13

I'm trying to disable UAC (i.e. set to the minimum level) using Powershell. So I'm running:

Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name EnableLUA -Value 0

I've also tried this with -Force added on the end.

This code has the intended effect of setting UAC to minimum but also the undesired effect of preventing built-in Windows applications (including Edge) from running, returning an error that the application can't be run using the built-in administrator account (despite the fact that it's being run with a user account that simply has UAC disabled).

So if anyone has some insight as to why this is happening and how to resolve it, that would be ideal. Failing that, if there's an alternative Powershell command I can run to disable UAC then that could also be worth a shot.

Sam
  • 887
  • 1
  • 12
  • 27
  • 1
    [Related](https://4sysops.com/archives/why-the-built-in-administrator-account-cant-open-edge-and-a-lesson-in-uac/). – Ansgar Wiechers Jun 07 '17 at 09:54
  • So you are not asking about disabling UAC but why Edge does not work when UAC is disabled? – Matt Jun 07 '17 at 11:37
  • @Matt specifically, why Edge doesn't work when UAC is disabled via that Powershell line. Disabling via GUI everything works correctly, but I need this to be automated to run remotely on a large number of machines. – Sam Jun 07 '17 at 11:52
  • @AnsgarWiechers thanks for the link - that gives me a better idea of what's going on. In effect, my Powershell line is setting UAC to 0 (my numbering), whereas the GUI lowest setting is 1 (which is what I need). – Sam Jun 07 '17 at 11:55

2 Answers2

17

Looks like this did the trick:

Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -Value 0

Edge still running after reboot and annoying UAC prompts gone, so think that's a win.

Sam
  • 887
  • 1
  • 12
  • 27
0

This is an issue specifically with Windows 10 and Windows 8. You cannot have Minimal/No UAC and be a local administrator on the machine. This actually affects more than just Edge including all modern apps like the Calculator as well. This was changed due to a security risk, as running the browser as an administrator is actually a really bad and insecure thing to do. Take a look at this article for more information

Via GPO, if you enable "Admin Approval Mode", you will then be able to launch apps without UAC but this comes with some drawbacks as well.

At my company, we put this in a GPO for a specific OU and dropped all Win10/Win8 devices into it so that the admin approval affects as few devices as possible.

You notice that it works when disabled by the GUI because you cannot disable UAC completely with the GUI, the only way to do it is with the registry key. So even though you think you're disabling it via the GUI, you're not disabling it completely.

Nick
  • 1,178
  • 3
  • 24
  • 36
  • Thanks Nick. From my understanding of the article and its comments, enabling Admin Approval Mode can be done via `Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name FilterAdministratorToken -Value 1` but unfortunately that doesn't seem to correct the problem for me. What are the drawbacks that you mention? – Sam Jun 07 '17 at 12:08
  • I'm sorry, I shouldn't have said drawback. Rather, it's just super annoying. If it's enabled, you get prompted for EVERYTHING which requires elevation, even if you're logged in as a local administrator. So you can open things like Edge and Calculator just fine, but regedit, certmgr, gpedit all require you to put in credentials. – Nick Jun 07 '17 at 12:17
  • 1
    Thanks for clarifying. It's not ideal - main point of disabling UAC in the first place is to avoid all the prompts. I think I just need to devise a Powershell line to set the level to 'Low' / 'Never Notify' as described here at https://gallery.technet.microsoft.com/scriptcenter/How-to-switch-UAC-level-0ac3ea11 – Sam Jun 07 '17 at 12:20