Skip to main content
Group PoliciesWindows 10Windows Server

How to Disable/Change User Account Control with Group Policy

By July 5, 2021March 24th, 2022No Comments

(User Account Control) is an important component of the Windows security. When you run any application or process that requires administrator privileges, trying to change system settings, protected registry keys or system files, the UAC component switches the desktop to protected mode (Secure Desktop) and asks the administrator for confirmation of these actions. In this way, UAC helps prevent the launch of processes and malware that could potentially harm your computer.

The screenshot below shows that when you trying to run Registry Editor (regedit.exe) on Windows 10, a UAC confirmation window appears:

User Account Control
Do you want to allow this app to make changes to your device?
uac confirmation prompt on a secure desktop on windows 10

UAC is not enabled for the built-in administrator account, which is disabled by default in Windows 10.

In this post, we’ll look at how to manage UAC settings on a single computer, or multiple computers in a domain using Group Policies.

User Account Control Slider Levels on Windows 10

In Windows 7 (and newer), the UAC settings on the computer are managed using a special slider (called through the control panel or the UserAccountControlSettings.exe file). Using the slider, you can select one of four predefined User Account Control protection levels.

  • Level 4 — Always notify — the highest UAC protection level;
  • Level 3 — Notify only when programs try to make changes to mycomputer (default) – default protection level;
  • Level 2 — Notify only when programs try to make changes to my computer (do not dim my desktop) – almost the same as the previous level, but without switching to Secure Desktop with desktop locking;
  • Level 1 — Never notify – UAC is disabled.
UAC Slider in Windows

By default in Windows 10, the UAC protection Level 3 is used, which displays a notification only when you try to change system files or settings.

How to Disable User Account Control in Windows Using GPO?

In most cases, it is not recommended to disable UAC completely. User Account Control is a simple but effective Windows security tool. In my practice, I never disable UAC on users’ computers without making sure that UAC blocks certain functions. Even in these cases, there are simple workarounds to disable UAC for a specific application, or run apps without admin rights and suppress the UAC prompt.

You can disable UAC using Group Policy. On a standalone computer, you can use the Local Group Policy Editor gpedit.msc. If you need to deploy the policy to domain computers, you need to use the Group Policy Management Console – gpmc.msc.

  1. In the domain GPO Management Console, click on the OU with computers on which you want to disable UAC and create a new policy object;
  2. Edit the policy and go to the section Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options;
  3. This section has several options that control the UAC settings. The names of these parameters start with User Account Control;
  4. To completely disable UAC, set the following parameter values:
    • User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode = Elevate without prompting;
    • User Account Control: Detect application installations and prompt for elevation = Disabled;
    • User Account Control: Run all administrators in Admin Approval Mode = Disabled;
    • User Account Control: Only elevate UIAccess applications that are installed in secure locations = Disabled.
  5. You need to restart client computer in order to update the Group Policy settings and disable UAC. After reboot, UAC will switch to “Never notify” mode.

You can also disable UAC only for some users/computers via the registry, and deploy the settings through Group Policy Preferences.

Create a new registry parameter under GPO section Computer Configuration -> Preferences -> Windows Settings -> Registry with the following settings:

  • Action: Replace
  • Hive: HKEY_LOCAL_MACHINE
  • Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  • Value name: EnableLUA
  • Value type: REG_DWORD
  • Value data: 0
EnableLUA registry parameter to disabe user account control on windows 10

Then go to the Common tab and enable the options:

  • Remove this item when it is no longer applied
  • Item-Level targeting

Click the Targeting button and specify the computers or domain security groups to which you want to apply the UAC disable policy.

UAC Registry Key Settings

You can manage UAC settings through the registry. The parameters responsible for the behavior of User Account Control are located under the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System .

When you change the value of the UAC slider in the Control Panel, Windows changes the value of the registry settings from this reg key as follows (below are ready REG files for different levels of the User Account Control slider):

UAC level 4 (Always notify):

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:00000002
"ConsentPromptBehaviorUser"=dword:00000003
"EnableInstallerDetection"=dword:00000001
"EnableLUA"=dword:00000001
"EnableVirtualization"=dword:00000001
"PromptOnSecureDesktop"=dword:00000001
"ValidateAdminCodeSignatures"=dword:00000000
"FilterAdministratorToken"=dword:00000000

UAC level 3 (Notify only when programs try to make changes to my computer):

"ConsentPromptBehaviorAdmin"=dword:00000005
"ConsentPromptBehaviorUser"=dword:00000003
"EnableInstallerDetection"=dword:00000001
"EnableLUA"=dword:00000001
"EnableVirtualization"=dword:00000001
"PromptOnSecureDesktop"=dword:00000001
"ValidateAdminCodeSignatures"=dword:00000000
"FilterAdministratorToken"=dword:00000000

UAC level 2:

"ConsentPromptBehaviorAdmin"=dword:00000005
"ConsentPromptBehaviorUser"=dword:00000003
"EnableInstallerDetection"=dword:00000001
"EnableLUA"=dword:00000001
"EnableVirtualization"=dword:00000001
"PromptOnSecureDesktop"=dword:00000000
"ValidateAdminCodeSignatures"=dword:00000000
"FilterAdministratorToken"=dword:00000000

UAC level 1 (Never notify — completely disable UAC):

"ConsentPromptBehaviorAdmin"=dword:00000000
"ConsentPromptBehaviorUser"=dword:00000003
"EnableInstallerDetection"=dword:00000001
"EnableLUA"=dword:00000001
"EnableVirtualization"=dword:00000001
"PromptOnSecureDesktop"=dword:00000000
"ValidateAdminCodeSignatures"=dword:00000000
"FilterAdministratorToken"=dword:00000000
uac registry settings

You can change the value of any parameter using the Registry Editor GUI or from the command prompt. For example, to disable UAC on the computer (a reboot is required), you can run the command:

reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f.

Or a similar PowerShell command:

New-ItemProperty -Path HKLM:Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -PropertyType DWord -Value 0 -Force

There is another registry parameter in this thread, LocalAccountTokenFilterPolicy, which is often referred to as Remote UAC. This parameter restricts remote connections to default administrative shares under local user accounts with administrator privileges.

User Account Control on Windows Server

User Account Control in Windows Server works and is managed in the same way as it is on Windows desktop editions.

It is acceptable to completely disable UAC in Windows Server 2016/2019 if the following conditions are true:

  • Only administrators have remote access to the server desktop (RDP access to the server for non-admin users must be disabled). On RDS hosts, leave UAC enabled;
  • Administrators should only use Windows Server for administrative management tasks. The administrator should work with office documents, messengers, web browsers only on workstation under a non-privileged user account with UAC enabled, and not on server hosts.

UAC is always disabled in Windows Server Core editions.

When UAC is enabled, Windows Server doesn’t allow connecting remotely under local computer accounts (via net use, winrm, Powershell Remoting). The user’s token will be filtered by the enabled UAC LocalAccountTokenFilterPolicy parameter (discussed in the previous section).

UAC Slider and Group Policy Settings

You can manage UAC settings both using the slider and GPO. But there is no single Group Policy parameter that allows to select one of the four UAC protection levels (corresponding to the position of the UAC slider). It is suggested to manage UAC settings using 10 different GPO parameters instead. These policies are located in the following section of GPO editor: Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options. UAC-related Group Policy parameters start with User Account Control.

User Account Control Policy

The following table shows the list of UAC Group Policy parameters and their corresponding register keys.

Policy NameRegistry Parameter Set by the Policy
User Account Control: Admin Approval Mode for the Built-in Administrator accountFilterAdministratorToken
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktopEnableUIADesktopToggle
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval ModeConsentPromptBehaviorAdmin
User Account Control: Behavior of the elevation prompt for standard usersConsentPromptBehaviorUser
User Account Control: Detect application installations and prompt for elevationEnableInstallerDetection
User Account Control: Only elevate executables that are signed and validatedValidateAdminCodeSignatures
User Account Control: Only elevate UIAccess applications that are installed in secure locationsEnableSecureUIAPaths
User Account Control: Run all administrators in Admin Approval ModeEnableLUA
User Account Control: Switch to the secure desktop when prompting for elevationPromptOnSecureDesktop
User Account Control: Virtualize file and registry write failures to per-user locationsEnableVirtualization

By default, UAC Level 3 uses the following Group Policy settings:

UAC Level 3 (default)
Admin Approval Mode for the Built-in Administrator account = Disabled
Allow UIAccess applications to prompt for elevation without using the secure desktop = Disabled
Behavior of the elevation prompt for administrators in Admin Approval Mode = Prompt for consent for non-Windows binaries
Behavior of the elevation prompt for standard users = Prompt for credentials on the secure desktop
Detect application installations and prompt for elevation = Enabled  (for Workgroup), Disabled (for domain-joined Windows device)
Only elevate executables that are signed and validated = Disabled
Only elevate UIAccess applications that are installed in secure locations = Enabled
Run all administrators in Admin Approval Mode = Enabled
Switch to the secure desktop when prompting for elevation = Enabled
Virtualize file and registry write failures to per-user locations = Enabled

Leave a Reply