Check if UAC is enabled

Quick Description This Automation Policy determines if User Access Control (UAC) is enable/disabled.
Applies To N-central 9.0.x
Last Revised Feb. 20, 2012

Overview

This Automation Policy retrieves the value of the following HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System registry keys to determine if User Access Control is enable or disabled on the remote device:

  • ConsentPromptBehaviorAdmin
  • ConsentPromptBehaviorUser
  • EnableLUA

They can be configured with a number of values, as shown in the table below.

The UAC setting is typically set using a slider bar on the UAC Settings dialog box, accessible through the Control Panel. On certain operating system platforms, moving this setting to its lowest level (Never Notify), disables UAC. Any other value enables UAC.

On other operating system platforms (usually those with higher security requirements – such as servers and enterprise editions), UAC cannot be disabled through the UAC dialog. That is, even when the UAC setting is at its lowest level, UAC may still be enabled.

Regardless of which environment the operating system platform is in, the Is UAC Enabled AM object checks the value of the UAC setting based on the value of the slider bar, and reports it as disabled if the setting is set to its minimum value; any other value will report UAC as enabled.

Potential to disable UAC!

Set the value for these keys as follows:

  • ConsentPromptBehaviorAdmin = 1
  • ConsentPromptBehaviorUser = 1
  • EnableLUA = 1

Setting any of the values to 0 will disable UAC, regardless of the value of the EnableLUA key.

Key Value Description

ConsentPromptBehaviorAdmin

(Defines the User Account Control behaviour for system administrators.)

0 Allows an administrator to perform operations that require elevated privileges without consent (prompts) or authentication (credentials).
1 Requires the administrator to enter a username and password when operations require elevated privileges on a secure device.
2 Displays the UAC prompt that needs to be permitted or denied on a secure device. No authentication is required.
3 Prompts for credentials to access the device.
4 Displays the UAC prompt for consent to access the device.
5 The default value. Prompts for consent for non-Windows binaries.

ConsentPromptBehaviorUser

(Defines the User Account Control behaviour for standard users.)

0 Automatically denies any operation that requires elevated privileges if attempted by a standard user.
1 Displays a prompt to enter the username and password of an administrator to run the operation with elevated privileges on the secure desktop.
3 The default value. Prompts for credentials on a secure desktop.
EnableLUA 0 Disables UAC.
1 Enables UAC.

Input parameters

No input parameters are required.

Automation policy

Outcome

Whether or not User Access Control is enabled on the device is displayed.

Troubleshooting

There is no troubleshooting available.