Forum Discussion
UAC elevation prompt for standard users
MSFT Windows 10 21H2 - Computer has the following setting recommendation
Policy: User Account Control: Behavior of the elevation prompt for standard users
Setting: Automatically deny elevation requests
How do I provide support if I need to install software that requires Run as Administrator permissions? Will I need to switch user to the Administrator, and install the software?
- andreaskrovel (Copper Contributor)
If I have understood it correctly, to conclude:
This is an important setting to follow in regards to security, because it is possible to hijack an elevated process.
A management solution is required to manage the clients. The management solution must be able to install, configure, update/upgrade and uninstall operating system, drivers/firmware and software. It should also be able to evaluate configuration and correct errors automatically.
If a one-time fix is required and a program/process needs to be run with Administrators permissions, the user/helpdesk should switch user to the Administrator account with a LAPS password (or equivalent) and run the program/process in that session.
The following setting will make it impossible to run a program/process with Administrators permissions interactively remotely / through a remote support session. These changes MUST now be done through the management solution.
Thanks AaronMargosis_Tanium and rahuljindal for input.
- mfalde (Brass Contributor)
Good summary. That sounds like the best case scenario IMO.
- rahuljindal (Bronze Contributor)
What is your delivery method for the policy? If it is a GPO, then you can create a custom policy over the baseline with higher precedence to prompt for credentials. I blogged about this using Intune, but the admx policy setting is the same. https://rahuljindalmyit.blogspot.com/2021/03/intune-uac-elevation-prompt-behavior.html
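An added audit check (example code written for this page, not from the thread or the blog post above) that reports which standard-user elevation prompt behaviour is actually in force on a machine and whether it matches the baseline. It assumes the effective setting is the ConsentPromptBehaviorUser value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, and reads EnableLUA alongside it, since the prompt setting is moot when UAC is off.

```powershell
# Added example: audit the effective "Behavior of the elevation prompt for standard users"
# against the MSFT Windows 10 21H2 baseline (0 = Automatically deny elevation requests).
# Assumption: the policy is applied via the ConsentPromptBehaviorUser DWORD in the
# Policies\System key (GPO and Intune both write it there).
function Get-UacStandardUserPromptBehavior {
    [CmdletBinding()]
    param(
        # Baseline value to compare against; 0 is what the baseline recommends.
        [int]$BaselineValue = 0
    )

    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    # Well-known encodings of ConsentPromptBehaviorUser
    $meaning = @{
        0 = 'Automatically deny elevation requests'
        1 = 'Prompt for credentials on the secure desktop'
        3 = 'Prompt for credentials'
    }

    $props     = Get-ItemProperty -Path $key -ErrorAction Stop
    $value     = $props.ConsentPromptBehaviorUser
    $uacOn     = ($props.EnableLUA -ne 0)   # EnableLUA = 0 disables UAC entirely

    if ($null -eq $value) {
        $text = 'Not set (Windows default applies)'
    } elseif ($meaning.ContainsKey([int]$value)) {
        $text = $meaning[[int]$value]
    } else {
        $text = "Unknown value ($value)"
    }

    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        ConsentPromptBehaviorUser = $value
        Meaning                   = $text
        UacEnabled                = $uacOn
        # Only counts as compliant when UAC is on and the value equals the baseline
        MatchesBaseline           = $uacOn -and ($null -ne $value) -and ([int]$value -eq $BaselineValue)
    }
}

# Usage: tell helpdesk whether the baseline, or a custom policy layered over it
# (e.g. prompt for credentials), is what the client actually enforces.
$result = Get-UacStandardUserPromptBehavior
$result | Format-List
if (-not $result.MatchesBaseline) {
    Write-Warning "Standard-user elevation prompt deviates from baseline: $($result.Meaning)"
}
```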
- mfalde (Brass Contributor)
Intune is an option as well.
- rahuljindal (Bronze Contributor)
Sorry, was that directed to me? I already mentioned using Intune as a delivery tool for the policy.
- AaronMargosis_Tanium (Iron Contributor)
Running elevated processes on a non-admin desktop is risky - there are too many ways for non-admin code to hijack those elevated permissions. Much better isolation to perform the installation from an admin's desktop or through a service (e.g., Microsoft's SCCM or Tanium's "Deploy" capability).
- andreaskrovel (Copper Contributor)
Our management solution, SCCM/Intune, fixes >90% of the installations, uninstalls, upgrades ++. But some error situations require Administrators permissions. I guess I'll need to invest more time in SCCM/Intune or helpdesk will need to "Switch user, and log in as Administrator" to fix the problem?
I'm just trying to figure out what the "cost" will be to following the standard and what other companies are doing.