Computer ConfigurationWindows SettingsLocal PoliciesSecurity Options
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop.
This security setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts being used by a standard user.
If you enable this setting, UIA programs including Windows Remote Assistance can automatically disable the secure desktop for elevation prompts. Unless you have also disabled elevation prompts, the prompts will appear on the interactive user’s desktop instead of the secure desktop.
If you disable or do not configure this setting, the secure desktop can only be disabled by the user of the interactive desktop or by disabling the "User Account Control: Switch to the secure desktop when prompting for elevation" setting.
UIA programs are designed to interact with Windows and application programs on behalf of a user. This setting allows UIA programs to bypass the secure desktop to increase usability in certain cases, but allowing elevation requests to appear on the regular interactive desktop instead of the secure desktop increases your security risk.
Since UIA programs must be able to respond to prompts regarding security issues, such as the UAC elevation prompt, UIA programs must be highly trusted. In order to be considered trusted, a UIA program must be digitally signed.By default, UIA programs can be run only from the following protected paths:
..Program Files (and subfolders)
..Program Files (x86) (and subfolders, in 64-bit versions of Windows only)
The requirement to be in a protected path can be disabled by the "User Account Control: Only elevate UIAccess applications that are installed in secure locations" setting.
While this setting applies to any UIA program, it will be used primarily in certain Windows Remote Assistance scenarios. The Windows Remote Assistance program in Windows Vista is a UIA program.
If a user requests remote assistance from an administrator and the remote assistance session is established, any elevation prompts appear on the interactive user’s secure desktop and the administrator’s remote session is paused. To avoid pausing the remote administrator’s session during elevation requests, ,the user may select the "Allow IT Expert to respond to User Account Control prompts" check box when setting up the remote assistance session. However, selecting this check box itself requires that the interactive user respond to an elevation prompt on the secure desktop. If the interactive user is a standard user, the user does not have the required credentials to allow elevation.
If you enable this setting, ("User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop”), , requests for elevation are automatically sent to the interactive desktop (not the secure desktop) and also appear on the remote administrator’s view of the desktop during a Windows Remote Assistance session, and the remote administrator is able to provide the appropriate credentials for elevation.
This setting does not change the behavior of the UAC elevation prompt for administrators.
If you plan to enable this setting, you should also review the effect of the "User Account Control: Behavior of the elevation prompt for standard users" setting. If it is configured as "Automatically deny elevation requests" elevation requests will not be presented to the user.