Windows 7, 8, and 10 user accounts with administrator rights work differently than administrator accounts in previous versions of Windows.
Rather than granting administrative accounts full and unrestricted access to everything on the PC, these accounts act as regular user accounts until an action appears that requires administrator rights. At this point, the account goes into Admin Approval mode so that the user can approve the action.
Windows 7/8/10 greatly improves the administrator approval handling in Windows Vista, balancing security and usability. Fortunately, Microsoft allows you to further customize how Admin Approval Mode works on your PC.
Depending on where your computer is located and who is using it, you can increase or decrease the security level of your PC by changing the way Windows 7/8/10 uses administrator approval mode. You can also read my post on how to turn off Admin Approval Mode
Note. To access Local Security Policy on a Windows computer, you must have Pro version or higher. This will not work with Windows Home, Home Premium, or Starter editions.
Change how the admin approval mode works
To make changes to how Administrator Approval works on a Windows 7/8/10 PC, start by logging into the operating system using an account with administrator rights. Click Start – All Programs – (Windows) Administrative Tools – Local Security Policy.
You should now see the Local Security Policy Settings window.
In the left pane, click the Local Policies folder and then the Security Settings folder. In the right pane, find the option “User Account Control: Elevation Request Behavior for Administrators in Admin Approval Mode.”
Right-click this option and choose Properties from the menu.
You will notice that you have six options in the dropdown menu in the properties window.
The following is a description of each option for elevating access in Admin Approval Mode.
Six options for establishing administrative approval
Each of the six administrator approval mode options causes Windows to behave differently when it comes to raising approval levels for applications and features that require approval to run on the operating system.
Note that a secure desktop is when the entire screen is blacked out until you accept or deny the request in the UAC prompt. Read my other post to understand how UAC works
Raise without prompting
Lift up without claiming
This is the most convenient, but also the least secure option. Whenever an app or feature tries to launch, which usually requires administrator approval, the app or feature starts automatically as if it had already been granted launch permissions.
Unless your computer is located in a super-secure location, isolated from the network, this is not a smart choice.
Prompt for credentials on secure desktop
Prompt for credentials on secure desktop
This option is more secure than the default setting. Whenever an action appears that requires administrator approval, Windows actually prompts the user for a username and password on the secure desktop.
Prompt for consent on a secure desktop
Prompt for approval of a secure desktop
Instead of asking for a username and password as described above, Windows will simply ask the user to approve on the secure desktop.
Prompt for credentials
Prompt for credentials
This option works similarly to the “Prompt for credentials on secure desktop” option described above, except that the user enters a username and password without additional secure desktop protection.
Request for consent
Prompt for approval
Like the option above called “Prompt for consent on the secure desktop,” this setting simply asks the user to approve the action, but it does so without additional secure desktop protection.
Prompt for consent for non-Windows binaries
Require approval for non-Windows binaries
This is the default admin approval mode variation. When using this option, users must consent to an action only if it requires approval and is not a verified action or Windows executable.
Binaries are simply compiled executable code, synonymous with applications or programs. This is one of the most liberal administrator approval options, second only to the No Prompt Promotion above.
Windows provides a good balance between security and the smooth operation of your computer, but it still allows you to further customize the way you agree to actions that require administrator approval.
By changing the administrator approval mode settings, you can create a custom operating system environment that can increase or decrease security based on your personal administrative security needs.
–