UAC elevation prompt for standard users

MSFT Windows 10 21H2 - Computers have the following setting recommendation:

  Policy: User Account Control: Behavior of the elevation prompt for standard users

  Setting: Automatically deny elevation requests

How do I provide support if I need to install software that requires Run as Administrator permissions? Will I need to switch user to the Administrator, and install the software?

12 Replies
Running elevated processes on a non-admin desktop is risky - there are too many ways for non-admin code to hijack those elevated permissions. Much better isolation to perform the installation from an admin's desktop or through a service (e.g., Microsoft's SCCM or Tanium's "Deploy" capability.)
What is your delivery method for the policy? If it is a GPO, then you can create a custom policy over the baseline with higher precedence to prompt for credentials. I blogged about this using Intune, but the admx policy setting is the same. https://rahuljindalmyit.blogspot.com/2021/03/intune-uac-elevation-prompt-behavior.html
Intune is an option as well.
Our management solution, SCCM/Intune, fixes >90% of the installations, uninstalls, upgrades etc. But some error situations require Administrator permissions. I guess I'll need to invest more time in SCCM/Intune, or helpdesk will need to "Switch user, and log in as Administrator" to fix the problem?

I'm just trying to figure out what the "cost" will be to following the standard and what other companies are doing.
Sorry, was that directed to me? I already mentioned about using Intune as a delivery tool for the policy.
The problem isn't making exceptions in GPO or Intune for this setting, but how I manage the clients if this setting is set to Automatically deny elevation requests.
Ok, in that case the available options that come to my mind are switching user to an admin account, or elevating permissions on demand for a standard user using a 3rd-party script or an app. Make me an admin is an example.
If you absolutely need to log in to an interactive desktop on the target system to perform the administrative actions, then switch-user and log in with that admin account. UAC different-user elevation is MUCH less secure. Keep that option disabled.
Apologies, I thought I was replying to Aaron's earlier comment. :)
Not a problem. :)

If I have understood it correctly, to conclude:

This is an important setting to follow in regards to security, because it is possible to hijack an elevated process.

A management solution is required to manage the clients. The management solution must be able to install, configure, update/upgrade and uninstall the operating system, drivers/firmware and software. It should also be able to evaluate configuration and correct errors automatically.

If a one-time fix is required and a program/process needs to be run with Administrator permissions, the user/helpdesk should switch user to the Administrator account with a LAPS password (or equivalent) and run the program/process in that session.

The following setting will make it impossible to run a program/process with Administrator permissions interactively remotely / through a remote support session. These changes MUST now be done through the management solution.

Thanks @AaronMargosis_Tanium and @rahuljindal-MVP for input.
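As an added example (not part of the thread, and not Microsoft's or Tanium's tooling): before helpdesk escalates a failed "Run as administrator" to a switch-user session, it helps to confirm that the auto-deny policy is really what is in effect on that client, and not a stale or mis-targeted GPO. The setting discussed above is stored by Group Policy and Intune as the ConsentPromptBehaviorUser value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, with 0 = Automatically deny, 1 = Prompt for credentials on the secure desktop, 3 = Prompt for credentials. The function below reads that key and reports the effective behaviour for standard users and administrators. The registry path and value meanings are the documented UAC policy locations; the function name and the computer names in the remote-audit line are placeholders I chose.

```powershell
# Added example (not from the thread): report which UAC elevation-prompt policy
# is actually in effect on a Windows 10 client, so helpdesk can tell whether
# "Automatically deny elevation requests" is what is blocking a Run as
# administrator attempt. Works from a standard (non-elevated) session, since
# the policy key is readable by Users.

function Get-UacElevationPolicy {
    [CmdletBinding()]
    param(
        # Registry path that Group Policy / Intune write the UAC policies to.
        # Parameterised so the function can be pointed at a mounted offline
        # hive for testing; the default is the live key.
        [string]$Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    )

    # Documented meanings of ConsentPromptBehaviorUser (standard users) and
    # ConsentPromptBehaviorAdmin (members of the local Administrators group).
    $userBehavior = @{
        0 = 'Automatically deny elevation requests'
        1 = 'Prompt for credentials on the secure desktop'
        3 = 'Prompt for credentials'
    }
    $adminBehavior = @{
        0 = 'Elevate without prompting'
        1 = 'Prompt for credentials on the secure desktop'
        2 = 'Prompt for consent on the secure desktop'
        3 = 'Prompt for credentials'
        4 = 'Prompt for consent'
        5 = 'Prompt for consent for non-Windows binaries'
    }

    $p = Get-ItemProperty -Path $Path -ErrorAction Stop

    # A value that is absent means no policy has been applied for it, so the
    # OS default applies: UAC on, standard users prompted for credentials,
    # admins prompted for consent for non-Windows binaries.
    $enableLua = if ($null -eq $p.EnableLUA) { 1 } else { [int]$p.EnableLUA }
    $user      = if ($null -eq $p.ConsentPromptBehaviorUser) { 3 } else { [int]$p.ConsentPromptBehaviorUser }
    $admin     = if ($null -eq $p.ConsentPromptBehaviorAdmin) { 5 } else { [int]$p.ConsentPromptBehaviorAdmin }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        UacEnabled           = ($enableLua -eq 1)
        StandardUserValue    = $user
        StandardUserPrompt   = $userBehavior[$user]
        AdminValue           = $admin
        AdminPrompt          = $adminBehavior[$admin]
        # True when a standard user's Run as administrator / over-the-shoulder
        # credential prompt can never appear on this machine, which is the
        # state the baseline setting in this thread produces.
        StandardUserAutoDeny = ($enableLua -eq 1 -and $user -eq 0)
    }
}

# Check the local machine.
Get-UacElevationPolicy | Format-List

# The same audit across a fleet over WinRM. The whole function body is sent to
# each host, so it needs nothing but the registry there. Host names are
# placeholders.
# Invoke-Command -ComputerName 'PC01','PC02' -ScriptBlock ${function:Get-UacElevationPolicy} |
#     Where-Object StandardUserAutoDeny |
#     Select-Object PSComputerName, StandardUserPrompt, AdminPrompt
```

If StandardUserAutoDeny comes back true on a machine where a higher-precedence policy was meant to override the baseline (as described earlier in the thread), `gpresult /h report.html` on that client shows which GPO won for the setting. Note that the value only tells you what consent.exe will do; it does not change the security argument above, since even "Prompt for credentials" re-introduces the same elevated-process-on-a-non-admin-desktop exposure that the baseline is avoiding.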

 

Good summary. That sounds like the best case scenario IMO.