What's New in Beta 2? - Group Policy Updates

Since Beta 1, the UAC policies have adapted to address customer recommendations, enhance security, and to enhance usability. Beta 1 included 5 security policies (or Group Policy Objects (GPOs)) and Beta 2 includes 7. The rest of this post will detail each policy and provide background information about why we decided to change or add the policy in Beta 2.

1. User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode

This setting was formerly called “UAP: Behavior of the elevation prompt for administrators” in Beta 1. There have been no core changes to the implementation of this setting.

Configuration Options:

No prompt: This option allows an administrator in Admin Approval Mode to perform an operation that requires elevation without consent or credentials.  Note: this scenario should only be used in the most constrained environments and is NOT recommended.

Prompt for credentials: An operation that requires a full administrator access token will prompt an administrator in Admin Approval Mode to enter an administrator user name and password.  If the user enters valid credentials the operation will continue with the applicable privilege.

Prompt for consent: Default for home and enterprise. An operation that requires a full administrator access token will prompt the administrator in Admin Approval Mode to select either “Continue” or “Cancel”.   If the administrator in Admin Approval Mode selects Continue, the operation will continue with their highest available privilege. “Prompt for consent” removes the inconvenience of requiring that users enter their name and password to perform an administrative task.

2. User Account Control: Behavior of the elevation prompt for standard users

This setting was formerly called “UAP: Behavior of the elevation prompt for standard users” in Beta 1. There have been no core changes to the implementation of this setting.

Configuration Options:

No prompt: Default for enterprise.This option results in an “access denied” error message being returned to the standard user when they try to perform an operation that requires a full administrator access token.  Most enterprises running desktops as standard user will configure the “No prompt” policy to reduce help desk calls.

Prompt for credentials: Default for home. An operation that requires a full administrator access token will prompt the user to enter an administrative user name and password.  If the user enters valid credentials the operation will continue with the applicable privilege.

3. User Account Control: Detect application installations and prompt for elevation

This settings was formerly called “UAP: Elevate on application installs” in Beta 1. There have been no core changes to the implementation of this setting.

Configuration Options:

Enabled: Default for home – computers in a workgroup. Application installation packages that require a full administrator access token to install will be heuristically detected and trigger the elevation prompt.

Disabled: Default for enterprise – domain joined computers. Enterprises running standard users desktops that leverage delegated installation technologies like Group Policy Software Install (GPSI) or SMS will disable this feature. In this case, installer detection is unnecessary and thus not required.

4. User Account Control: Only elevate executables that are signed and validated

This is a new setting in Beta 2.

Configuration Options:

Enabled: This policy will enforce PKI signature checks on any interactive application that requests elevation of privilege.  Enterprise administrators can control the administrative application allowed list through the population of certificates in the local computers Trusted Publisher Store.

Disabled: Default for home and enterprise. This policy is disabled by default.

5. User Account Control: Run all administrators in Admin Approval Mode

This setting was formerly called “UAP: Run all users, including administrators, as standard users” in Beta 1. One core change has occurred to this setting since Beta 1 – the built-in Administrator account is now subject to the UAC functionality. By default, this account is disabled in the enterprise and for home computers where it is the only active local administrator.

Configuration Options:

Enabled:   Default in home and enterprise. This policy enables the “administrator in Admin Approval Mode” user type while also enabling all other UAC policies.   Changing this setting requires a system reboot.

Disabled: Disabling this policy disables the “administrator in Admin Approval Mode” user type.  Note: The Windows Security Center will also notify that the overall security of the operating system has been reduced and gives the user the ability to self enable.

6. User Account Control: Switch to the secure desktop when prompting for elevation

This is a new setting for Beta 2.

Configuration Options:

Enabled: Default for home and enterprise. UAC elevation prompts appear on the secure desktop, which is only accessible to Windows processes.

Disabled: UAC elevation prompts appear on the interactive (user) desktop.

For more detail about the secure desktop UX, see Jim Hong’s secure desktop post.

7. User Account Control: Virtualize file and registry write failures to per-user locations

This setting was formerly called “UAP: Virtualize file and registry write failures to per-user locations” in Beta 1. There have been no core changes to the implementation of this setting.

Configuration Options:

Enabled: Default for home and enterprise. This policy enables the redirection of legacy application write failures to defined locations in both the registry and file system.  This feature mitigates those applications that historically ran as administrator and wrote runtime application data back to either %ProgramFiles%, %Windir%; %Windir%\system32 or HKLM\Software\....

Disabled: Virtualization facilitates the running of pre-Vista (legacy) applications that historically failed to run as Standard User. An administrator running only Windows Vista compliant applications may choose to disable this feature as it is unnecessary.