UAC prompts are similar to login screens in Windows where a user has to provide their login credentials to access a resource.
GateKeeper Proximity can pass in your Windows credentials on UAC prompts under certain circumstances.
UAC Interactive Logon Prompts - GateKeeper Authentication Works:
Interactive logon prompts such as "Run As Different User", "Run as Administrator" or Windows Security prompts for Remote Desktop Sessions (RDP) are considered INTERACTIVE logon prompts. GateKeeper's credential provider WILL be displayed on these prompts, and users can simply type in their PIN to pass their Windows credentials to the operating system for authentication.
UAC Non-Interactive Logon Prompts - GateKeeper Authentication will not work:
Non-interactive logon prompts are UAC prompts where the user is not actually running an application under their Windows profile, but rather providing credentials to access some system feature, for example network drive access. Non-interactive logons do not support custom credential providers like GateKeeper. In such cases GateKeeper's credential provider will NOT be shown in the UAC prompt, and the user cannot use the GateKeeper authentication mechanism to access these Windows resources.
Disabling Windows Credential Provider for desktop login but keeping it enabled for UAC prompts:
For a proper UAC workflow, please follow the recommendations below.
1. Do not disable the standard Windows login through GateKeeper Hub.
2. Edit the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{60b78e88-ead8-445c-9cfd-0b87f74ea6cd}
Create a value with the name "CredUIOnly", type = DWORD, Value = 1
Delete any value with the name "Disabled"
This will ensure that the username/password fields are enumerated in non-interactive logon scenarios, but not on the login screen for the computer.
This way you can force GateKeeper Only Login on the computer, but for UAC prompts you will have the Windows username/password option available.
UAC prompts classified as Interactive Logons will have both the Windows username/password and the GateKeeper PIN options. UAC prompts classified as Non-Interactive Logons will only have the Windows username/password option.
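The registry change from step 2, written as a PowerShell script that reports the current state and only modifies it when asked. This is an added example, not GateKeeper's own tooling; the -Apply switch and the Get-ProviderState helper are names introduced here, and the script assumes "Disabled" is a registry value (not a subkey) under the provider key.

```powershell
#Requires -RunAsAdministrator
# Added example (not vendor code). Without -Apply the script only reports
# the current state; with -Apply it performs the two edits from step 2.
param([switch]$Apply)

# Provider key quoted in step 2 of the article.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{60b78e88-ead8-445c-9cfd-0b87f74ea6cd}'

function Get-ProviderState {
    # Returns the two values the article refers to ($null when absent).
    $props = Get-ItemProperty -LiteralPath $key -ErrorAction Stop
    [pscustomobject]@{
        CredUIOnly = $props.CredUIOnly
        Disabled   = $props.Disabled
    }
}

if (-not (Test-Path -LiteralPath $key)) {
    throw "Credential provider key not found: $key"
}

$before = Get-ProviderState
Write-Output "Before: CredUIOnly=$($before.CredUIOnly) Disabled=$($before.Disabled)"

if ($Apply) {
    # CredUIOnly (DWORD) = 1; -Force overwrites an existing value.
    New-ItemProperty -LiteralPath $key -Name 'CredUIOnly' `
        -PropertyType DWord -Value 1 -Force | Out-Null

    # Remove "Disabled" only if it exists (assumed to be a value).
    if ($null -ne $before.Disabled) {
        Remove-ItemProperty -LiteralPath $key -Name 'Disabled'
    }
}

# Re-read the key so the result reflects what is actually stored.
$after = Get-ProviderState
Write-Output "After:  CredUIOnly=$($after.CredUIOnly) Disabled=$($after.Disabled)"

if (($after.CredUIOnly -eq 1) -and ($null -eq $after.Disabled)) {
    Write-Output 'Provider state matches step 2 of the article.'
} else {
    Write-Warning 'Provider state does not match step 2; re-run with -Apply.'
}
```

Running it without -Apply on each workstation gives a quick audit of which machines still have the provider fully enabled or disabled.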
For any additional questions or concerns regarding continuous 2FA, proximity settings, computer locking, password management, or compliance, please contact GateKeeper Enterprise support using the Support Ticket form on https://gkaccess.com/support/ or email support@gkaccess.com.