Webcast Recap

Thanks to everyone for joining the webcast on Tuesday and to Chris Corio for helping to answer questions. People asked a lot of good questions, so we wanted to share the transcript with others who may have similar ones. For those who missed it, you can watch the replay here.

I always start my webcasts with a poll asking attendees what percentage of their users has admin rights today. Here is that data:


Then, at the end, I ask what percentage will be administrators on Windows Vista:

Not a scientific study, from just about 50 people or so, but we generally see that today about 80 percent of users have administrator rights, and on Windows Vista, customers are anticipating that will drop considerably.

On to the transcript…

Question: Can I ask technical questions while the presentation is going on?

Private Answer: Yes

Question: Will this be in the form of an on-demand webcast?

Answer: Yes. Watch your inbox tomorrow for an e-mail with information about viewing this webcast on demand and downloading a WMV file. The e-mail will also include a link to a downloadable PowerPoint presentation of today’s webcast. [Anyone can watch it again here.]

Question: I connected some Windows Vista workstations to an SBS2003 server, and every logon, the default SBS2003 logon script runs a Client\Setup.exe, which kicks up the UAC screen. This does not seem to be a desirable feature of every logon.

Answer: This is something that we are working with the SBS team on right now. This logon script updates binaries and settings configured by SBS, but it is rarely updated. Currently, we recommend that you propagate an App Compat shim marking the client\setup.exe binary as not requiring Administrator privileges. The proper run level would be asInvoker.

Question: How can you run things as an admin that don't specifically have a Start menu icon? For instance, an applet in the taskbar that requires admin access (but right-click over doesn't allow for "Run as...").

Answer: You can either browse to the binary and right-click it, or you can run a CMD window with Administrator privileges and run it there.

Question: What is Microsoft doing to educate vendors on how to write applications that don't require admin rights?

Answer: We've done our best to let all developers and ISVs know about this product by presenting at numerous conferences since PDC '05. We also have guidance available online. Check out the resources slide for those links.

Question: Is it possible for IT departments to update the app compat list using, say, GPO or SMS?

Answer: Yes. You can use GP to deploy the App Compat shims.

Question: I am asking about the domain users in the local machines. Does this apply to it?

Answer: UAC applies to both domain users and local users.

Question: You have mentioned App Compat shims several times in the replies. Is there some detailed documentation on App Compat Shims available?

Answer: Yes, take a look at: https://www.microsoft.com/technet/windowsvista/deploy/appcompat/acshims.mspx

Question: So you can drop a manifest in alongside an app that you did not produce (e.g., I have an app from a defunct ISV)?

Answer: Yes, as long at the app does not have an internal manifest, which would override the external one. You can also use the tool mt.exe (shipped with Visual Studio) to add an internal manifest to an existing .exe.

Question: My initial take on UAC is you are simply masking over the real problem of users with admin rights. If they have an admin password, they are only one step away from hacking their computer. Will we be able to identify and customize the ACLS on all system components based on application requirements to allow these applications to run without supplying an admin password?

Answer: Our goal is to reduce the privileges that applications are designed to run with. Unfortunately, because all of our users prior to Windows Vista were members of the Administrators group, applications often unnecessarily required that the user be an administrator. We are trying to help the industry understand that oftentimes they don't need administrator privileges to execute their applications, and we expect many users in enterprises to no longer run as administrators.

Question: Can the local store be relocated to better support roaming profiles?

Answer: Unfortunately, the location of the virtual store isn't configurable.

Question: That so it is of stability? (Sorry for my English) will be able to use the old standard user or not?

Answer: You can still run your users as member of the users group. If you want exact parity between XP, you should disable the UAC installer detection feature and file virtualization.

Question: I referred to me that in spite of being a beta, if Windows Vista is stable in its totality or still it has things to correct.

Answer: We continue to refine Windows Vista as we move toward release. We feel that the beta version is quite stable.

Question: I'm still confused. Applications don't "require" admin rights. Applications perform tasks on a computer that accesses system components (directories, registry, services, etc.) that are locked down to admins only. Can we not identify these components in advance and adjust the ACLs on these components to give the standard user the ability to access?

Answer: You could do this, but then any malware running as the user could also change those settings. This would undermine any security model that an application or Windows has established for those resources.

Question: In what SKUs is the secpol available?

Answer: secpol.msc is available in all SKUs [Correction from live chat: secpol will only be available in the SKUs that support group policy: Business, Enterprise, and Ultimate.]

Question: Given that we'll be running in a mixed environment at first (Windows XP and Windows Vista), will any level of these controls be available for XP via a patch?

Answer: There are currently no plans to move UAC down-level. However, as you understand which applications can run as standard users on Windows Vista, you can move your Windows XP users into the Users group and get similar performance.

Question: How can I make a white list program by vendor or by location or what?

Answer: Check out the Software Restriction Policy white paper available here: https://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx

Question: What was that again? If I disable UAC, do I also lose the new security features of Internet Explorer?

Answer: Internet Explorer will not be running in Protected Mode if UAC is disabled.

Question: What is the URL for the compatibility tools?

Answer: https://www.microsoft.com/technet/desktopdeployment/appcompat/toolkit.mspx

Question: Can we see the vote results?

- Alex