This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(54.400000000000006, 50%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
Hi,
I've been building up some of the Surface Hubs and once built I've been able to login to Settings with my account, when prompted. However, any that I have rebuilt in this past week, I cannot access Settings with my account. Instead it says "The Requested Operations Requires Elevation".
As far as I know nothing has changed. My account and others are still in the Intune\Endpoint configuration policy which sets the Admins.
Any ideas as to why it no longer accepts my account and says "The Requested Operations Requires Elevation"?
Thanks,
Michal
Thanks @Lu Dai-MSFT . It did eventually end up working for me after a few more times of redoing the XML for the OMA-URI "./Device/Vendor/MSFT/Policy/Config/RestrictedGroups/ConfigureGroupMembership". Not sure why but it is quite flaky.. If it occurs again in future I'll open a ticket
@Michal Thanks for posting in our Q&A.
From the picture, it is needed an admin permission to login to Settings. To clarify this issue, please use a local admin account to login to the device and then check if the targeted user is in the Administrators group in Computer Management > Local Users and Groups.
If there is anything update, feel free to let us know.
If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hello Michal,
In this case the logical explanation is that the computers are not receiving correctly the policies for updating the Admin accounts.
I can personally recommend the next MS article as a first approach to troubleshooting Intune policy: https://learn.microsoft.com/en-us/troubleshoot/mem/intune/troubleshoot-policies-in-microsoft-intune
If you find any new information feel welcome to come back for the community to help further if needed.
--------------------------------------------------------------------------------------------------------------------------------------------------
--If the reply is helpful, please Upvote and Accept as answer--
Thanks @Limitless Technology . So I guess it all comes down to those Policies no longer applying properly.. which would make sense why any previously built Surface Hubs allow certain admin accounts to login. However any that have been recently provisioned dont.
I'm currently trying to troubleshoot the following error, on the "ConfigureGroupMembership" setting, which happens to be the setting that contains the list of admin accounts for the Surface Hubs.
Setting: ConfigureGroupMembership [./Device/Vendor/MSFT/Policy/Config/RestrictedGroups/ConfigureGroupMembership]
Error Code: 0x87d101f4
Error Details: Syncml(500): The recipient encountered an unexpected condition which prevented it from fulfilling the request
Any ideas why it is failing to apply?:
@Michal Thanks for your update.
Could you please tell us the version of the device? Based on my research, if the version is Windows 10, version 20H2 and later, it is suggested to use the LocalUsersandGroups policy instead of the RestrictedGroups policy.
https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-localusersandgroups#localusersandgroups-policies
If there is anything misunderstanding, please correct me.
Hi @Lu Dai-MSFT that's not what we've had in place. What we've had working prior to this issue is the Custom configuration profile with controlling the accounts via the XML. However as per my earlier post it is erroring. So I'm just trying to troubleshoot that error to resolve the issue
https://learn.microsoft.com/en-us/surface-hub/surface-hub-2s-nonglobal-admin
@Michal Thanks for your kindness to correct me.
For this issue, I discuss it in my team. I get the information that this error message may occurs when the value of the XML couldn't be configured correctly.
Please understanding that Q&A is an open platform. With Q&A limitation, it is not allowed to get customer privacy information. Given this situation, it is suggested to create an online support ticket to get more effective help. It is free. Here is the online support link and hope it helpful.
https://learn.microsoft.com/en-us/mem/get-support
Hope everything goes well with you.
Thanks for your reply @Lu Dai-MSFT , as far as I know nothing has changed in the XML, however maybe someone has changed something in it since it was working last..
This is how we have it configured:
Thanks everyone for your help. As @Limitless Technology mentioned the issue was caused by the policy not applying correctly.
To resolve the error I first re-did the XML for the OMA-URI "./Device/Vendor/MSFT/Policy/Config/RestrictedGroups/ConfigureGroupMembership" to only be based off a Group, instead of individual accounts. I waited for the policy to apply and it worked!
So I tried to then add the users in individually after the group, waited for the policy to apply and it still worked!
So I'm not sure what the exact issue in the XML was, however recreating it from scratch worked!! :)
End result of XML:
@Michal Thank you very much for your solution. I just tried to find the correct configuration. Hahahaha, you were so quick to solve the problem. Anyway, it works fine now. It gives us an idea that we could try to apply an new policy when the old one isn't applying correctly.
Thanks again for your kindness and it will help someone else who has the similar issue.