AFAIK, unfortunately that's not the case. UAC credential prompts use a secure desktop and a fixed credential provider ordering. Microsoft does not expose any Group Policy, registry setting, or Intune configuration to change the default provider selection or reorder providers for elevation prompts. Windows Hello for Business is supported for elevation, but it is intentionally placed under “More choices” unless it is the only available provider. Disabling the password provider forces Hello to the front, as you observed, but that breaks supported security and recovery scenarios and is not considered a valid production configuration.
Relevant policies you might have already seen, such as “Interactive logon: Require Windows Hello for Business or smart card,” or various Windows Hello for Business Intune settings, only affect sign-in behavior and provisioning, not the UAC credential UI ordering. Likewise, UAC policies like “Behavior of the elevation prompt for administrators” control whether consent or credentials are required, but not which credential type is preselected.
If the goal is to reduce password use during elevation, the supported approaches are limited to either allowing consent-only elevation for administrators or ensuring Windows Hello for Business is deployed so users can choose it manually in the prompt. Beyond that, changing the default selection would require unsupported customization of credential providers or system behavior.
hth
Marcin
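
A read-only audit of the settings the answer above refers to, added here as an example and not part of the original post: it reports the "Behavior of the elevation prompt for administrators" policy and flags a disabled password credential provider. The registry paths, value names and provider CLSIDs are standard Windows values assumed for this sketch, not taken from the post.

```powershell
# Added example: read-only check, changes nothing on the device.
# Paths, value names and CLSIDs are assumptions based on standard Windows behaviour.
$policyKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$providerKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'

$known = @{
    '{60b78e88-ead8-445c-9cfd-0b87f74ea6cd}' = 'Password'
    '{D6886603-9D2F-4EB2-B667-1971041FA96B}' = 'Windows Hello (PIN)'
}
$promptMeaning = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (default)'
}

$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

# A missing value means the Windows default applies.
$behavior = if ($null -ne $policy.ConsentPromptBehaviorAdmin) { [int]$policy.ConsentPromptBehaviorAdmin } else { 5 }
$secure   = if ($null -ne $policy.PromptOnSecureDesktop)      { [int]$policy.PromptOnSecureDesktop }      else { 1 }

# Providers can be hidden per provider (Disabled = 1) or by the
# "Exclude credential providers" policy (comma-separated CLSID list).
$excluded = @("$($policy.ExcludedCredentialProviders)" -split ',' |
    ForEach-Object { $_.Trim() } | Where-Object { $_ })

$providers = foreach ($clsid in $known.Keys) {
    $p = Get-ItemProperty -Path (Join-Path $providerKey $clsid) -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Provider   = $known[$clsid]
        Registered = [bool]$p
        Disabled   = ($p.Disabled -eq 1) -or ($excluded -contains $clsid)
    }
}

[pscustomobject]@{
    AdminElevationPrompt = $promptMeaning[$behavior]
    CredentialsRequired  = $behavior -in 1, 3
    SecureDesktop        = ($secure -eq 1) -or ($behavior -in 1, 2)
} | Format-List
$providers | Format-Table -AutoSize

if ($providers | Where-Object { $_.Provider -eq 'Password' -and $_.Disabled }) {
    Write-Warning 'Password credential provider is disabled: recovery and fallback sign-in may break.'
}
```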