Intune: UAC Elevation Prompt Behavior for Standard Users

Implementing and maintaining a good security posture is an integral part of overall IT security governance for most organizations now. While you want to harden the security of infrastructure and give least number of privileges to your end users, sometimes you may need to cut back on the restrictions to ensure a good user experience and an effective IT support process.

Recently, I had a requirement where the customer wanted to ease the restriction on the end user devices to make the helpdesk support process more efficient. This involved easing the UAC level access for the Standard users and if you are managing your devices using Intune, then this blog may just help you.

Let us see what all is involved and some of the ways that you can use to implement this easily.

Policy CSP – LocalPoliciesSecurityOptions

LocalPoliciesSecurityOptions has many CSP settings and if you are managing these settings at an individual level, then the CSP that we need to concern ourselves with here is UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers. This policy setting controls the behavior of the elevation prompt for standard users.

To configure this in Intune, follow the steps below:

2. Browse to Devices – Windows – Configuration Profiles
3. Click Create Profile
4. Select Platform as Windows 10 and later
5. Select Profile as Custom
6. Use the following values for the fields in the custom profile and assign to a device based group:

Name: UAC Elevation Prompt For Standard Users.

Description: This policy setting controls the behavior of the elevation prompt for standard users.

OMA-URI: ./Vendor/MSFT/Policy/Config/ LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers

Data Type: Integer

Value:  1

MDM Security Baseline

If you have deployed an MDM security baseline using Intune, then you can directly change the desired setting in the Baseline as most of the Windows 10 CSP policies are part of the MDM security baseline. By default, ‘Standard elevation prompt behavior’ is set to ‘Automatically deny elevation requests’. Change it to ‘Prompt for credentials on the secure desktop’ as shown below.

 

Here is a complete list of settings currently available in the MDM baseline for Local Policies Security Option.

    
   

References:


 

Comments

  1. I'd like to know each time a user provokes a UAC prompt.

    ReplyDelete
    Replies
    1. Your best bet is 3rd Party tools like ABR

      Delete
  2. I set this setting Administrator elevation prompt behavior to not prompt for credentials, but whenever I try to perform an admin function, it still makes me type in credentials. Not sure what's going on.

    ReplyDelete
    Replies
    1. Have you checked for and policy conflicts?

      Delete
    2. For me it’s conflict but not sure which policy

      Delete
    3. You should be able to see the source policy against the conflict.

      Delete
  3. Thank you so much for writing this - I've been pulling my hairs for 2 weeks

    ReplyDelete
  4. How do we force the policy to require UAC for things like CMD and PS for standard users? we are a school and need to prevent the students from running those types of admin tools

    ReplyDelete
    Replies
    1. As far as I know you can block access but can't raise the elevation level for CMD and PS by default. To be honest, commands\scripts that are altering system files and structure will require elevated rights anyway so from a security standpoint, you should be good.

      Delete
  5. Do we need to implement both the OMA-URI and the Baseline setting or would just using the OMA-URI do the trick? Don't want to have a conflict between the two!

    ReplyDelete
    Replies
    1. OMA-URI should only be used if you cannot change the setting in the baseline or want to control the setting for a sub-section of devices. If this is not a requirement for you, then you can always modify directly in the baseline.

      Delete
  6. How to downlode OMA-url

    ReplyDelete
  7. Hi Rahul - where I can find the source policy against the conflict in intune ?

    ReplyDelete

Post a Comment

Popular posts from this blog

How to force escrowing of BitLocker recovery keys using Intune

Prevent users from running certain programs or applications on Windows endpoints using Intune

Intune: Configure Printers for Non-Administrative Users