Intune Windows devices: Admin Credentials Prompt for standard users

Question

Intune Windows devices: Admin Credentials Prompt for standard users

Chloe Hall 15

Prior to implementing Intune on all Windows devices, we set up local admin accounts on each device and added a separate standard user account for the employee using the device. This ensured that users could not install software, and had to reach out to our IT team so they could approve/deny the install. If approved, the IT team would remote into the device and enter the admin credentials. Now that we have implemented Intune, standard users are NOT being prompted for all installs and are able to install software without needing permission. We have tested UAC configuration policies to try and ensure prompts show up for each install, however this is not working. We also have LAPS setup for every Windows device. What is the solution in Intune to ensure that users are always prompted for admin credentials as they were before?

1 answer

Your answer

Answer 1

Crystal-MSFT 53,981 Microsoft External Staff

@Chloe Hall, Thanks for posting in Q&A. For your issue, it can be that the user is added into local administrators group when enroll into Intune. You can choose one affected device to check on this.

To fix this, we can configure "Local user group membership and choose Add (Replace): to only keep the account you want in the local administrators group or choose Remove (Update): to remove the user you don't want to remove the standard users from local administrators group.

https://learn.microsoft.com/en-us/mem/intune/protect/endpoint-security-account-protection-policy#manage-local-groups-on-windows-devices

In addition, Autopilot method can set enrolled user as standard user by setting "User account type" for new devices to enroll into Intune, you can consider using Autopilot enrollment method to enroll into Intune.

https://learn.microsoft.com/en-us/autopilot/profiles

Hope the above information can help.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Chloe Hall 15 Reputation points

2025-01-20T14:29:16.1766667+00:00

Hello,
We have already set up the Local user group membership policy. The user accounts are standard and are prompting for admin credentials sometimes, but not for ALL install attempts.
Crystal-MSFT 53,981 Reputation points Microsoft External Staff

2025-01-21T02:30:07.2666667+00:00

@Chloe Hall, Thanks for the reply. For other installs which are not prompting for admin credentials, if we test them on the device which is not enrolled into Intune, will it prompt?

If yes, please compare the local group membership on the two devices to check if there's any difference and if the enrolled user is in other group.
Crystal-MSFT 53,981 Reputation points Microsoft External Staff

2025-01-23T02:37:11.4766667+00:00

@Chloe Hall, How's everything going? if there's any update, feel free to let us know.

Share via

Intune Windows devices: Admin Credentials Prompt for standard users

1 answer

Your answer