-
Thanks for the feedback! Isn't the option already active according to the documentation? I am also not sure if this is necessary. A standard account with a reasonably secure password for the admin account should be more sufficient - to the other security options such as set by Hard_Configurator.
-
A pleasure - as I mentioned, the guide has been infallible to my growth in knowledge. I can't recall from memory if either guide mentions the combined use of Admin Approval Mode, Prompt for credentials on the secure desktop for Administrators and Prompt for credentials on the secure desktop for Standard Users, but they do detail information on setting UAC to maximum, which these settings also affect/change. Unfortunately, it appears a lot of the questions I have surrounding the aforementioned settings, even after a substantial amount of research, have conflicting answers, and in general the agreed-upon "best practice" is to simply activate the built-in administrative account and then use a standard user account on a daily basis. My only "fear", and the reason for asking my initial question, is whether this agreed-upon best practice is misguided and has become outdated over the years as older versions of Windows have been phased out and such new options/settings have become available.
-
Hi, please keep in mind that AAM (or UAC) is not a security boundary, and as such does not offer the same security properties as using a standard user account and elevating your privileges when needed. There are many UAC bypasses that will happily give a high integrity level to an attacker in case your admin account is compromised, and those exploits are not serviced by Microsoft as part of their servicing policy. If the problem of using a standard account is practicality/usability, you should probably focus on simplifying your elevation workflow, by using Windows Hello with a webcam or with a fingerprint reader, but UAC is never the answer to privilege separation.
-
I'd like to thank you for the fantastic guide. It has provided invaluable information and opportunities for self-learning.
A question I have which I can't find the answer to, is whether "Admin Approval Mode" could replace the need to enable the built-in Administrator and transform the current account to a standard user.
After reading the documentation provided by Microsoft I'm led to believe that it can be just as secure - but I could be mistaken and would like more input from others.
Additionally there are these settings/flags that can be set to further secure an account when using AAM.
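To see how the settings named in this thread are configured on a machine, the following read-only check is an added example, not part of the thread or of the guide it discusses. The registry value names are the ones Windows uses for the UAC policies (they do not appear in the thread), and the "expected" values correspond to the options the question lists; the function and variable names are made up for this example.

```powershell
# Added example: report the UAC policy values behind the settings named in this thread.
# Read-only; nothing is changed.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Registry value name -> value matching the option discussed in the thread.
$UacExpected = [ordered]@{
    EnableLUA                  = 1  # Run all administrators in Admin Approval Mode
    FilterAdministratorToken   = 1  # Admin Approval Mode for the built-in Administrator
    ConsentPromptBehaviorAdmin = 1  # Admins: prompt for credentials on the secure desktop
    ConsentPromptBehaviorUser  = 1  # Standard users: prompt for credentials on the secure desktop
    PromptOnSecureDesktop      = 1  # Switch to the secure desktop when prompting
}

function Get-UacPolicyReport {
    param(
        [string]$Path = $UacKey,
        [System.Collections.IDictionary]$Expected = $UacExpected
    )
    $props = Get-ItemProperty -Path $Path -ErrorAction Stop
    foreach ($name in $Expected.Keys) {
        # A missing value means the policy was never written; Windows then uses its default.
        $present = $props.PSObject.Properties.Name -contains $name
        $actual  = if ($present) { $props.$name } else { $null }
        $shown   = if ($present) { $actual } else { '(not set)' }
        [pscustomobject]@{
            Setting  = $name
            Actual   = $shown
            Expected = $Expected[$name]
            Match    = ($actual -eq $Expected[$name])
        }
    }
}

function Test-AccountIsLocalAdmin {
    # S-1-5-32-544 is BUILTIN\Administrators. whoami lists it even when Admin Approval
    # Mode has filtered the token (it is then marked deny-only), so a hit means this
    # account relies on UAC rather than being a standard user.
    [bool]((whoami /groups) -match 'S-1-5-32-544')
}

Get-UacPolicyReport | Format-Table -AutoSize
if (Test-AccountIsLocalAdmin) {
    'Current account is a member of Administrators (Admin Approval Mode, not a standard user).'
} else {
    'Current account is a standard user.'
}
```

A full set of matches only shows that the prompts are configured as described; whether the daily account is a standard user is the separate question the second function answers.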