Windows 7, 8, and 10 user accounts that have administrative privileges function differently from previous Windows versions of admin accounts. Instead of giving full and unbridled access to all of the PC’s administrator accounts, these accounts behave as regular user accounts until an event that involves admin privileges pops up. The account is entering Admin Approval Mode at this stage, so that the user can authorize the action.
Windows 7/8/10 strikes a balance between security and usability, much improved over Windows Vista’s handling of admin approval. Fortunately, Microsoft allows to customize further how Admin Approval Mode operates on a PC.
You can upgrade or downgrade your PC security depending on where your computer is located and who uses it by changing how Windows 7/8/10 uses the Admin Approval Mode. You can read my post about how to turn off Admin Approval Mode, too.
Note: You must run a version of Pro or higher to access the Local Security Policy on a Windows computer. This will not work for editions running Windows Home, Home Premium or Starter.
Changing How Admin Approval Mode Works
To make changes to how the Admin Approval Mode operates on a Windows 7/8/10 PC, use an account with administrative rights to sign in to the operating system. Select Start – All Programs – Administrative Tools (Windows)-Local Security Policy.
Test the Local Security Policy options window now.
Click on the Local Policies tab in the left hand pane, and then on the Security Options folder. Locate a User Account Control option in the right pane: behavior of the Administrator Elevation Prompt in Admin Approval Mode.
Right click this option, then select Properties from the menu.
You will note that in the Properties window you have six choices in the drop down menu.
Below is a summary of every Admin Approval Mode elevation option.
Six Admin Approval Mode Options
Each of the six Admin Approval Mode options requires Windows to work differently when it comes to elevating the approval for applications and functions needing permission to run in the OS.
Notice that protected desktop is when the entire screen dims until the UAC prompt allows you to accept or reject the request. Check out my other article to see how UAC’s running.
Elevate Without Prompting
This choice is the most convenient but also the least secure. Whenever an application or function attempts to run that would normally require an administrator’s approval, the application or function would run automatically as if the approvals had already been provided to run.
This is not a wise choice, unless your PC is in a super secure location disconnected from the networks.
Prompt for Credentials on the Secure Desktop
The choice is better than the default setting. If an operation the needs an administrator’s permission comes up, Windows will automatically ask the user on the protected desktop for a username and password.
Prompt for Consent on the Secure Desktop
Windows would simply ask the user to authorize the action on the protected screen, rather than asking for a username and password like the option above.
Prompt for Credentials
This method works similar to the Secure Desktop’s Prompt for Credentials option above, except that the user types in the username and password without the secure desktop’s added security.
Prompt for Consent
Like the above option titled Prompt for Consent on the Secure Desktop, this option simply asks the user to authorize the action but does so without the secure desktop’s added security.
Prompt for Consent for non-Windows Binaries
This is the default Mode of Approval for Admin. Users are expected to agree to an action with this option only if it requires approval, and is not a checked or functional Windows action.
Binaries are merely executable code compiled associated with software or programs. Second only to the above option Elevate without Prompting, this is one of the most liberal choices in Admin Approval Mode.
Windows strikes a good balance between security and an uninterrupted desktop experience, but still allows you to further configure how you agree to acts requiring approval by the administration.
Through modifying the Admin Approval Mode options, you can create a personalized operating system environment that allows you to increase or decrease safety depending on your personal administrative security needs.