Forum Discussion

andreaskrovel's avatar
andreaskrovel
Copper Contributor
Mar 23, 2022

UAC elevation prompt for standard users

MSFT Windows 10 21H2 - Computer have the following setting recommendation   Policy: User Account Control: Behavior of the elevation prompt for standard users   Setting: Automatically deny elevation...
andreaskrovel's avatar
andreaskrovel
Copper Contributor
Mar 31, 2022

If I have understood it correctly, to conclude;

 

This is a important setting to follow in regards to security, because it is possible to hijack a elevated process.

 

A management solution is required to manage the clients. The management solutions must be able to install, configure, update/upgrade and uninstall operating system, drivers/firmware and software. It should also be able to evaluate configuration and correct error automatically.

 

If a one time fix is required and a program/process needs to be run with Administrators permissions, the user/helpdesk should switch user to the Administrator account with a LAPS password (or equivalent) and run the program/process in that session.

 

The following setting will make it impossible to run a program/process with Administrators permissions interactive remotely / through a remote support session. These changes MUST now be done through the management solution.

 

Thanks AaronMargosis_Tanium and rahuljindal for input.

 

  • mfalde's avatar
    mfalde
    Brass Contributor
    Apr 05, 2022
    Good summary. That sounds like the best case scenario IMO.

Resources