DjordjeNovakovic-3405 asked DjordjeNovakovic-3405 commented

Disable UAC secure desktop using OMA-URI and configuration policy

Hello,

we deploy Autopilot machines with standard users (not local administrators), Intune only, and everything is in Azure AD.
When a user has to install something, the UAC secure desktop prompts for credentials. I would like to disable the secure desktop, and then the user will be able to copy/paste the local admin password.

I am trying to disable the secure desktop in UAC using a custom configuration profile with these settings:

OMA-URI: ./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers
Data type: Integer
Value: 3

https://www.petervanderwoude.nl/post/managing-user-account-control-settings-via-windows-10-mdm/

146595-uac.jpg


Configuration profile is applied successfully but this still does not work:



Is there anything else that I should configure?

Thanks

146566-uac1.jpg


DjordjeNovakovic-3405 answered DjordjeNovakovic-3405 commented

Thank you for your quick response. I tried that profile, it is deployed successfully but I still get secure desktop when trying Run as Administrator:

146701-uac2k.png


Information for target host:

146588-uac21kjj.png

Checked MDM Diagnostic Report, it has value 3:

146692-uac21k.png



However, if I change the setting to "Automatically deny elevation requests" (just to check other options) and run sync, it works after a few moments:


146665-uac21kffdsfsdjj.png




Hi,

Thanks for your reply.

The registry key corresponding to this policy is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser. Is the value of this key 3?

146795-key.png

Best regards,
Simon


1 Vote 1 ·

Hello,

Yes, it is 3. Finally, I found it: it also requires the second value to be 0:


146891-uacreg.jpg

This can be achieved using the additional setting:

146826-uacreg2.jpg

or via OMA-URIs:

./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers
./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation


Thanks!

0 Votes 0 ·
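The following is an added example, not part of the thread or written by any of its posters: a PowerShell check that reads the two values behind the policies discussed above and reports where a standard user's elevation prompt will appear. It assumes the "second value" in the screenshot is `PromptOnSecureDesktop`, the registry value behind the SwitchToTheSecureDesktopWhenPromptingForElevation policy; the function names and the defaults used when a value is absent are also assumptions.

```powershell
# Added example, not code from the thread. Registry path and ConsentPromptBehaviorUser
# are quoted in the thread; PromptOnSecureDesktop is an assumption (see lead-in).
$Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Resolve-UacPromptLocation {
    # Pure function: maps the two values to where a standard user's prompt appears.
    param([int]$ConsentPromptBehaviorUser, [int]$PromptOnSecureDesktop)
    switch ($ConsentPromptBehaviorUser) {
        0 { return 'Elevation requests are automatically denied' }
        1 { return 'Credential prompt on the secure desktop' }
        3 {
            if ($PromptOnSecureDesktop -ne 0) {
                # The case from the thread: value 3 alone is not enough.
                return 'Credential prompt on the secure desktop (PromptOnSecureDesktop is set)'
            }
            return 'Credential prompt on the interactive desktop'
        }
        default { return "Unrecognized ConsentPromptBehaviorUser: $ConsentPromptBehaviorUser" }
    }
}

function Get-UacValue {
    # Returns the DWORD, or $Default when the value is not present.
    param([string]$Name, [int]$Default)
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return [int]$item.$Name
}

# Constructed samples: the state before and after the fix described in the thread.
Resolve-UacPromptLocation -ConsentPromptBehaviorUser 3 -PromptOnSecureDesktop 1
Resolve-UacPromptLocation -ConsentPromptBehaviorUser 3 -PromptOnSecureDesktop 0

# Live check on the local device (defaults 3 and 1 are assumed when a value is absent).
$consent = Get-UacValue -Name 'ConsentPromptBehaviorUser' -Default 3
$secure  = Get-UacValue -Name 'PromptOnSecureDesktop' -Default 1
[pscustomobject]@{
    ConsentPromptBehaviorUser = $consent
    PromptOnSecureDesktop     = $secure
    Result                    = Resolve-UacPromptLocation $consent $secure
}
```

Running it after an Intune sync shows whether both settings have reached the device, which is the gap the MDM Diagnostic Report check on a single value did not reveal.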
NickHogarth-MVP answered

Have you looked at the built-in settings in the Settings Catalog under Local Policies Security Options?
146655-2021-11-05-8-09-50.png


