Windows Office Hours: February 15, 2024
Event ended. Thursday, Feb 15, 2024, 08:00 AM PST
Event details
Get answers to your questions about adopting Windows 11 and managing the Windows devices used by remote, onsite, and hybrid workers across your organization. Get tips on keeping devices up to date ef...
Char_Cheesman
Updated Feb 15, 2024
MEB2004 (Brass Contributor), Feb 12, 2024
Is there a way to prevent admin users from changing the UAC setting, either through registry settings or Intune? We configure the "Administrator elevation prompt behavior" UAC setting through the Security Baseline. However, admin users can change or turn off UAC, and this will stay until the device syncs or is restarted. This leaves the device vulnerable for up to 8 hours. We changed this setting in the Security Baseline to "not configured" and created a configuration profile to set it. Most settings that get configured using a configuration profile are greyed out, but that is not the case for UAC.
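The gap described in this question is the window between a local change and the next policy sync. An added example (not posted by any participant in this thread) that checks the UAC values under the registry key Intune and Group Policy write to, and reports any drift; the expected values are an assumption and should be set to whatever your baseline or configuration profile enforces:

```powershell
# Added example: report drift in the UAC policy values an admin user can flip
# locally. Run it on a schedule so a change is noticed before the next sync.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Assumed baseline: UAC on, admins prompted for consent on the secure desktop.
# Adjust these to match your own Security Baseline / configuration profile.
$expected = @{
    EnableLUA                  = 1   # 0 turns UAC off (effective after a reboot)
    ConsentPromptBehaviorAdmin = 2   # 0 = elevate silently, 2 = consent on secure desktop
    PromptOnSecureDesktop      = 1   # 0 draws the prompt on the normal desktop
}

function Get-UacDrift {
    param([string]$Key = $uacKey, [hashtable]$Expected = $expected)
    $current = Get-ItemProperty -Path $Key -ErrorAction Stop
    foreach ($name in $Expected.Keys) {
        $actual = $current.$name          # $null when the value is absent
        if ($null -eq $actual -or $actual -ne $Expected[$name]) {
            [pscustomobject]@{
                Setting  = $name
                Expected = $Expected[$name]
                Actual   = $actual
            }
        }
    }
}

$drift = @(Get-UacDrift)
if ($drift.Count -eq 0) {
    Write-Output 'UAC policy values match the expected baseline.'
    exit 0
}
$drift | Format-Table -AutoSize | Out-String | Write-Output
# A non-zero exit code lets whatever runs this (a scheduled task, or an Intune
# remediation detection script) mark the device as non-compliant for follow-up.
exit 1
```

Reading the values does not require elevation, so the check can run in a standard-user context; it detects the change rather than preventing it, which matches the limitation the answer below describes.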
Joe_Lurie (Microsoft), Feb 15, 2024
Thanks for the questions MEB2004. There's very little we can do to prevent an admin user from circumventing policy. However, we have a new feature in Intune that makes it easier to keep your users as standard users while elevating app installs and such. This is called Endpoint Privilege Management. You can learn more about EPM here: Learn about using Endpoint Privilege Management with Microsoft Intune | Microsoft Learn
- joemclain (Brass Contributor), Feb 15, 2024: EPM is awesome and we leverage it extensively. @Joe Lurie: If you look at my new post above, Microsoft has confirmed that EPM doesn't work with Win11 23H2. Do you have insight into when we can expect a resolution?
- Joe_Lurie (Microsoft), Feb 15, 2024: Hi joemclain, I answered this above as well, but want to make sure you and others see it. EPM works on Windows 11 23H2 as long as this KB (KB5031455) is installed: Learn about using Endpoint Privilege Management with Microsoft Intune | Microsoft Learn