Open the User Account Control Settings window and explore the settings, ranging from Never Notify to Always Notify, and understand when changing the default settings is warranted. This will help you control when and how Secure Desktop is employed and appears. Explore related Group Policy settings for User Account Control and their available values.
- [Instructor] User Account Control, also called UAC, is a Window's component that helps protect a Window's device from malware, unwanted or unauthorized app installations, and inadvertent changes that affect the computer's health. UAC is responsible for the pop-up that appears that asks for administrator approval when a user tries to make changes to the system. I'll show you this pop-up by opening an elevated command prompt. Here it is. I'll click No for now and return back to the screen. You can change how UAC behaves if you want to.
You can access the settings by searching for User Account Control here in the search box on the Task Bar. Here we go. Change User Account Control Settings. You can change the settings by moving the slider. It's best to leave the setting configured so that you will be notified when apps try to make changes to the computer, that's the default. You can move the slider up, though, to Always Notify. And in this case, you'll also be notified when you try to change Window settings. Microsoft recommends that you never move the slider to Never Notify.
If notifications are disabled, you won't know when system settings are changed or apps are silently installed. I'll put it back up here and click Cancel just to be safe. Although the interface consists only of a simple slider, there are settings in the Group Policy Editor related to UAC. Although the interface consists of only a simple slider, there are settings in Local Security Policy related to UAC. Let's take a look at those. In the search box type Local Security Policy, like so, and click it in the results.
I'll maximize this window and navigate to Security Options. It's under Local Policies, right here. Scroll down and let's find the User Account Control entries. And double-click the first one. This policy setting controls the behavior of Admin Approval Mode for the built in administrator account. If you enable it, the built in administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privileges will prompt the user to approve the operation.
If you disable it, the built in administrator account runs all applications with full administrative privileges. Let's double-click the fourth entry, the one that sets the options for standard users. The default setting is to prompt standard users for credentials. However, if you click the dropdown menu, you'll also see that Deny is an option. From the Explain tab, you can see that when you opt for this, if an operation requires elevation of privilege, a configurable Access Denied error message can be displayed.
An enterprise that is running desktops as standard users may choose this setting to reduce help desk calls. There are some other settings that you can explore. As you do, read what's offered from the Explain tab for more information. What that's trying to tell you is that if you enable something like, say, only elevate executables that are signed and validated, then only executables that are signed and validated will be elevated. As noted earlier, it's best in almost all circumstances to leave UAC configured and enabled so that all users, even administrators, are prompted when apps are installed.
Disabling UAC can result in apps installing silently which can be a source of malware on a system.
Note: The course also maps to the third part of MCSA exam 70-698, Installing and Configuring Windows 10. Taking this course will prepare you for objectives in the Manage and Maintain Windows domain of the test.
- Configuring Windows Update
- Updating Windows apps
- Reviewing event logs
- Using Resource Monitor and Performance Monitor
- Managing security with Windows Defender
- Creating a recovery drive
- Restoring and recovering files
- Recovering the OS with Windows Recovery
- Configuring authorization and authentication
- Securing Windows 10 with passwords
- Joining workgroups and domains
- Creating and using accounts
- Automating tasks with PowerShell