Format with exFAT requiring administrator privileges
Open source disk encryption with strong security for the Paranoid
Brought to you by:
idrassi
Menu
▾
▴
Keywords: veracrypt rdp admin prompt VeraCrypt requires admin privileges when formatting containers in an RDP session
UAC prompt, admin prompt, creating containers
Dear All,
We have installed VC 1.25.9 on a system that is accessed by users without admin privileges. The users are able to create containers formatted to FAT. However, when they try to format to exFAT, they receive an admin prompt. I was aware that formatting to NTFS required admin privs but exFAT, I thought, woudl work without admin.
Any idea what could be at fault here?
Last edit: terko 2023-02-01
Maybe this will help?
https://superuser.com/questions/1355056/allow-non-admin-user-to-format-internal-drive-in-windows-10
Greets
Thanks for the tip!
Unfortunately, this does not fix the issue.
- Added user to GPO
- Ran gpupdate /force
- Ran gpresult /h to verify that GPO applies
- Rebooted machine
- Started VeraCrypt and attempted to create an exFAT volume in user-writeable location
- -----> Admin prompt
- Formatted with FAT instead
- Attempted to mount and reformat the volume with exFAT via File Explorer
- -----> Admin prompt
Sorry, that's all I got for you, since I'm not a Windows guy :-/
Maybe someone else might be able to enlighten us regarding this behavior.
Greets
It looks as if installing VeraCrypt for a specific user in a writable location for that user allows them to format containers with exFAT AND with NTFS.
-- rdp -- Remote Desktop
Looks like my bad was to assume that RDP users have the same rights as users who are logging on to the console. This is NOT the case. E.g., even if you assign a GPOs that allow normal users to format removable media and to perform volume maintenance tasks, RDP users will still not be able to do this. The only workaround that I could find for Windows 10/11 is to use Remote assistance or TeamViewer. In Windows Server you shoul be able to use the -console switch for your RDP session, which should make you the same as a user of the physical console.
Final workaround/solution for RDP users trying to crate VeraCrypt containers but getting and admin / UAC prompt.
Apply the below policies or the corresponding registry keys. Of those , which have a user as well as a machine setting, you only need to apply one.
1.
Removable Disks: Deny write access User System\Removable Storage Access HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}!Deny_Write
Removable Disks: Deny write access Machine System\Removable Storage Access HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}!Deny_Write
2.
All Removable Storage classes: Deny all access User System\Removable Storage Access HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices!Deny_All
All Removable Storage classes: Deny all access Machine System\Removable Storage Access HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices!Deny_All
3.
All Removable Storage: Allow direct access in remote sessions Machine System\Removable Storage Access HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices!AllowRemoteDASD