Forum Discussion

Kiril's avatar
Kiril
Steel Contributor
May 21, 2024

UAC during OOBE (after switching from Admin to Standard user in Windows Autopilot)

We switched settings in Windows Autopilot to make the user a standard user instead of an admin. Now, during OOBE I am asked multiple times to execute a PowerShell script as an admin.

 

 

What causes this behavior and how to prevent?

  • it must be an app or powershell script.. so if you are noticing that that policy being mentioned in the ime.. there must be an app being downloaded /executed just before.... Use cmtrace to look at the ime log ..
  • Kiril 

     

    Not 100 percent sure how you deploy your script but do you have the option "Run this script using the logged on credentials" set to 'yes'? This might cause this behaviour:

     

     

     

    • Kiril's avatar
      Kiril
      Steel Contributor
      Thank you. There are no scripts being deployed or executed by Intune. Must be cause by something else.
      • NicklasOlsen's avatar
        NicklasOlsen
        Iron Contributor
        We can't see the name of the script, but is this something related to a application you are deploying in your ESP?
  • If you arent deploing powershell scripts or proactive remediations to your devices, it could be a custom made win32app that is being targetted at the user and not running in system context.
    So i would start digging in to the intune management extension to find out what is being executed just before you get that prompt
    • Kiril's avatar
      Kiril
      Steel Contributor
      Looking through the logs, the name of the script being executed contains a userId and policyId (userId_policyId.ps1).

      How can I find out which policy is triggering this by policyId?
      • it must be an app or powershell script.. so if you are noticing that that policy being mentioned in the ime.. there must be an app being downloaded /executed just before.... Use cmtrace to look at the ime log ..

Resources