-
Notifications
You must be signed in to change notification settings - Fork 83
UserAccountControl
dscbot edited this page Dec 11, 2022
·
4 revisions
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| IsSingleInstance | Key | String | Specifies the resource is a single instance, the value must be 'Yes'. | Yes |
| NotificationLevel | Write | String | Specifies the desired notification level for the User Account Control setting. This parameter can not be used at the same time as any of the granular parameters. |
AlwaysNotify, AlwaysNotifyAndAskForCredentials, NotifyChanges, NotifyChangesWithoutDimming, NeverNotify, NeverNotifyAndDisableAll
|
| FilterAdministratorToken | Write | UInt16 | Specifies the mode for the built-in administrator account (RID 500). |
0, 1
|
| ConsentPromptBehaviorAdmin | Write | UInt16 | Specifies the prompt behavior for the Consent Administrator. |
0, 1, 2, 3, 4, 5
|
| ConsentPromptBehaviorUser | Write | UInt16 | Specifies how the operations that requires elevation is handled for users. |
0, 1, 3
|
| EnableInstallerDetection | Write | UInt16 | Specifies how package installations are handled. |
0, 1
|
| ValidateAdminCodeSignatures | Write | UInt16 | Specifies how cryptographic signatures on interactive applications are handled. |
0, 1
|
| EnableLua | Write | UInt16 | Specifies how the 'administrator in Admin Approval Mode' user type are handled. |
0, 1
|
| PromptOnSecureDesktop | Write | UInt16 | Specifies if secure desktop prompting are used. |
0, 1
|
| EnableVirtualization | Write | UInt16 | Specifies how redirection of legacy application File and Registry writes are handled. |
0, 1
|
| SuppressRestart | Write | Boolean | Specifies if a restart of the node should be suppressed. By default the node will be restarted if the value is changed. |
The resource allows you to configure the notification level or granularly configure the User Account Control for the computer.
The parameter NotificationLevel and any of the other granular parameters
are mutual exclusive and will throw an argument exception error.
For the granular properties available in this resource, read more about the possible values in the article User Account Control Group Policy and registry key settings.
The values of the parameter NotificationLevel reflects the
levels available through the User Account Control Settings user interface;
AlwaysNotify, NotifyChanges, NotifyChangesWithoutDimming, and NeverNotify.
The other available values have been added to easier configure different
scenarios, but they can also be configured using the granular properties
of the resource. Available values for the parameter NotificationLevel is:
-
AlwaysNotify: You will be notified before programs make changes to your
computer or to Windows settings that require the permissions of an administrator.
When you're notified, your desktop will be dimmed, and you must either approve
or deny the request in the UAC dialog box before you can do anything else on
your computer. The dimming of your desktop is referred to as the secure desktop
because other programs can't run while it's dimmed. This is the most secure
setting. When you are notified, you should carefully read the contents of each
dialog box before allowing changes to be made to your computer.
This sets the values:
-
ConsentPromptBehaviorAdmin: 2 -
EnableLUA: 1 -
PromptOnSecureDesktop: 1
-
-
AlwaysNotifyAndAskForCredentials: This is the same as the notification level
"AlwaysNotify" with the exception that when you're notified, your desktop will
be dimmed, and you must enter valid credentials to approve the request in the
UAC dialog box.
This sets the values:
-
ConsentPromptBehaviorAdmin: 1 -
EnableLUA: 1 -
PromptOnSecureDesktop: 1
-
-
NotifyChanges: You will be notified before programs make changes to your
computer that require the permissions of an administrator. You will not be notified
if you try to make changes to Windows settings that require the permissions of
an administrator. You will be notified if a program outside of Windows tries
to make changes to a Windows setting. It's usually safe to allow changes to be
made to Windows settings without you being notified. However, certain programs
that come with Windows can have commands or data passed to them, and malicious
software can take advantage of this by using these programs to install files
or change settings on your computer. You should always be careful about which
programs you allow to run on your computer.
This sets the values:
-
ConsentPromptBehaviorAdmin: 5 -
EnableLUA: 1 -
PromptOnSecureDesktop: 1
-
-
NotifyChangesWithoutDimming: You will be notified before programs make
changes to your computer that require the permissions of an administrator.
You will not be notified if you try to make changes to Windows settings that
require the permissions of an administrator. You will be notified if a program
outside of Windows tries to make changes to a Windows setting. This setting is
the same as "NotifyChanges" but you are not notified on the secure desktop.
Because the UAC dialog box isn't on the secure desktop with this setting, other
programs might be able to interfere with the dialog's visual appearance. This
is a small security risk if you already have a malicious program running on
your computer.
This sets the values:
-
ConsentPromptBehaviorAdmin: 5 -
EnableLUA: 1 -
PromptOnSecureDesktop: 0
-
-
NeverNotify: You will not be notified before any changes are made to your
computer. If you are logged on as an administrator, programs can make changes
to your computer without you knowing about it. If you are logged on as a
standard user, any changes that require the permissions of an administrator will
automatically be denied. If you select this setting, you will need to restart
the computer to complete the process of turning off UAC. Once UAC is off, people
that log on as administrator will always have the permissions of an administrator.
This is the least secure setting. When you set UAC to never notify, you open
up your computer to potential security risks. If you set UAC to never notify,
you should be careful about which programs you run, because they will have the
same access to the computer as you do. This includes reading and making changes
to protected system areas, your personal data, saved files, and anything else
stored on the computer. Programs will also be able to communicate and transfer
information to and from anything your computer connects with, including the
Internet.
This sets the values:
-
ConsentPromptBehaviorAdmin: 0 -
EnableLUA: 1 -
PromptOnSecureDesktop: 0
-
-
NeverNotifyAndDisableAll: This is the same as the notification level
"NeverNotify", but in addition EnableLUA registry key is disabled.
EnableLUA controls the behavior of all UAC policy settings for the computer.
If you change this policy setting, you must restart your computer. We
do not recommend using this setting, but it can be selected for systems
that use programs that are not certified for Windows 8, Windows Server 2012,
Windows 7 or Windows Server 2008 R2 because they do not support UAC.
This sets the values:
-
ConsentPromptBehaviorAdmin: 0 -
EnableLUA: 0 -
PromptOnSecureDesktop: 0
-
This configuration will change the notification level for the User Account Control (UAC).
Configuration UserAccountControl_ChangeNotificationLevel_Config
{
Import-DscResource -Module ComputerManagementDsc
Node localhost
{
UserAccountControl 'ChangeNotificationLevel'
{
IsSingleInstance = 'Yes'
NotificationLevel = 'AlwaysNotifyAndAskForCredentials'
}
}
}This configuration will change the notification level for the User Account Control (UAC).
Configuration UserAccountControl_GranularSettings_Config
{
Import-DscResource -Module ComputerManagementDsc
Node localhost
{
UserAccountControl 'SetGranularSettings'
{
IsSingleInstance = 'Yes'
FilterAdministratorToken = 0
ConsentPromptBehaviorAdmin = 5
ConsentPromptBehaviorUser = 3
EnableInstallerDetection = 1
ValidateAdminCodeSignatures = 0
EnableLua = 1
PromptOnSecureDesktop = 1
EnableVirtualization = 1
}
}
}