How to turn on "only elevate executables that are signed and validated" setting

Question

I'm running Windows 10 Home, and I want to make sure that unsigned executables don't run (or at least I get a popup making sure that I want to run them).

I found this page, but I cannot for the life of me figure out how to enable this.

It gives me a location to the setting:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

But that's not an absolute path. From where do I follow that path? Is this only available to Windows 10 Pro installs perhaps? Is this already enabled?

My UAC settings are set to the max (see picture here). Is that enough?

Answer 1

Is that enough?

It absolutely is not enough. The default setting for this particular group policy is set to disabled, changing the UAC settings, does not enable the policy in question.

Is this only available to Windows 10 Pro installs perhaps? Is this already enabled?

You can only edit the group policy, through the group policy editor, on Windows 10 Professional and/or Windows Server. It is possible to manually add the group policy editor (gpedit) to Windows 10 Home.

The group policy you want to enable is: User Account Control: Only elevate executables that are signed and validated and by default it is disabled.

Of course, the simplest approach only requires editing the following registry key.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures

You will have to set the value from Disabled with a value of 0 to Enabled 1.

Sources

• User Account Control Group Policy and registry key settings

• User Account Control: Only elevate executables that are signed and validated