Default to PIN for UAC

xy677 · 26 Mar 2017

I have two accounts in Windows 10 Enterprise:

Standard User Account (SUA) with does NOT have admin rights
Admin account which DOES have full admin rights

The admin account has a password set and a PIN set. I have UAC turned all the way up.

When I login with the SUA account and try to run something as ad amin I get prompted with the UAC screen as follows:

I then have to clikc "More Options" and then get prompted with the following:

I then select PIN:

and I can enter my PIN and get the access I need for what I am doing.

The problem is that I have to select "More Options" and then PIN every single time I am prompted by UAC which is annoying.

Is there a way to force UAC to default to prompt for a PIN rather than a password?

I have researched this but all the posts talk about setting the PIN at the login screen which is not relevant to what I am trying to achieve. I am interested in setting this for the UAC prompt.

Thank you!

StephanP · 31 May 2018

I am having the exact same problem here, so please allow me to revive this old thread.
If anyone has a solution, then please feel free to contribute.
I've experimented with HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin and HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser, but this did not give the desired effect

StephanP · 31 May 2018

On TechNet someone claims that it cannot be solved

Try3 · 31 May 2018

That TechNet thread identified the Registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers and its subkey containing the entry PINLogonProvider {{ on mine it is subkey {cb82ea12-9f71-446d-89e1-8d0924e1256e}]].

The poster went on to say that the existing Disabled entry is set at 1 by default and cannot be changed. I noticed that no explanation was given for this.
- The key is owned by TrustedInstaller but there should be nothing to stop you taking ownership and then changing it {right-click on a key & select Permissions}.
- I would urge you to make a system image before doing this as it will not be reversible if mistakes are made.
- I suggest that the most appropriate owner would be the Administrators group to avoid naming a specific account that might later be changed {Administrators in the plural not singular - use of the singular would cause operational difficulties}.

I do not use a PIN so I cannot test any further but I do take ownership of another Registry key for the same reason, to allow Administrators group members to change it, and have no problems doing so.

Best of luck,
Denis

StephanP · 05 Jun 2018

Hi Denis,
Thanks for the detailed desciption. I managed to make the changes:
1. Administrators ownership of entry PINLogonProvider
2. Disabled = 0.
Unfortunately this does not have the desired effect.
When a task requiring admin rights is started, UAC asks for the Admin's password and only after clicking More options, PIN, can I enter the Admin's PIN, as described bij the OP.
Stephan

Try3 · 05 Jun 2018

Stephan,

I am afraid that I will not be of any use to you. I thought, from the TechNet thread, that the problem was merely getting permissions sorted out in order to change that Registry value.

I have not seen any other discussions of the subject so I cannot suggest any logical way forward for you.

That particular Registry key is not the only one to refer to PINLogonProvider so one of the others might provide the basis for a solution [but might not]. It is even possible that the solution is some complex interplay between Registry entries and user account data about which there is no publicly available information.

It is possible that NirSoft's RegFromApp might be used to monitor any Registry changes while you choose to use a PIN manually in an Admin challenge but there is no telling in advance if it will detect anything or if what it does detect turns out to be useful. You might end up spending the whole week investigating only to get nowhere.

Similarly, SysInternals Process monitor might pick up something useful but the same warnings apply.

For both the NirSoft & SysInternals tools to get the most data, you would need to temporarily turn UAC down to its second lowest setting [do not dim the desktop].
- Microsoft stated years ago that the higher UAC settings were secure because no other processes could run whilst the screen was dimmed with the Admin challenge displayed.
- Whilst the precise meaning of this statement is undefined, using the higher UAC settings might mean that these tools could only capture immediately-before & immediately-after states.

Denis

Barman58 · 06 Jun 2018

@Try3

Whilst the precise meaning of this statement is undefined, using the higher UAC settings might mean that these tools could only capture immediately-before & immediately-after states.

Dennis, the UAC uses some form of undisclosed (for obvious reasons), Virtualization technology to totally isolate the Dimmed Screen and the system as a whole so the only thing that can take place is a keyboard action to enter and send credentials. It's an excellent piece of code and is specifically designed to prevent diagnostics of the other running processes to secure the system. As this is in place in different states when UAC is active you may need to lower the slider to minimum to gain any realistic data - and even then it's not guaranteed

Try3 · 06 Jun 2018

I have already written that "you would need to temporarily turn UAC down to its second lowest setting [do not dim the desktop]" So why you are telling me in your response about the dimmed screen [the "Secure desktop"] rather baffles me.
- Yes, the Secure desktop is isolated from other processes.
- No, keyboard actions are not the only things that can take place while the Secure desktop is onscreen.
- No, the Secure desktop is not specifically designed to prevent diagnostics.
- I have never seen any Microsoft statements about security aspects of the undimmed Admin prompt.

I have no idea what Nirsoft RegFromApp or SysInternals Process monitor would capture while the Secure desktop was onscreen or while an undimmed Admin prompt was onscreen. I don't know anybody who has tried it.

Denis

StephanP · 18 Jun 2018

I guess an alternative solution would be here to change the Administrators password so that it equals the pincode.
The only difference is that the pincode as password requires an extra [enter]

Try3 · 18 Jun 2018

Stephan,

A PIN only works on the device on which it is set. Changing the password to such a short one will ease the task of any online hackers who are trying to get into the system.

Default to PIN for UAC-pin-only-works-device-copy.png

Denis