4

I have a Windows10 Enterprise machine on which I want to disable UAC completely in order to execute all applications as Administrator per default.
However, my UAC settings keep resetting every time after a reboot.

I tried the following solutions:

  • Setting the following values in the registry hive HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System:
    • EnableLUA to 0
    • ConsentPromptBehaviorAdmin to 0
  • I even made myself the effective owner of the registry hive above and denied every other user (incl. SYSTEM) to modify it.
  • Setting the following group policies:
    • Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Behavior of the elevation prompt for adminsitrators in Admin Approval Mode to Elevate without promting
    • Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Run all administrators in Admin Approval Mode to Disabled
    • There is an other setting somewhere around Computer Configuration\Administrative Templates\System\ ??? which disables the automatic overriding of Group Policy Settings.
  • Reinstalling a fresh copy of Windows10
  • Writing a script in C# executed on every boot which sets all these settings for me - it did not work as not even Admin Privileges apparently are high enough to change these settings...

None of the above solutions --including the Windows re-installation-- helped resolving the problem.

I am aware that Windows10 has trouble running the WindowsStore and MSEdge etc. when one has UAC completely disabled - but I do not care as I do not use any of these "features".

Does anyone have a solution which I have maybe not yet tried?

As a developer, this drives me completely nuts.

Edit:
Completely disable UAC in Windows 10 is not a duplicate of my question, as I have tested all the proposed solutions in the linked question and they did not work for me (as specified above).

unknown6656
  • 146
  • 1
  • 1
  • 9
  • 2
    Possible duplicate of [Completely disable UAC in Windows 10](https://superuser.com/questions/1013702/completely-disable-uac-in-windows-10) – Run5k Jul 07 '18 at 17:02
  • @Run5k: Not really, IMO, as the proposed solutions did not work for me (as I already stated in my question). – unknown6656 Jul 07 '18 at 18:03
  • @Biswapriyo: I had the value `PromptOnSecureDesktop` already set to `0` on my machine (You couldn't know that, I did not mention it). However, the 3rd line does not make sense to me, as I need to _disable_ UAC prompt, and not _enable_ it. Setting `EnableLUA` to `1` does enable UAC-prompting according to MS Specifications and to my experience. – unknown6656 Jul 07 '18 at 18:16
  • @Unknown665 We are always glad to help, but please keep in mind that just because the previous solutions didn't work for you does *not* change the fact that it **is** a duplicate question. If the answers within the `Possible duplicate` don't work, it would be much more appropriate to comment within that question accordingly and initiate a bounty to emphasize that new/updated solutions are needed. However, it sounds like you haven't actually tried the solution that Biswapriyo posted. As I said earlier, you may need a combination of settings. – Run5k Jul 07 '18 at 18:31
  • @Biswapriyo: I tried, however, it did not have the intended effect. The settings still reset themselves after two reboots. – unknown6656 Jul 07 '18 at 19:10
  • @Run5k: Yes, you are right -- however, my point was that the UAC settings are not "staying" across (multiple) reboots. I thought it would be better to move the question into a separate thread instead of appending my question to one of the existing threads. – unknown6656 Jul 07 '18 at 19:12
  • But ultimately, you specifically emphasized that *"I want to disable UAC completely."* Needless to say, that is exactly the title of the original question and logically, it's safe to say that the concept of "completely" is encompassed within any subsequent OS reboots. The original question is canonical within Super User: it has numerous up-votes, over 28,000 views, and an accepted answer. As a result, we shouldn't be creating what is essentially a duplicate question. Commenting and initiating a bounty to emphasize that new/updated solutions are needed is much more appropriate. – Run5k Jul 07 '18 at 19:23
  • 1
    If you use Process Monitor (could be boot, can also do shutdown), to monitor the EnableLUA key that is reset - I assume this is at least one that is reverted, it might reveal from the stack of the reg key write operation, the process, module and function from the stack, could provide more insight at least. – HelpingHand Jul 07 '18 at 19:25
  • @HelpingHand: Good Idea - I will try that – unknown6656 Jul 07 '18 at 19:45
  • Just to clarify, you said that this machine is running Windows 10 Enterprise. It isn't actually joined to a domain, is it? – Run5k Jul 07 '18 at 21:21
  • @Run5k it is on a standard network domain, but not a Windows domain, if you were wondering about that. In this sense, one could see the machine as a 'private' machine. – unknown6656 Jul 11 '18 at 00:08
  • Forgive me, but I don't really understand: if that's the case, what type of domain *is* it? Is it managed by network and systems administrators? If so, it would probably be prudent to migrate this question to [Server Fault](https://serverfault.com/), instead. – Run5k Jul 11 '18 at 00:45
  • 2
    @Run5k: The earlier question is from 3 years ago. Windows 10 has had multiple updates since then and Microsoft keep dicking around and removing features that used to work. The fact that it worked for the original user is _irrelevant_ because Windows 10 itself has changed a lot since then. – Rex Jul 23 '18 at 14:34
  • @Rex The earlier question is canonical within the Super User realm: it has an accepted answer, numerous up-votes, and over 29,000 views. Last but certainly not least, the ultimate goal is exactly the same as this question. As a result, it **is** a duplicate. While the OP's concerns are understandable, this should have been addressed within the other question. That being said, based upon the fact that I asked a follow-up question twelve days ago and never received a reply, it's safe to assume that this isn't a pressing issue from the OP's perspective. – Run5k Jul 23 '18 at 18:05
  • @Run5k Do please excuse me for replying so late -- I have been away the past two weeks due to work. The machine is _not_ managed by network admins - it is my private machine (like inside a home-network). It therefore does not run in a domain network. **Rex** is right in saying that Win10 has changed a lot during the last years. Many administrative functions have been reduced drastically compared to Win7 (or even the beginning of Win10). – unknown6656 Jul 24 '18 at 09:34
  • No worries... real life takes precedence. Yes, both you and Rex are right about the changes within the Windows 10 operating system. However, he is definitely **not** right when he claims that the other question *"irrelevant."* As I explained within my last post, it really *is* the same question. Your frustration is understandable, but just because the solutions in the earlier question didn't work for you doesn't change the fact that it is a **duplicate**. The best thing to do would be `Start a bounty` [on the other question](https://superuser.com/q/1013702/650163) and explain why. – Run5k Jul 24 '18 at 12:25
  • @Run5k OK -- I can see your point. I will maybe start a bounty. Thanks for your help. – unknown6656 Jul 24 '18 at 13:37
  • Microsoft has conveniently decided to stop releasing newer Windows versions, and simply go on continuously updating Windows 10, AFAIK, there's not going to be a Windows 11 or 12. So with that in mind, this is like expecting a solution for Windows 7 to still apply in the first release of Windows 10. The number of changes and broken features in the last 3 years makes it almost a different edition of Windows from now. – Rex Jul 25 '18 at 04:45
  • @Rex Unfortunately, within the IT support world we can't afford to make decisions based upon a subjective assessment that says *"almost."* You are obviously very cynical regarding Windows 10 updates, and there is nothing inherently wrong with that. However, that doesn't change the fact that the OP is asking the exact same question. – Run5k Jul 25 '18 at 12:05

3 Answers3

2

Open gpedit.msc and navigate to Computer configuration -> Windows settings -> Security settings -> Local policies -> Security options. Under that, disable User Account Control:Run all administrators in Admin Approval Mode.

Here's what the documentation for Admin approval mode says:

If a computer is upgraded from a previous version of the Windows operating system, and the administrator account is the only account on the computer, the built-in administrator account remains enabled, and this setting is also enabled.

This is indeed the case for me - I have upgraded from Windows 7 Ultimate -> 8.1 -> 10, and mine is the sole administrator account. If that's the case for you too, well - seems this can't be fixed without a fresh install of Windows with a separate administrator account.

Rex
  • 399
  • 1
  • 8
  • 21
0

If your domain Group Policy is overriding your settings, the method described here might work.

To make your life easier, I made a task you can import into Task Scheduler:

<?xml version="1.0"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <URI>\DisableUAC</URI>
  </RegistrationInfo>
  <Triggers>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Microsoft-Windows-GroupPolicy/Operational"&gt;&lt;Select Path="Microsoft-Windows-GroupPolicy/Operational"&gt;*[System[Provider[@Name='Microsoft-Windows-GroupPolicy'] and EventID=8004]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
    </EventTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-18</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT1H</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>%SystemRoot%\System32\reg.exe</Command>
      <Arguments>ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f</Arguments>
    </Exec>
    <Exec>
      <Command>%SystemRoot%\System32\reg.exe</Command>
      <Arguments>ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f</Arguments>
    </Exec>
  </Actions>
</Task>
user541686
  • 23,663
  • 46
  • 140
  • 214
-1

The bug seems to have gone away in the Windows10 build 1803 / 17134.523.

I will close this question although this is technically not a valid answer to my question.

unknown6656
  • 146
  • 1
  • 1
  • 9