0

I'm running Windows 10 Home, and I want to make sure that unsigned executables don't run (or at least I get a popup making sure that I want to run them).

I found this page, but I cannot for the life of me figure out how to enable this.

It gives me a location to the setting:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

But that's not an absolute path. From where do I follow that path? Is this only available to Windows 10 Pro installs perhaps? Is this already enabled?

My UAC settings are set to the max (see picture here). Is that enough?

pushkin

1 Answer

2

> Is that enough?

It absolutely is not enough. The default setting for this particular group policy is disabled; changing the UAC settings does not enable the policy in question.

> Is this only available to Windows 10 Pro installs perhaps? Is this already enabled?

You can only edit the group policy, through the group policy editor, on Windows 10 Professional and/or Windows Server. It is possible to manually add the group policy editor (gpedit) to Windows 10 Home.

The group policy you want to enable is *User Account Control: Only elevate executables that are signed and validated*, and by default it is disabled.

Of course, the simplest approach only requires editing the following registry key.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures

You will have to change the value from 0 (Disabled) to 1 (Enabled).

Ramhound
  • I see no evidence in the documentation that this group policy is only limited to editions of Windows with the group policy. However, if that is the case, then your solution to your problem is to upgrade to an eligible edition of Windows. I am leaving this as a comment, since "upgrading to an eligible edition of Windows" isn't an acceptable answer to any question (in my opinion). – Ramhound Apr 17 '18 at 16:35
  • Brilliant. I think I'll just tweak the registry directly. Thanks! – pushkin Apr 17 '18 at 19:36
  • By the way, if I create an application (`.exe`) and run it, will this setting get in the way? I suspect that it will. Second, if it does, will it also get in the way if I create a script that runs the `.exe` programmatically? – pushkin Apr 17 '18 at 19:38
  • @pushkin - You should read what the policy does. Your question is unrelated to the question you asked. **Comments are not designed to ask additional questions.** *If you are interested in whether your application will work, make the change and test it yourself.* – Ramhound Apr 17 '18 at 20:37
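
The registry change described in the answer, as an added PowerShell example that is not part of the original answer or comments. The function names and the `C:\Tools` folder are hypothetical; treating a missing value as 0 is an assumption based on the answer's statement that the policy is disabled by default, and the Authenticode pre-check only approximates the validation Windows performs at elevation time.

```powershell
# Added example: audit and enable ValidateAdminCodeSignatures, then pre-check binaries.
$PolicyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$PolicyName = 'ValidateAdminCodeSignatures'

function Get-SignedElevationPolicy {
    # Assumption: a missing value means 0, the default (Disabled) state.
    $item = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$PolicyName
}

function Enable-SignedElevationPolicy {
    # Writing under HKLM needs an elevated session; fail early with a clear message.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell session.'
    }
    # -Force creates the DWORD if it is absent and overwrites it if present.
    New-ItemProperty -Path $PolicyKey -Name $PolicyName -PropertyType DWord -Value 1 -Force |
        Out-Null
    return (Get-SignedElevationPolicy)   # read back to confirm the write
}

function Test-ElevationCandidate {
    # Reports the Authenticode status of each file so you can see, before enabling
    # the policy, which executables are unsigned or carry an invalid signature.
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($p in $Path) {
        $sig = Get-AuthenticodeSignature -FilePath $p
        [pscustomobject]@{
            Path   = $p
            Status = $sig.Status
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            Signed = ($sig.Status -eq 'Valid')
        }
    }
}

"Current value: $(Get-SignedElevationPolicy)"

# C:\Tools is a placeholder folder holding the executables you expect to elevate.
$exes = Get-ChildItem -Path 'C:\Tools' -Filter *.exe -ErrorAction SilentlyContinue
if ($exes) { Test-ElevationCandidate -Path $exes.FullName | Format-Table -AutoSize }

# Uncomment once the report above looks acceptable:
# "New value: $(Enable-SignedElevationPolicy)"
```

To revert, set the same value back to 0.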