Disable UAC secure desktop using OMA-URI and configuration policy

asked 2021-11-04T16:08:56.043+00:00
Djordje Novakovic 191 Reputation points

Hello,

We deploy Autopilot machines with standard users (not local administrators), Intune only, and everything is in Azure AD.
When a user has to install something, the UAC secure desktop prompts for credentials. I would like to disable secure desktop so that the user will be able to copy/paste the local admin password.

I am trying to disable secure desktop in UAC using a custom configuration profile with these settings:

OMA-URI: ./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers
Data type: Integer
Value: 3

https://www.petervanderwoude.nl/post/managing-user-account-control-settings-via-windows-10-mdm/

146595-uac.jpg

Configuration profile is applied successfully but this still does not work:

Is there anything else that I should configure?

Thanks

146566-uac1.jpg


Accepted answer
  1. answered 2021-11-04T23:10:00.04+00:00
    Djordje Novakovic 191 Reputation points

    Thank you for your quick response. I tried that profile, it is deployed successfully but I still get secure desktop when trying Run as Administrator:

    146701-uac2k.png

    Information for target host:

    146588-uac21kjj.png

    Checked MDM Diagnostic Report, it has value 3:

    146692-uac21k.png

    However, if I change the setting to "Automatically deny elevation requests" (just to check other options) and run a sync, it works after a few moments:

    146665-uac21kffdsfsdjj.png


1 additional answer

  1. answered 2021-11-04T21:11:24.19+00:00
    Nick Hogarth 3,411 Reputation points Microsoft MVP

    Have you looked at the built-in settings in the Settings Catalog under Local Policies Security Options?
    146655-2021-11-05-8-09-50.png

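
Added example, not part of the original thread or of either poster's answer: a read-only PowerShell check of the registry values that back the UAC security options, useful when the MDM report shows value 3 but the secure desktop still appears. Per Microsoft's UAC policy documentation, when "Switch to the secure desktop when prompting for elevation" (CSP setting `UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation`, registry value `PromptOnSecureDesktop`) is enabled, elevation prompts go to the secure desktop regardless of the prompt-behavior value. The function and helper names are hypothetical, and the defaults used for missing values are assumptions.

```powershell
# Added example (not from the thread). Read-only: reports which UAC prompt a
# standard user will effectively get on this device.
function Get-ValueOrDefault($Props, [string]$Name, [int]$Default) {
    # A missing registry value means the OS default applies.
    if ($Props.PSObject.Properties.Name -contains $Name) { [int]$Props.$Name } else { $Default }
}

function Get-UacStandardUserPrompt {
    [CmdletBinding()]
    param(
        # Registry key that backs the UAC security options.
        [string]$Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    )

    $props = Get-ItemProperty -Path $Path -ErrorAction Stop

    # Assumed defaults when a value is absent: 3, 1, 1.
    $behavior  = Get-ValueOrDefault $props 'ConsentPromptBehaviorUser' 3
    $secure    = Get-ValueOrDefault $props 'PromptOnSecureDesktop' 1
    $enableLua = Get-ValueOrDefault $props 'EnableLUA' 1

    $behaviorText = switch ($behavior) {
        0       { 'Automatically deny elevation requests' }
        1       { 'Prompt for credentials on the secure desktop' }
        3       { 'Prompt for credentials' }
        default { "Unrecognized value $behavior" }
    }

    # PromptOnSecureDesktop = 1 sends every prompt to the secure desktop,
    # whatever ConsentPromptBehaviorUser says; deny (0) shows no prompt at all.
    $effective = if ($enableLua -eq 0)                      { 'UAC disabled (EnableLUA = 0), no prompt' }
                 elseif ($behavior -eq 0)                   { 'Elevation denied, no credential prompt' }
                 elseif ($secure -eq 1 -or $behavior -eq 1) { 'Credential prompt on the secure desktop' }
                 else                                       { 'Credential prompt on the interactive desktop' }

    [pscustomobject]@{
        ConsentPromptBehaviorUser = $behavior
        BehaviorMeaning           = $behaviorText
        PromptOnSecureDesktop     = $secure
        EnableLUA                 = $enableLua
        EffectivePrompt           = $effective
    }
}

Get-UacStandardUserPrompt | Format-List
```

If the output shows `ConsentPromptBehaviorUser = 3` together with `PromptOnSecureDesktop = 1`, the prompt-behavior policy has applied and the secure desktop comes from the separate switch setting.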