User Account Control asks for your consent before running an elevated task or program. This helps protect your infrastructure from malware, but learning how to set the UAC behavior for the admin can improve usability (or tighten security) for your IT environment.
Set UAC to ask for login credentials, or disable it altogether. Discover how to change UAC prompt behavior, key points, and commonly asked questions with our article below.
How to set the UAC behavior for the admin
Knowing how to change UAC prompt behavior opens new possibilities for securing your IT environment. But before you choose which method to use, consider your infrastructure’s needs and technical constraints for seamless rollouts.
📌 Prerequisites:
- Windows 11 (all editions)
- Administrator privileges
📌 Recommended deployment strategies:
Click to Choose a Method | 💻 Best for Individual Users | 💻💻💻 Best for Enterprises |
| Method 1: Local Security Policy | ✓ | |
| Method 2: Registry Editor | ✓ |
Method 1: Configure via Local Security Policy
Easily configure UAC behavior through your administrator tools for local security.
📌 Use Cases: Changing UAC prompt behavior across your enterprise
📌 Prerequisites: Windows 11 Pro, Enterprise, or Education
- Press Win + R, type secpol.msc, and press Enter.
- Navigate to: Local Policies > Security Options
- Double-click User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode.
- Select the desired behavior from the drop-down menu.
- Click OK.
- Restart the workstation to apply your changes.
Method 2: Configure via Registry Editor
⚠️ Warning: Editing the registry can cause system issues. Create a backup before proceeding.
📌 Use Cases: For system-wide changes that affect all users on a workstation
- Press Win + R, type regedit, and press Enter.
- Navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
- Double-click ConsentPromptBehaviorAdmin.
- If you don’t see this value, do the following:
- Right-click on an empty space on the right-hand pane.
- Select New > DWORD (32-bit) Value.
- Name the new value “ConsentPromptBehaviorAdmin”.
- If you don’t see this value, do the following:
- Modify its value to change UAC behavior.
- To elevate without prompting, type 0.
- To prompt for credentials on a secure desktop, type 1.
- To prompt for consent on a secure desktop, type 2.
- To prompt for credentials, type 3.
- To prompt for consent, type 4.
- To prompt for consent for non-Windows programs, type 5.
- Press OK.
- Close Registry Editor.
- Restart the workstation to apply your changes.
⚠️ Things to look out for
Risks | Potential Consequences | Reversals |
| UAC is disabled entirely | Modern apps and security features break |
|
| Misconfigured registry value | UAC behaves erratically | Open the Registry Editor and correct/remove ConsentPromptBehavior |
| Accidentally set to “Elevate without prompting” | Programs are elevated silently, threatening the security posture | Open the Registry Editor and set ConsentPromptBehaviorAdmin’s value to 2 in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System |
💡TIP: Here are the available configuration options for User Account Control, and what they mean:
- Elevate without prompting: Automatically elevates the initiated program or task
- Prompt for credentials on the secure desktop: Displays a protected screen where only the credential prompt receives input
- Prompt for consent on the secure desktop: Asks for a simple Yes/No confirmation on a protected screen
- Prompt for credentials: Asks for credentials on an ordinary prompt
- Prompt for consent: Requests confirmation on an ordinary prompt
- Prompt for consent for non-Windows binaries (default): Prompt asks for consent on third-party programs only
Additional considerations when you elevate UAC behavior
Be aware of the proper ways to apply UAC behavior changes to protect your IT environment from unwanted data loss. Here are the biggest key points for changing UAC en masse.
Reboot your system to apply changes
Firstly, your changes won’t reflect unless you reboot or log back into a workstation. Keep this in mind when deploying UAC changes, especially in environments that need continuous uptime.
Applications may behave differently
On Windows 11, you can set UAC behavior to elevate tasks/programs according to administrator needs. Doing so may cause apps to behave unexpectedly, so always run tests before rolling out any changes.
Standardize prompt behavior
Varying UAC behaviors within your infrastructure can result in inconsistent performance. Therefore, set the User Account Control prompt you want in your golden image or deploy changes at scale with Group Policy Editor.
Avoid using “Elevate without prompting” unless necessary
UAC acts as a security checkpoint for potentially harmful programs. As such, running this UAC setting effectively bypasses any kind of inspection, undermining your security posture. Only elevate without prompting during rare instances.
Elevate UAC behavior responsibly for enhanced security
Knowing how to set the UAC behavior for the admin team adds a valuable skill to your toolbelt, empowering you to uphold cybersecurity policies, streamline workflows, or find a perfect balance of both. Note that this process can greatly impact stability, and always prepare backups.
Quick-Start Guide
NinjaOne provides several ways to manage UAC behavior:
- Through Scripts: NinjaOne has a script template library that includes scripts like “Disable Local Admin Tools” which can help modify administrator-related settings.
- Policy Management: You can create policies that control various system behaviors, including UAC-related settings.
The most straightforward approach would likely be to use a custom script to modify UAC behavior. Here’s a general recommendation:
powershell*Script to modify UAC behavior for administrators*Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "ConsentPromptBehaviorAdmin" -Value 0
This script sets the UAC prompt behavior for administrators to a low-prompt mode.However, I recommend consulting with your IT security team before making such changes, as modifying UAC can have security implications. NinjaOne’s script deployment can help you manage this across multiple devices consistently and safely.
Related topics:
