AnyConnect + Secure Desktop Host Scan UAC Prompts

dbgreekas
Level 1

Is it possible to install AnyConnect with Secure Desktop Advanced Endpoint Assessment so that it doesn't always trigger a UAC prompt for Windows 7 users? I do not want to disable UAC, but these prompts defeat the automated nature of the certificate-based authentication that I am looking for.

I want to use AnyConnect with Always-on for my laptops, but having a UAC prompt come up during login is going to frustrate my users; turning Advanced Endpoint Assessment or UAC completely off is also not a solution.

9 Replies

Jennifer Halim
Cisco Employee

What version of CSD are you running? I believe that version 3.5 has that issue resolved.

AnyConnect: 2.5

Secure Desktop: 3.5

I have it set to Cache Cleaner because all I really want to do is run the Advanced Endpoint checks to ensure the connecting machine has a specific certificate and that it is running the correct, up-to-date antivirus software.

Do all hosts have administrator rights to the PC where the AnyConnect is connecting from?

The account being tested has local administrator rights...

With Secure Desktop / Cache Cleaner removed from the Connection Profile, AnyConnect will connect with no prompt... As soon as Secure Desktop, or in this case Cache Cleaner, is enabled, there is a notice that the Host Scan Launcher needs rights elevation.

Reading the documentation it indicates that the keylog scanner needs rights escalation but I do not have that option enabled.

Yes, it needs the rights escalation for Host Scan.

But I believe a user without admin privilege on their PC should not be prompted for the UAC. Can you please confirm? Thx.

The users that will be using this connection require local admin rights, so that doesn't really solve the problem; however, I will try it out.

Also, I will try it with the latest version of AnyConnect, as I see there have been some minor bug fix releases.

halijenn wrote:

Yes, it needs the rights escalation for Host Scan.

But I believe a user without admin privilege on their PC should not be prompted for the UAC. Can you please confirm? Thx.

I did some more tests.

If I use pre-login authentication, there is no UAC prompt.

If I log in as a user with no local admin rights there is no UAC prompt.

If I log in as a user with local admin I receive a UAC prompt.

Is there any way this will ever work without a UAC prompt for users with local admin? Most of our laptop users have local admin since they need to install software while out in the field... the usability is very good when there is no UAC prompt, AnyConnect JUST WORKS... With the UAC prompt, however, I can see the users having problems, and having to click YES to those prompts EVERY TIME will make the user ignore them for other apps as well.

No, unfortunately there is no way to disable UAC with admin privilege. It's not an issue with the Host Scan prompting for UAC on a machine with admin privilege, but that is why UAC was introduced by Microsoft.

On a machine with admin privilege, it's easier to compromise the machine, as there is more privilege with admin access. Hence, Microsoft has enforced UAC to prevent direct application access by prompting the user with UAC, in case it's malware, etc.

I don't see why, once installed, this product would still behave in such a way as to trigger a UAC. It is not like your typical antivirus package causes a UAC prompt if you tell it to start a system scan.

I WOULD expect a prompt during install and when new profiles / upgrades are installed; for daily use this is really annoying.