5

I have a Windows 10 Enterprise machine on which I want to disable UAC completely in order to execute all applications as Administrator by default.
However, my UAC settings keep resetting after every reboot.

I tried the following solutions:

  • Setting the following values in the registry hive HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System:
    • EnableLUA to 0
    • ConsentPromptBehaviorAdmin to 0
  • I even made myself the effective owner of the registry hive above and denied every other user (incl. SYSTEM) permission to modify it.
  • Setting the following group policies:
    • Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Behavior of the elevation prompt for administrators in Admin Approval Mode to Elevate without prompting
    • Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Run all administrators in Admin Approval Mode to Disabled
    • There is another setting somewhere around Computer Configuration\Administrative Templates\System\ ??? which disables the automatic overriding of Group Policy Settings.
  • Reinstalling a fresh copy of Windows 10
  • Writing a script in C# executed on every boot which sets all these settings for me - it did not work as not even Admin Privileges apparently are high enough to change these settings...

None of the above solutions --including the Windows re-installation-- helped resolve the problem.

I am aware that Windows 10 has trouble running the Windows Store and MS Edge etc. when one has UAC completely disabled - but I do not care as I do not use any of these "features".

Does anyone have a solution which I have maybe not yet tried?


As a developer, this drives me completely nuts.


Edit:
Completely disable UAC in Windows 10 is not a duplicate of my question, as I have tested all the proposed solutions in the linked question and they did not work for me (as specified above).

3 Answers

3

Open gpedit.msc and navigate to Computer configuration -> Windows settings -> Security settings -> Local policies -> Security options. Under that, disable User Account Control: Run all administrators in Admin Approval Mode.

Here's what the documentation for Admin approval mode says:

If a computer is upgraded from a previous version of the Windows operating system, and the administrator account is the only account on the computer, the built-in administrator account remains enabled, and this setting is also enabled.

This is indeed the case for me - I have upgraded from Windows 7 Ultimate -> 8.1 -> 10, and mine is the sole administrator account. If that's the case for you too, well - seems this can't be fixed without a fresh install of Windows with a separate administrator account.

Rex
  • 428
2

If your domain Group Policy is overriding your settings, the method described here might work.

To make your life easier, I made a task you can import into Task Scheduler:

<?xml version="1.0"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <URI>\DisableUAC</URI>
  </RegistrationInfo>
  <Triggers>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Microsoft-Windows-GroupPolicy/Operational"&gt;&lt;Select Path="Microsoft-Windows-GroupPolicy/Operational"&gt;*[System[Provider[@Name='Microsoft-Windows-GroupPolicy'] and EventID=8004]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
    </EventTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-18</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT1H</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>%SystemRoot%\System32\reg.exe</Command>
      <Arguments>ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f</Arguments>
    </Exec>
    <Exec>
      <Command>%SystemRoot%\System32\reg.exe</Command>
      <Arguments>ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f</Arguments>
    </Exec>
  </Actions>
</Task>
user541686
  • 23,629
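
For administrators reviewing exported scheduled tasks, an added example (not part of the answer above or of any Microsoft tooling) that parses Task Scheduler XML and reports `reg.exe` actions setting `EnableLUA` or `ConsentPromptBehaviorAdmin` to 0, along with the run-as account and the event IDs that trigger it. The embedded XML is a constructed, trimmed copy of the task above, and `audit_task` is a hypothetical helper name.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
UAC_KEY = r"hklm\software\microsoft\windows\currentversion\policies\system"
# Values under Policies\System that weaken UAC when set to 0.
UAC_VALUES = {"enablelua", "consentpromptbehavioradmin"}

# Constructed sample: a trimmed copy of the task from the answer above.
SAMPLE_TASK = r"""<?xml version="1.0"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <EventTrigger>
      <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Microsoft-Windows-GroupPolicy/Operational"&gt;&lt;Select Path="Microsoft-Windows-GroupPolicy/Operational"&gt;*[System[Provider[@Name='Microsoft-Windows-GroupPolicy'] and EventID=8004]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
    </EventTrigger>
  </Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId></Principal></Principals>
  <Actions Context="Author">
    <Exec>
      <Command>%SystemRoot%\System32\reg.exe</Command>
      <Arguments>ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Captures key, value name and data from a "reg.exe ADD <key> /v <name> ... /d <data>" line.
REG_ADD = re.compile(r'^\s*add\s+"?([^"]+?)"?\s+/v\s+(\S+).*?/d\s+(\S+)', re.I)

def audit_task(xml_text):
    """Return one finding per reg.exe action that sets a UAC policy value to 0."""
    root = ET.fromstring(xml_text)
    run_as = root.findtext(".//t:Principal/t:UserId", default="", namespaces=NS)
    sub = root.findtext(".//t:EventTrigger/t:Subscription", default="", namespaces=NS)
    event_ids = re.findall(r"EventID=(\d+)", sub)
    findings = []
    for ex in root.findall(".//t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS).lower()
        m = REG_ADD.match(ex.findtext("t:Arguments", default="", namespaces=NS))
        if not cmd.endswith("reg.exe") or not m:
            continue
        key = m.group(1).lower().replace("hkey_local_machine", "hklm")
        if key == UAC_KEY and m.group(2).lower() in UAC_VALUES \
                and m.group(3).lower() in ("0", "0x0"):
            findings.append({"value": m.group(2), "run_as": run_as,
                             "trigger_event_ids": event_ids})
    return findings
```

A finding with `run_as` of `S-1-5-18` and trigger event ID 8004 means the task re-applies the UAC change as SYSTEM each time the Group Policy event named in the subscription is logged.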
0

The bug seems to have gone away in the Windows 10 build 1803 / 17134.523.

I will close this question although this is technically not a valid answer to my question.