How to Disable/Change User Account Control with Group Policy?

(User Account Control) is an important component of the Windows security. When you run any application or process that requires administrator privileges, trying to change system settings, protected registry keys or system files, the UAC component switches the desktop to protected mode (Secure Desktop) and asks the administrator for confirmation of these actions. In this way, UAC helps prevent the launch of processes and malware that could potentially harm your computer.

The screenshot below shows that when you trying to run Registry Editor (regedit.exe) on Windows 10, a UAC confirmation window appears:

User Account Control
Do you want to allow this app to make changes to your device?

In this article, we’ll look at how to manage UAC settings on a single computer, or multiple computers in a domain using Group Policies.

User Account Control Slider Levels on Windows 10

In Windows 7 (and newer), the UAC settings on the computer are managed using a special slider (called through the control panel or the UserAccountControlSettings.exe file). Using the slider, you can select one of four predefined User Account Control protection levels.

• Level 4 — Always notify — the highest UAC protection level;
• Level 3 — Notify only when programs try to make changes to mycomputer (default) – default protection level;
• Level 2 — Notify only when programs try to make changes to my computer (do not dim my desktop) – almost the same as the previous level, but without switching to Secure Desktop with desktop locking;
• Level 1 — Never notify – UAC is disabled.

By default in Windows 10, the UAC protection Level 3 is used, which displays a notification only when you try to change system files or settings.

How to Disable User Account Control in Windows Using GPO?

You can disable UAC using Group Policy. On a standalone computer, you can use the Local Group Policy Editor gpedit.msc. If you need to deploy the policy to domain computers, you need to use the Group Policy Management Console – gpmc.msc (let’s consider this option).

1. In the domain GPO Management Console, click on the OU with computers on which you want to disable UAC and create a new policy object;
2. Edit the policy and go to the section Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options;
3. This section has several options that control the UAC settings. The names of these parameters start with User Account Control;
4. To completely disable UAC, set the following parameter values:
   • User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode = Elevate without prompting;
   • User Account Control: Detect application installations and prompt for elevation = Disabled;
   • User Account Control: Run all administrators in Admin Approval Mode = Disabled;
   • User Account Control: Only elevate UIAccess applications that are installed in secure locations = Disabled.
5. You need to restart client computer in order to update the Group Policy settings and disable UAC. After reboot, UAC will switch to “Never notify” mode.

You can also disable UAC only for some users/computers via the registry, and deploy the settings through Group Policy Preferences.

Create a new registry parameter under GPO section Computer Configuration -> Preferences -> Windows Settings -> Registry with the following settings:

• Action: Replace
• Hive: HKEY_LOCAL_MACHINE
• Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
• Value name: EnableLUA
• Value type: REG_DWORD
• Value data: 0

Then go to the Common tab and enable the options:

• Remove this item when it is no longer applied
• Item-Level targeting

Click the Targeting button and specify the computers or domain security groups to which you want to apply the UAC disable policy.

UAC Registry Key Settings

You can manage UAC settings through the registry. The parameters responsible for the behavior of User Account Control are located under the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System .

When you change the value of the UAC slider in the Control Panel, Windows changes the value of the registry settings from this reg key as follows (below are ready REG files for different levels of the User Account Control slider):

UAC level 4 (Always notify):

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:00000002
"ConsentPromptBehaviorUser"=dword:00000003
"EnableInstallerDetection"=dword:00000001
"EnableLUA"=dword:00000001
"EnableVirtualization"=dword:00000001
"PromptOnSecureDesktop"=dword:00000001
"ValidateAdminCodeSignatures"=dword:00000000
"FilterAdministratorToken"=dword:00000000

UAC level 3 (Notify only when programs try to make changes to my computer):

"ConsentPromptBehaviorAdmin"=dword:00000005
"ConsentPromptBehaviorUser"=dword:00000003
"EnableInstallerDetection"=dword:00000001
"EnableLUA"=dword:00000001
"EnableVirtualization"=dword:00000001
"PromptOnSecureDesktop"=dword:00000001
"ValidateAdminCodeSignatures"=dword:00000000
"FilterAdministratorToken"=dword:00000000

UAC level 2:

"ConsentPromptBehaviorAdmin"=dword:00000005
"ConsentPromptBehaviorUser"=dword:00000003
"EnableInstallerDetection"=dword:00000001
"EnableLUA"=dword:00000001
"EnableVirtualization"=dword:00000001
"PromptOnSecureDesktop"=dword:00000000
"ValidateAdminCodeSignatures"=dword:00000000
"FilterAdministratorToken"=dword:00000000

UAC level 1 (Never notify — completely disable UAC):

"ConsentPromptBehaviorAdmin"=dword:00000000
"ConsentPromptBehaviorUser"=dword:00000003
"EnableInstallerDetection"=dword:00000001
"EnableLUA"=dword:00000001
"EnableVirtualization"=dword:00000001
"PromptOnSecureDesktop"=dword:00000000
"ValidateAdminCodeSignatures"=dword:00000000
"FilterAdministratorToken"=dword:00000000

You can change the value of any parameter using the Registry Editor GUI or from the command prompt. For example, to disable UAC on the computer (a reboot is required), you can run the command:

reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f.

Or a similar PowerShell command:

New-ItemProperty -Path HKLM:Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -PropertyType DWord -Value 0 -Force

User Account Control on Windows Server

User Account Control in Windows Server works and is managed in the same way as it does on Windows desktop editions.

It is acceptable to completely disable UAC in Windows Server 2016/2019 if the following conditions are true:

• Only administrators have remote access to the server desktop (RDP access to the server for non-admin users must be disabled). On RDS hosts, leave UAC enabled;
• Administrators should only use Windows Server for administrative management tasks. The administrator should work with office documents, messengers, web browsers only on workstation under a non-privileged user account with UAC enabled, and not on server hosts.

When UAC is enabled, Windows Server doesn’t allow connecting remotely under local computer accounts (via net use, winrm, Powershell Remoting). The user’s token will be filtered by the enabled UAC LocalAccountTokenFilterPolicy parameter (discussed in the previous section).

UAC Slider and Group Policy Settings

You can manage UAC settings both using the slider and GPO. But there is no single Group Policy parameter that allows to select one of the four UAC protection levels (corresponding to the position of the UAC slider). It is suggested to manage UAC settings using 10 different GPO parameters instead. These policies are located in the following section of GPO editor: Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options. UAC-related Group Policy parameters start with User Account Control.

The following table shows the list of UAC Group Policy parameters and their corresponding register keys.

By default, UAC Level 3 uses the following Group Policy settings:

UAC Level 3 (default)