Windows 10: Default to PIN for UAC

  1.    26 Mar 2017 #1

    Default to PIN for UAC


    I have two accounts in Windows 10 Enterprise:

    Standard User Account (SUA) which does NOT have admin rights
    Admin account which DOES have full admin rights

    The admin account has a password set and a PIN set. I have UAC turned all the way up.

    When I log in with the SUA account and try to run something as an admin I get prompted with the UAC screen as follows:

    [Screenshot: image.png]

    I then have to click "More Options" and then get prompted with the following:

    [Screenshot: image.png]

    I then select PIN:

    [Screenshot: image.png]

    and I can enter my PIN and get the access I need for what I am doing.

    The problem is that I have to select "More Options" and then PIN every single time I am prompted by UAC which is annoying.

    Is there a way to force UAC to default to prompt for a PIN rather than a password?

    I have researched this but all the posts talk about setting the PIN at the login screen which is not relevant to what I am trying to achieve. I am interested in setting this for the UAC prompt.

    Thank you!


  2. Posts : 10
    Windows 10 Home 64bit
       31 May 2018 #2

    I am having the exact same problem here, so please allow me to revive this old thread.
    If anyone has a solution, then please feel free to contribute.
    I've experimented with HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin and HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser, but this did not give the desired effect.


  3. Posts : 10
    Windows 10 Home 64bit
       31 May 2018 #3

    On TechNet someone claims that it cannot be solved.


  4. Posts : 887
    Windows 10 Home x64 and Pro x86
       31 May 2018 #4

    That TechNet thread identified the Registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers and its subkey containing the entry PINLogonProvider [on mine it is subkey {cb82ea12-9f71-446d-89e1-8d0924e1256e}].

    The poster went on to say that the existing Disabled entry is set at 1 by default and cannot be changed. I noticed that no explanation was given for this.
    - The key is owned by TrustedInstaller but there should be nothing to stop you taking ownership and then changing it {right-click on a key & select Permissions}.
    - I would urge you to make a system image before doing this as it will not be reversible if mistakes are made.
    - I suggest that the most appropriate owner would be the Administrators group to avoid naming a specific account that might later be changed {Administrators in the plural not singular - use of the singular would cause operational difficulties}.

    I do not use a PIN so I cannot test any further but I do take ownership of another Registry key for the same reason, to allow Administrators group members to change it, and have no problems doing so.

    Best of luck,
    Denis
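
An added example, not part of any poster's reply: a read-only PowerShell report of the registry values named in the posts above, useful for recording their state before and after a change. EnableLUA and PromptOnSecureDesktop do not appear in the thread; they are assumed here as the standard UAC values in the same Policies\System key.

```powershell
# Added example: read-only report; nothing here writes to the registry.
$policyKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$providersKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'

# UAC policy values. ConsentPromptBehavior* are the ones tried in post #2;
# EnableLUA and PromptOnSecureDesktop are added here (assumption: standard
# UAC values in the same key), the latter being the "dim the desktop" switch.
$policy = Get-ItemProperty -Path $policyKey
'EnableLUA', 'ConsentPromptBehaviorAdmin', 'ConsentPromptBehaviorUser', 'PromptOnSecureDesktop' |
    ForEach-Object {
        $prop = $policy.PSObject.Properties[$_]
        [pscustomobject]@{
            Setting = $_
            Value   = $(if ($prop) { $prop.Value } else { '(not set)' })
        }
    } | Format-Table -AutoSize

# Every registered credential provider: GUID subkey, provider name (the
# subkey's default value), the optional Disabled flag, and the key owner.
Get-ChildItem -Path $providersKey | ForEach-Object {
    $disabled = $_.GetValue('Disabled')
    [pscustomobject]@{
        Guid     = $_.PSChildName
        Provider = $_.GetValue('')
        Disabled = $(if ($null -eq $disabled) { '(not set)' } else { $disabled })
        Owner    = (Get-Acl -Path $_.PSPath).Owner
    }
} | Sort-Object Provider | Format-Table -AutoSize
```

Saving the output before and after an ownership or value change gives a record to compare against, and to restore from if the change has no effect.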


  5. Posts : 10
    Windows 10 Home 64bit
       05 Jun 2018 #5

    Hi Denis,
    Thanks for the detailed description. I managed to make the changes:
    1. Administrators ownership of entry PINLogonProvider
    2. Disabled = 0.
    Unfortunately this does not have the desired effect.
    When a task requiring admin rights is started, UAC asks for the Admin's password and only after clicking More options, PIN, can I enter the Admin's PIN, as described by the OP.
    Stephan


  6. Posts : 887
    Windows 10 Home x64 and Pro x86
       05 Jun 2018 #6

    Stephan,

    I am afraid that I will not be of any use to you. I thought, from the TechNet thread, that the problem was merely getting permissions sorted out in order to change that Registry value.

    I have not seen any other discussions of the subject so I cannot suggest any logical way forward for you.

    That particular Registry key is not the only one to refer to PINLogonProvider so one of the others might provide the basis for a solution [but might not]. It is even possible that the solution is some complex interplay between Registry entries and user account data about which there is no publicly available information.

    It is possible that NirSoft's RegFromApp might be used to monitor any Registry changes while you choose to use a PIN manually in an Admin challenge but there is no telling in advance if it will detect anything or if what it does detect turns out to be useful. You might end up spending the whole week investigating only to get nowhere.

    Similarly, SysInternals Process monitor might pick up something useful but the same warnings apply.

    For both the NirSoft & SysInternals tools to get the most data, you would need to temporarily turn UAC down to its second lowest setting [do not dim the desktop].
    - Microsoft stated years ago that the higher UAC settings were secure because no other processes could run whilst the screen was dimmed with the Admin challenge displayed.
    - Whilst the precise meaning of this statement is undefined, using the higher UAC settings might mean that these tools could only capture immediately-before & immediately-after states.

    Denis
    Last edited by Try3; 06 Jun 2018 at 05:27.

  7. Barman58
    Posts : 2,764
    Windows 10 Pro x64 1803 - 17134.5 XP/Vista/Win7/Win8.1 in VM for testing
       06 Jun 2018 #7

    @Try3
    Whilst the precise meaning of this statement is undefined, using the higher UAC settings might mean that these tools could only capture immediately-before & immediately-after states.
    Denis, the UAC uses some form of undisclosed (for obvious reasons), Virtualization technology to totally isolate the Dimmed Screen and the system as a whole so the only thing that can take place is a keyboard action to enter and send credentials. It's an excellent piece of code and is specifically designed to prevent diagnostics of the other running processes to secure the system. As this is in place in different states when UAC is active you may need to lower the slider to minimum to gain any realistic data - and even then it's not guaranteed.


  8. Posts : 887
    Windows 10 Home x64 and Pro x86
       06 Jun 2018 #8

    I have already written that "you would need to temporarily turn UAC down to its second lowest setting [do not dim the desktop]". So why you are telling me in your response about the dimmed screen [the "Secure desktop"] rather baffles me.
    - Yes, the Secure desktop is isolated from other processes.
    - No, keyboard actions are not the only things that can take place while the Secure desktop is onscreen.
    - No, the Secure desktop is not specifically designed to prevent diagnostics.
    - I have never seen any Microsoft statements about security aspects of the undimmed Admin prompt.

    I have no idea what Nirsoft RegFromApp or SysInternals Process monitor would capture while the Secure desktop was onscreen or while an undimmed Admin prompt was onscreen. I don't know anybody who has tried it.

    Denis


  9. Posts : 10
    Windows 10 Home 64bit
       18 Jun 2018 #9

    I guess an alternative solution would be here to change the Administrators password so that it equals the pincode.
    The only difference is that the pincode as password requires an extra [enter].


  10. Posts : 887
    Windows 10 Home x64 and Pro x86
       18 Jun 2018 #10

    Stephan,

    A PIN only works on the device on which it is set. Changing the password to such a short one will ease the task of any online hackers who are trying to get into the system.

    [Screenshot: A PIN only works on this device - Copy.png]

    Denis


 
