Default to PIN for UAC


  1. Posts : 64
    Windows 10
       #1

    Default to PIN for UAC


    I have two accounts in Windows 10 Enterprise:

    Standard User Account (SUA) which does NOT have admin rights
    Admin account which DOES have full admin rights

    The admin account has a password set and a PIN set. I have UAC turned all the way up.

    When I log in with the SUA account and try to run something as an admin, I get prompted with the UAC screen as follows:

    Default to PIN for UAC-image.png

    I then have to click "More Options" and then get prompted with the following:

    Default to PIN for UAC-image.png

    I then select PIN:

    Default to PIN for UAC-image.png

    and I can enter my PIN and get the access I need for what I am doing.

    The problem is that I have to select "More Options" and then PIN every single time I am prompted by UAC which is annoying.

    Is there a way to force UAC to default to prompt for a PIN rather than a password?

    I have researched this but all the posts talk about setting the PIN at the login screen which is not relevant to what I am trying to achieve. I am interested in setting this for the UAC prompt.

    Thank you!


  2. Posts : 11
    Windows 10 Home 64bit
       #2

    I am having the exact same problem here, so please allow me to revive this old thread.
    If anyone has a solution, then please feel free to contribute.
    I've experimented with HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin and HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser, but this did not give the desired effect.


  3. Posts : 11
    Windows 10 Home 64bit
       #3

    On TechNet someone claims that it cannot be solved


  4. Posts : 11,654
    Windows 10 Home x64 Version 21H2 Build 19044.1776
       #4

    That TechNet thread identified the Registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers and its subkey containing the entry PINLogonProvider [on mine it is subkey {cb82ea12-9f71-446d-89e1-8d0924e1256e}].

    The poster went on to say that the existing Disabled entry is set at 1 by default and cannot be changed. I noticed that no explanation was given for this.
    - The key is owned by TrustedInstaller but there should be nothing to stop you taking ownership and then changing it {right-click on a key & select Permissions}.
    - I would urge you to make a system image before doing this as it will not be reversible if mistakes are made.
    - I suggest that the most appropriate owner would be the Administrators group to avoid naming a specific account that might later be changed {Administrators in the plural not singular - use of the singular would cause operational difficulties}.

    I do not use a PIN so I cannot test any further but I do take ownership of another Registry key for the same reason, to allow Administrators group members to change it, and have no problems doing so.

    Best of luck,
    Denis


  5. Posts : 11
    Windows 10 Home 64bit
       #5

    Hi Denis,
    Thanks for the detailed description. I managed to make the changes:
    1. Administrators ownership of entry PINLogonProvider
    2. Disabled = 0.
    Unfortunately this does not have the desired effect.
    When a task requiring admin rights is started, UAC asks for the Admin's password and only after clicking More options, PIN, can I enter the Admin's PIN, as described by the OP.
    Stephan
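
The registry locations discussed in posts #2, #4 and #5, as an added read-only PowerShell check that is not part of any poster's reply: it decodes the two ConsentPromptBehavior values using Microsoft's documented meanings and lists each credential provider's Disabled value and key owner, so a change like the one made in post #5 can be seen and put back. The function names are hypothetical; EnableLUA and PromptOnSecureDesktop are standard values in the same Policies\System key that the thread does not mention.

```powershell
# Added example: read-only audit of the registry locations named in the thread.
# Function names are hypothetical. Run elevated so Get-Acl can read key owners.
$policy    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$providers = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'

# Meanings of the prompt values as documented by Microsoft for the UAC policies.
$adminMeaning = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries'
}
$userMeaning = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials'
}

function Format-PolicyValue($value, $meaning) {
    if ($null -eq $value) { return 'not set' }
    $text = $meaning[[int]$value]
    if (-not $text) { $text = 'undocumented value' }
    "$value ($text)"
}

function Get-UacPromptPolicy {
    $p = Get-ItemProperty -Path $policy
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
        ConsentPromptBehaviorAdmin = Format-PolicyValue $p.ConsentPromptBehaviorAdmin $adminMeaning
        ConsentPromptBehaviorUser  = Format-PolicyValue $p.ConsentPromptBehaviorUser $userMeaning
    }
}

function Get-CredentialProviderState {
    Get-ChildItem -Path $providers | ForEach-Object {
        [pscustomobject]@{
            Guid     = $_.PSChildName
            Name     = $_.GetValue('')          # default value, e.g. PINLogonProvider
            Disabled = $_.GetValue('Disabled')  # $null when the entry is absent
            Owner    = (Get-Acl -Path $_.PSPath).Owner
        }
    }
}

Get-UacPromptPolicy | Format-List
Get-CredentialProviderState | Sort-Object Name | Format-Table -AutoSize
```

Saving the output before and after an experiment gives a record of the original owner and Disabled value for each subkey.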


  6. Posts : 11,654
    Windows 10 Home x64 Version 21H2 Build 19044.1776
       #6

    Stephan,

    I am afraid that I will not be of any use to you. I thought, from the TechNet thread, that the problem was merely getting permissions sorted out in order to change that Registry value.

    I have not seen any other discussions of the subject so I cannot suggest any logical way forward for you.

    That particular Registry key is not the only one to refer to PINLogonProvider so one of the others might provide the basis for a solution [but might not]. It is even possible that the solution is some complex interplay between Registry entries and user account data about which there is no publicly available information.

    It is possible that NirSoft's RegFromApp might be used to monitor any Registry changes while you choose to use a PIN manually in an Admin challenge but there is no telling in advance if it will detect anything or if what it does detect turns out to be useful. You might end up spending the whole week investigating only to get nowhere.

    Similarly, SysInternals Process monitor might pick up something useful but the same warnings apply.

    For both the NirSoft & SysInternals tools to get the most data, you would need to temporarily turn UAC down to its second lowest setting [do not dim the desktop].
    - Microsoft stated years ago that the higher UAC settings were secure because no other processes could run whilst the screen was dimmed with the Admin challenge displayed.
    - Whilst the precise meaning of this statement is undefined, using the higher UAC settings might mean that these tools could only capture immediately-before & immediately-after states.

    Denis
    Last edited by Try3; 06 Jun 2018 at 05:27.


  7. Posts : 4,176
    Windows 10 Pro x64 Latest RP
       #7

    @Try3
    Whilst the precise meaning of this statement is undefined, using the higher UAC settings might mean that these tools could only capture immediately-before & immediately-after states.
    Dennis, the UAC uses some form of undisclosed (for obvious reasons) Virtualization technology to totally isolate the Dimmed Screen and the system as a whole so the only thing that can take place is a keyboard action to enter and send credentials. It's an excellent piece of code and is specifically designed to prevent diagnostics of the other running processes to secure the system. As this is in place in different states when UAC is active you may need to lower the slider to minimum to gain any realistic data - and even then it's not guaranteed.


  8. Posts : 11,654
    Windows 10 Home x64 Version 21H2 Build 19044.1776
       #8

    I have already written that "you would need to temporarily turn UAC down to its second lowest setting [do not dim the desktop]". So why you are telling me in your response about the dimmed screen [the "Secure desktop"] rather baffles me.
    - Yes, the Secure desktop is isolated from other processes.
    - No, keyboard actions are not the only things that can take place while the Secure desktop is onscreen.
    - No, the Secure desktop is not specifically designed to prevent diagnostics.
    - I have never seen any Microsoft statements about security aspects of the undimmed Admin prompt.

    I have no idea what Nirsoft RegFromApp or SysInternals Process monitor would capture while the Secure desktop was onscreen or while an undimmed Admin prompt was onscreen. I don't know anybody who has tried it.

    Denis


  9. Posts : 11
    Windows 10 Home 64bit
       #9

    I guess an alternative solution here would be to change the Administrator's password so that it equals the pincode.
    The only difference is that the pincode as password requires an extra [enter].


  10. Posts : 11,654
    Windows 10 Home x64 Version 21H2 Build 19044.1776
       #10

    Stephan,

    A PIN only works on the device on which it is set. Changing the password to such a short one will ease the task of any online hackers who are trying to get into the system.

    Default to PIN for UAC-pin-only-works-device-copy.png

    Denis


 
