Intune: UAC Elevation Prompt Behavior for Standard Users

-
Implementing and maintaining a good security posture is an integral part of overall IT security governance for most organizations now. While you want to harden the security of infrastructure and give least number of privileges to your end users, sometimes you may need to cut back on the restrictions to ensure a good user experience and an effective IT support process.

Recently, I had a requirement where the customer wanted to ease the restriction on the end user devices to make the helpdesk support process more efficient. This involved easing the UAC level access for the Standard users and if you are managing your devices using Intune, then this blog may just help you.

Let us see what all is involved and some of the ways that you can use to implement this easily.

Policy CSP – LocalPoliciesSecurityOptions

LocalPoliciesSecurityOptions has many CSP settings and if you are managing these settings at an individual level, then the CSP that we need to concern ourselves with here is UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers. This policy setting controls the behavior of the elevation prompt for standard users.

To configure this in Intune, follow the steps below:

2. Browse to Devices – Windows – Configuration Profiles
3. Click Create Profile
4. Select Platform as Windows 10 and later
5. Select Profile as Custom
6. Use the following values for the fields in the custom profile and assign to a device based group:

Name: UAC Elevation Prompt For Standard Users.

Description: This policy setting controls the behavior of the elevation prompt for standard users.

OMA-URI: ./Vendor/MSFT/Policy/Config/ LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers

Data Type: Integer

Value:  1

MDM Security Baseline

If you have deployed an MDM security baseline using Intune, then you can directly change the desired setting in the Baseline as most of the Windows 10 CSP policies are part of the MDM security baseline. By default, ‘Standard elevation prompt behavior’ is set to ‘Automatically deny elevation requests’. Change it to ‘Prompt for credentials on the secure desktop’ as shown below.

 

Here is a complete list of settings currently available in the MDM baseline for Local Policies Security Option.

    
   

References:


 

Comments

  1. UnknownDecember 14, 2021 at 3:08 PM

    I'd like to know each time a user provokes a UAC prompt.

    ReplyDelete
    Replies
    1. AnonymousApril 25, 2023 at 11:58 AM

      Your best bet is 3rd Party tools like ABR

      Delete
  2. Phil JacksonJanuary 21, 2022 at 7:07 PM

    I set this setting Administrator elevation prompt behavior to not prompt for credentials, but whenever I try to perform an admin function, it still makes me type in credentials. Not sure what's going on.

    ReplyDelete
    Replies
    1. Rahul JindalMarch 3, 2022 at 11:24 PM

      Have you checked for and policy conflicts?

      Delete
    2. AnonymousJune 14, 2022 at 5:31 PM

      For me it’s conflict but not sure which policy

      Delete
    3. Rahul JindalJuly 12, 2022 at 2:53 PM

      You should be able to see the source policy against the conflict.

      Delete
  3. AnonymousMay 5, 2022 at 3:58 PM

    Thank you so much for writing this - I've been pulling my hairs for 2 weeks

    ReplyDelete
  4. AnonymousJune 25, 2022 at 4:48 PM

    How do we force the policy to require UAC for things like CMD and PS for standard users? we are a school and need to prevent the students from running those types of admin tools

    ReplyDelete
    Replies
    1. Rahul JindalJuly 12, 2022 at 3:08 PM

      As far as I know you can block access but can't raise the elevation level for CMD and PS by default. To be honest, commands\scripts that are altering system files and structure will require elevated rights anyway so from a security standpoint, you should be good.

      Delete
  5. KureleJuly 9, 2022 at 1:41 AM

    Do we need to implement both the OMA-URI and the Baseline setting or would just using the OMA-URI do the trick? Don't want to have a conflict between the two!

    ReplyDelete
    Replies
    1. Rahul JindalJuly 12, 2022 at 3:10 PM

      OMA-URI should only be used if you cannot change the setting in the baseline or want to control the setting for a sub-section of devices. If this is not a requirement for you, then you can always modify directly in the baseline.

      Delete
  6. AnonymousSeptember 22, 2022 at 9:22 AM

    How to downlode OMA-url

    ReplyDelete
  7. AnonymousAugust 29, 2023 at 6:23 AM

    Hi Rahul - where I can find the source policy against the conflict in intune ?

    ReplyDelete

Post a Comment

Popular posts from this blog

How to force escrowing of BitLocker recovery keys using Intune

-
Image
Every now and then it so happens that BitLocker recovery keys do not escrow in AAD. The usual culprits are incorrect BitLocker policies and\or the device hardware configuration failing to meet the minimum requirements. The other scenario and something I recently experienced is when everything is setup right and still the recovery key doesn’t escrow in AAD. As I understand, this can happen if the escrow process got interrupted the first time due to network or local devices related issues and the process could not resume. To circumvent this issue, one can simply push a PowerShell script to the devices to force the escrow of the recovery keys to AAD. Here is a script to do so. try{ $BitlockerVol = Get-BitLockerVolume -MountPoint $env:SystemDrive         $KPID=""         foreach($KP in $BitlockerVol.KeyProtector){             if($KP.KeyProtectorType -eq "RecoveryPassword"){                 $KPID=$KP.KeyProtectorId                 break;             }         }        $o
Read more

Intune: Configure Printers for Non-Administrative Users

-
Image
Configuring printers for end users or giving them the ability to do it themselves is a normal requirement for organizations. Now if your users are Administrators, then the configuration can be straight forward, but in case of Non-Administrators there are additional steps required as Non-Administrators will not be able to add a driver in the driver store despite being able to install a printer. In this blog, I will cover the steps that I took to address this requirement using Intune. The setup involves 2 steps -  1. Setup registries. 2. Install the driver and configure the printer Setting up registries – The registries that need to be configured are actually part of a GPO setting – Allow non-administrators to install drivers for these device setup classes It can be found under: Computer Configuration -> Policies -> Administrative Templates -> System -> Driver Installation I used a Powershell script to set the values and wrapped it in a Win32 application. $Path1
Read more

Prevent users from running certain programs or applications on Windows endpoints using Intune

-
Image
  When it comes to blocking or preventing users from running an application on Windows devices, one normally uses App locker policy, Windows Defender Application Control and not so new but pretty useful method called Defender Vulnerability management within Microsoft 365 Defender Portal. A recent question on the Tech Community Microsoft forum prompted me to look for all possible alternatives. I started reminiscing over the legacy GPO policies and that is when I stumbled upon the policy  Don’t run specified Windows applications  located under User Administrative Templates - The policy setting does come with its own caveat - " This policy setting only prevents users from running programs that are started by the File Explorer process. It does not prevent users from running programs, such as Task Manager, which are started by the system process or by other processes. Also, if users have access to the command prompt (Cmd.exe), this policy setting does not prevent them from starting pr
Read more