{{tag>sysadmin windows uac}}

====== Gérer l'UAC ======


L'UAC((**U**ser **A**ccount **C**ontrol)) fait parti du système de sécurité de Windows 10. Son rôle est d'empêcher les applications malveillantes à apporter des modifications non voulues aux fichiers/paramètres système.


On peut définir le niveau de l'UAC via le panneau de contrôle:
  * control panel -> system and security -> user account control settings


Pour désactiver l'UAC, via l'éditeur de registre, déployer:

<file>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
</file>

Créer la clé DWORD **EnableLUA** avec la valeur 0


Enregistrer le script ci-dessous.

<code powershell SwitchUACLevel.psml>
New-Variable -Name Key 
New-Variable -Name PromptOnSecureDesktop_Name 
New-Variable -Name ConsentPromptBehaviorAdmin_Name 
 
Function Set-RegistryValue($key, $name, $value, $type="Dword") {  
  If ((Test-Path -Path $key) -Eq $false) { New-Item -ItemType Directory -Path $key | Out-Null }  
       Set-ItemProperty -Path $key -Name $name -Value $value -Type $type  
}  
 
Function Get-RegistryValue($key, $value) {  
   (Get-ItemProperty $key $value).$value  
}  
 
$Key = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" 
$ConsentPromptBehaviorAdmin_Name = "ConsentPromptBehaviorAdmin" 
$PromptOnSecureDesktop_Name = "PromptOnSecureDesktop" 
 
Function Get-UACLevel(){ 
    $ConsentPromptBehaviorAdmin_Value = Get-RegistryValue $Key $ConsentPromptBehaviorAdmin_Name 
    $PromptOnSecureDesktop_Value = Get-RegistryValue $Key $PromptOnSecureDesktop_Name 
    If($ConsentPromptBehaviorAdmin_Value -Eq 0 -And $PromptOnSecureDesktop_Value -Eq 0){ 
        "Never notIfy" 
    } 
    ElseIf($ConsentPromptBehaviorAdmin_Value -Eq 5 -And $PromptOnSecureDesktop_Value -Eq 0){ 
        "NotIfy me only when apps try to make changes to my computer(do not dim my desktop)" 
    } 
    ElseIf($ConsentPromptBehaviorAdmin_Value -Eq 5 -And $PromptOnSecureDesktop_Value -Eq 1){ 
        "NotIfy me only when apps try to make changes to my computer(default)" 
    } 
    ElseIf($ConsentPromptBehaviorAdmin_Value -Eq 2 -And $PromptOnSecureDesktop_Value -Eq 1){ 
        "Always notIfy" 
    } 
    Else{ 
        "Unknown" 
    } 
} 
     
Function Set-UACLevel() { 
    Param([int]$Level= 2) 
 
    New-Variable -Name PromptOnSecureDesktop_Value 
    New-Variable -Name ConsentPromptBehaviorAdmin_Value 
 
    If($Level -In 0, 1, 2, 3) { 
        $ConsentPromptBehaviorAdmin_Value = 5 
        $PromptOnSecureDesktop_Value = 1 
        Switch ($Level)  
        {  
          0 { 
              $ConsentPromptBehaviorAdmin_Value = 0  
              $PromptOnSecureDesktop_Value = 0 
          }  
          1 { 
              $ConsentPromptBehaviorAdmin_Value = 5  
              $PromptOnSecureDesktop_Value = 0 
          }  
          2 { 
              $ConsentPromptBehaviorAdmin_Value = 5  
              $PromptOnSecureDesktop_Value = 1 
          }  
          3 { 
              $ConsentPromptBehaviorAdmin_Value = 2  
              $PromptOnSecureDesktop_Value = 1 
          }  
        } 
        Set-RegistryValue -Key $Key -Name $ConsentPromptBehaviorAdmin_Name -Value $ConsentPromptBehaviorAdmin_Value 
        Set-RegistryValue -Key $Key -Name $PromptOnSecureDesktop_Name -Value $PromptOnSecureDesktop_Value 
 
        Get-UACLevel 
    } 
    Else{ 
        "No supported level" 
    } 
     
} 
 
Export-ModuleMember -Function Get-UACLevel 
Export-ModuleMember -Function Set-UACLevel
</code>

Executer PowerShell en administrateur:
<code>
Import-Module .\SwitchUACLevel.psml
</code>

Affiche les commandes disponibles:
<code bash>
Get-Command -Module SwitchUACLevel
</code>

Définir le niveau de notification (argument allant de 0 à 3):

<code>
Set-UACLevel 0
</code>

===== Références =====

  * https://winaero.com/blog/how-to-turn-off-and-disable-uac-in-windows-10/
  * https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-overview
  * https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works