What is Windows User Account Control?
User Account Control (UAC) is a Windows security feature that prevents unauthorized system changes by enforcing a privilege boundary between standard user accounts and administrative actions. When users log in, Windows assigns them a standard user access token by default. Tasks requiring elevated permissions trigger a UAC elevation prompt (rendered on a secure desktop to block spoofing) where the user must confirm or supply credentials before Windows issues an administrator access token.
This behavior is governed by Admin Approval Mode (AAM), which ensures that even accounts with administrative membership run at standard privilege levels until a prompt is explicitly approved. UAC settings controlling prompt behavior, AAM enforcement, and elevation policies are managed via Group Policy, the Windows Registry, or local security policy—and in enterprise environments, deployed centrally through Active Directory (AD) across both Windows client and Windows Server machines.
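The UAC and AAM settings described above are ordinary registry values that Group Policy and the local security policy write under the Policies\System key, so a defender can audit them directly. The following PowerShell is an added example written for this page, not ManageEngine code; the key path and value names are the standard Windows UAC policy settings, and the weakness checks reflect the documented meaning of each value.

```powershell
# Added example (not vendor code): read the UAC policy values that Group Policy
# or the local security policy store in the registry and flag settings that
# weaken the elevation boundary. Reading these values needs no elevation.

$UacPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Documented meanings of the prompt-behavior values.
$AdminPromptText = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries'
}
$UserPromptText = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials'
}

function Get-UacPolicy {
    # $null for a field means the value is not set and the Windows default applies.
    $p = Get-ItemProperty -Path $UacPolicyKey
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA                  # 1 = UAC enabled
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin # prompt shown to admins in AAM
        ConsentPromptBehaviorUser  = $p.ConsentPromptBehaviorUser  # prompt shown to standard users
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop      # 1 = prompt on the secure desktop
        FilterAdministratorToken   = $p.FilterAdministratorToken   # 1 = AAM also covers built-in Administrator
    }
}

function Get-UacValueText {
    param($Table, $Value)
    if ($null -eq $Value) { return 'not set (Windows default applies)' }
    if ($Table.ContainsKey([int]$Value)) { return "$Value ($($Table[[int]$Value]))" }
    return "$Value (unrecognised value)"
}

function Test-UacPolicy {
    param([Parameter(Mandatory)] $Policy)
    $findings = New-Object System.Collections.Generic.List[string]
    if ($Policy.EnableLUA -eq 0) {
        $findings.Add('EnableLUA=0: UAC is off; administrators always run with a full token. Set to 1.')
    }
    if ($Policy.ConsentPromptBehaviorAdmin -eq 0) {
        $findings.Add('ConsentPromptBehaviorAdmin=0: admins elevate silently, so AAM gives no boundary. Set to 1 or 2.')
    }
    if ($Policy.PromptOnSecureDesktop -eq 0) {
        $findings.Add('PromptOnSecureDesktop=0: the prompt is drawn on the normal desktop and can be spoofed. Set to 1.')
    }
    if ($Policy.FilterAdministratorToken -ne 1) {
        $findings.Add('FilterAdministratorToken is not 1: the built-in Administrator account is exempt from AAM.')
    }
    if ($Policy.ConsentPromptBehaviorUser -eq 0) {
        # Informational only: standard users can never elevate on this host.
        $findings.Add('ConsentPromptBehaviorUser=0: elevation requests from standard users are auto-denied (informational).')
    }
    return $findings
}

$policy = Get-UacPolicy
"Admin prompt : " + (Get-UacValueText $AdminPromptText $policy.ConsentPromptBehaviorAdmin)
"User prompt  : " + (Get-UacValueText $UserPromptText  $policy.ConsentPromptBehaviorUser)
$findings = Test-UacPolicy -Policy $policy
if ($findings.Count -eq 0) { 'No weak UAC settings found.' } else { $findings }
```

Run it on a representative client and server before layering anything on top of UAC: an MFA step at the prompt adds nothing on a host where ConsentPromptBehaviorAdmin is 0 or EnableLUA is 0, because no prompt is ever shown there.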
Why User Account Control alone isn't enough
According to the 2026 Verizon Data Breach Investigations Report, credential abuse appears in 39% of all breaches at some point in the attack chain—and on a Windows endpoint, a compromised password is all it takes to approve an elevation prompt and obtain an administrator access token.
Even with AAM enforced—which restricts administrator accounts to standard privileges by default—standard user accounts targeted for privilege escalation face the same risk.
ManageEngine ADSelfService Plus helps address this by adding a mandatory multi-factor verification step to the credential-based elevation prompt, so a stolen password alone can never grant unauthorized elevated access.
Multi-factor authentication for Windows User Account Control with ADSelfService Plus
When multi-factor authentication (MFA) for UAC is enabled, every credential prompt triggered by a UAC event requires the user to complete an additional identity verification step before Windows issues the administrator access token and allows the privileged action to proceed.
This means that even if an administrator account's password is compromised, an attacker cannot complete the elevation prompt without passing the second factor. This safeguard blocks unauthorized privilege escalation at the exact moment it's attempted.
ADSelfService Plus supports over 20 authentication factors for UAC MFA, including time-based OTP authenticator apps, push notification approval, email and SMS OTP, FIDO2 security keys, biometric verification, and YubiKey OTP.
Customer success story: Cook County, Government, USA
"Once people were enrolled, things became much quieter for us. Users could handle their own password issues, and VPN access felt more secure without being complicated."
—Churchil Roy Garg, senior network engineer
How User Account Control MFA works
When a user or process triggers a UAC elevation event, Windows presents its standard elevation prompt. With ADSelfService Plus installed and UAC MFA enabled, the flow continues as follows:
- Windows displays the UAC credential prompt as normal, requesting the administrator username and password.
- Once credentials are entered, ADSelfService Plus intercepts the prompt and triggers the configured MFA challenge, which is presented on the secure desktop to prevent spoofing.
- The user completes the second factor (OTP, push notification, biometric, etc.).
- Upon successful verification, Windows issues the administrator access token and the elevated action proceeds.
- If MFA verification fails or is denied, the elevation is blocked regardless of whether the password was correct.
User Account Control MFA and Windows integrity levels
Windows uses integrity levels—a trust-based process classification system with high, medium, and low designations—to restrict which processes can modify data belonging to higher-integrity processes. UAC enforces the boundary between medium-integrity standard user processes and high-integrity administrator processes. Adding MFA to the elevation prompt strengthens this boundary: even when the credential check succeeds, the transition to high integrity is blocked until the second factor is verified. This prevents malware running at medium integrity from silently escalating to high integrity using a harvested password alone.
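The integrity-level transition described above is observable on the endpoint: the token's mandatory label shows which level a process currently runs at, and a completed elevation appears in the Security log as a process start that received a full administrator token. The PowerShell below is an added example for this page, not ManageEngine code. It assumes "Audit Process Creation" is enabled (otherwise event 4688 is not logged) and that the session reading the Security log is itself elevated; the SID and field names are the standard Windows ones.

```powershell
# Added example (not vendor code): report the integrity level of the current
# token, then list recent process starts that received a full (high-integrity)
# administrator token according to Security event 4688.

function Get-CurrentIntegrityLevel {
    # whoami reports the token's mandatory label; S-1-16-<rid> is the integrity SID.
    $label = whoami /groups /fo csv | ConvertFrom-Csv |
        Where-Object { $_.SID -like 'S-1-16-*' } | Select-Object -First 1
    $names = @{
        'S-1-16-4096'  = 'Low'
        'S-1-16-8192'  = 'Medium'
        'S-1-16-8448'  = 'Medium Plus'
        'S-1-16-12288' = 'High'
        'S-1-16-16384' = 'System'
    }
    $sid  = if ($label) { $label.SID } else { 'n/a' }
    $name = if ($names.ContainsKey($sid)) { $names[$sid] } else { 'Unknown' }
    # True only when the process holds the full administrator token (post-elevation).
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    [pscustomobject]@{ SID = $sid; IntegrityLevel = $name; ElevatedAdministrator = $isAdmin }
}

function Get-RecentElevatedProcessStarts {
    param([int]$MaxEvents = 500)
    # TokenElevationType in 4688: %%1936 default token, %%1937 full (elevated) token,
    # %%1938 limited (filtered) token. %%1937 is what a successful elevation produces;
    # it also appears for services and for hosts with UAC disabled, so review in context.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } `
                           -MaxEvents $MaxEvents -ErrorAction Stop
    foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['TokenElevationType'] -eq '%%1937') {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Creator = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                # Target fields (Windows 10 / Server 2016 and later) name the account
                # whose credentials were supplied when it differs from the creator.
                Target  = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                Process = $data['NewProcessName']
                Parent  = $data['ParentProcessName']
            }
        }
    }
}

Get-CurrentIntegrityLevel
Get-RecentElevatedProcessStarts | Format-Table -AutoSize
```

A medium-integrity session reports IntegrityLevel "Medium" and ElevatedAdministrator False even for a member of Administrators, which is AAM at work. The second function is a starting point for a detection: a full-token process whose creator is a standard user and whose target is a privileged account is exactly the credential-prompt elevation the MFA step is meant to gate.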
Benefits of enabling MFA for Windows User Account Control
- Stops credential-based privilege escalation: A stolen administrator password can no longer complete a UAC elevation on its own. MFA verification begins at the prompt, blocking unauthorized escalation even after credential compromise.
- Granular policy by OU, group, or domain: Configure different authentication factors for different users based on their AD OU membership, group assignments, or domain. High-privilege accounts can require stronger factors than standard users.
- Wide authenticator choice: Choose from 20+ authentication methods to match your organization's existing MFA infrastructure and security requirements—no need to deploy new authenticator hardware if users already have TOTP apps.
- Complements existing UAC settings and Group Policy: Works alongside your existing UAC configuration, GPO settings, and Admin Approval Mode without requiring changes to existing UAC policies.
- Protects Windows Server environments: MFA for UAC applies to Windows Server editions as well as client OS deployments, securing privileged actions on servers where unauthorized elevation carries the highest risk.
Supported environments
ADSelfService Plus UAC MFA is compatible with Windows 7 and above, and Windows Server 2008 and above (including Windows Server 2016, 2019, and 2022). It requires the ADSelfService Plus Windows login agent version 5.10 or above. The login agent can be deployed at scale via Group Policy across AD-joined environments.
Frequently asked questions
ADSelfService Plus' User Account Control (UAC) multi-factor authentication (MFA) works alongside your existing Group Policy UAC settings and does not require changes to your UAC configuration. The MFA layer is applied at the elevation prompt regardless of which GPO-controlled UAC behavior level is in effect.
Authentication factors can be assigned based on AD OU membership, group membership, or domain. This allows you to enforce stronger factors—such as FIDO2 keys or biometrics—for high-privilege accounts while using OTP for standard users.
ADSelfService Plus supports offline MFA for scenarios where the machine cannot reach the authentication server, ensuring elevation prompts remain secured without network access.
Highlights of ADSelfService Plus
Password self-service
Unburden Windows AD users from lengthy help desk calls by empowering them with self-service password reset and account unlock capabilities.
Multi-factor authentication
Enable context-based MFA with 20 different authentication factors for endpoint, application, VPN, OWA, and RDP logins.
One identity with single sign-on
Get seamless one-click access to more than 100 cloud applications. With enterprise single sign-on (SSO), users can access all their cloud applications using their Windows AD credentials.
Password and account expiry notifications
Notify Windows AD users of their impending password and account expiry via email and SMS notifications.
Password synchronization
Synchronize Windows AD user passwords and account changes across multiple systems automatically, including Microsoft 365, Google Workspace, IBM iSeries, and more.
Password policy enforcer
Strong passwords resist various hacking threats. Require Windows AD users to set compliant passwords by displaying the password complexity requirements as they choose one.
