Intune: UAC Elevation Prompt Behavior for Standard Users
Implementing and maintaining a good security posture is now an integral part of overall IT security governance for most organizations. While you want to harden your infrastructure and grant end users the fewest privileges possible, you sometimes need to relax a restriction to keep the user experience workable and the IT support process effective.

Recently I had a requirement where the customer wanted to ease a restriction on end-user devices to make the helpdesk support process more efficient. This involved relaxing the UAC elevation behavior for standard users, and if you manage your devices with Intune, this post may help you.

Let us see what is involved and some of the ways you can implement this easily.
Policy CSP – LocalPoliciesSecurityOptions

LocalPoliciesSecurityOptions exposes many settings through the Policy CSP. If you manage these settings individually, the one that matters here is UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers. This policy setting controls the behavior of the elevation prompt for standard users and maps to the ConsentPromptBehaviorUser registry value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. The supported values are 0 (automatically deny elevation requests), 1 (prompt for credentials on the secure desktop) and 3 (prompt for credentials; the Windows default). Values 1 and 3 do not grant a standard user any additional rights: whoever is at the keyboard, typically the helpdesk engineer, still has to supply administrator credentials. Prefer 1 over 3, because the secure desktop isolates the credential prompt from other user-mode processes that could otherwise spoof or capture it.
To configure this in Intune, follow the steps below:
1. Sign in to the Microsoft Endpoint Manager admin center at https://endpoint.microsoft.com
2. Browse to Devices – Windows – Configuration profiles
3. Click Create profile
4. Select Platform as Windows 10 and later
5. Select Profile type as Custom
6. Use the following values for the OMA-URI setting in the custom profile and assign the profile to a device-based group:
Name: UAC Elevation Prompt For Standard Users
Description: This policy setting controls the behavior of the elevation prompt for standard users.
OMA-URI: ./Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers
Data Type: Integer
Value: 1 (prompt for credentials on the secure desktop)
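The same custom profile can be created and assigned from a script instead of the portal, which is useful when you roll the change out to several tenants. The following PowerShell is an added example and is not code from the original post or from Microsoft; it assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in account holds the DeviceManagementConfiguration.ReadWrite.All permission, and that you replace the placeholder group ID with your own device group. The OMA-URI uses the ./Device/Vendor/MSFT prefix, which is equivalent to the ./Vendor/MSFT form above for this device-scoped policy.

```powershell
# Added example (not from the original post): create the custom configuration
# profile for UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers
# through Microsoft Graph and assign it to a device group.
# Assumptions: Microsoft.Graph SDK present; DeviceManagementConfiguration.ReadWrite.All granted;
# $deviceGroupId is a placeholder you replace with your own group's object ID.

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

$deviceGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: your device-based group

# Same fields as step 6 above, expressed as a windows10CustomConfiguration with one integer OMA setting.
$profileBody = @{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    displayName   = 'UAC Elevation Prompt For Standard Users'
    description   = 'This policy setting controls the behavior of the elevation prompt for standard users.'
    omaSettings   = @(
        @{
            '@odata.type' = '#microsoft.graph.omaSettingInteger'
            displayName   = 'UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers'
            description   = '0 = auto deny, 1 = prompt on secure desktop, 3 = prompt (default)'
            omaUri        = './Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers'
            value         = 1   # prompt for credentials on the secure desktop
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations' `
    -Body ($profileBody | ConvertTo-Json -Depth 5) -ContentType 'application/json'

Write-Host "Created profile $($created.displayName) with id $($created.id)"

# Assign the new profile to the device group (the /assign action replaces the current assignment list).
$assignBody = @{
    assignments = @(
        @{
            target = @{
                '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                groupId       = $deviceGroupId
            }
        }
    )
}

Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/$($created.id)/assign" `
    -Body ($assignBody | ConvertTo-Json -Depth 5) -ContentType 'application/json'

Write-Host "Assigned profile $($created.id) to group $deviceGroupId"
```

Run it once per tenant; because /assign replaces the whole assignment list, re-running it with a different group ID moves the profile rather than adding a second target.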
MDM Security Baseline

If you have deployed an MDM security baseline with Intune, you can change the setting directly in the baseline, as most of the Windows 10 Policy CSP settings are part of it. By default, 'Standard elevation prompt behavior' is set to 'Automatically deny elevation requests'. Change it to 'Prompt for credentials on the secure desktop'. Do not also set the same CSP to a different value in a custom profile that targets the same devices: Intune will report a conflict and the setting may not apply. Use a custom profile only where the baseline cannot express the setting or where a subset of devices needs a different value.

[Screenshot from the original post: the complete list of settings currently available in the MDM baseline under Local Policies Security Options.]
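Whichever route you take, verify the result on a device rather than trusting the portal's reporting alone, because the effective UAC value is whatever the last policy channel (baseline, custom profile or a local GPO) wrote. The following PowerShell is an added example and not code from the original post; it assumes the MDM client stores the value it received for this CSP under HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\LocalPoliciesSecurityOptions (the usual Intune troubleshooting location) and the function name is mine.

```powershell
# Added example (not from the original post): audit the effective UAC
# standard-user elevation behaviour on a managed device and compare it with
# the value the MDM channel delivered, so a policy conflict shows up at once.
# Assumptions: the PolicyManager "current\device" key holds the received Policy
# CSP value; function and variable names are mine. Both keys are readable by a
# standard user, so this can run without elevation.

# Value meanings per the Policy CSP documentation for this setting.
$UacUserPromptMeaning = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials (normal desktop; Windows default)'
}

function Get-UacStandardUserPromptBehavior {
    [CmdletBinding()]
    param()

    # What Windows actually enforces: the registry value every policy channel ends up writing.
    $effectivePath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $effective = (Get-ItemProperty -Path $effectivePath -Name 'ConsentPromptBehaviorUser' `
        -ErrorAction SilentlyContinue).ConsentPromptBehaviorUser
    if ($null -eq $effective) { $effective = 3 }   # unset means the Windows default

    # What the MDM client received for the CSP (assumed location, see header comment).
    $mdmPath = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\LocalPoliciesSecurityOptions'
    $cspName = 'UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers'
    $mdm = (Get-ItemProperty -Path $mdmPath -Name $cspName -ErrorAction SilentlyContinue).$cspName

    # Classify: missing delivery, a conflict between channels, a weak but working value, or OK.
    $status = if ($null -eq $mdm) {
        'No MDM value delivered for this CSP; check profile assignment and device sync'
    } elseif ([int]$mdm -ne [int]$effective) {
        'CONFLICT: effective value differs from the MDM value (another profile, the baseline or a GPO wins)'
    } elseif ([int]$effective -eq 3) {
        'WEAK: credentials are prompted on the normal desktop, not the secure desktop'
    } else {
        'OK'
    }

    [pscustomobject]@{
        EffectiveValue   = [int]$effective
        EffectiveMeaning = $UacUserPromptMeaning[[int]$effective]
        MdmValue         = $mdm
        Status           = $status
    }
}

Get-UacStandardUserPromptBehavior | Format-List
```

A CONFLICT result is the on-device counterpart of the conflict shown in the Intune portal; the MdmValue column tells you what Intune sent, and the EffectiveValue column tells you what won.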
Comments

Comment: I'd like to know each time a user provokes a UAC prompt.
Reply: Your best bet is 3rd party tools like ABR.

Comment: I set this setting, Administrator elevation prompt behavior, to not prompt for credentials, but whenever I try to perform an admin function it still makes me type in credentials. Not sure what's going on.
Reply: Have you checked for any policy conflicts?
Reply: For me it's a conflict, but not sure which policy.
Reply: You should be able to see the source policy against the conflict.

Comment: Thank you so much for writing this. I've been pulling my hair out for 2 weeks.
Reply: You're welcome.

Comment: How do we force the policy to require UAC for things like CMD and PS for standard users? We are a school and need to prevent the students from running those types of admin tools.
Reply: As far as I know you can block access but can't raise the elevation level for CMD and PS by default. To be honest, commands\scripts that alter system files and structure will require elevated rights anyway, so from a security standpoint you should be good.

Comment: Do we need to implement both the OMA-URI and the baseline setting, or would just using the OMA-URI do the trick? Don't want to have a conflict between the two!
Reply: OMA-URI should only be used if you cannot change the setting in the baseline or want to control the setting for a sub-section of devices. If this is not a requirement for you, then you can always modify it directly in the baseline.

Comment: How do you download the OMA-URI?

Comment: Hi Rahul, where can I find the source policy against the conflict in Intune?