Event details
Get answers to your questions about adopting Windows 11 and managing the Windows devices used by remote, onsite, and hybrid workers across your organization. Get tips on keeping devices up to date ef...
Char_Cheesman
Updated Feb 15, 2024
MEB2004
Feb 12, 2024
Brass Contributor
Is there a way to prevent admin users from changing the UAC setting, either through registry settings or Intune? We configure the "Administrator elevation prompt behavior" UAC setting through the Security Baseline. However, admin users can change or turn off UAC and this will stay until the device syncs or is restarted. This leaves the device vulnerable for up to 8 hours. We changed this setting in the Security Baseline to "not configured" and created a configuration profile to set it. Most settings that get configured using a configuration profile are greyed out, but that is not the case for UAC.
Joe_Lurie
Microsoft
Feb 15, 2024
Thanks for the questions, MEB2004. There's very little we can do to prevent an admin user from circumventing policy. However, we have a new feature in Intune that makes it easier to keep your users as standard users while elevating app installs and such. This is called Endpoint Privilege Management. You can learn more about EPM here: Learn about using Endpoint Privilege Management with Microsoft Intune | Microsoft Learn
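Added example, not part of the thread and not Microsoft's code: a detection script that reports when the UAC values discussed above have drifted from the configured state, so the change is visible before the next policy sync. It reads the standard UAC policy values under `HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`; the expected values and the function name `Get-UacDrift` are assumptions to adjust to your own configuration profile.

```powershell
# Added example: detects UAC drift; it does not stop an admin from changing the values.
# Expected values are assumptions. Set them to match your own configuration profile.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Expected = [ordered]@{
    EnableLUA                  = 1   # UAC (Admin Approval Mode) enabled
    ConsentPromptBehaviorAdmin = 2   # Prompt for consent on the secure desktop (assumed)
    PromptOnSecureDesktop      = 1   # Elevation prompts shown on the secure desktop
}

function Get-UacDrift {
    param(
        [string]$Path = $PolicyKey,
        [System.Collections.IDictionary]$Baseline = $Expected
    )
    $current = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    foreach ($name in $Baseline.Keys) {
        # A value that is missing from the key is reported as drift as well.
        $actual = if ($current -and ($current.PSObject.Properties.Name -contains $name)) {
            $current.$name
        } else {
            $null
        }
        if ($actual -ne $Baseline[$name]) {
            [pscustomobject]@{
                Name     = $name
                Expected = $Baseline[$name]
                Actual   = $actual
            }
        }
    }
}

$drift = @(Get-UacDrift)
if ($drift.Count -gt 0) {
    foreach ($item in $drift) {
        Write-Output ("UAC drift: {0} expected={1} actual={2}" -f $item.Name, $item.Expected, $item.Actual)
    }
    exit 1   # non-zero exit: device reported as needing remediation
}

Write-Output 'UAC settings match the expected values.'
exit 0
```

Deployed as the detection half of an Intune Remediations package, exit code 1 flags the device; how often it runs depends on the schedule you assign.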