Unlock The Secret To Bulletproof User Account Control: Simulation Lab 13.2 Exposed


Ever tried to set up a new Windows workstation and got stuck on that little “Do you want to allow the app to make changes to your device?” dialog?
That pop‑up is the face of User Account Control, or UAC, and in a simulation lab it’s the gatekeeper you’ll be wrestling with. In Module 13 of Lab 13.2 the goal isn’t just to click “Yes” – it’s to understand why UAC exists, how to configure it properly, and what the ripple effects are for security and usability.


What Is Simulation Lab 13.2: Module 13 Configuring the User Account Control

In plain English, this lab is a hands‑on sandbox that lets you play with Windows’ built‑in privilege‑elevation system. In practice, you’ll spin up a virtual machine, open the Local Security Policy editor, and toggle the UAC settings that live under the Security Options node. The idea is to see, in real time, how changing the “Admin Approval Mode” or the “Prompt for consent” level reshapes the user experience.

Think of UAC like a bouncer at a club. The bouncer (UAC) checks every request to make sure the person trying to get in (the program) has the right credentials. If the bouncer is too strict, nobody gets past the door. If it’s too lax, anyone can waltz in with a fake ID. Module 13 forces you to find that sweet spot.

The Core Pieces

  • Admin Approval Mode – tells Windows whether administrators must approve their own actions.
  • UAC Prompt Behavior – decides if the prompt appears on the secure desktop (the “Dim” screen) or the normal desktop.
  • Elevation Prompt for Standard Users – controls whether a standard user gets a credential dialog or a simple “No” button.

All of these settings live in the registry under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, but the lab pushes you to use the graphical tools first, then peek at the underlying keys.


Why It Matters / Why People Care

Security teams love UAC because it adds a layer of defense without locking down the entire OS. Developers appreciate it when they can test how their installer behaves under different consent levels. And end users? They just want the computer to work without endless pop‑ups.

If you leave UAC turned off, you’re basically giving every program admin rights by default. That’s a fast track to ransomware or a rogue script wiping your data. On the flip side, cranking it to the highest setting can cripple productivity—imagine a help desk that can’t run a remote script because every step triggers a consent dialog.

In a lab environment, misconfiguring UAC is a safe way to see those consequences without risking a production machine. The short version: **UAC is the first line of defense that balances security with usability.** Getting it right means fewer “Are you sure?” moments and fewer security holes.


How It Works (or How to Do It)

Below is the step‑by‑step walkthrough that the lab expects you to follow. I’ve added a few extra notes that usually get skipped in the official guide.

1. Spin Up the Virtual Machine

  1. Open Hyper‑V or VMware and import the Lab13.2_Base.vhdx.
  2. Allocate at least 2 GB RAM and a 40 GB virtual hard disk.
  3. Boot to the Windows 10 (or Windows 11) image and log in with the admin credentials LabAdmin / P@ssw0rd!.

Pro tip: Snapshots are your friend. Take one before you touch any UAC settings so you can roll back instantly.

2. Open the Local Security Policy Editor

  • Press Win + R, type secpol.msc, and hit Enter.
  • Navigate to Local Policies → Security Options.
  • Scroll down to the entries that start with “User Account Control”.

You’ll see a handful of policies, but the three you’ll tinker with are:

  • Enable LSA protection – not directly UAC, but it affects how credentials are stored.
  • User Account Control: Run all administrators in Admin Approval Mode
  • User Account Control: Behavior of the elevation prompt for administrators

3. Adjust “Admin Approval Mode”

  • Double‑click the policy and set it to Enabled.
  • Click Apply, then OK.

Why? Enabling this forces even local admins to go through the consent dialog, which mirrors how domain‑joined machines behave in most enterprises.

4. Choose the Prompt Behavior

There are four options:

  • Elevate without prompting – No dialog; all admin actions run automatically.
  • Prompt for consent on the secure desktop – Classic dim‑screen prompt; requires clicking “Yes”.
  • Prompt for consent on the user’s desktop – Same prompt, but it appears on the normal desktop (less secure).
  • Prompt for credentials – Standard users must type an admin password; admins just consent.

For the lab, select Prompt for consent on the secure desktop. This is the “default safe” choice and lets you see the secure desktop in action.

5. Tweak the Standard User Prompt

  • Find User Account Control: Behavior of the elevation prompt for standard users.
  • Set it to Prompt for credentials.

Now, if a non‑admin runs an installer, they’ll see a credential box instead of a simple “No”. This mimics a real corporate environment where help desk staff hold the admin password.

6. Verify the Registry Values

Open Regedit and navigate to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

You should see:

  • EnableLUA = 1 (UAC on)
  • ConsentPromptBehaviorAdmin = 2 (secure desktop)
  • ConsentPromptBehaviorUser = 1 (credentials)

If any value looks off, double‑check the policy editor—sometimes the UI and registry get out of sync if you forget to click Apply.
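Here’s a quick drift check you can paste into PowerShell on the VM. It’s an added example, not part of the official lab guide: it reads the Policies\System values, decodes them into the names the policy editor shows (covering all six admin prompt levels Windows defines, not only the four the walkthrough lists), and flags anything that differs from the Step 6 expectations. Adding PromptOnSecureDesktop = 1 to the expected set is my assumption, and the sample object at the end is constructed, not read from a real machine.

```powershell
# Added example (not from the lab guide): read the UAC values under Policies\System,
# decode them into the names secpol.msc shows, and flag drift from the lab's expected state.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# DWORD meanings as documented for the "User Account Control: Behavior of the elevation prompt" policies
$AdminBehavior = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries'
}
$UserBehavior = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials'
}

function Get-UacState {
    # Snapshot of the four values this lab cares about from the live registry
    param([string]$Path = $UacKey)
    $p = Get-ItemProperty -Path $Path
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        ConsentPromptBehaviorUser  = $p.ConsentPromptBehaviorUser
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
    }
}

function Test-UacDrift {
    # Compare an actual state object against the expected values and explain each one
    param(
        [Parameter(Mandatory)]$Actual,
        [hashtable]$Expected = @{
            EnableLUA = 1; ConsentPromptBehaviorAdmin = 2
            ConsentPromptBehaviorUser = 1; PromptOnSecureDesktop = 1   # assumption: secure desktop on
        }
    )
    foreach ($name in $Expected.Keys) {
        $value = $Actual.$name
        $meaning = if ($null -eq $value) { 'not set (built-in default applies)' }
                   elseif ($name -eq 'ConsentPromptBehaviorAdmin') { $AdminBehavior[[int]$value] }
                   elseif ($name -eq 'ConsentPromptBehaviorUser')  { $UserBehavior[[int]$value] }
                   elseif ($value -eq 1) { 'enabled' } else { 'disabled' }
        if (-not $meaning) { $meaning = "unrecognized value $value" }
        [pscustomobject]@{
            Setting  = $name
            Actual   = $value
            Expected = $Expected[$name]
            Meaning  = $meaning
            Drift    = ($value -ne $Expected[$name])   # $true when the box needs attention
        }
    }
}

# Constructed sample (not read from any machine): what a box with UAC switched off looks like
$sample = [pscustomobject]@{ EnableLUA = 0; ConsentPromptBehaviorAdmin = 0
                             ConsentPromptBehaviorUser = 1; PromptOnSecureDesktop = 1 }
Test-UacDrift -Actual $sample | Format-Table -AutoSize

# Live check on this VM
Test-UacDrift -Actual (Get-UacState) | Format-Table -AutoSize
```

Run it once before you touch anything (every Drift column should read False) and again after each policy change; a row that says “not set” means the value has never been written by the policy editor, which is exactly the UI/registry mismatch the paragraph above warns about.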

7. Test the Settings

Open PowerShell as a normal user and run:

Start-Process notepad.exe -Verb runAs

You’ll get the secure desktop prompt. Click Yes; Notepad should open with elevated rights (check the title bar for “Administrator”).

Now log out, log back in as a standard user (e.g., LabUser / Password1), and repeat the command. This time a credential dialog should appear.

If anything behaves oddly—like the prompt not showing at all—reboot the VM. Some UAC changes only fully apply after a restart.


Common Mistakes / What Most People Get Wrong

“I disabled UAC to make my script run, then never turned it back on.”

That’s a classic. Disabling EnableLUA removes the entire consent layer, but it also disables many modern Windows features (SmartScreen, Credential Guard). The lab will flag this as a failure in the final checklist.

“I set the prompt to appear on the user’s desktop because it looks prettier.”

Sure, it looks nicer, but the user’s desktop is vulnerable to spoofing. That means malware can draw a fake dialog that looks identical and trick you into clicking “Yes”. The secure desktop isolates the prompt from anything else on the screen.

“I only changed the admin setting and ignored the standard‑user policy.”

If you forget to adjust the standard‑user prompt, a regular user will just get a “No” button and the app will abort. In a corporate setting that’s a support nightmare.

“I edited the registry directly without using the policy editor.”

The policy editor writes additional metadata that Windows reads at startup. Changing the key alone can work, but you’ll see a warning in the Event Viewer that the policy is “out‑of‑sync”. It’s not fatal, but it’s a red flag for auditors.

“I didn’t take a snapshot before changing anything.”

One wrong click and you’re stuck with a broken UAC configuration that prevents you from installing updates. Snapshots save you hours of re‑imaging.


Practical Tips / What Actually Works

  1. Start with the default settings – they’re the baseline most tutorials assume. Then adjust one variable at a time and test.

  2. Use the secure desktop – it may feel intrusive, but it’s the only truly tamper‑proof prompt.

  3. Document every change – a simple text file in the VM’s C:\LabDocs folder with the date, policy name, and new value keeps you from guessing later.

  4. Use Group Policy – if you eventually move this lab to a domain, the same settings live under Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Security Options.

  5. Combine with AppLocker – UAC handles elevation, AppLocker controls which executables can run. Together they form a solid “defense in depth” strategy.

  6. Watch the Event Log – Security and System logs will show Event ID 4688 (process creation) with a “New Process ID” field that tells you whether the process ran with elevated rights. Great for post‑lab analysis.

  7. Remember the “Prompt on Secure Desktop” toggle – if you ever need to script a change, use PowerShell:

    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
        -Name ConsentPromptBehaviorAdmin -Value 2
    

    Then run gpupdate /force and reboot.


FAQ

Q: Does turning UAC off improve performance?
A: It may shave off a few milliseconds on launch, but the security trade‑off is massive. Modern Windows is optimized to handle the extra prompt without noticeable lag.

Q: Can I set different UAC levels per user?
A: Not directly via the built‑in policies. UAC is a system‑wide setting, but you can use Software Restriction Policies or AppLocker to achieve per‑user restrictions.

Q: What’s the difference between “Admin Approval Mode” and “EnableLUA”?
A: EnableLUA turns the whole UAC subsystem on or off. Admin Approval Mode tells Windows whether even administrators must go through the consent dialog. Both need to be enabled for full UAC functionality.

Q: Will disabling the secure desktop affect remote desktop sessions?
A: Yes. When you’re connected via RDP, the secure desktop prompt may not appear, causing the elevation to fail silently. The recommended workaround is to enable “Prompt for credentials” for administrators in a remote scenario.

Q: How do I reset UAC to Microsoft’s defaults?
A: Open an elevated PowerShell and run:

$defaults = @{
  EnableLUA = 1
  ConsentPromptBehaviorAdmin = 2
  ConsentPromptBehaviorUser = 1
}
$defaults.GetEnumerator() | ForEach-Object {
  Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
    -Name $_.Key -Value $_.Value
}
gpupdate /force

Then reboot.


That’s the whole picture for Simulation Lab 13.2, Module 13. Once you’ve walked through the steps, tweaked a few settings, and seen the prompts in action, you’ll have a solid mental model of how UAC protects a Windows system. And the next time you see a “Do you want to allow…?” pop‑up, you’ll know exactly why it’s there and how to make it work for you, not against you. Happy labbing!

8. Automating UAC Testing with PowerShell Remoting

In a lab environment you’ll often need to verify that a policy change propagates across several virtual machines. PowerShell Remoting (enabled by default on Windows 10 + Server 2016) lets you script the whole UAC‑validation cycle:

# List of target machines
$targets = @('WIN10-01','WIN10-02','WIN10-03')

# Desired UAC configuration (same values used in the FAQ)
$desiredUac = @{
    EnableLUA                     = 1
    ConsentPromptBehaviorAdmin    = 2
    ConsentPromptBehaviorUser     = 1
    PromptOnSecureDesktop         = 1
    EnableVirtualization          = 1
    FilterAdministratorToken      = 1
}

# Function that pushes the registry values, forces a policy refresh, and reports back
function Set-UacConfig {
    param([string]$Computer)

    Invoke-Command -ComputerName $Computer -ScriptBlock {
        param($cfg)
        $regPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
        foreach ($k in $cfg.Keys) {
            Set-ItemProperty -Path $regPath -Name $k -Value $cfg[$k] -Force
        }
        gpupdate /force | Out-Null
        # Return the current state for verification
        Get-ItemProperty -Path $regPath |
            Select-Object EnableLUA, ConsentPromptBehaviorAdmin,
                          ConsentPromptBehaviorUser, PromptOnSecureDesktop,
                          EnableVirtualization, FilterAdministratorToken
    } -ArgumentList $desiredUac -ErrorAction Stop
}

# Run the function on every target and collect the results
$results = foreach ($c in $targets) {
    try {
        $status = Set-UacConfig -Computer $c
        [pscustomobject]@{
            Computer = $c
            Success  = $true
            Settings = $status
        }
    } catch {
        [pscustomobject]@{
            Computer = $c
            Success  = $false
            Error    = $_.Exception.Message
        }
    }
}

$results | Format-Table -AutoSize

What this script does

  • Define $desiredUac – Centralizes the values you want to enforce, making the script easy to adapt for future labs.
  • Set-UacConfig – Pushes each registry key, runs gpupdate /force, and then reads the values back so you can confirm the change without rebooting (the reboot is only required for the secure‑desktop switch).
  • Error handling – If a machine is offline or the remote session fails, you get a clear Success = $false entry with the exception text.
  • Result table – Gives you an at‑a‑glance view of which VMs complied and which need manual attention.

Once the script finishes, you can fire a quick sanity check from any of the VMs:

Start-Process -FilePath "powershell.exe" -Verb RunAs

If the UAC prompt appears, the automation succeeded. If you receive a silent “Access denied” error, double‑check that PromptOnSecureDesktop is set to 1 and that the machine has been rebooted.


9. Common Pitfalls & How to Avoid Them

  • Symptom: No consent dialog appears for an admin‑initiated installer. Likely cause: EnableLUA is set to 0 (UAC disabled) or the machine is running in Safe Mode (UAC is disabled there). Fix: Re‑enable EnableLUA and restart in normal mode.
  • Symptom: Prompt shows but disappears instantly. Likely cause: The Secure Desktop flag (PromptOnSecureDesktop) is disabled while a Group Policy forces the “Elevate without prompting” option for the user. Fix: Align the local registry with the GPO, or modify the GPO to respect the secure desktop.
  • Symptom: Elevation fails over RDP. Likely cause: Remote sessions default to “Prompt for credentials” but the client’s Remote Desktop Connection settings have “Do not allow credential prompts”. Fix: On the client, enable Allow me to save credentials and ensure the server’s Local Security Policy → Security Options → User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode is set to Prompt for credentials.
  • Symptom: AppLocker blocks a legitimate executable after UAC is hardened. Likely cause: The rule set only allows signed binaries from C:\Program Files, but a custom admin tool lives in C:\Tools. Fix: Add a path rule for the custom folder, or sign the binary and add a publisher rule.
  • Symptom: Event‑ID 4688 shows a “high integrity” process, but the UI still asks for consent. Likely cause: The process was launched from a low‑integrity parent (e.g., a sandboxed Edge tab); the child inherits the low integrity and must request elevation. Fix: Run the parent process with normal integrity (e.g., launch the script from an elevated PowerShell) or adjust the sandbox policy.

10. Putting It All Together – A Mini‑Scenario

Goal: Deploy a new internal utility (DeployTool.exe) to 10 workstations while guaranteeing that only domain admins can run it with elevated rights.

  1. Create an AppLocker rule – Publisher rule that allows only binaries signed with the company certificate located in \\fileserver\Deployments\.
  2. Lock down UAC – Set ConsentPromptBehaviorAdmin = 2 (prompt for consent) and enable secure desktop.
  3. Deploy via Group Policy – Use a Computer Configuration → Policies → Software Installation package that copies DeployTool.exe to C:\Program Files\Company\DeployTool.
  4. Validate – Run the PowerShell automation from Section 8 on each workstation, then manually launch the tool on a test machine. You should see a secure‑desktop consent dialog, and the Event Log should contain a 4688 entry with Integrity Level = High after you click Yes.

If any workstation fails at step 3, the automation script will flag it, and you can drill down into the AppLocker event log (Microsoft-Windows-AppLocker/EXE and DLL) to see the exact rule that blocked the copy.
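To back up tip 6 and the validation step above with something you can run, here is an added example (mine, not from the lab guide) that pulls the Token Elevation Type and Mandatory Label out of a Security event 4688, which is where Windows records whether a new process got a full, elevated or limited token. The field names and the %%1936–%%1938 codes are from Microsoft’s documented 4688 event schema; the sample event, the LAB13 domain name, and the Get-WinEvent call at the end (which needs an elevated session and process‑creation auditing enabled) are my additions.

```powershell
# Added example (not from the lab guide): decode elevation details from a Security 4688 event.
# Resource-string codes and Data names follow Microsoft's documented 4688 schema.
$ElevationTypes = @{
    '%%1936' = 'Type 1: full token (UAC off, or built-in Administrator)'
    '%%1937' = 'Type 2: elevated token (user passed the UAC prompt)'
    '%%1938' = 'Type 3: limited token (standard rights, not elevated)'
}
# Integrity SIDs carried in the MandatoryLabel field on Windows 10 and later
$IntegrityLevels = @{
    'S-1-16-4096'  = 'Low'
    'S-1-16-8192'  = 'Medium'
    'S-1-16-12288' = 'High'
    'S-1-16-16384' = 'System'
}

function ConvertFrom-ProcessCreationEvent {
    # Turn the XML of one 4688 event into a flat object with the elevation facts decoded
    param([Parameter(Mandatory)][string]$EventXml)
    $x  = [xml]$EventXml
    $ns = New-Object System.Xml.XmlNamespaceManager($x.NameTable)
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
    $field = { param($n) $x.SelectSingleNode("//e:Data[@Name='$n']", $ns).InnerText }
    $type  = & $field 'TokenElevationType'
    $label = & $field 'MandatoryLabel'
    [pscustomobject]@{
        Time      = [datetime]$x.SelectSingleNode('//e:TimeCreated', $ns).SystemTime
        User      = (& $field 'SubjectDomainName') + '\' + (& $field 'SubjectUserName')
        Process   = & $field 'NewProcessName'
        Elevation = $ElevationTypes[$type]
        Integrity = $IntegrityLevels[$label]
        Elevated  = ($type -eq '%%1937')   # only Type 2 means the consent prompt was passed
    }
}

# Constructed sample event (not captured from a real machine): Notepad launched via the
# secure-desktop consent prompt by LabAdmin, as in Step 7 of the walkthrough
$sampleEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4688</EventID><TimeCreated SystemTime="2024-01-15T10:22:31.000Z"/></System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-1111-2222-3333-1001</Data>
    <Data Name="SubjectUserName">LabAdmin</Data>
    <Data Name="SubjectDomainName">LAB13</Data>
    <Data Name="NewProcessName">C:\Windows\System32\notepad.exe</Data>
    <Data Name="TokenElevationType">%%1937</Data>
    <Data Name="MandatoryLabel">S-1-16-12288</Data>
  </EventData>
</Event>
'@
ConvertFrom-ProcessCreationEvent -EventXml $sampleEvent | Format-List

# Live version: recent process-creation events from this VM, showing only elevated launches
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-ProcessCreationEvent -EventXml $_.ToXml() } |
    Where-Object Elevated |
    Format-Table Time, User, Process, Integrity -AutoSize
```

For the mini‑scenario, run the live query on the test workstation right after clicking Yes on the DeployTool.exe prompt: a Type 2 row with Integrity = High is the evidence that UAC elevated it, while a Type 1 row on the same box is a sign that EnableLUA has been switched off somewhere along the way.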


Conclusion

UAC is far more than a simple “Do you want to allow this?” pop‑up; it is a tightly integrated subsystem that blends kernel‑level token filtering, secure‑desktop isolation, and policy‑driven consent behavior. By mastering the registry keys, the corresponding Group‑Policy settings, and the supporting tooling (Event Viewer, Process Monitor, AppLocker, PowerShell Remoting), you gain the ability to:


  • Audit every elevation request in real time.
  • Enforce a least‑privilege posture across an entire domain.
  • Automate configuration drift detection and remediation.

In Simulation Lab 13.2 the key takeaway is that UAC should be treated as a baseline security control, not an optional inconvenience. When you combine the default “prompt for consent” level with secure‑desktop enforcement, AppLocker whitelisting, and regular log reviews, you create a defense‑in‑depth posture that dramatically reduces the attack surface for both local privilege‑escalation attempts and remote exploitation chains.


So the next time a dialog asks, “Do you want to allow this app to make changes to your device?” you’ll know exactly why it’s there, how it fits into the broader security architecture, and how to tune it so that it protects without impeding productivity. Happy labbing, and may your prompts always be the right ones.
