. dr A Relex says:

    how do I disable the program compatibility assistant?